[EDR Workflows][Serverless] Fix Host Isolation Exceptions PLIs (#191954)

This PR establishes appropriate privileges across Endpoint tiers. In Endpoint Complete, users will be able to create, update, and delete Host Isolation Exceptions. Upon downgrading to Endpoint Essentials, users should still be able to view and remove items from the Blocklist but will not have the ability to edit or create new entries. Please see linked issue for more details on current behaviour. Expected privileges: Endpoint Essentials - User can read and delete HIE Endpoint Complete - User can read, delete and write HIE https://github.com/user-attachments/assets/69d14a51-6004-45b7-9c78-62066441f4ab
2025-04-24 09:48:58 -04:00 · 2024-09-10 09:20:25 +02:00 · 2024-09-10 09:20:25 +02:00 · 66ab8ab60c
commit 66ab8ab60c
parent e356781ed2
6 changed files with 26 additions and 8 deletions
--- a/x-pack/packages/security-solution/features/src/product_features_keys.ts
+++ b/x-pack/packages/security-solution/features/src/product_features_keys.ts
@ -34,6 +34,11 @@ export enum ProductFeatureSecurityKey {
   * Host Isolation Exceptions, Blocklist.
   */
  endpointArtifactManagement = 'endpoint_artifact_management',
+  /**
+   * Enables managing host isolation exceptions for serverless PLIs
+   * Allows user to create, read, update HIEs Endpoint Complete PLI
+   */
+  endpointHostIsolationExceptions = 'endpoint_host_isolation_exceptions',
  /**
   * Enables all of endpoint's supported response actions - like host isolation, file operations,
   * process operations, command execution, etc.
@ -121,7 +126,7 @@ export enum SecuritySubFeatureId {
  endpointList = 'endpointListSubFeature',
  endpointExceptions = 'endpointExceptionsSubFeature',
  trustedApplications = 'trustedApplicationsSubFeature',
-  hostIsolationExceptions = 'hostIsolationExceptionsSubFeature',
+  hostIsolationExceptionsBasic = 'hostIsolationExceptionsBasicSubFeature',
  blocklist = 'blocklistSubFeature',
  eventFilters = 'eventFiltersSubFeature',
  policyManagement = 'policyManagementSubFeature',
--- a/x-pack/packages/security-solution/features/src/security/kibana_sub_features.ts
+++ b/x-pack/packages/security-solution/features/src/security/kibana_sub_features.ts
@ -125,7 +125,7 @@ const trustedApplicationsSubFeature: SubFeatureConfig = {
    },
  ],
 };
-const hostIsolationExceptionsSubFeature: SubFeatureConfig = {
+const hostIsolationExceptionsBasicSubFeature: SubFeatureConfig = {
  requireAllSpaces: true,
  privilegesTooltip: i18n.translate(
    'securitySolutionPackages.features.featureRegistry.subFeatures.hostIsolationExceptions.privilegesTooltip',
@ -664,7 +664,7 @@ export const getSecuritySubFeaturesMap = ({
    [SecuritySubFeatureId.endpointList, endpointListSubFeature],
    [SecuritySubFeatureId.endpointExceptions, endpointExceptionsSubFeature],
    [SecuritySubFeatureId.trustedApplications, trustedApplicationsSubFeature],
-    [SecuritySubFeatureId.hostIsolationExceptions, hostIsolationExceptionsSubFeature],
+    [SecuritySubFeatureId.hostIsolationExceptionsBasic, hostIsolationExceptionsBasicSubFeature],
    [SecuritySubFeatureId.blocklist, blocklistSubFeature],
    [SecuritySubFeatureId.eventFilters, eventFiltersSubFeature],
    [SecuritySubFeatureId.policyManagement, policyManagementSubFeature],
--- a/x-pack/packages/security-solution/features/src/security/product_feature_config.ts
+++ b/x-pack/packages/security-solution/features/src/security/product_feature_config.ts
@ -79,10 +79,16 @@ export const securityDefaultProductFeaturesConfig: DefaultSecurityProductFeature

  [ProductFeatureSecurityKey.endpointArtifactManagement]: {
    subFeatureIds: [
+      SecuritySubFeatureId.hostIsolationExceptionsBasic,
      SecuritySubFeatureId.trustedApplications,
      SecuritySubFeatureId.blocklist,
      SecuritySubFeatureId.eventFilters,
    ],
+  },
+
+  // Endpoint Complete Tier:
+  // Allows access to create/update HIEs
+  [ProductFeatureSecurityKey.endpointHostIsolationExceptions]: {
    subFeaturesPrivileges: [
      {
        id: 'host_isolation_exceptions_all',
@ -99,7 +105,6 @@ export const securityDefaultProductFeaturesConfig: DefaultSecurityProductFeature

