[Security Solution][Exceptions] - Adds filtering to endpoint index pa…

…tterns by exceptional fields (#71757)
elastic · Jul 15, 2020 · 8a99880 · 8a99880
1 parent 0d1c166
commit 8a99880
Show file tree

Hide file tree

Showing 2 changed files with 141 additions and 1 deletion.
diff --git a/x-pack/plugins/security_solution/public/common/components/exceptions/builder/index.tsx b/x-pack/plugins/security_solution/public/common/components/exceptions/builder/index.tsx
@@ -23,6 +23,8 @@ import { BuilderButtonOptions } from './builder_button_options';
 import { getNewExceptionItem, filterExceptionItems } from '../helpers';
 import { ExceptionsBuilderExceptionItem, CreateExceptionListItemBuilderSchema } from '../types';
 import { Loader } from '../../loader';
+// eslint-disable-next-line @kbn/eslint/no-restricted-paths
+import exceptionableFields from '../exceptionable_fields.json';
 
 const MyInvisibleAndBadge = styled(EuiFlexItem)`
   visibility: hidden;
@@ -172,6 +174,17 @@ export const ExceptionBuilder = ({
     );
   }, [exceptions]);
 
+  // Filters index pattern fields by exceptionable fields if list type is endpoint
+  const filterIndexPatterns = useCallback(() => {
+    if (listType === 'endpoint') {
+      return {
+        ...indexPatterns,
+        fields: indexPatterns.fields.filter(({ name }) => exceptionableFields.includes(name)),
+      };
+    }
+    return indexPatterns;
+  }, [indexPatterns, listType]);
+
   // The builder can have existing exception items, or new exception items that have yet
   // to be created (and thus lack an id), this was creating some React bugs with relying
   // on the index, as a result, created a temporary id when new exception items are first
@@ -216,7 +229,7 @@ export const ExceptionBuilder = ({
                 key={getExceptionListItemId(exceptionListItem, index)}
                 exceptionItem={exceptionListItem}
                 exceptionId={getExceptionListItemId(exceptionListItem, index)}
-                indexPattern={indexPatterns}
+                indexPattern={filterIndexPatterns()}
                 isLoading={indexPatternLoading}
                 exceptionItemIndex={index}
                 andLogicIncluded={andLogicIncluded}

diff --git a/...k/plugins/security_solution/public/common/components/exceptions/exceptionable_fields.json b/...k/plugins/security_solution/public/common/components/exceptions/exceptionable_fields.json
@@ -0,0 +1,127 @@
+[
+  "Endpoint.policy.applied.id",
+  "Target.process.Ext.code_signature.status",
+  "Target.process.Ext.code_signature.subject_name",
+  "Target.process.Ext.code_signature.trusted",
+  "Target.process.Ext.code_signature.valid",
+  "Target.process.Ext.services",
+  "Target.process.Ext.user",
+  "Target.process.command_line",
+  "Target.process.executable",
+  "Target.process.hash.md5",
+  "Target.process.hash.sha1",
+  "Target.process.hash.sha256",
+  "Target.process.hash.sha512",
+  "Target.process.name",
+  "Target.process.parent.Ext.code_signature.status",
+  "Target.process.parent.Ext.code_signature.subject_name",
+  "Target.process.parent.Ext.code_signature.trusted",
+  "Target.process.parent.Ext.code_signature.valid",
+  "Target.process.parent.command_line",
+  "Target.process.parent.executable",
+  "Target.process.parent.hash.md5",
+  "Target.process.parent.hash.sha1",
+  "Target.process.parent.hash.sha256",
+  "Target.process.parent.hash.sha512",
+  "Target.process.parent.name",
+  "Target.process.parent.pgid",
+  "Target.process.parent.working_directory",
+  "Target.process.pe.company",
+  "Target.process.pe.description",
+  "Target.process.pe.file_version",
+  "Target.process.pe.original_file_name",
+  "Target.process.pe.product",
+  "Target.process.pgid",
+  "Target.process.working_directory",
+  "agent.id",
+  "agent.type",
+  "agent.version",
+  "elastic.agent.id",
+  "event.action",
+  "event.category",
+  "event.code",
+  "event.hash",
+  "event.kind",
+  "event.module",
+  "event.outcome",
+  "event.provider",
+  "event.type",
+  "file.Ext.code_signature.status",
+  "file.Ext.code_signature.subject_name",
+  "file.Ext.code_signature.trusted",
+  "file.Ext.code_signature.valid",
+  "file.attributes",
+  "file.device",
+  "file.directory",
+  "file.drive_letter",
+  "file.extension",
+  "file.gid",
+  "file.group",
+  "file.hash.md5",
+  "file.hash.sha1",
+  "file.hash.sha256",
+  "file.hash.sha512",
+  "file.inode",
+  "file.mime_type",
+  "file.mode",
+  "file.name",
+  "file.owner",
+  "file.path",
+  "file.pe.company",
+  "file.pe.description",
+  "file.pe.file_version",
+  "file.pe.original_file_name",
+  "file.pe.product",
+  "file.size",
+  "file.target_path",
+  "file.type",
+  "file.uid",
+  "group.Ext.real.id",
+  "group.domain",
+  "group.id",
+  "host.architecture",
+  "host.domain",
+  "host.id",
+  "host.os.Ext.variant",
+  "host.os.family",
+  "host.os.full",
+  "host.os.kernel",
+  "host.os.name",
+  "host.os.platform",
+  "host.os.version",
+  "host.type",
+  "process.Ext.code_signature.status",
+  "process.Ext.code_signature.subject_name",
+  "process.Ext.code_signature.trusted",
+  "process.Ext.code_signature.valid",
+  "process.Ext.services",
+  "process.Ext.user",
+  "process.command_line",
+  "process.executable",
+  "process.hash.md5",
+  "process.hash.sha1",
+  "process.hash.sha256",
+  "process.hash.sha512",
+  "process.name",
+  "process.parent.Ext.code_signature.status",
+  "process.parent.Ext.code_signature.subject_name",
+  "process.parent.Ext.code_signature.trusted",
+  "process.parent.Ext.code_signature.valid",
+  "process.parent.command_line",
+  "process.parent.executable",
+  "process.parent.hash.md5",
+  "process.parent.hash.sha1",
+  "process.parent.hash.sha256",
+  "process.parent.hash.sha512",
+  "process.parent.name",
+  "process.parent.pgid",
+  "process.parent.working_directory",
+  "process.pe.company",
+  "process.pe.description",
+  "process.pe.file_version",
+  "process.pe.original_file_name",
+  "process.pe.product",
+  "process.pgid",
+  "process.working_directory",
+  "rule.uuid"
+]