From aa0e22879a0cfa6c7485fafe914c955dd96263d1 Mon Sep 17 00:00:00 2001 From: Ashokaditya Date: Mon, 23 Dec 2024 15:31:26 +0100 Subject: [PATCH] isolate/release methods --- .../common/experimental_features.ts | 5 + .../ms_defender_endpoint_actions_client.ts | 125 ++++++++++++++++++ 2 files changed, 130 insertions(+) diff --git a/x-pack/solutions/security/plugins/security_solution/common/experimental_features.ts b/x-pack/solutions/security/plugins/security_solution/common/experimental_features.ts index 56f4657500c45..d3ac03cfd990c 100644 --- a/x-pack/solutions/security/plugins/security_solution/common/experimental_features.ts +++ b/x-pack/solutions/security/plugins/security_solution/common/experimental_features.ts @@ -267,6 +267,11 @@ export const allowedExperimentalValues = Object.freeze({ * Enables the Asset Inventory feature */ assetInventoryStoreEnabled: false, + + /** + * Enabled Microsoft Defender for Endpoint actions client + */ + responseActionsMSDefenderEndpointEnabled: false, }); type ExperimentalConfigKeys = Array; diff --git a/x-pack/solutions/security/plugins/security_solution/server/endpoint/services/actions/clients/microsoft/defender/endpoint/ms_defender_endpoint_actions_client.ts b/x-pack/solutions/security/plugins/security_solution/server/endpoint/services/actions/clients/microsoft/defender/endpoint/ms_defender_endpoint_actions_client.ts index 3b8b9e02a296f..f88f352cdd734 100644 --- a/x-pack/solutions/security/plugins/security_solution/server/endpoint/services/actions/clients/microsoft/defender/endpoint/ms_defender_endpoint_actions_client.ts +++ b/x-pack/solutions/security/plugins/security_solution/server/endpoint/services/actions/clients/microsoft/defender/endpoint/ms_defender_endpoint_actions_client.ts @@ -12,8 +12,14 @@ import { } from '@kbn/stack-connectors-plugin/common/microsoft_defender_endpoint/constants'; import type { MicrosoftDefenderEndpointAgentDetailsParams, + MicrosoftDefenderEndpointIsolateHostParams, MicrosoftDefenderEndpointMachine, + MicrosoftDefenderEndpointReleaseHostParams, } from '@kbn/stack-connectors-plugin/common/microsoft_defender_endpoint/types'; +import type { + IsolationRouteRequestBody, + UnisolationRouteRequestBody, +} from '../../../../../../../../common/api/endpoint'; import type { ActionDetails, EndpointActionDataParameterTypes, @@ -30,6 +36,7 @@ import { } from '../../../lib/base_response_actions_client'; import { stringify } from '../../../../../../utils/stringify'; import { ResponseActionsClientError } from '../../../errors'; +import type { CommonResponseActionMethodOptions } from '../../../lib/types'; export type MicrosoftDefenderActionsClientOptions = ResponseActionsClientOptions & { connectorActions: NormalizedExternalConnectorClient; @@ -212,4 +219,122 @@ export class MicrosoftDefenderEndpointActionsClient extends ResponseActionsClien return msDefenderEndpointGetMachineDetailsApiResponse; } + + async isolate( + actionRequest: IsolationRouteRequestBody, + options: CommonResponseActionMethodOptions = {} + ): Promise { + const reqIndexOptions: ResponseActionsClientWriteActionRequestToEndpointIndexOptions< + undefined, + {}, + MicrosoftDefenderEndpointActionRequestCommonMeta + > = { + ...actionRequest, + ...this.getMethodOptions(options), + command: 'isolate', + }; + + if (!reqIndexOptions.error) { + let error = (await this.validateRequest(reqIndexOptions)).error; + + if (!error) { + try { + await this.sendAction( + MICROSOFT_DEFENDER_ENDPOINT_SUB_ACTION.ISOLATE_HOST, + { + id: actionRequest.endpoint_ids[0], + comment: actionRequest.comment ?? '', + } + ); + } catch (err) { + error = err; + } + } + + reqIndexOptions.error = error?.message; + + if (!this.options.isAutomated && error) { + throw error; + } + } + + const { actionDetails, actionEsDoc: actionRequestDoc } = + await this.handleResponseActionCreation(reqIndexOptions); + + if ( + !actionRequestDoc.error && + !this.options.endpointService.experimentalFeatures.responseActionsMSDefenderEndpointEnabled + ) { + await this.writeActionResponseToEndpointIndex({ + actionId: actionRequestDoc.EndpointActions.action_id, + agentId: actionRequestDoc.agent.id, + data: { + command: actionRequestDoc.EndpointActions.data.command, + }, + }); + + return this.fetchActionDetails(actionRequestDoc.EndpointActions.action_id); + } + + return actionDetails; + } + + async release( + actionRequest: UnisolationRouteRequestBody, + options: CommonResponseActionMethodOptions = {} + ): Promise { + const reqIndexOptions: ResponseActionsClientWriteActionRequestToEndpointIndexOptions< + undefined, + {}, + MicrosoftDefenderEndpointActionRequestCommonMeta + > = { + ...actionRequest, + ...this.getMethodOptions(options), + command: 'unisolate', + }; + + if (!reqIndexOptions.error) { + let error = (await this.validateRequest(reqIndexOptions)).error; + + if (!error) { + try { + await this.sendAction( + MICROSOFT_DEFENDER_ENDPOINT_SUB_ACTION.RELEASE_HOST, + { + id: actionRequest.endpoint_ids[0], + comment: actionRequest.comment ?? '', + } + ); + } catch (err) { + error = err; + } + } + + reqIndexOptions.error = error?.message; + + if (!this.options.isAutomated && error) { + throw error; + } + } + + const { actionDetails, actionEsDoc: actionRequestDoc } = + await this.handleResponseActionCreation(reqIndexOptions); + + if ( + !actionRequestDoc.error && + !this.options.endpointService.experimentalFeatures.responseActionsMSDefenderEndpointEnabled + ) { + await this.writeActionResponseToEndpointIndex({ + actionId: actionRequestDoc.EndpointActions.action_id, + agentId: actionRequestDoc.agent.id, + data: { + command: actionRequestDoc.EndpointActions.data.command, + }, + }); + + return this.fetchActionDetails(actionRequestDoc.EndpointActions.action_id); + } + + return actionDetails; + } }