[Osquery] [Fix] Response action pack's queries update (#146782)

2025-04-24 01:38:56 -04:00 · 2022-12-01 21:30:20 +01:00 · 2022-12-01 21:30:20 +01:00 · ec7ba49dca
commit ec7ba49dca
parent d3b4d39099
2 changed files with 57 additions and 8 deletions
--- a/x-pack/plugins/osquery/cypress/e2e/all/alerts.cy.ts
+++ b/x-pack/plugins/osquery/cypress/e2e/all/alerts.cy.ts
@ -31,6 +31,7 @@ describe('Alert Event Details', () => {

  before(() => {
    runKbnArchiverScript(ArchiverMethod.LOAD, 'pack');
+    runKbnArchiverScript(ArchiverMethod.LOAD, 'example_pack');
    runKbnArchiverScript(ArchiverMethod.LOAD, 'rule');
  });
  beforeEach(() => {
@ -39,6 +40,7 @@ describe('Alert Event Details', () => {

  after(() => {
    runKbnArchiverScript(ArchiverMethod.UNLOAD, 'pack');
+    runKbnArchiverScript(ArchiverMethod.UNLOAD, 'example_pack');
    runKbnArchiverScript(ArchiverMethod.UNLOAD, 'rule');
  });

@ -144,19 +146,54 @@ describe('Alert Event Details', () => {
      cy.contains('Log message optimized for viewing in a log viewer');
      cy.contains('Days of uptime');
    });
+    cy.intercept('PUT', '/api/detection_engine/rules').as('saveRule');
    cy.contains('Save changes').click();
+    cy.wait('@saveRule').should(({ request }) => {
+      const oneQuery = [
+        {
+          interval: 10,
+          query: 'select * from uptime;',
+          id: 'fds',
+        },
+      ];
+      expect(request.body.response_actions[0].params.queries).to.deep.equal(oneQuery);
+    });
+
    cy.contains(`${RULE_NAME} was saved`).should('exist');
    cy.getBySel('toastCloseButton').click();
    cy.contains('Edit rule settings').click();
    cy.getBySel('edit-rule-actions-tab').wait(500).click();
    cy.getBySel(RESPONSE_ACTIONS_ITEM_0).within(() => {
      cy.contains('testpack');
+      cy.getBySel('comboBoxInput').type('Example{downArrow}{enter}');
    });
    cy.getBySel(RESPONSE_ACTIONS_ITEM_1).within(() => {
      cy.contains('select * from uptime');
      cy.contains('Log message optimized for viewing in a log viewer');
      cy.contains('Days of uptime');
    });
+    cy.contains('Save changes').click();
+    cy.wait('@saveRule').should(({ request }) => {
+      const threeQueries = [
+        {
+          interval: 3600,
+          query: 'SELECT * FROM memory_info;',
+          platform: 'linux',
+          id: 'system_memory_linux_elastic',
+        },
+        {
+          interval: 3600,
+          query: 'SELECT * FROM system_info;',
+          id: 'system_info_elastic',
+        },
+        {
+          interval: 10,
+          query: 'select opera_extensions.* from users join opera_extensions using (uid);',
+          id: 'failingQuery',
+        },
+      ];
+      expect(request.body.response_actions[0].params.queries).to.deep.equal(threeQueries);
+    });
  });

  it('should be able to run live query and add to timeline (-depending on the previous test)', () => {
--- a/x-pack/plugins/osquery/public/shared_components/osquery_response_action_type/index.tsx
+++ b/x-pack/plugins/osquery/public/shared_components/osquery_response_action_type/index.tsx
@ -9,15 +9,16 @@ import React, { useEffect, useMemo } from 'react';
 import { EuiSpacer } from '@elastic/eui';
 import uuid from 'uuid';
 import type { FieldErrors } from 'react-hook-form';
+import { useFieldArray } from 'react-hook-form';
 import { useForm as useHookForm, FormProvider } from 'react-hook-form';
 import { map, omit } from 'lodash';

 import type { ECSMapping } from '@kbn/osquery-io-ts-types';
+import { usePack } from '../../packs/use_pack';
 import { QueryPackSelectable } from '../../live_queries/form/query_pack_selectable';
 import { useKibana } from '../../common/lib/kibana';
 import { LiveQueryQueryField } from '../../live_queries/form/live_query_query_field';
 import { PackFieldWrapper } from './pack_field_wrapper';
-import { usePack } from '../../packs/use_pack';

 interface OsqueryResponseActionsValues {
  savedQueryId?: string | null;
@ -74,7 +75,7 @@ const OsqueryResponseActionParamsFormComponent = ({
        },
  });

-  const { watch, register, formState } = hooksForm;
+  const { watch, register, formState, control } = hooksForm;

  const [packId, queryType, queries, id] = watch(['packId', 'queryType', 'queries', 'id']);
  const { data: packData } = usePack({
@ -82,6 +83,22 @@ const OsqueryResponseActionParamsFormComponent = ({
    skip: !packId?.[0],
  });

+  const { replace } = useFieldArray({
+    name: 'queries',
+    control,
+  });
+
+  useEffect(() => {
+    if (packData?.queries) {
+      const queriesArray = map(packData?.queries, (query, queryId: string) => ({
+        ...query,
+        id: queryId,
+      }));
+
+      replace(queriesArray);
+    }
+  }, [packData, replace]);
+
  useEffect(() => {
    onError(formState.errors);
  }, [onError, formState]);
@ -99,12 +116,7 @@ const OsqueryResponseActionParamsFormComponent = ({
          ? {
              id: formData.id,
              packId: formData?.packId?.length ? formData?.packId[0] : undefined,
-              queries: packData
-                ? map(packData.queries, (query, queryId: string) => ({
-                    ...query,
-                    id: queryId,
-                  }))
-                : formData.queries,
+              queries: formData.queries,
            }
          : {
              id: formData.id,