[Defend Workflows] Live queries with parameters on timelines' events (e…
…lastic#151317)

Closes elastic/security-team#5999

![test](https://user-images.githubusercontent.com/29123534/219058689-f2c423b8-b239-4ec0-b946-7b2e350749e3.gif)

**BUG**
"Take action" > "Run osquery" on a timeline event that is not an alert
does not substitute query parameters.
**CAUSE**
Lack of context connection in the component that carries `alertData`

(cherry picked from commit 9109fd5)
szwarckonrad committed Feb 20, 2023
1 parent ae5666b commit e6d9000
Showing 1 changed file with 16 additions and 3 deletions.
19 changes: 16 additions & 3 deletions x-pack/plugins/osquery/public/live_queries/form/index.tsx
Expand Up @@ -8,10 +8,14 @@
import { EuiButton, EuiButtonEmpty, EuiFlexGroup, EuiFlexItem } from '@elastic/eui';
import { FormattedMessage } from '@kbn/i18n-react';
import type { ECSMapping } from '@kbn/osquery-io-ts-types';
import React, { useCallback, useEffect, useMemo, useState } from 'react';
import React, { useCallback, useContext, useEffect, useMemo, useState } from 'react';
import { useForm as useHookForm, FormProvider } from 'react-hook-form';
import { isEmpty, find, pickBy } from 'lodash';

import {
containsDynamicQuery,
replaceParamsQuery,
} from '../../../common/utils/replace_params_query';
import { PLUGIN_NAME as OSQUERY_PLUGIN_NAME } from '../../../common';
import { QueryPackSelectable } from './query_pack_selectable';
import type { SavedQuerySOFormData } from '../../saved_queries/form/use_saved_query_form';
Expand All @@ -26,6 +30,7 @@ import { LiveQueryQueryField } from './live_query_query_field';
import { AgentsTableField } from './agents_table_field';
import { savedQueryDataSerializer } from '../../saved_queries/form/use_saved_query_form';
import { PackFieldWrapper } from '../../shared_components/osquery_response_action_type/pack_field_wrapper';
import { AlertAttachmentContext } from '../../common/contexts';

export interface LiveQueryFormFields {
alertIds?: string[];
Expand Down Expand Up @@ -66,6 +71,8 @@ const LiveQueryFormComponent: React.FC<LiveQueryFormProps> = ({
enabled = true,
hideAgentsField = false,
}) => {
const alertAttachmentContext = useContext(AlertAttachmentContext);

const { application, appName } = useKibana().services;
const permissions = application.capabilities.osquery;
const canRunPacks = useMemo(
Expand Down Expand Up @@ -138,11 +145,17 @@ const LiveQueryFormComponent: React.FC<LiveQueryFormProps> = ({

const onSubmit = useCallback(
async (values: LiveQueryFormFields) => {
// Temporary, frontend solution for params substitution. To be removed once alert_ids refactored in create_live_query_route
const query =
values.query && containsDynamicQuery(values.query) && alertAttachmentContext
? replaceParamsQuery(values.query, alertAttachmentContext).result
: values.query;

const serializedData = pickBy(
{
agentSelection: values.agentSelection,
saved_query_id: values.savedQueryId,
query: values.query,
query,
alert_ids: values.alertIds,
pack_id: values?.packId?.length ? values?.packId[0] : undefined,
ecs_mapping: values.ecs_mapping,
Expand All @@ -152,7 +165,7 @@ const LiveQueryFormComponent: React.FC<LiveQueryFormProps> = ({

await mutateAsync(serializedData);
},
[mutateAsync]
[alertAttachmentContext, mutateAsync]
);

const serializedData: SavedQuerySOFormData = useMemo(
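Review bot: The substituted `query` built at the top of `onSubmit` is handed to `mutateAsync` without the analyst ever seeing it — the form still shows the `{{field}}` template, while the text the agents execute is `replaceParamsQuery(values.query, alertAttachmentContext).result`, whose values come from the attached event document (host-sourced fields such as process names or command lines, which an adversary on the endpoint can influence). Whether those values are quoted or escaped before being spliced into the osquery SQL depends on `replaceParamsQuery`, which is not in this diff; if it is a plain string replace, a crafted field value can change the shape of the query, and because only the template is displayed this would not be noticed at submit time. I would confirm the escaping in `replace_params_query` and state the contract where the substitution happens, replacing the `// Temporary…` comment with something like `// Client-side {{field}} substitution from the attached event. Field values are untrusted host data and must be escaped by replaceParamsQuery; the rendered query is not shown to the user before it is sent.` It is also worth checking what `.result` holds when a placeholder has no matching field in the context (not visible here), since that string is sent as-is rather than failing the submit. `onSubmit` continues into the next hunk and `mutateAsync` is defined outside the diff.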
