[Defend Workflows] Osquery fixes (#155020)

2025-04-24 09:48:58 -04:00 · 2023-04-26 15:34:06 +02:00 · 2023-04-26 15:34:06 +02:00 · fda5ee96b3
commit fda5ee96b3
parent 5f5aba3981
6 changed files with 41 additions and 19 deletions
--- a/x-pack/plugins/osquery/public/live_queries/form/index.tsx
+++ b/x-pack/plugins/osquery/public/live_queries/form/index.tsx
@ -82,16 +82,8 @@ const LiveQueryFormComponent: React.FC<LiveQueryFormProps> = ({
  );

  const hooksForm = useHookForm<LiveQueryFormFields>();
-  const {
-    handleSubmit,
-    watch,
-    setValue,
-    resetField,
-    clearErrors,
-    getFieldState,
-    register,
-    formState: { isSubmitting },
-  } = hooksForm;
+  const { handleSubmit, watch, setValue, resetField, clearErrors, getFieldState, register } =
+    hooksForm;

  const canRunSingleQuery = useMemo(
    () =>
@ -157,7 +149,7 @@ const LiveQueryFormComponent: React.FC<LiveQueryFormProps> = ({
          saved_query_id: values.savedQueryId,
          query,
          alert_ids: values.alertIds,
-          pack_id: values?.packId?.length ? values?.packId[0] : undefined,
+          pack_id: queryType === 'pack' && values?.packId?.length ? values?.packId[0] : undefined,
          ecs_mapping: values.ecs_mapping,
        },
        (value) => !isEmpty(value)
@ -165,7 +157,7 @@ const LiveQueryFormComponent: React.FC<LiveQueryFormProps> = ({

      await mutateAsync(serializedData);
    },
-    [alertAttachmentContext, mutateAsync]
+    [alertAttachmentContext, mutateAsync, queryType]
  );

  const serializedData: SavedQuerySOFormData = useMemo(
@ -196,7 +188,7 @@ const LiveQueryFormComponent: React.FC<LiveQueryFormProps> = ({
            <EuiButton
              id="submit-button"
              disabled={!enabled}
-              isLoading={isSubmitting}
+              isLoading={isLoading}
              onClick={handleSubmit(onSubmit)}
            >
              <FormattedMessage
@ -215,7 +207,7 @@ const LiveQueryFormComponent: React.FC<LiveQueryFormProps> = ({
      resultsStatus,
      handleShowSaveQueryFlyout,
      enabled,
-      isSubmitting,
+      isLoading,
      handleSubmit,
      onSubmit,
    ]
--- a/x-pack/plugins/osquery/server/common/error.ts
+++ b/x-pack/plugins/osquery/server/common/error.ts
@ -0,0 +1,15 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+export class CustomHttpRequestError extends Error {
+  constructor(message: string, public readonly statusCode: number = 500) {
+    super(message);
+    // For debugging - capture name of subclasses
+    this.name = this.constructor.name;
+    this.message = message;
+  }
+}
--- a/x-pack/plugins/osquery/server/common/types.ts
+++ b/x-pack/plugins/osquery/server/common/types.ts
@ -56,3 +56,7 @@ export interface SavedQuerySavedObjectAttributes {
 }

 export type SavedQuerySavedObject = SavedObject<PackSavedObjectAttributes>;
+
+export interface HTTPError extends Error {
+  statusCode: number;
+}
--- a/x-pack/plugins/osquery/server/handlers/action/create_action_handler.ts
+++ b/x-pack/plugins/osquery/server/handlers/action/create_action_handler.ts
@ -21,6 +21,7 @@ import { convertSOQueriesToPack } from '../../routes/pack/utils';
 import { ACTIONS_INDEX } from '../../../common/constants';
 import { TELEMETRY_EBT_LIVE_QUERY_EVENT } from '../../lib/telemetry/constants';
 import type { PackSavedObjectAttributes } from '../../common/types';
+import { CustomHttpRequestError } from '../../common/error';

 interface Metadata {
  currentUser: string | undefined;
@ -55,7 +56,7 @@ export const createActionHandler = async (
  });

  if (!selectedAgents.length) {
-    throw new Error('No agents found for selection');
+    throw new CustomHttpRequestError('No agents found for selection', 400);
  }

  let packSO;
--- a/x-pack/plugins/osquery/server/lib/fleet_integration.ts
+++ b/x-pack/plugins/osquery/server/lib/fleet_integration.ts
@ -34,11 +34,20 @@ export const getPackagePolicyDeleteCallback =
          await Promise.all(
            map(
              foundPacks.saved_objects,
-              (pack: { id: string; references: SavedObjectReference[] }) =>
+              (pack: {
+                id: string;
+                references: SavedObjectReference[];
+                attributes: { shards: Array<{ key: string; value: string }> };
+              }) =>
                packsClient.update(
                  packSavedObjectType,
                  pack.id,
-                  {},
+                  {
+                    shards: filter(
+                      pack.attributes.shards,
+                      (shard) => shard.key !== deletedOsqueryManagerPolicy.policy_id
+                    ),
+                  },
                  {
                    references: filter(
                      pack.references,
--- a/x-pack/plugins/osquery/server/routes/live_query/create_live_query_route.ts
+++ b/x-pack/plugins/osquery/server/routes/live_query/create_live_query_route.ts
@ -113,8 +113,9 @@ export const createLiveQueryRoute = (router: IRouter, osqueryContext: OsqueryApp
          body: { data: osqueryAction },
        });
      } catch (error) {
-        // TODO validate for 400 (when agents are not found for selection)
-        // return response.badRequest({ body: new Error('No agents found for selection') });
+        if (error.statusCode === 400) {
+          return response.badRequest({ body: error });
+        }

        return response.customError({
          statusCode: 500,