[Security solution][Endpoint] Get os name from host.os.name when agent type endpoint (#103450) (#103506)

* When type endpoint gets os type from os name instead of os family * Allow users add event filters only for endpoint events * Fixes error with wrong map function Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com> Co-authored-by: David Sánchez <davidsansol92@gmail.com>
2025-04-24 17:59:23 -04:00 · 2021-06-28 13:50:38 -04:00 · 2021-06-28 13:50:38 -04:00 · bd7e1d6d2d
commit bd7e1d6d2d
parent 1da8a0e7c9
3 changed files with 14 additions and 11 deletions
--- a/x-pack/plugins/security_solution/public/management/pages/event_filters/store/utils.ts
+++ b/x-pack/plugins/security_solution/public/management/pages/event_filters/store/utils.ts
@ -10,6 +10,14 @@ import type { CreateExceptionListItemSchema } from '@kbn/securitysolution-io-ts-
 import { Ecs } from '../../../../../common/ecs';
 import { ENDPOINT_EVENT_FILTERS_LIST_ID } from '../constants';

+const osTypeBasedOnAgentType = (data?: Ecs) => {
+  if (data?.agent?.type?.includes('endpoint')) {
+    return (data?.host?.os?.name || ['windows']).map((name) => name.toLowerCase());
+  } else {
+    return data?.host?.os?.family ?? ['windows'];
+  }
+};
+
 export const getInitialExceptionFromEvent = (data?: Ecs): CreateExceptionListItemSchema => ({
  comments: [],
  description: '',
@ -46,11 +54,5 @@ export const getInitialExceptionFromEvent = (data?: Ecs): CreateExceptionListIte
  namespace_type: 'agnostic',
  tags: ['policy:all'],
  type: 'simple',
-  // TODO: Try to fix this type casting
-  os_types: [
-    (data && data.host ? data.host.os?.family ?? ['windows'] : ['windows'])[0] as
-      | 'windows'
-      | 'linux'
-      | 'macos',
-  ],
+  os_types: osTypeBasedOnAgentType(data) as Array<'windows' | 'linux' | 'macos'>,
 });
--- a/x-pack/plugins/security_solution/public/management/pages/event_filters/test_utils/index.ts
+++ b/x-pack/plugins/security_solution/public/management/pages/event_filters/test_utils/index.ts
@ -50,6 +50,7 @@ export const ecsEventMock = (): Ecs => ({
    name: ['Host-tvs68wo3qc'],
    os: {
      family: ['windows'],
+      name: ['Windows'],
    },
    id: ['a563b365-2bee-40df-adcd-ae84d889f523'],
    ip: ['10.242.233.187'],
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/actions/index.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/actions/index.tsx
@ -87,9 +87,9 @@ const ActionsComponent: React.FC<ActionProps> = ({
  );
  const eventType = getEventType(ecsData);

-  const isEventContextMenuEnabled = useMemo(
-    () => !!ecsData.event?.kind && ecsData.event?.kind[0] === 'event',
-    [ecsData.event?.kind]
+  const isEventContextMenuEnabledForEndpoint = useMemo(
+    () => ecsData.event?.kind?.includes('event') && ecsData.agent?.type?.includes('endpoint'),
+    [ecsData.event?.kind, ecsData.agent?.type]
  );

  return (
@ -174,7 +174,7 @@ const ActionsComponent: React.FC<ActionProps> = ({
          key="alert-context-menu"
          ecsRowData={ecsData}
          timelineId={timelineId}
-          disabled={eventType !== 'signal' && !isEventContextMenuEnabled}
+          disabled={eventType !== 'signal' && !isEventContextMenuEnabledForEndpoint}
          refetch={refetch ?? noop}
          onRuleChange={onRuleChange}
        />