[EDR Workflows] Scripts selector component in Response Console (elastic#204965)

Author: tomsonpl

x-pack/platform/plugins/shared/stack_connectors/common/crowdstrike/schema.ts

@@ -348,5 +348,45 @@ export const CrowdstrikeExecuteRTRResponseSchema = schema.object(
   { unknowns: 'allow' }
 );
 
-// TODO: will be part of a next PR
-export const CrowdstrikeGetScriptsParamsSchema = schema.any({});
+export const CrowdstrikeGetScriptsResponseSchema = schema.object(
+  {
+    meta: schema.maybe(
+      schema.object(
+        {
+          query_time: schema.maybe(schema.number()),
+          powered_by: schema.maybe(schema.string()),
+          trace_id: schema.maybe(schema.string()),
+        },
+        { unknowns: 'allow' }
+      )
+    ),
+    resources: schema.maybe(
+      schema.arrayOf(
+        schema.object(
+          {
+            content: schema.maybe(schema.string()),
+            created_by: schema.maybe(schema.string()),
+            created_by_uuid: schema.maybe(schema.string()),
+            created_timestamp: schema.maybe(schema.string()),
+            file_type: schema.maybe(schema.string()),
+            id: schema.maybe(schema.string()),
+            description: schema.maybe(schema.string()),
+            modified_by: schema.maybe(schema.string()),
+            modified_timestamp: schema.maybe(schema.string()),
+            name: schema.maybe(schema.string()),
+            permission_type: schema.maybe(schema.string()),
+            platform: schema.maybe(schema.arrayOf(schema.string())),
+            run_attempt_count: schema.maybe(schema.number()),
+            run_success_count: schema.maybe(schema.number()),
+            sha256: schema.maybe(schema.string()),
+            size: schema.maybe(schema.number()),
+            write_access: schema.maybe(schema.boolean()),
+          },
+          { unknowns: 'allow' }
+        )
+      )
+    ),
+    errors: schema.maybe(schema.arrayOf(schema.any())),
+  },
+  { unknowns: 'allow' }
+);

x-pack/platform/plugins/shared/stack_connectors/common/crowdstrike/types.ts

@@ -19,6 +19,7 @@ import type {
   RelaxedCrowdstrikeBaseApiResponseSchema,
   CrowdstrikeInitRTRParamsSchema,
   CrowdstrikeExecuteRTRResponseSchema,
+  CrowdstrikeGetScriptsResponseSchema,
 } from './schema';
 
 export type CrowdstrikeConfig = TypeOf<typeof CrowdstrikeConfigSchema>;
@@ -42,3 +43,4 @@ export type CrowdstrikeActionParams = TypeOf<typeof CrowdstrikeActionParamsSchem
 export type CrowdstrikeInitRTRParams = TypeOf<typeof CrowdstrikeInitRTRParamsSchema>;
 
 export type CrowdStrikeExecuteRTRResponse = TypeOf<typeof CrowdstrikeExecuteRTRResponseSchema>;
+export type CrowdstrikeGetScriptsResponse = TypeOf<typeof CrowdstrikeGetScriptsResponseSchema>;

x-pack/platform/plugins/shared/stack_connectors/server/connector_types/crowdstrike/crowdstrike.test.ts

@@ -458,10 +458,7 @@ describe('CrowdstrikeConnector', () => {
       mockedRequest.mockResolvedValueOnce({ data: { access_token: 'testToken' } });
       mockedRequest.mockResolvedValueOnce(mockResponse);
 
-      const result = await connector.getRTRCloudScripts(
-        { ids: ['script1', 'script2'] },
-        connectorUsageCollector
-      );
+      const result = await connector.getRTRCloudScripts({}, connectorUsageCollector);
 
       expect(mockedRequest).toHaveBeenNthCalledWith(
         1,

x-pack/platform/plugins/shared/stack_connectors/server/connector_types/crowdstrike/crowdstrike.ts

@@ -25,16 +25,17 @@ import type {
   CrowdstrikeGetAgentOnlineStatusResponse,
   RelaxedCrowdstrikeBaseApiResponse,
   CrowdStrikeExecuteRTRResponse,
+  CrowdstrikeGetScriptsResponse,
 } from '../../../common/crowdstrike/types';
 import type { CrowdstrikeGetTokenResponseSchema } from '../../../common/crowdstrike/schema';
+import { CrowdstrikeGetScriptsResponseSchema } from '../../../common/crowdstrike/schema';
 import {
   CrowdstrikeHostActionsParamsSchema,
   CrowdstrikeGetAgentsParamsSchema,
   CrowdstrikeHostActionsResponseSchema,
   RelaxedCrowdstrikeBaseApiResponseSchema,
   CrowdstrikeRTRCommandParamsSchema,
   CrowdstrikeExecuteRTRResponseSchema,
-  CrowdstrikeGetScriptsParamsSchema,
   CrowdstrikeApiDoNotValidateResponsesSchema,
 } from '../../../common/crowdstrike/schema';
 import { SUB_ACTION } from '../../../common/crowdstrike/constants';
@@ -76,7 +77,7 @@ export class CrowdstrikeConnector extends SubActionConnector<
     batchExecuteRTR: string;
     batchActiveResponderExecuteRTR: string;
     batchAdminExecuteRTR: string;
-    getRTRCloudScriptsDetails: string;
+    getRTRCloudScripts: string;
   };
 
