update action details by action id API

Only search on endpoint actions index and not `.fleet-actions` index
2025-04-24 17:59:23 -04:00 · 2022-06-09 14:59:53 +02:00 · 2022-06-09 14:59:53 +02:00 · c88dbb3c5a
commit c88dbb3c5a
parent c87d446316
5 changed files with 42 additions and 55 deletions
--- a/x-pack/plugins/security_solution/common/endpoint/data_generators/endpoint_action_generator.ts
+++ b/x-pack/plugins/security_solution/common/endpoint/data_generators/endpoint_action_generator.ts
@ -8,7 +8,7 @@
 import { DeepPartial } from 'utility-types';
 import { merge } from 'lodash';
 import * as estypes from '@elastic/elasticsearch/lib/api/typesWithBodyKey';
-import { ENDPOINT_ACTION_RESPONSES_DS, ENDPOINT_ACTIONS_INDEX } from '../constants';
+import { ENDPOINT_ACTION_RESPONSES_DS, ENDPOINT_ACTIONS_DS } from '../constants';
 import { BaseDataGenerator } from './base_data_generator';
 import {
  ActionDetails,
@ -59,7 +59,7 @@ export class EndpointActionGenerator extends BaseDataGenerator {
    overrides: DeepPartial<LogsEndpointAction> = {}
  ): estypes.SearchHit<LogsEndpointAction> {
    return Object.assign(this.toEsSearchHit(this.generate(overrides)), {
-      _index: `.ds-${ENDPOINT_ACTIONS_INDEX}-some_namespace`,
+      _index: `.ds-${ENDPOINT_ACTIONS_DS}-some_namespace`,
    });
  }

--- a/x-pack/plugins/security_solution/server/endpoint/services/actions/action_details_by_id.test.ts
+++ b/x-pack/plugins/security_solution/server/endpoint/services/actions/action_details_by_id.test.ts
@ -45,7 +45,7 @@ describe('When using `getActionDetailsById()', () => {
      command: 'isolate',
      completedAt: '2022-04-30T16:08:47.449Z',
      wasSuccessful: true,
-      error: undefined,
+      errors: undefined,
      id: '123',
      isCompleted: true,
      isExpired: false,
@ -54,20 +54,25 @@ describe('When using `getActionDetailsById()', () => {
          item: {
            data: {
              '@timestamp': '2022-04-27T16:08:47.449Z',
-              action_id: '123',
-              agents: ['agent-a'],
-              data: {
-                command: 'isolate',
-                comment: '5wb6pu6kh2xix5i',
+              EndpointActions: {
+                action_id: '123',
+                data: {
+                  command: 'isolate',
+                  comment: '5wb6pu6kh2xix5i',
+                },
+                expiration: expect.any(String),
+                input_type: 'endpoint',
+                type: 'INPUT_ACTION',
              },
-              expiration: '2022-04-29T16:08:47.449Z',
-              input_type: 'endpoint',
-              type: 'INPUT_ACTION',
-              user_id: 'elastic',
+              agent: { id: 'agent-a' },
+              user: {
+                id: expect.any(String),
+              },
+              error: undefined,
            },
-            id: '44d8b915-c69c-4c48-8c86-b57d0bd631d0',
+            id: expect.any(String),
          },
-          type: 'fleetAction',
+          type: 'action',
        },
        {
          item: {
@ -103,6 +108,7 @@ describe('When using `getActionDetailsById()', () => {
              agent: {
                id: 'agent-a',
              },
+              error: undefined,
            },
            id: expect.any(String),
          },
--- a/x-pack/plugins/security_solution/server/endpoint/services/actions/action_details_by_id.ts
+++ b/x-pack/plugins/security_solution/server/endpoint/services/actions/action_details_by_id.ts
@ -7,18 +7,16 @@

 import { ElasticsearchClient } from '@kbn/core/server';

+import { ENDPOINT_ACTIONS_INDEX } from '../../../../common/endpoint/constants';
 import {
  categorizeActionResults,
  categorizeResponseResults,
  getActionCompletionInfo,
-  getUniqueLogData,
  mapToNormalizedActionRequest,
 } from './utils';
 import type {
  ActionDetails,
-  ActivityLogAction,
  ActivityLogActionResponse,
-  EndpointAction,
  EndpointActionResponse,
  EndpointActivityLogAction,
  EndpointActivityLogActionResponse,
@ -28,17 +26,13 @@ import type {
 import { catchAndWrapError } from '../../utils';
 import { EndpointError } from '../../../../common/endpoint/errors';
 import { NotFoundError } from '../../errors';
-import {
-  ACTION_REQUEST_INDICES,
-  ACTION_RESPONSE_INDICES,
-  ACTIONS_SEARCH_PAGE_SIZE,
-} from './constants';
+import { ACTION_RESPONSE_INDICES, ACTIONS_SEARCH_PAGE_SIZE } from './constants';

 export const getActionDetailsById = async (
  esClient: ElasticsearchClient,
  actionId: string
 ): Promise<ActionDetails> => {
-  let actionRequestsLogEntries: Array<ActivityLogAction | EndpointActivityLogAction>;
+  let actionRequestsLogEntries: EndpointActivityLogAction[];

  let normalizedActionRequest: ReturnType<typeof mapToNormalizedActionRequest> | undefined;
  let actionResponses: Array<ActivityLogActionResponse | EndpointActivityLogActionResponse>;
@ -48,9 +42,9 @@ export const getActionDetailsById = async (
    const [actionRequestEsSearchResults, actionResponsesEsSearchResults] = await Promise.all([
      // Get the action request(s)
      esClient
-        .search<EndpointAction | LogsEndpointAction>(
+        .search<LogsEndpointAction>(
          {
-            index: ACTION_REQUEST_INDICES,
+            index: ENDPOINT_ACTIONS_INDEX,
            body: {
              query: {
                bool: {
@ -88,11 +82,9 @@ export const getActionDetailsById = async (
        .catch(catchAndWrapError),
    ]);

