[Defend Workflows] Live queries with parameters on timelines' events (#151317)

Closes https://github.com/elastic/security-team/issues/5999


![test](https://user-images.githubusercontent.com/29123534/219058689-f2c423b8-b239-4ec0-b946-7b2e350749e3.gif)

**BUG**
"Take action" > "Run osquery" on a timeline event that is not an alert
does not substitute params.
**CAUSE**
Lack of context connection in the component that carries `alertData`
This commit is contained in:
Konrad Szwarc 2023-02-20 12:22:28 +01:00 committed by GitHub
parent cb03bb67c1
commit 9109fd5afe
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23


@ -8,10 +8,14 @@
import { EuiButton, EuiButtonEmpty, EuiFlexGroup, EuiFlexItem } from '@elastic/eui';
import { FormattedMessage } from '@kbn/i18n-react';
import type { ECSMapping } from '@kbn/osquery-io-ts-types';
import React, { useCallback, useEffect, useMemo, useState } from 'react';
import React, { useCallback, useContext, useEffect, useMemo, useState } from 'react';
import { useForm as useHookForm, FormProvider } from 'react-hook-form';
import { isEmpty, find, pickBy } from 'lodash';
import {
containsDynamicQuery,
replaceParamsQuery,
} from '../../../common/utils/replace_params_query';
import { PLUGIN_NAME as OSQUERY_PLUGIN_NAME } from '../../../common';
import { QueryPackSelectable } from './query_pack_selectable';
import type { SavedQuerySOFormData } from '../../saved_queries/form/use_saved_query_form';
@ -26,6 +30,7 @@ import { LiveQueryQueryField } from './live_query_query_field';
import { AgentsTableField } from './agents_table_field';
import { savedQueryDataSerializer } from '../../saved_queries/form/use_saved_query_form';
import { PackFieldWrapper } from '../../shared_components/osquery_response_action_type/pack_field_wrapper';
import { AlertAttachmentContext } from '../../common/contexts';
export interface LiveQueryFormFields {
alertIds?: string[];
@ -66,6 +71,8 @@ const LiveQueryFormComponent: React.FC<LiveQueryFormProps> = ({
enabled = true,
hideAgentsField = false,
}) => {
const alertAttachmentContext = useContext(AlertAttachmentContext);
const { application, appName } = useKibana().services;
const permissions = application.capabilities.osquery;
const canRunPacks = useMemo(
@ -138,11 +145,17 @@ const LiveQueryFormComponent: React.FC<LiveQueryFormProps> = ({
const onSubmit = useCallback(
async (values: LiveQueryFormFields) => {
// Temporary, frontend solution for params substitution. To be removed once alert_ids refactored in create_live_query_route
const query =
values.query && containsDynamicQuery(values.query) && alertAttachmentContext
? replaceParamsQuery(values.query, alertAttachmentContext).result
: values.query;
const serializedData = pickBy(
{
agentSelection: values.agentSelection,
saved_query_id: values.savedQueryId,
query: values.query,
query,
alert_ids: values.alertIds,
pack_id: values?.packId?.length ? values?.packId[0] : undefined,
ecs_mapping: values.ecs_mapping,
@ -152,7 +165,7 @@ const LiveQueryFormComponent: React.FC<LiveQueryFormProps> = ({
await mutateAsync(serializedData);
},
[mutateAsync]
[alertAttachmentContext, mutateAsync]
);
const serializedData: SavedQuerySOFormData = useMemo(
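Review bot: The `query` built on the new lines in the fourth hunk has values from `alertAttachmentContext` interpolated into the osquery SQL text on the client before it reaches `mutateAsync`, and nothing in the hunk shows whether `replaceParamsQuery` quotes or escapes those values; since they come from the event document rather than from the person typing the query, a field value containing SQL metacharacters could change the query's meaning unless the helper or the server validates it. Worth confirming against `replace_params_query` and `create_live_query_route` (both named in the hunk's own comment) and recording the outcome next to the "Temporary" comment, e.g. `// Substituted values originate from the event document; replaceParamsQuery must escape them (or the route must re-validate the query) — verify before relying on this client-side path`. The `alert_ids` field is still sent alongside the already-substituted query, so if the route performs its own substitution the same parameters may be replaced twice; this is inferred, since the route is outside this hunk. `onSubmit` is inside `LiveQueryFormComponent`, which starts and ends outside the hunk.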