  [ProductFeatureSecurityKey.endpointResponseActions]: {
    subFeatureIds: [
-      SecuritySubFeatureId.hostIsolationExceptions,
      SecuritySubFeatureId.responseActionsHistory,
      SecuritySubFeatureId.hostIsolation,
      SecuritySubFeatureId.processOperations,
@ -117,10 +122,13 @@ export const securityDefaultProductFeaturesConfig: DefaultSecurityProductFeature
  },

  // Product features without RBAC
+  // Endpoint/Osquery PLIs
  [ProductFeatureSecurityKey.osqueryAutomatedResponseActions]: {},
  [ProductFeatureSecurityKey.endpointProtectionUpdates]: {},
  [ProductFeatureSecurityKey.endpointAgentTamperProtection]: {},
  [ProductFeatureSecurityKey.externalRuleActions]: {},
  [ProductFeatureSecurityKey.cloudSecurityPosture]: {},
+
+  // Security PLIs
  [ProductFeatureSecurityKey.integrationAssistant]: {},
 };
--- a/x-pack/plugins/security_solution/server/endpoint/services/artifacts/manifest_manager/manifest_manager.test.ts
+++ b/x-pack/plugins/security_solution/server/endpoint/services/artifacts/manifest_manager/manifest_manager.test.ts
@ -911,7 +911,7 @@ describe('ManifestManager', () => {
      }
    });

-    test(`when it has endpoint artifact management and response actions app features it should generate all exceptions`, async () => {
+    test(`when it has endpoint artifact management and endpoint host isolation exceptions app features it should generate all exceptions`, async () => {
      const exceptionListItem = getExceptionListItemSchemaMock({ os_types: ['macos'] });
      const trustedAppListItem = getExceptionListItemSchemaMock({
        os_types: ['linux'],
@ -931,7 +931,7 @@ describe('ManifestManager', () => {
      });
      const context = buildManifestManagerContextMock({}, [
        ProductFeatureSecurityKey.endpointArtifactManagement,
-        ProductFeatureSecurityKey.endpointResponseActions,
+        ProductFeatureSecurityKey.endpointHostIsolationExceptions,
      ]);
      const manifestManager = new ManifestManager(context);

--- a/x-pack/plugins/security_solution/server/endpoint/services/artifacts/manifest_manager/manifest_manager.ts
+++ b/x-pack/plugins/security_solution/server/endpoint/services/artifacts/manifest_manager/manifest_manager.ts
@ -157,9 +157,14 @@ export class ManifestManager {
  }): Promise<WrappedTranslatedExceptionList> {
    if (!this.cachedExceptionsListsByOs.has(`${listId}-${os}`)) {
      let itemsByListId: ExceptionListItemSchema[] = [];
+      // endpointHostIsolationExceptions includes full CRUD support for Host Isolation Exceptions
+      // endpointArtifactManagement includes full CRUD support for all other exception lists + RD support for Host Isolation Exceptions
+      // If there are host isolation exceptions in place but there is a downgrade scenario, those shouldn't be taken into account when generating artifacts.
      if (
        (listId === ENDPOINT_ARTIFACT_LISTS.hostIsolationExceptions.id &&
-          this.productFeaturesService.isEnabled(ProductFeatureKey.endpointResponseActions)) ||
+          this.productFeaturesService.isEnabled(
+            ProductFeatureKey.endpointHostIsolationExceptions
+          )) ||
        (listId !== ENDPOINT_ARTIFACT_LISTS.hostIsolationExceptions.id &&
          this.productFeaturesService.isEnabled(ProductFeatureKey.endpointArtifactManagement))
      ) {
--- a/x-pack/plugins/security_solution_serverless/common/pli/pli_config.ts
+++ b/x-pack/plugins/security_solution_serverless/common/pli/pli_config.ts
@ -38,10 +38,10 @@ export const PLI_PRODUCT_FEATURES: PliProductFeatures = {
      ProductFeatureKey.endpointExceptions,
    ],
    complete: [
+      ProductFeatureKey.endpointHostIsolationExceptions,
      ProductFeatureKey.endpointResponseActions,
      ProductFeatureKey.osqueryAutomatedResponseActions,
      ProductFeatureKey.endpointAgentTamperProtection,
-      ProductFeatureKey.endpointExceptions,
      ProductFeatureKey.endpointProtectionUpdates,
    ],
  },