From 22faf26bb2326beeb3bdbdbbc67f730781aeedc8 Mon Sep 17 00:00:00 2001
From: Paul Tavares <56442535+paul-tavares@users.noreply.github.com>
Date: Fri, 26 Apr 2024 08:30:02 -0400
Subject: [PATCH] [Security Solution][Endpoint] Fix index names used to query agents and activity indexes for SentinelOne response actions (#181765)
## Summary
- Changes the names of the Activity and Agents indexes to `*` patterns in order to account for when the SentinelOne integration is configured with a namespace other than `default`
---
 .../data_generators/sentinelone_data_generator.ts | 4 ++--
 .../endpoint/service/response_actions/sentinel_one.ts | 4 ++--
 x-pack/plugins/security_solution/common/index.ts | 2 +-
 .../sentinelone/sentinel_one_actions_client.test.ts | 8 ++++----
 .../clients/sentinelone/sentinel_one_actions_client.ts | 6 +++---
 .../sentinel_one/sentinel_one_agent_status_client.ts | 4 ++--
 6 files changed, 14 insertions(+), 14 deletions(-)
diff --git a/x-pack/plugins/security_solution/common/endpoint/data_generators/sentinelone_data_generator.ts b/x-pack/plugins/security_solution/common/endpoint/data_generators/sentinelone_data_generator.ts
index 54862b4a51549..43384ec5bc947 100644
--- a/x-pack/plugins/security_solution/common/endpoint/data_generators/sentinelone_data_generator.ts
+++ b/x-pack/plugins/security_solution/common/endpoint/data_generators/sentinelone_data_generator.ts
@@ -9,7 +9,7 @@ import type { DeepPartial } from 'utility-types';
 import { merge } from 'lodash';
 import type { SearchResponse, SearchHit } from '@elastic/elasticsearch/lib/api/types';
 import { EndpointActionGenerator } from './endpoint_action_generator';
-import { SENTINEL_ONE_ACTIVITY_INDEX } from '../..';
+import { SENTINEL_ONE_ACTIVITY_INDEX_PATTERN } from '../..';
 import type {
 LogsEndpointAction,
 SentinelOneActivityEsDoc,
@@ -61,7 +61,7 @@ export class SentinelOneDataGenerator extends EndpointActionGenerator { ): SearchHit { const hit = this.toEsSearchHit( this.generateActivityEsDoc(overrides), - SENTINEL_ONE_ACTIVITY_INDEX + SENTINEL_ONE_ACTIVITY_INDEX_PATTERN ); hit.inner_hits = { diff --git a/x-pack/plugins/security_solution/common/endpoint/service/response_actions/sentinel_one.ts b/x-pack/plugins/security_solution/common/endpoint/service/response_actions/sentinel_one.ts index 55892e16392ca..5fe865488347c 100644 --- a/x-pack/plugins/security_solution/common/endpoint/service/response_actions/sentinel_one.ts +++ b/x-pack/plugins/security_solution/common/endpoint/service/response_actions/sentinel_one.ts @@ -6,9 +6,9 @@ */ /** - * Index name where the SentinelOne activity log is written to by the SentinelOne integration + * Index pattern where the SentinelOne activity log is written to by the SentinelOne integration */ -export const SENTINEL_ONE_ACTIVITY_INDEX = 'logs-sentinel_one.activity-default'; +export const SENTINEL_ONE_ACTIVITY_INDEX_PATTERN = 'logs-sentinel_one.activity-*'; /** * The passcode to be used when initiating actions in SentinelOne that require a passcode to be diff --git a/x-pack/plugins/security_solution/common/index.ts b/x-pack/plugins/security_solution/common/index.ts index 46dfd562ee8a6..fb5caa2268f3b 100644 --- a/x-pack/plugins/security_solution/common/index.ts +++ b/x-pack/plugins/security_solution/common/index.ts 
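Review bot: The rewritten doc comment on `SENTINEL_ONE_ACTIVITY_INDEX_PATTERN` still says the pattern is where the activity log "is written to", but a wildcard is a read-side search scope, not a write target; suggest ` * Index pattern matching the data streams (one per namespace) into which the SentinelOne integration writes its activity log; searches against it span every namespace`. Because the value now covers all namespaces, callers can no longer rely on the index name to scope results and must pin the agent in the query itself, and an agent reporting into more than one namespace would match in each — worth stating in the comment so future callers do not assume a single data stream. The same widening is applied to `SENTINEL_ONE_AGENT_INDEX_PATTERN` in sentinel_one_agent_status_client.ts, which carries no comment at all.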
@@ -22,7 +22,7 @@ export { export { ELASTIC_SECURITY_RULE_ID } from './detection_engine/constants'; export { ENABLED_FIELD } from './detection_engine/rule_management/rule_fields'; export { allowedExperimentalValues, type ExperimentalFeatures } from './experimental_features'; -export { SENTINEL_ONE_ACTIVITY_INDEX } from './endpoint/service/response_actions/sentinel_one'; +export { SENTINEL_ONE_ACTIVITY_INDEX_PATTERN } from './endpoint/service/response_actions/sentinel_one'; // Careful of exporting anything from this file as any file(s) you export here will cause your page bundle size to increase. // If you're using functions/types/etc... internally it's best to import directly from their paths than expose the functions/types/etc... here. diff --git a/x-pack/plugins/security_solution/server/endpoint/services/actions/clients/sentinelone/sentinel_one_actions_client.test.ts b/x-pack/plugins/security_solution/server/endpoint/services/actions/clients/sentinelone/sentinel_one_actions_client.test.ts index 00a84b5495464..9c0e60ec837fe 100644 --- a/x-pack/plugins/security_solution/server/endpoint/services/actions/clients/sentinelone/sentinel_one_actions_client.test.ts +++ b/x-pack/plugins/security_solution/server/endpoint/services/actions/clients/sentinelone/sentinel_one_actions_client.test.ts @@ -19,7 +19,7 @@ import { } from '../../../../../../common/endpoint/constants'; import type { NormalizedExternalConnectorClient } from '../../..'; import { applyEsClientSearchMock } from '../../../../mocks/utils.mock'; -import { SENTINEL_ONE_ACTIVITY_INDEX } from '../../../../../../common'; +import { SENTINEL_ONE_ACTIVITY_INDEX_PATTERN } from '../../../../../../common'; import { SentinelOneDataGenerator } from '../../../../../../common/endpoint/data_generators/sentinelone_data_generator'; import type { EndpointActionResponse, 
@@ -407,7 +407,7 @@ describe('SentinelOneActionsClient class', () => { applyEsClientSearchMock({ esClientMock: classConstructorOptions.esClient, - index: SENTINEL_ONE_ACTIVITY_INDEX, + index: SENTINEL_ONE_ACTIVITY_INDEX_PATTERN, response: s1ActivitySearchResponse, }); }); @@ -488,7 +488,7 @@ describe('SentinelOneActionsClient class', () => { sort: [{ 'sentinel_one.activity.updated_at': 'asc' }], }, }, - index: SENTINEL_ONE_ACTIVITY_INDEX, + index: SENTINEL_ONE_ACTIVITY_INDEX_PATTERN, query: { bool: { minimum_should_match: 1, @@ -528,7 +528,7 @@ describe('SentinelOneActionsClient class', () => { sort: [{ 'sentinel_one.activity.updated_at': 'asc' }], }, }, - index: SENTINEL_ONE_ACTIVITY_INDEX, + index: SENTINEL_ONE_ACTIVITY_INDEX_PATTERN, query: { bool: { minimum_should_match: 1, diff --git a/x-pack/plugins/security_solution/server/endpoint/services/actions/clients/sentinelone/sentinel_one_actions_client.ts b/x-pack/plugins/security_solution/server/endpoint/services/actions/clients/sentinelone/sentinel_one_actions_client.ts index bf2c04940a549..89d35353ed1d0 100644 --- a/x-pack/plugins/security_solution/server/endpoint/services/actions/clients/sentinelone/sentinel_one_actions_client.ts +++ b/x-pack/plugins/security_solution/server/endpoint/services/actions/clients/sentinelone/sentinel_one_actions_client.ts @@ -27,7 +27,7 @@ import type { NormalizedExternalConnectorClient, NormalizedExternalConnectorClientExecuteOptions, } from '../lib/normalized_external_connector_client'; -import { SENTINEL_ONE_ACTIVITY_INDEX } from '../../../../../../common'; +import { SENTINEL_ONE_ACTIVITY_INDEX_PATTERN } from '../../../../../../common'; import { catchAndWrapError } from '../../../../utils'; import type { CommonResponseActionMethodOptions, 
@@ -601,7 +601,7 @@ export class SentinelOneActionsClient extends ResponseActionsClientImpl { }; const searchRequestOptions: SearchRequest = { - index: SENTINEL_ONE_ACTIVITY_INDEX, + index: SENTINEL_ONE_ACTIVITY_INDEX_PATTERN, query, // There may be many documents for each host/agent, so we collapse it and only get back the // first one that came in after the isolate request was sent @@ -621,7 +621,7 @@ export class SentinelOneActionsClient extends ResponseActionsClientImpl { }; this.log.debug( - `searching for ${command} responses from [${SENTINEL_ONE_ACTIVITY_INDEX}] index with:\n${stringify( + `searching for ${command} responses from [${SENTINEL_ONE_ACTIVITY_INDEX_PATTERN}] index with:\n${stringify( searchRequestOptions, 15 )}` diff --git a/x-pack/plugins/security_solution/server/endpoint/services/agent/clients/sentinel_one/sentinel_one_agent_status_client.ts b/x-pack/plugins/security_solution/server/endpoint/services/agent/clients/sentinel_one/sentinel_one_agent_status_client.ts index 0fdf57d873443..2335cff5db8d3 100644 --- a/x-pack/plugins/security_solution/server/endpoint/services/agent/clients/sentinel_one/sentinel_one_agent_status_client.ts +++ b/x-pack/plugins/security_solution/server/endpoint/services/agent/clients/sentinel_one/sentinel_one_agent_status_client.ts @@ -13,7 +13,7 @@ import type { ResponseActionAgentType } from '../../../../../../common/endpoint/ import { AgentStatusClient } from '../lib/base_agent_status_client'; import { AgentStatusClientError } from '../errors'; -const SENTINEL_ONE_AGENT_INDEX = `logs-sentinel_one.agent-default`; +const SENTINEL_ONE_AGENT_INDEX_PATTERN = `logs-sentinel_one.agent-*`; enum SENTINEL_ONE_NETWORK_STATUS { CONNECTING = 'connecting', @@ -52,7 +52,7 @@ export class SentinelOneAgentStatusClient extends AgentStatusClient { const [searchResponse, allPendingActions] = await Promise.all([ esClient.search( { - index: SENTINEL_ONE_AGENT_INDEX, + index: SENTINEL_ONE_AGENT_INDEX_PATTERN, from: 0, size: 10000, query,
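Review bot: The debug message in the hunk at -621 still calls the value an `index` although it is now a wildcard pattern; suggest `` `searching for ${command} responses from indices matching [${SENTINEL_ONE_ACTIVITY_INDEX_PATTERN}] with:\n${stringify(` ``. In the hunk at -601 the comment above the collapse says only the first document per host/agent is returned; with the pattern spanning every namespace that first hit may now come from a different namespace's data stream than the one the action was issued against, so the `query` (built above the hunk, outside this view) should be confirmed to constrain by agent id as well as by time. The enclosing method starts and ends outside both hunks.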
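Review bot: `SENTINEL_ONE_AGENT_INDEX_PATTERN` in the hunk at -13 has no doc comment, unlike its activity counterpart in common/; suggest `// Matches the SentinelOne agent data stream in every namespace (logs-sentinel_one.agent-<namespace>), so the search is not limited to the default namespace`. In the hunk at -52 the search keeps `size: 10000`, which is now the cap across all namespaces rather than one, so if the query is not constrained to the requested agent ids the result set could be truncated silently; a short comment on why 10000 is sufficient, or a check on `hits.total`, would make that explicit. The enclosing method continues outside the hunk.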