diff --git a/x-pack/packages/security-solution/features/src/product_features_keys.ts b/x-pack/packages/security-solution/features/src/product_features_keys.ts
index 2bb8cdc0f1e9f..5a1a9f93d351f 100644
--- a/x-pack/packages/security-solution/features/src/product_features_keys.ts
+++ b/x-pack/packages/security-solution/features/src/product_features_keys.ts
@@ -34,6 +34,11 @@ export enum ProductFeatureSecurityKey {
 * Host Isolation Exceptions, Blocklist.
 */
 endpointArtifactManagement = 'endpoint_artifact_management',
+ /**
+ * Enables managing host isolation exceptions for serverless PLIs
+ * Allows user to create, read, update HIEs Endpoint Complete PLI
+ */
+ endpointHostIsolationExceptions = 'endpoint_host_isolation_exceptions',
 /**
 * Enables all of endpoint's supported response actions - like host isolation, file operations,
 * process operations, command execution, etc.
@@ -121,7 +126,7 @@ export enum SecuritySubFeatureId {
 endpointList = 'endpointListSubFeature',
 endpointExceptions = 'endpointExceptionsSubFeature',
 trustedApplications = 'trustedApplicationsSubFeature',
- hostIsolationExceptions = 'hostIsolationExceptionsSubFeature',
+ hostIsolationExceptionsBasic = 'hostIsolationExceptionsBasicSubFeature',
 blocklist = 'blocklistSubFeature',
 eventFilters = 'eventFiltersSubFeature',
 policyManagement = 'policyManagementSubFeature',
diff --git a/x-pack/packages/security-solution/features/src/security/kibana_sub_features.ts b/x-pack/packages/security-solution/features/src/security/kibana_sub_features.ts
index fe0354b34a558..d2efada7b3eac 100644
--- a/x-pack/packages/security-solution/features/src/security/kibana_sub_features.ts
+++ b/x-pack/packages/security-solution/features/src/security/kibana_sub_features.ts
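Review bot: The doc comment added for `endpointHostIsolationExceptions` in product_features_keys.ts (first hunk) lists only "create, read, update" and ends in a sentence fragment, while the comment this same commit adds in manifest_manager.ts describes the key as full CRUD. Because this key decides which tier may write host isolation exceptions, the two descriptions should agree. If delete is meant to be covered, `* Enables full management (create, read, update, delete) of Host Isolation Exceptions.` followed by `* Included in the Endpoint Complete PLI.` would read unambiguously.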
@@ -125,7 +125,7 @@ const trustedApplicationsSubFeature: SubFeatureConfig = {
 },
 ],
 };
-const hostIsolationExceptionsSubFeature: SubFeatureConfig = {
+const hostIsolationExceptionsBasicSubFeature: SubFeatureConfig = {
 requireAllSpaces: true,
 privilegesTooltip: i18n.translate(
 'securitySolutionPackages.features.featureRegistry.subFeatures.hostIsolationExceptions.privilegesTooltip',
@@ -664,7 +664,7 @@ export const getSecuritySubFeaturesMap = ({
 [SecuritySubFeatureId.endpointList, endpointListSubFeature],
 [SecuritySubFeatureId.endpointExceptions, endpointExceptionsSubFeature],
 [SecuritySubFeatureId.trustedApplications, trustedApplicationsSubFeature],
- [SecuritySubFeatureId.hostIsolationExceptions, hostIsolationExceptionsSubFeature],
+ [SecuritySubFeatureId.hostIsolationExceptionsBasic, hostIsolationExceptionsBasicSubFeature],
 [SecuritySubFeatureId.blocklist, blocklistSubFeature],
 [SecuritySubFeatureId.eventFilters, eventFiltersSubFeature],
 [SecuritySubFeatureId.policyManagement, policyManagementSubFeature],
diff --git a/x-pack/packages/security-solution/features/src/security/product_feature_config.ts b/x-pack/packages/security-solution/features/src/security/product_feature_config.ts
index 8445a00fecc6c..2859f359f27c6 100644
--- a/x-pack/packages/security-solution/features/src/security/product_feature_config.ts
+++ b/x-pack/packages/security-solution/features/src/security/product_feature_config.ts
@@ -79,10 +79,16 @@ export const securityDefaultProductFeaturesConfig: DefaultSecurityProductFeature
 [ProductFeatureSecurityKey.endpointArtifactManagement]: {
 subFeatureIds: [
+ SecuritySubFeatureId.hostIsolationExceptionsBasic,
 SecuritySubFeatureId.trustedApplications,
 SecuritySubFeatureId.blocklist,
 SecuritySubFeatureId.eventFilters,
 ],
+ },
+
+ // Endpoint Complete Tier:
+ // Allows access to create/update HIEs
+ [ProductFeatureSecurityKey.endpointHostIsolationExceptions]: {
 subFeaturesPrivileges: [
 {
 id: 'host_isolation_exceptions_all',
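Review bot: In product_feature_config.ts the `subFeaturesPrivileges` array that used to belong to `endpointArtifactManagement` now sits entirely under `endpointHostIsolationExceptions`, and only its first entry (`host_isolation_exceptions_all`) is visible because the array continues past the end of the hunk. If it also holds a read-level entry, that grant moves to the Complete tier too, which would not match the read/delete access the manifest_manager.ts comment in this commit attributes to `endpointArtifactManagement`. It is worth confirming that every entry left in the array is meant to be Complete-only. If so, the new comment could say it directly: `// Adds the create/update privileges on top of hostIsolationExceptionsBasic`.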
@@ -99,7 +105,6 @@ export const securityDefaultProductFeaturesConfig: DefaultSecurityProductFeature
 [ProductFeatureSecurityKey.endpointResponseActions]: {
 subFeatureIds: [
- SecuritySubFeatureId.hostIsolationExceptions,
 SecuritySubFeatureId.responseActionsHistory,
 SecuritySubFeatureId.hostIsolation,
 SecuritySubFeatureId.processOperations,
@@ -117,10 +122,13 @@ export const securityDefaultProductFeaturesConfig: DefaultSecurityProductFeature
 },
 // Product features without RBAC
+ // Endpoint/Osquery PLIs
 [ProductFeatureSecurityKey.osqueryAutomatedResponseActions]: {},
 [ProductFeatureSecurityKey.endpointProtectionUpdates]: {},
 [ProductFeatureSecurityKey.endpointAgentTamperProtection]: {},
 [ProductFeatureSecurityKey.externalRuleActions]: {},
 [ProductFeatureSecurityKey.cloudSecurityPosture]: {},
+
+ // Security PLIs
 [ProductFeatureSecurityKey.integrationAssistant]: {},
 };
diff --git a/x-pack/plugins/security_solution/server/endpoint/services/artifacts/manifest_manager/manifest_manager.test.ts b/x-pack/plugins/security_solution/server/endpoint/services/artifacts/manifest_manager/manifest_manager.test.ts
index 22e113f05de13..88c89b0259f91 100644
--- a/x-pack/plugins/security_solution/server/endpoint/services/artifacts/manifest_manager/manifest_manager.test.ts
+++ b/x-pack/plugins/security_solution/server/endpoint/services/artifacts/manifest_manager/manifest_manager.test.ts
@@ -911,7 +911,7 @@ describe('ManifestManager', () => {
 }
 });
- test(`when it has endpoint artifact management and response actions app features it should generate all exceptions`, async () => {
+ test(`when it has endpoint artifact management and endpoint host isolation exceptions app features it should generate all exceptions`, async () => {
 const exceptionListItem = getExceptionListItemSchemaMock({ os_types: ['macos'] });
 const trustedAppListItem = getExceptionListItemSchemaMock({
 os_types: ['linux'],
@@ -931,7 +931,7 @@ describe('ManifestManager', () => {
 });
 const context = buildManifestManagerContextMock({}, [
 ProductFeatureSecurityKey.endpointArtifactManagement,
- ProductFeatureSecurityKey.endpointResponseActions,
+ ProductFeatureSecurityKey.endpointHostIsolationExceptions,
 ]);
 const manifestManager = new ManifestManager(context);
diff --git a/x-pack/plugins/security_solution/server/endpoint/services/artifacts/manifest_manager/manifest_manager.ts b/x-pack/plugins/security_solution/server/endpoint/services/artifacts/manifest_manager/manifest_manager.ts
index 63a2b56cb8525..1a613e8f9c4b5 100644
--- a/x-pack/plugins/security_solution/server/endpoint/services/artifacts/manifest_manager/manifest_manager.ts
+++ b/x-pack/plugins/security_solution/server/endpoint/services/artifacts/manifest_manager/manifest_manager.ts
@@ -157,9 +157,14 @@ export class ManifestManager {
 }): Promise {
 if (!this.cachedExceptionsListsByOs.has(`${listId}-${os}`)) {
 let itemsByListId: ExceptionListItemSchema[] = [];
+ // endpointHostIsolationExceptions includes full CRUD support for Host Isolation Exceptions
+ // endpointArtifactManagement includes full CRUD support for all other exception lists + RD support for Host Isolation Exceptions
+ // If there are host isolation exceptions in place but there is a downgrade scenario, those shouldn't be taken into account when generating artifacts.
 if (
 (listId === ENDPOINT_ARTIFACT_LISTS.hostIsolationExceptions.id &&
- this.productFeaturesService.isEnabled(ProductFeatureKey.endpointResponseActions)) ||
+ this.productFeaturesService.isEnabled(
+ ProductFeatureKey.endpointHostIsolationExceptions
+ )) ||
 (listId !== ENDPOINT_ARTIFACT_LISTS.hostIsolationExceptions.id &&
 this.productFeaturesService.isEnabled(ProductFeatureKey.endpointArtifactManagement))
 ) {
diff --git a/x-pack/plugins/security_solution_serverless/common/pli/pli_config.ts b/x-pack/plugins/security_solution_serverless/common/pli/pli_config.ts
index 42cdf7589fb35..e817679db1c31 100644
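Review bot: The updated case in manifest_manager.test.ts only covers both `endpointArtifactManagement` and `endpointHostIsolationExceptions` being enabled; nothing visible in these two hunks pins the downgrade path the commit is about. A companion case that passes `[ProductFeatureSecurityKey.endpointArtifactManagement, ProductFeatureSecurityKey.endpointResponseActions]` and asserts that host isolation exception entries are absent from the generated manifest would catch a regression to the old `endpointResponseActions` gate. The test body starts before and continues after the hunk, so such a case may already exist elsewhere in the file.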
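Review bot: The gate in manifest_manager.ts tests `listId` against `ENDPOINT_ARTIFACT_LISTS.hostIsolationExceptions.id` twice, once with `===` and once with `!==`, which makes the list-to-feature mapping hard to audit. Picking the required key first says the same thing in two lines: `const requiredFeature = listId === ENDPOINT_ARTIFACT_LISTS.hostIsolationExceptions.id ? ProductFeatureKey.endpointHostIsolationExceptions : ProductFeatureKey.endpointArtifactManagement;` then `if (this.productFeaturesService.isEnabled(requiredFeature)) {`. The new comment could also state the operational effect: after a downgrade, stored host isolation exceptions are presumably left out of the artifact, since `itemsByListId` stays empty, so endpoints stop applying them even though the items remain readable. The enclosing method starts and ends outside the hunk.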
--- a/x-pack/plugins/security_solution_serverless/common/pli/pli_config.ts
+++ b/x-pack/plugins/security_solution_serverless/common/pli/pli_config.ts
@@ -38,10 +38,10 @@ export const PLI_PRODUCT_FEATURES: PliProductFeatures = {
 ProductFeatureKey.endpointExceptions,
 ],
 complete: [
+ ProductFeatureKey.endpointHostIsolationExceptions,
 ProductFeatureKey.endpointResponseActions,
 ProductFeatureKey.osqueryAutomatedResponseActions,
 ProductFeatureKey.endpointAgentTamperProtection,
- ProductFeatureKey.endpointExceptions,
 ProductFeatureKey.endpointProtectionUpdates,
 ],
 },
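Review bot: The `complete` list in pli_config.ts loses `ProductFeatureKey.endpointExceptions` in the same hunk that adds the new key, and nothing visible explains the removal. The entry still closes the list just above (presumably the lower tier), so the deletion is harmless only if tiers are cumulative; if `complete` is evaluated on its own, Complete-tier deployments would lose endpoint exceptions. A one-line comment on the list, such as `// additive to the tier above; keys already listed there are not repeated`, would make the intent checkable. The object continues outside the hunk, so how tiers are combined cannot be confirmed from here.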