[Security Solution][Hosts] Fix Host Events flyout and remove the Endpoint Host Isolation Take Action button (only valid for Alerts) (#103784)

* Fix bug in `endpointAlertCheck` to ensure events are not looked at * Fix data/type
2025-04-23 09:19:04 -04:00 · 2021-06-29 20:43:13 -04:00 · 2021-06-29 20:43:13 -04:00 · 37e2d8a6c5
commit 37e2d8a6c5
parent 0de3df5f0d
4 changed files with 54 additions and 19 deletions
--- a/x-pack/plugins/security_solution/public/common/mock/mock_detail_item.ts
+++ b/x-pack/plugins/security_solution/public/common/mock/mock_detail_item.ts
@ -9,7 +9,7 @@ import { TimelineEventsDetailsItem } from '../../../common/search_strategy';

 export const mockDetailItemDataId = 'Y-6TfmcB0WOhS6qyMv3s';

-export const mockDetailItemData: TimelineEventsDetailsItem[] = [
+export const generateMockDetailItemData = (): TimelineEventsDetailsItem[] => [
  {
    field: '_id',
    originalValue: 'pEMaMmkBUV60JmNWmWVi',
@ -137,3 +137,5 @@ export const mockDetailItemData: TimelineEventsDetailsItem[] = [
    isObjectArray: false,
  },
 ];
+
+export const mockDetailItemData: TimelineEventsDetailsItem[] = generateMockDetailItemData();
--- a/x-pack/plugins/security_solution/public/common/utils/endpoint_alert_check.test.ts
+++ b/x-pack/plugins/security_solution/public/common/utils/endpoint_alert_check.test.ts
@ -6,26 +6,48 @@
 */

 import _ from 'lodash';
-import { mockDetailItemData } from '../mock';
+import { generateMockDetailItemData } from '../mock';
 import { endpointAlertCheck } from './endpoint_alert_check';

-describe('utils', () => {
-  describe('endpointAlertCheck', () => {
-    it('should return false if detections data does not come from endpoint rule', () => {
-      expect(endpointAlertCheck({ data: mockDetailItemData })).toBeFalsy();
-    });
-    it('should return true if detections data comes from an endpoint rule', () => {
-      _.remove(mockDetailItemData, function (o) {
-        return o.field === 'agent.type';
-      });
-      const mockEndpointDetailItemData = _.concat(mockDetailItemData, {
+describe('Endpoint Alert Check Utility', () => {
+  let mockDetailItemData: ReturnType<typeof generateMockDetailItemData>;
+
+  beforeEach(() => {
+    mockDetailItemData = generateMockDetailItemData();
+
+    // Remove the filebeat agent type from the mock
+    _.remove(mockDetailItemData, { field: 'agent.type' });
+
+    mockDetailItemData.push(
+      // Must be an Alert
+      {
+        field: 'signal.rule.id',
+        category: 'signal',
+        originalValue: 'endpoint',
+        values: ['endpoint'],
+        isObjectArray: false,
+      },
+      // Must be from an endpoint agent
+      {
        field: 'agent.type',
        originalValue: 'endpoint',
        values: ['endpoint'],
        isObjectArray: false,
-      });
+      }
+    );
+  });

-      expect(endpointAlertCheck({ data: mockEndpointDetailItemData })).toBeTruthy();
-    });
+  it('should return true if detections data comes from an endpoint rule', () => {
+    expect(endpointAlertCheck({ data: mockDetailItemData })).toBe(true);
+  });
+
+  it('should return false if it is not an Alert (ex. maybe an event)', () => {
+    _.remove(mockDetailItemData, { field: 'signal.rule.id' });
+    expect(endpointAlertCheck({ data: mockDetailItemData })).toBeFalsy();
+  });
+
+  it('should return false if it is not an endpoint agent', () => {
+    _.remove(mockDetailItemData, { field: 'agent.type' });
+    expect(endpointAlertCheck({ data: mockDetailItemData })).toBeFalsy();
  });
 });
--- a/x-pack/plugins/security_solution/public/common/utils/endpoint_alert_check.ts
+++ b/x-pack/plugins/security_solution/public/common/utils/endpoint_alert_check.ts
@ -5,10 +5,21 @@
 * 2.0.
 */

-import { find } from 'lodash/fp';
-import { TimelineEventsDetailsItem } from '../../../common/search_strategy';
+import { find, some } from 'lodash/fp';
+import { TimelineEventsDetailsItem } from '../../../../timelines/common';
+
+/**
+ * Checks to see if the given set of Timeline event detail items includes data that indicates its
+ * an endpoint Alert. Note that it will NOT match on Events - only alerts
+ * @param data
+ */
+export const endpointAlertCheck = ({ data }: { data: TimelineEventsDetailsItem[] }): boolean => {
+  const isAlert = some({ category: 'signal', field: 'signal.rule.id' }, data);
+
+  if (!isAlert) {
+    return false;
+  }

-export const endpointAlertCheck = ({ data }: { data: TimelineEventsDetailsItem[] | null }) => {
  const findEndpointAlert = find({ field: 'agent.type' }, data)?.values;
  return findEndpointAlert ? findEndpointAlert[0] === 'endpoint' : false;
 };
--- a/x-pack/plugins/security_solution/public/timelines/components/side_panel/event_details/index.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/side_panel/event_details/index.tsx
@ -95,7 +95,7 @@ const EventDetailsPanelComponent: React.FC<EventDetailsPanelProps> = ({
  const isAlert = some({ category: 'signal', field: 'signal.rule.id' }, detailsData);

  const isEndpointAlert = useMemo(() => {
-    return endpointAlertCheck({ data: detailsData });
+    return endpointAlertCheck({ data: detailsData || [] });
  }, [detailsData]);

  const agentId = useMemo(() => {