-    actionRequestsLogEntries = getUniqueLogData(
-      categorizeActionResults({
-        results: actionRequestEsSearchResults?.hits?.hits ?? [],
-      })
-    ) as Array<ActivityLogAction | EndpointActivityLogAction>;
+    actionRequestsLogEntries = categorizeActionResults({
+      results: actionRequestEsSearchResults?.hits?.hits ?? [],
+    }) as EndpointActivityLogAction[];

    // Multiple Action records could have been returned, but we only really
    // need one since they both hold similar data
--- a/x-pack/plugins/security_solution/server/endpoint/services/actions/action_list.ts
+++ b/x-pack/plugins/security_solution/server/endpoint/services/actions/action_list.ts
@ -9,7 +9,6 @@ import { ElasticsearchClient, Logger } from '@kbn/core/server';
 import { EndpointError } from '../../../../common/endpoint/errors';
 import type { ActionDetails, ActionListApiResponse } from '../../../../common/endpoint/types';
 import { wrapErrorIfNeeded } from '../../utils';
-import { NotFoundError } from '../../errors';

 import {
  getActions,
--- a/x-pack/plugins/security_solution/server/endpoint/services/actions/mocks.ts
+++ b/x-pack/plugins/security_solution/server/endpoint/services/actions/mocks.ts
@ -7,11 +7,10 @@

 import * as estypes from '@elastic/elasticsearch/lib/api/typesWithBodyKey';
 import { ElasticsearchClientMock } from '@kbn/core/server/mocks';
-import { AGENT_ACTIONS_INDEX, AGENT_ACTIONS_RESULTS_INDEX } from '@kbn/fleet-plugin/common';
+import { AGENT_ACTIONS_RESULTS_INDEX } from '@kbn/fleet-plugin/common';
 import { EndpointActionGenerator } from '../../../../common/endpoint/data_generators/endpoint_action_generator';
 import { FleetActionGenerator } from '../../../../common/endpoint/data_generators/fleet_action_generator';
 import {
-  EndpointAction,
  EndpointActionResponse,
  LogsEndpointAction,
  LogsEndpointActionResponse,
@ -21,25 +20,18 @@ import {
  ENDPOINT_ACTIONS_INDEX,
 } from '../../../../common/endpoint/constants';

-export const createActionRequestsEsSearchResultsMock = (): estypes.SearchResponse<
-  EndpointAction | LogsEndpointAction
-> => {
-  const endpointActionGenerator = new EndpointActionGenerator('seed');
-  const fleetActionGenerator = new FleetActionGenerator('seed');
+export const createActionRequestsEsSearchResultsMock =
+  (): estypes.SearchResponse<LogsEndpointAction> => {
+    const endpointActionGenerator = new EndpointActionGenerator('seed');

-  return endpointActionGenerator.toEsSearchResponse<EndpointAction | LogsEndpointAction>([
-    fleetActionGenerator.generateActionEsHit({
-      action_id: '123',
-      agents: ['agent-a'],
-      '@timestamp': '2022-04-27T16:08:47.449Z',
-    }),
-    endpointActionGenerator.generateActionEsHit({
-      EndpointActions: { action_id: '123' },
-      agent: { id: 'agent-a' },
-      '@timestamp': '2022-04-27T16:08:47.449Z',
-    }),
-  ]);
-};
+    return endpointActionGenerator.toEsSearchResponse<LogsEndpointAction>([
+      endpointActionGenerator.generateActionEsHit({
+        EndpointActions: { action_id: '123' },
+        agent: { id: 'agent-a' },
+        '@timestamp': '2022-04-27T16:08:47.449Z',
+      }),
+    ]);
+  };

 export const createActionResponsesEsSearchResultsMock = (): estypes.SearchResponse<
  LogsEndpointActionResponse | EndpointActionResponse
@ -73,9 +65,7 @@ export const createActionResponsesEsSearchResultsMock = (): estypes.SearchRespon
 */
 export const applyActionsEsSearchMock = (
  esClient: ElasticsearchClientMock,
-  actionRequests: estypes.SearchResponse<
-    EndpointAction | LogsEndpointAction
-  > = createActionRequestsEsSearchResultsMock(),
+  actionRequests: estypes.SearchResponse<LogsEndpointAction> = createActionRequestsEsSearchResultsMock(),
  actionResponses: estypes.SearchResponse<
    LogsEndpointActionResponse | EndpointActionResponse
  > = createActionResponsesEsSearchResultsMock()
@ -86,7 +76,7 @@ export const applyActionsEsSearchMock = (
    const params = args[0] ?? {};
    const indexes = Array.isArray(params.index) ? params.index : [params.index];

-    if (indexes.includes(AGENT_ACTIONS_INDEX) || indexes.includes(ENDPOINT_ACTIONS_INDEX)) {
+    if (indexes.includes(ENDPOINT_ACTIONS_INDEX)) {
      return actionRequests;
    } else if (
      indexes.includes(AGENT_ACTIONS_RESULTS_INDEX) ||