[Security Solution][Endpoint] Add support to Action Responder script for get-file response action
#142663
Conversation
paul-tavares
added
release_note:skip
|
Pinging @elastic/security-onboarding-and-lifecycle-mgt (Team:Onboarding and Lifecycle Mgt) |
| }, | ||
| // randomly before a few hours/minutes/seconds later | ||
| started_at: new Date(startedAtTimes[this.randomN(startedAtTimes.length)]).toISOString(), | ||
| output: undefined, |
There was a problem hiding this comment.
output seemed to be in the wrong place here. It should have been under data
| * The Metadata information about a file that was uploaded by Endpoint | ||
| * as a result of a `get-file` response action | ||
| */ | ||
| export interface UploadedFile { |
There was a problem hiding this comment.
FYI - having had some more time looking at the file upload and how we will use it in the UI, I'm not sure that we will need this Type. Or we might needed it, but not under common/ - maybe on the server side only. We might not actually need to interact with the file stored because the Endpoint action response will likely have everything we need.
| * as a result of a `get-file` response action | ||
| */ | ||
| export interface UploadedFile { | ||
| file: { |
There was a problem hiding this comment.
I only defined a subset of the ECS file attributes. Let me now if I should define others and/or the full set.
| // Add the file's metadata | ||
| const fileMeta = await esClient.index<UploadedFile>({ | ||
| index: FILE_STORAGE_METADATA_INDEX, | ||
| id: `${action.id}.${action.hosts[0]}`, |
There was a problem hiding this comment.
@pzl - I think this is right for now, correct?
If anything changes, and you remember, let us know and we'll update.
There was a problem hiding this comment.
correct for now. This is a completely opaque value that we get to determine. So whatever order or value is easiest for us to look up again.
There was a problem hiding this comment.
either approach works IMO. both pieces of data is on the Action request/response
|
|
||
| await esClient.index({ | ||
| index: FILE_STORAGE_DATA_INDEX, | ||
| id: `${fileMeta._id}.0`, |
There was a problem hiding this comment.
@pzl - I think this is right. I did not have a file with multiple chunks, but looking at the data you sent me, I assumed that each chunk's id would be comprised of the File's meta document _id + .<chunk_number>.
| id: `${fileMeta._id}.0`, | ||
| body: { | ||
| bid: fileMeta._id, | ||
| last: false, |
There was a problem hiding this comment.
Is this correct for file stored all within one chunk?
There was a problem hiding this comment.
no, what I sent you actually had a bug in it. Should still be true for 1-chunk-docs
| ssdeep?: string; | ||
| tlsh?: string; |
There was a problem hiding this comment.
I think it's highly unlikely we will ever use these hashes. After determining the capabilities of agent/endpoint to generate hashes, we will support a specific subset, since fleet server will also need to perform that same hashing, it will be a known subset we support. But is yet to be determined until they start work
md5, sha256 is probably a safe assumption. unless we need to add something simpler like crc
There was a problem hiding this comment.
will adjust once we know that.
| * of the contents and metadata happens. Deleted files should be treated as if they don’t | ||
| * exist. Only files in READY state can transition into DELETED state. | ||
| */ | ||
| Status: 'AWAITING_UPLOAD' | 'UPLOADING' | 'READY' | 'UPLOAD_ERROR' | 'DELETED'; |
| body: { | ||
| bid: fileMeta._id, | ||
| last: false, | ||
| data: 'UEsDBBQACAAIAFVeRFUAAAAAAAAAABMAAAAMACAAYmFkX2ZpbGUudHh0VVQNAAdTVjxjU1Y8Y1NWPGN1eAsAAQT1AQAABBQAAAArycgsVgCiRIWkxBSFtMycVC4AUEsHCKkCwMsTAAAAEwAAAFBLAQIUAxQACAAIAFVeRFWpAsDLEwAAABMAAAAMACAAAAAAAAAAAACkgQAAAABiYWRfZmlsZS50eHRVVA0AB1NWPGNTVjxjU1Y8Y3V4CwABBPUBAAAEFAAAAFBLBQYAAAAAAQABAFoAAABtAAAAAAA=', |
There was a problem hiding this comment.
for 💩 and 🤣 I actually checked what this is.
It's a zip of a single file, bad_file.txt with contents: this is a bad file.
There was a problem hiding this comment.
LOL - yep 😎
(and thanks for testing that out)
💚 Build Succeeded
Metrics [docs]Async chunks
History
To update your PR or re-run it, just comment with: |
| ssdeep?: string; | ||
| tlsh?: string; | ||
| }; | ||
| mime_type?: string; |
There was a problem hiding this comment.
Should we restrict this to the allowed mime types?
There was a problem hiding this comment.
yeah, I think we could since the file the endpoint will upload will always be zip. I'll wait on that until we actually get this working with the Endpoint and get agreement on the expectation.
| expect(filterList.querySelectorAll('ul>li').length).toEqual(RESPONSE_ACTION_COMMANDS.length); | ||
| expect( | ||
| Array.from(filterList.querySelectorAll('ul>li')).map((option) => option.textContent) | ||
| ).toEqual(['isolate', 'release', 'kill-process', 'suspend-process', 'processes']); | ||
| ).toEqual(['isolate', 'release', 'kill-process', 'suspend-process', 'processes', 'get-file']); |
I will do this in the next PR. I would like to do some refactoring and move some of the |
|
Awesome, I am excited for this feature. Since I can't quite follow the complexities of the code, I would like to ask: Does the end goal .zip file contain a password and if so is it configurable? |
…for `get-file` response action (elastic#142663) * Add `const`'s for file storage indexes * Add file storage TS type * Add support to Action Responder script for `get-file` response action * Add support to action generator to output `get-file` responses * correct `last` property of the upload chunk * Fix type * fix UI jest test failures * Fix server jest tests and Generator bug
|
@nicpenning - yes, the zip file that is uploaded by the Endpoint with the requested file will have a password set on it and currently we are not planning on making that configurable. We are planning on using |
|
Awesome, thanks! That should be great. |
…for `get-file` response action (elastic#142663) * Add `const`'s for file storage indexes * Add file storage TS type * Add support to Action Responder script for `get-file` response action * Add support to action generator to output `get-file` responses * correct `last` property of the upload chunk * Fix type * fix UI jest test failures * Fix server jest tests and Generator bug
Summary
x-pack/plugins/security_solution/scripts/endpoint/endpoint_action_responder.js) forget-fileresponse action (coming in 8.6). Will write a generated file to ES when action is submitted.generateResponse()method ofEndpointActionGeneratorto also generateparametersandoutputforget-fileactionUploadedFileandconst's for the indexes that will store the files.