isolate/release methods

elastic · Dec 23, 2024 · aa0e228 · aa0e228
1 parent de81c78
commit aa0e228
Show file tree

Hide file tree

Showing 2 changed files with 130 additions and 0 deletions.
diff --git a/x-pack/solutions/security/plugins/security_solution/common/experimental_features.ts b/x-pack/solutions/security/plugins/security_solution/common/experimental_features.ts
@@ -267,6 +267,11 @@ export const allowedExperimentalValues = Object.freeze({
    * Enables the Asset Inventory feature
    */
   assetInventoryStoreEnabled: false,
+
+  /**
+   * Enabled Microsoft Defender for  Endpoint actions client
+   */
+  responseActionsMSDefenderEndpointEnabled: false,
 });
 
 type ExperimentalConfigKeys = Array<keyof ExperimentalFeatures>;

diff --git a/...rvices/actions/clients/microsoft/defender/endpoint/ms_defender_endpoint_actions_client.ts b/...rvices/actions/clients/microsoft/defender/endpoint/ms_defender_endpoint_actions_client.ts
@@ -12,8 +12,14 @@ import {
 } from '@kbn/stack-connectors-plugin/common/microsoft_defender_endpoint/constants';
 import type {
   MicrosoftDefenderEndpointAgentDetailsParams,
+  MicrosoftDefenderEndpointIsolateHostParams,
   MicrosoftDefenderEndpointMachine,
+  MicrosoftDefenderEndpointReleaseHostParams,
 } from '@kbn/stack-connectors-plugin/common/microsoft_defender_endpoint/types';
+import type {
+  IsolationRouteRequestBody,
+  UnisolationRouteRequestBody,
+} from '../../../../../../../../common/api/endpoint';
 import type {
   ActionDetails,
   EndpointActionDataParameterTypes,
@@ -30,6 +36,7 @@ import {
 } from '../../../lib/base_response_actions_client';
 import { stringify } from '../../../../../../utils/stringify';
 import { ResponseActionsClientError } from '../../../errors';
+import type { CommonResponseActionMethodOptions } from '../../../lib/types';
 
 export type MicrosoftDefenderActionsClientOptions = ResponseActionsClientOptions & {
   connectorActions: NormalizedExternalConnectorClient;
@@ -212,4 +219,122 @@ export class MicrosoftDefenderEndpointActionsClient extends ResponseActionsClien
 
     return msDefenderEndpointGetMachineDetailsApiResponse;
   }
+
+  async isolate(
+    actionRequest: IsolationRouteRequestBody,
+    options: CommonResponseActionMethodOptions = {}
+  ): Promise<ActionDetails> {
+    const reqIndexOptions: ResponseActionsClientWriteActionRequestToEndpointIndexOptions<
+      undefined,
+      {},
+      MicrosoftDefenderEndpointActionRequestCommonMeta
+    > = {
+      ...actionRequest,
+      ...this.getMethodOptions(options),
+      command: 'isolate',
+    };
+
+    if (!reqIndexOptions.error) {
+      let error = (await this.validateRequest(reqIndexOptions)).error;
+
+      if (!error) {
+        try {
+          await this.sendAction<unknown, MicrosoftDefenderEndpointIsolateHostParams>(
+            MICROSOFT_DEFENDER_ENDPOINT_SUB_ACTION.ISOLATE_HOST,
+            {
+              id: actionRequest.endpoint_ids[0],
+              comment: actionRequest.comment ?? '',
+            }
+          );
+        } catch (err) {
+          error = err;
+        }
+      }
+
+      reqIndexOptions.error = error?.message;
+
+      if (!this.options.isAutomated && error) {
+        throw error;
+      }
+    }
+
+    const { actionDetails, actionEsDoc: actionRequestDoc } =
+      await this.handleResponseActionCreation(reqIndexOptions);
+
+    if (
+      !actionRequestDoc.error &&
+      !this.options.endpointService.experimentalFeatures.responseActionsMSDefenderEndpointEnabled
+    ) {
+      await this.writeActionResponseToEndpointIndex({
+        actionId: actionRequestDoc.EndpointActions.action_id,
+        agentId: actionRequestDoc.agent.id,
+        data: {
+          command: actionRequestDoc.EndpointActions.data.command,
+        },
+      });
+
+      return this.fetchActionDetails(actionRequestDoc.EndpointActions.action_id);
+    }
+
+    return actionDetails;
+  }
+
+  async release(
+    actionRequest: UnisolationRouteRequestBody,
+    options: CommonResponseActionMethodOptions = {}
+  ): Promise<ActionDetails> {
+    const reqIndexOptions: ResponseActionsClientWriteActionRequestToEndpointIndexOptions<
+      undefined,
+      {},
+      MicrosoftDefenderEndpointActionRequestCommonMeta
+    > = {
+      ...actionRequest,
+      ...this.getMethodOptions(options),
+      command: 'unisolate',
+    };
+
+    if (!reqIndexOptions.error) {
+      let error = (await this.validateRequest(reqIndexOptions)).error;
+
+      if (!error) {
+        try {
+          await this.sendAction<unknown, MicrosoftDefenderEndpointReleaseHostParams>(
+            MICROSOFT_DEFENDER_ENDPOINT_SUB_ACTION.RELEASE_HOST,
+            {
+              id: actionRequest.endpoint_ids[0],
+              comment: actionRequest.comment ?? '',
+            }
+          );
+        } catch (err) {
+          error = err;
+        }
+      }
+
+      reqIndexOptions.error = error?.message;
+
+      if (!this.options.isAutomated && error) {
+        throw error;
+      }
+    }
+
+    const { actionDetails, actionEsDoc: actionRequestDoc } =
+      await this.handleResponseActionCreation(reqIndexOptions);
+
+    if (
+      !actionRequestDoc.error &&
+      !this.options.endpointService.experimentalFeatures.responseActionsMSDefenderEndpointEnabled
+    ) {
+      await this.writeActionResponseToEndpointIndex({
+        actionId: actionRequestDoc.EndpointActions.action_id,
+        agentId: actionRequestDoc.agent.id,
+        data: {
+          command: actionRequestDoc.EndpointActions.data.command,
+        },
+      });
+
+      return this.fetchActionDetails(actionRequestDoc.EndpointActions.action_id);
+    }
+
+    return actionDetails;
+  }
 }