   constructor(
@@ -95,7 +96,7 @@ export class CrowdstrikeConnector extends SubActionConnector<
       batchExecuteRTR: `${this.config.url}/real-time-response/combined/batch-command/v1`,
       batchActiveResponderExecuteRTR: `${this.config.url}/real-time-response/combined/batch-active-responder-command/v1`,
       batchAdminExecuteRTR: `${this.config.url}/real-time-response/combined/batch-admin-command/v1`,
-      getRTRCloudScriptsDetails: `${this.config.url}/real-time-response/entities/scripts/v1`,
+      getRTRCloudScripts: `${this.config.url}/real-time-response/entities/scripts/v1`,
     };
 
     if (!CrowdstrikeConnector.base64encodedToken) {
@@ -146,11 +147,10 @@ export class CrowdstrikeConnector extends SubActionConnector<
         method: 'batchAdminExecuteRTR',
         schema: CrowdstrikeRTRCommandParamsSchema, // Define a proper schema for the command
       });
-      // temporary to fetch scripts and help testing
       this.registerSubAction({
         name: SUB_ACTION.GET_RTR_CLOUD_SCRIPTS,
         method: 'getRTRCloudScripts',
-        schema: CrowdstrikeGetScriptsParamsSchema,
+        schema: CrowdstrikeRTRCommandParamsSchema, // Empty schema - this request do not have any parameters
       });
     }
   }
@@ -371,18 +371,16 @@ export class CrowdstrikeConnector extends SubActionConnector<
     );
   }
 
-  // TODO: for now just for testing purposes, will be a part of a following PR
   public async getRTRCloudScripts(
-    payload: CrowdstrikeGetAgentsParams,
+    payload: {},
     connectorUsageCollector: ConnectorUsageCollector
-  ): Promise<CrowdstrikeGetAgentOnlineStatusResponse> {
-    // @ts-expect-error will be a part of the next PR
-    return this.crowdstrikeApiRequest(
+  ): Promise<CrowdstrikeGetScriptsResponse> {
+    return await this.crowdstrikeApiRequest(
       {
-        url: this.urls.getRTRCloudScriptsDetails,
+        url: this.urls.getRTRCloudScripts,
         method: 'GET',
         paramsSerializer,
-        responseSchema: RelaxedCrowdstrikeBaseApiResponseSchema,
+        responseSchema: CrowdstrikeGetScriptsResponseSchema,
       },
       connectorUsageCollector
     );

x-pack/solutions/security/plugins/security_solution/common/api/endpoint/custom_scripts/get_custom_scripts_route.ts

@@ -0,0 +1,25 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { schema, type TypeOf } from '@kbn/config-schema';
+import { AgentTypeSchemaLiteral } from '..';
+
+export const CustomScriptsRequestSchema = {
+  query: schema.object({
+    agentType: schema.maybe(
+      schema.oneOf(
+        // @ts-expect-error TS2769: No overload matches this call
+        AgentTypeSchemaLiteral,
+        {
+          defaultValue: 'endpoint',
+        }
+      )
+    ),
+  }),
+};
+
+export type CustomScriptsRequestQueryParams = TypeOf<typeof CustomScriptsRequestSchema.query>;

x-pack/solutions/security/plugins/security_solution/common/endpoint/constants.ts

@@ -97,6 +97,7 @@ export const EXECUTE_ROUTE = `${BASE_ENDPOINT_ACTION_ROUTE}/execute`;
 export const UPLOAD_ROUTE = `${BASE_ENDPOINT_ACTION_ROUTE}/upload`;
 export const SCAN_ROUTE = `${BASE_ENDPOINT_ACTION_ROUTE}/scan`;
 export const RUN_SCRIPT_ROUTE = `${BASE_ENDPOINT_ACTION_ROUTE}/run_script`;
+export const CUSTOM_SCRIPTS_ROUTE = `${BASE_ENDPOINT_ACTION_ROUTE}/custom_scripts`;
 
 /** Endpoint Actions Routes */
 export const ENDPOINT_ACTION_LOG_ROUTE = `${BASE_ENDPOINT_ROUTE}/action_log/{agent_id}`;