diff --git a/x-pack/plugins/security_solution/public/common/components/exceptions/builder/index.tsx b/x-pack/plugins/security_solution/public/common/components/exceptions/builder/index.tsx
index d3ed1dfc944fd..6bff33afaf70c 100644
--- a/x-pack/plugins/security_solution/public/common/components/exceptions/builder/index.tsx
+++ b/x-pack/plugins/security_solution/public/common/components/exceptions/builder/index.tsx
@@ -23,6 +23,8 @@ import { BuilderButtonOptions } from './builder_button_options';
 import { getNewExceptionItem, filterExceptionItems } from '../helpers';
 import { ExceptionsBuilderExceptionItem, CreateExceptionListItemBuilderSchema } from '../types';
 import { Loader } from '../../loader';
+// eslint-disable-next-line @kbn/eslint/no-restricted-paths
+import exceptionableFields from '../exceptionable_fields.json';
 const MyInvisibleAndBadge = styled(EuiFlexItem)`
 visibility: hidden;
@@ -172,6 +174,17 @@ export const ExceptionBuilder = ({
 );
 }, [exceptions]);
+ // Filters index pattern fields by exceptionable fields if list type is endpoint
+ const filterIndexPatterns = useCallback(() => {
+ if (listType === 'endpoint') {
+ return {
+ ...indexPatterns,
+ fields: indexPatterns.fields.filter(({ name }) => exceptionableFields.includes(name)),
+ };
+ }
+ return indexPatterns;
+ }, [indexPatterns, listType]);
+
 // The builder can have existing exception items, or new exception items that have yet
 // to be created (and thus lack an id), this was creating some React bugs with relying
 // on the index, as a result, created a temporary id when new exception items are first
@@ -216,7 +229,7 @@ export const ExceptionBuilder = ({
 key={getExceptionListItemId(exceptionListItem, index)}
 exceptionItem={exceptionListItem}
 exceptionId={getExceptionListItemId(exceptionListItem, index)}
- indexPattern={indexPatterns}
+ indexPattern={filterIndexPatterns()}
 isLoading={indexPatternLoading}
 exceptionItemIndex={index}
 andLogicIncluded={andLogicIncluded}
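Review bot: `filterIndexPatterns` is wrapped in `useCallback` but then invoked as `filterIndexPatterns()` for every rendered exception item in the third hunk, so for endpoint lists the field filter runs once per item on each render and every item receives a fresh object as `indexPattern`. `useCallback` memoizes the function, not its result; computing the value with `useMemo` over the same `[indexPatterns, listType]` dependencies and passing `indexPattern={filteredIndexPatterns}` would filter once per change (whether `useMemo` is already imported is not visible in these hunks). Because `exceptionableFields.includes(name)` scans the whole array for each field, a module-level `new Set(exceptionableFields)` checked with `.has(name)` would also keep this cheap on large index patterns. The body of `ExceptionBuilder` starts and ends outside the hunks.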
diff --git a/x-pack/plugins/security_solution/public/common/components/exceptions/exceptionable_fields.json b/x-pack/plugins/security_solution/public/common/components/exceptions/exceptionable_fields.json
new file mode 100644
index 0000000000000..18257b0de0a17
--- /dev/null
+++ b/x-pack/plugins/security_solution/public/common/components/exceptions/exceptionable_fields.json
@@ -0,0 +1,127 @@
+[
+ "Endpoint.policy.applied.id",
+ "Target.process.Ext.code_signature.status",
+ "Target.process.Ext.code_signature.subject_name",
+ "Target.process.Ext.code_signature.trusted",
+ "Target.process.Ext.code_signature.valid",
+ "Target.process.Ext.services",
+ "Target.process.Ext.user",
+ "Target.process.command_line",
+ "Target.process.executable",
+ "Target.process.hash.md5",
+ "Target.process.hash.sha1",
+ "Target.process.hash.sha256",
+ "Target.process.hash.sha512",
+ "Target.process.name",
+ "Target.process.parent.Ext.code_signature.status",
+ "Target.process.parent.Ext.code_signature.subject_name",
+ "Target.process.parent.Ext.code_signature.trusted",
+ "Target.process.parent.Ext.code_signature.valid",
+ "Target.process.parent.command_line",
+ "Target.process.parent.executable",
+ "Target.process.parent.hash.md5",
+ "Target.process.parent.hash.sha1",
+ "Target.process.parent.hash.sha256",
+ "Target.process.parent.hash.sha512",
+ "Target.process.parent.name",
+ "Target.process.parent.pgid",
+ "Target.process.parent.working_directory",
+ "Target.process.pe.company",
+ "Target.process.pe.description",
+ "Target.process.pe.file_version",
+ "Target.process.pe.original_file_name",
+ "Target.process.pe.product",
+ "Target.process.pgid",
+ "Target.process.working_directory",
+ "agent.id",
+ "agent.type",
+ "agent.version",
+ "elastic.agent.id",
+ "event.action",
+ "event.category",
+ "event.code",
+ "event.hash",
+ "event.kind",
+ "event.module",
+ "event.outcome",
+ "event.provider",
+ "event.type",
+ "file.Ext.code_signature.status",
+ "file.Ext.code_signature.subject_name",
+ "file.Ext.code_signature.trusted",
+ "file.Ext.code_signature.valid",
+ "file.attributes",
+ "file.device",
+ "file.directory",
+ "file.drive_letter",
+ "file.extension",
+ "file.gid",
+ "file.group",
+ "file.hash.md5",
+ "file.hash.sha1",
+ "file.hash.sha256",
+ "file.hash.sha512",
+ "file.inode",
+ "file.mime_type",
+ "file.mode",
+ "file.name",
+ "file.owner",
+ "file.path",
+ "file.pe.company",
+ "file.pe.description",
+ "file.pe.file_version",
+ "file.pe.original_file_name",
+ "file.pe.product",
+ "file.size",
+ "file.target_path",
+ "file.type",
+ "file.uid",
+ "group.Ext.real.id",
+ "group.domain",
+ "group.id",
+ "host.architecture",
+ "host.domain",
+ "host.id",
+ "host.os.Ext.variant",
+ "host.os.family",
+ "host.os.full",
+ "host.os.kernel",
+ "host.os.name",
+ "host.os.platform",
+ "host.os.version",
+ "host.type",
+ "process.Ext.code_signature.status",
+ "process.Ext.code_signature.subject_name",
+ "process.Ext.code_signature.trusted",
+ "process.Ext.code_signature.valid",
+ "process.Ext.services",
+ "process.Ext.user",
+ "process.command_line",
+ "process.executable",
+ "process.hash.md5",
+ "process.hash.sha1",
+ "process.hash.sha256",
+ "process.hash.sha512",
+ "process.name",
+ "process.parent.Ext.code_signature.status",
+ "process.parent.Ext.code_signature.subject_name",
+ "process.parent.Ext.code_signature.trusted",
+ "process.parent.Ext.code_signature.valid",
+ "process.parent.command_line",
+ "process.parent.executable",
+ "process.parent.hash.md5",
+ "process.parent.hash.sha1",
+ "process.parent.hash.sha256",
+ "process.parent.hash.sha512",
+ "process.parent.name",
+ "process.parent.pgid",
+ "process.parent.working_directory",
+ "process.pe.company",
+ "process.pe.description",
+ "process.pe.file_version",
+ "process.pe.original_file_name",
+ "process.pe.product",
+ "process.pgid",
+ "process.working_directory",
+ "rule.uuid"
+]
\ No newline at end of file
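Review bot: As far as this diff shows, the allowlist is enforced only in the browser: the builder imports it to hide other fields when `listType === 'endpoint'`, and no server-side check is part of the change. Since an endpoint exception suppresses detections, an item that reaches the list through another path (the API, an import, an older client) could presumably still reference a field outside this list, so the same list should back validation where items are accepted, or the gap should be documented. The file also records nothing about where these names come from or how they stay in step with what the endpoint can evaluate; JSON cannot hold a comment, so a line next to the import such as `// Fields the endpoint supports in exceptions; source: <reference>` would help the next reviewer. The file is committed without a trailing newline.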