From 66ab8ab60cb54f4c747f608b0857be8d574dc0bf Mon Sep 17 00:00:00 2001
From: Konrad Szwarc
Date: Tue, 10 Sep 2024 09:20:25 +0200
Subject: [PATCH] [EDR Workflows][Serverless] Fix Host Isolation Exceptions PLIs (#191954)
This PR establishes appropriate privileges across Endpoint tiers. In Endpoint Complete, users will be able to create, update, and delete Host Isolation Exceptions. Upon downgrading to Endpoint Essentials, users should still be able to view and remove items from the Blocklist but will not have the ability to edit or create new entries. Please see linked issue for more details on current behaviour. Expected privileges: Endpoint Essentials - User can read and delete HIE Endpoint Complete - User can read, delete and write HIE https://github.com/user-attachments/assets/69d14a51-6004-45b7-9c78-62066441f4ab
---
 .../features/src/product_features_keys.ts | 7 ++++++-
 .../features/src/security/kibana_sub_features.ts | 4 ++--
 .../features/src/security/product_feature_config.ts | 10 +++++++++-
 .../manifest_manager/manifest_manager.test.ts | 4 ++--
 .../artifacts/manifest_manager/manifest_manager.ts | 7 ++++++-
 .../common/pli/pli_config.ts | 2 +-
 6 files changed, 26 insertions(+), 8 deletions(-)
diff --git a/x-pack/packages/security-solution/features/src/product_features_keys.ts b/x-pack/packages/security-solution/features/src/product_features_keys.ts
index 2bb8cdc0f1e9f..5a1a9f93d351f 100644
--- a/x-pack/packages/security-solution/features/src/product_features_keys.ts
+++ b/x-pack/packages/security-solution/features/src/product_features_keys.ts
@@ -34,6 +34,11 @@ export enum ProductFeatureSecurityKey {
 * Host Isolation Exceptions, Blocklist.
 */
 endpointArtifactManagement = 'endpoint_artifact_management',
+ /**
+ * Enables managing host isolation exceptions for serverless PLIs
+ * Allows user to create, read, update HIEs Endpoint Complete PLI
+ */
+ endpointHostIsolationExceptions = 'endpoint_host_isolation_exceptions',
 /**
 * Enables all of endpoint's supported response actions - like host isolation, file operations,
 * process operations, command execution, etc.
@@ -121,7 +126,7 @@ export enum SecuritySubFeatureId {
 endpointList = 'endpointListSubFeature',
 endpointExceptions = 'endpointExceptionsSubFeature',
 trustedApplications = 'trustedApplicationsSubFeature',
- hostIsolationExceptions = 'hostIsolationExceptionsSubFeature',
+ hostIsolationExceptionsBasic = 'hostIsolationExceptionsBasicSubFeature',
 blocklist = 'blocklistSubFeature',
 eventFilters = 'eventFiltersSubFeature',
 policyManagement = 'policyManagementSubFeature',
diff --git a/x-pack/packages/security-solution/features/src/security/kibana_sub_features.ts b/x-pack/packages/security-solution/features/src/security/kibana_sub_features.ts
index fe0354b34a558..d2efada7b3eac 100644
--- a/x-pack/packages/security-solution/features/src/security/kibana_sub_features.ts
+++ b/x-pack/packages/security-solution/features/src/security/kibana_sub_features.ts
@@ -125,7 +125,7 @@ const trustedApplicationsSubFeature: SubFeatureConfig = {
 },
 ],
 };
-const hostIsolationExceptionsSubFeature: SubFeatureConfig = {
+const hostIsolationExceptionsBasicSubFeature: SubFeatureConfig = {
 requireAllSpaces: true,
 privilegesTooltip: i18n.translate(
 'securitySolutionPackages.features.featureRegistry.subFeatures.hostIsolationExceptions.privilegesTooltip',
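Review bot: The doc comment added for `endpointHostIsolationExceptions` says the key lets users "create, read, update" HIEs, which disagrees with the rest of this patch: the commit message describes Complete as read, delete and write, and the manifest_manager.ts comment calls it "full CRUD" with read/delete already granted by `endpointArtifactManagement`. The key is also the switch that decides whether Host Isolation Exceptions are compiled into endpoint artifacts at all (manifest_manager.ts hunk), which the comment does not mention. I would replace the two description lines with `* Grants write (create/update) access to Host Isolation Exceptions on top of the read/delete access that endpointArtifactManagement provides,` and `* and gates whether HIEs are included in generated endpoint artifacts. Endpoint Complete PLI.`.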
@@ -664,7 +664,7 @@ export const getSecuritySubFeaturesMap = ({
 [SecuritySubFeatureId.endpointList, endpointListSubFeature],
 [SecuritySubFeatureId.endpointExceptions, endpointExceptionsSubFeature],
 [SecuritySubFeatureId.trustedApplications, trustedApplicationsSubFeature],
- [SecuritySubFeatureId.hostIsolationExceptions, hostIsolationExceptionsSubFeature],
+ [SecuritySubFeatureId.hostIsolationExceptionsBasic, hostIsolationExceptionsBasicSubFeature],
 [SecuritySubFeatureId.blocklist, blocklistSubFeature],
 [SecuritySubFeatureId.eventFilters, eventFiltersSubFeature],
 [SecuritySubFeatureId.policyManagement, policyManagementSubFeature],
diff --git a/x-pack/packages/security-solution/features/src/security/product_feature_config.ts b/x-pack/packages/security-solution/features/src/security/product_feature_config.ts
index 8445a00fecc6c..2859f359f27c6 100644
--- a/x-pack/packages/security-solution/features/src/security/product_feature_config.ts
+++ b/x-pack/packages/security-solution/features/src/security/product_feature_config.ts
@@ -79,10 +79,16 @@ export const securityDefaultProductFeaturesConfig: DefaultSecurityProductFeature
 [ProductFeatureSecurityKey.endpointArtifactManagement]: { subFeatureIds: [ + SecuritySubFeatureId.hostIsolationExceptionsBasic, SecuritySubFeatureId.trustedApplications, SecuritySubFeatureId.blocklist, SecuritySubFeatureId.eventFilters, ], + }, + + // Endpoint Complete Tier: + // Allows access to create/update HIEs + [ProductFeatureSecurityKey.endpointHostIsolationExceptions]: { subFeaturesPrivileges: [ { id: 'host_isolation_exceptions_all',
@@ -99,7 +105,6 @@ export const securityDefaultProductFeaturesConfig: DefaultSecurityProductFeature
 [ProductFeatureSecurityKey.endpointResponseActions]: { subFeatureIds: [ - SecuritySubFeatureId.hostIsolationExceptions, SecuritySubFeatureId.responseActionsHistory, SecuritySubFeatureId.hostIsolation, SecuritySubFeatureId.processOperations,
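Review bot: In the `@@ -79` hunk the new `endpointHostIsolationExceptions` entry, as far as it is visible, only overrides `subFeaturesPrivileges` for `host_isolation_exceptions_all`, while the sub-feature itself is now registered through `endpointArtifactManagement` via `hostIsolationExceptionsBasic`; nothing in the hunk states what `host_isolation_exceptions_all` grants when the Complete key is absent. If the sub-feature exposes only an all/read privilege pair (its definition is not in this hunk), that pair cannot by itself express "read and delete but not write", so the Essentials behaviour in the commit message presumably rests on the HIE API and UI checks that consume these privileges, and that dependency should be written down, e.g. `// Augments the privilege registered by hostIsolationExceptionsBasic; the write-vs-read/delete split on Essentials is enforced where the privilege is consumed, not by this config.`. The `subFeaturesPrivileges` array continues past the hunk, so I could not verify what else it overrides.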
@@ -117,10 +122,13 @@ export const securityDefaultProductFeaturesConfig: DefaultSecurityProductFeature
 }, // Product features without RBAC + // Endpoint/Osquery PLIs [ProductFeatureSecurityKey.osqueryAutomatedResponseActions]: {}, [ProductFeatureSecurityKey.endpointProtectionUpdates]: {}, [ProductFeatureSecurityKey.endpointAgentTamperProtection]: {}, [ProductFeatureSecurityKey.externalRuleActions]: {}, [ProductFeatureSecurityKey.cloudSecurityPosture]: {}, + + // Security PLIs [ProductFeatureSecurityKey.integrationAssistant]: {}, };
diff --git a/x-pack/plugins/security_solution/server/endpoint/services/artifacts/manifest_manager/manifest_manager.test.ts b/x-pack/plugins/security_solution/server/endpoint/services/artifacts/manifest_manager/manifest_manager.test.ts
index 22e113f05de13..88c89b0259f91 100644
--- a/x-pack/plugins/security_solution/server/endpoint/services/artifacts/manifest_manager/manifest_manager.test.ts
+++ b/x-pack/plugins/security_solution/server/endpoint/services/artifacts/manifest_manager/manifest_manager.test.ts
@@ -911,7 +911,7 @@ describe('ManifestManager', () => {
 } }); - test(`when it has endpoint artifact management and response actions app features it should generate all exceptions`, async () => { + test(`when it has endpoint artifact management and endpoint host isolation exceptions app features it should generate all exceptions`, async () => { const exceptionListItem = getExceptionListItemSchemaMock({ os_types: ['macos'] }); const trustedAppListItem = getExceptionListItemSchemaMock({ os_types: ['linux'],
@@ -931,7 +931,7 @@ describe('ManifestManager', () => {
 }); const context = buildManifestManagerContextMock({}, [ ProductFeatureSecurityKey.endpointArtifactManagement, - ProductFeatureSecurityKey.endpointResponseActions, + ProductFeatureSecurityKey.endpointHostIsolationExceptions, ]); const manifestManager = new ManifestManager(context);
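Review bot: The test changed at `@@ -931` now covers only the case where both `endpointArtifactManagement` and `endpointHostIsolationExceptions` are enabled; the downgrade path this commit introduces in manifest_manager.ts — artifact management enabled but the HIE key disabled, so host isolation exceptions must not reach the artifact — is not exercised by any hunk in this patch. Unless such a test already exists outside the diff, add a sibling case built like this one with `ProductFeatureSecurityKey.endpointArtifactManagement` alone passed to `buildManifestManagerContextMock`, asserting that the other exception lists are still generated while the HIE list contributes nothing. The `describe('ManifestManager', …)` block begins and ends outside the hunk.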
diff --git a/x-pack/plugins/security_solution/server/endpoint/services/artifacts/manifest_manager/manifest_manager.ts b/x-pack/plugins/security_solution/server/endpoint/services/artifacts/manifest_manager/manifest_manager.ts
index 63a2b56cb8525..1a613e8f9c4b5 100644
--- a/x-pack/plugins/security_solution/server/endpoint/services/artifacts/manifest_manager/manifest_manager.ts
+++ b/x-pack/plugins/security_solution/server/endpoint/services/artifacts/manifest_manager/manifest_manager.ts
@@ -157,9 +157,14 @@ export class ManifestManager {
 }): Promise {
 if (!this.cachedExceptionsListsByOs.has(`${listId}-${os}`)) {
 let itemsByListId: ExceptionListItemSchema[] = [];
+ // endpointHostIsolationExceptions includes full CRUD support for Host Isolation Exceptions
+ // endpointArtifactManagement includes full CRUD support for all other exception lists + RD support for Host Isolation Exceptions
+ // If there are host isolation exceptions in place but there is a downgrade scenario, those shouldn't be taken into account when generating artifacts.
 if (
 (listId === ENDPOINT_ARTIFACT_LISTS.hostIsolationExceptions.id &&
- this.productFeaturesService.isEnabled(ProductFeatureKey.endpointResponseActions)) ||
+ this.productFeaturesService.isEnabled(
+ ProductFeatureKey.endpointHostIsolationExceptions
+ )) ||
 (listId !== ENDPOINT_ARTIFACT_LISTS.hostIsolationExceptions.id &&
 this.productFeaturesService.isEnabled(ProductFeatureKey.endpointArtifactManagement))
 ) {
diff --git a/x-pack/plugins/security_solution_serverless/common/pli/pli_config.ts b/x-pack/plugins/security_solution_serverless/common/pli/pli_config.ts
index 42cdf7589fb35..e817679db1c31 100644
--- a/x-pack/plugins/security_solution_serverless/common/pli/pli_config.ts
+++ b/x-pack/plugins/security_solution_serverless/common/pli/pli_config.ts
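Review bot: The new condition repeats the `listId === ENDPOINT_ARTIFACT_LISTS.hostIsolationExceptions.id` test in both arms, which hides that the whole expression is just "is the one feature key that applies to this list enabled"; pulling that into a private predicate (below) reads more directly and gives the tier rule one place to live. It also makes the fail-closed path explicit: when the tier does not enable the list, `itemsByListId` stays `[]` and nothing from that list reaches the artifact, which is the downgrade case the comment describes and deserves a sentence of its own, e.g. `// A list not enabled for the current tier falls through with no items, so it never reaches the artifact.`. Separately, `cachedExceptionsListsByOs` is keyed only by `${listId}-${os}`; if that cache can outlive a tier change, an entry built under Complete would keep serving HIE items after a downgrade — worth confirming its lifetime. The enclosing method starts before the hunk and continues after it.
```typescript
/**
 * Whether the current PLI tier allows items of `listId` to be compiled into artifacts.
 * Host Isolation Exceptions require endpointHostIsolationExceptions (Endpoint Complete);
 * every other exception list requires endpointArtifactManagement.
 */
private isArtifactListEnabledForTier(listId: string): boolean {
  const isHostIsolationExceptionsList =
    listId === ENDPOINT_ARTIFACT_LISTS.hostIsolationExceptions.id;
  return this.productFeaturesService.isEnabled(
    isHostIsolationExceptionsList
      ? ProductFeatureKey.endpointHostIsolationExceptions
      : ProductFeatureKey.endpointArtifactManagement
  );
}

// … unchanged: start of the method, cache check, itemsByListId declaration …
if (this.isArtifactListEnabledForTier(listId)) {
```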
@@ -38,10 +38,10 @@ export const PLI_PRODUCT_FEATURES: PliProductFeatures = {
 ProductFeatureKey.endpointExceptions,
 ],
 complete: [
+ ProductFeatureKey.endpointHostIsolationExceptions,
 ProductFeatureKey.endpointResponseActions,
 ProductFeatureKey.osqueryAutomatedResponseActions,
 ProductFeatureKey.endpointAgentTamperProtection,
- ProductFeatureKey.endpointExceptions,
 ProductFeatureKey.endpointProtectionUpdates,
 ],
 },
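Review bot: Dropping `ProductFeatureKey.endpointExceptions` from `complete` is not mentioned in the commit message, and it is only behaviour-preserving if the Complete tier also receives everything in the preceding tier array (where `endpointExceptions` remains as a context line); if the tiers are resolved independently, Complete users would lose endpoint exceptions. I cannot see from this hunk how `PLI_PRODUCT_FEATURES` is consumed, so either the description should state that the entry was a duplicate, or the array should carry a comment such as `// endpointExceptions is inherited from the lower tier; do not list it twice`.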