@szwarckonrad
Contributor

Fixes two bugs in osquery global pack management:

  1. When creating a new osquery integration on a policy, global packs were losing references to existing policies because pack.references wasn't included in the SavedObject mapping
  2. When deleting a policy, the delete callback had backwards filter logic that kept deleted policy references instead of removing them

Changes include comprehensive unit tests for both bug fixes.

Closes https://github.com/elastic/security-team/issues/14422


Co-authored with Claude Code

…when creating new integrations or deleting policies
@szwarckonrad added labels Nov 3, 2025: release_note:skip (Skip the PR/issue when compiling release notes), backport:skip (This PR does not require backporting), Team:Defend Workflows (“EDR Workflows” sub-team of Security Solution)
@szwarckonrad self-assigned this Nov 3, 2025
@szwarckonrad requested a review from tomsonpl November 3, 2025 14:38
@szwarckonrad marked this pull request as ready for review November 3, 2025 14:38
@szwarckonrad requested a review from a team as a code owner November 3, 2025 14:38
@szwarckonrad requested a review from pzl November 3, 2025 14:38
@elasticmachine
Contributor

Pinging @elastic/security-defend-workflows (Team:Defend Workflows)

@szwarckonrad
Contributor Author

Closing in favor of combined PR #241655 which includes this fix along with other osquery pack management improvements.

@elasticmachine
Contributor

💛 Build succeeded, but was flaky

Failed CI Steps

Test Failures

  • [job] [logs] FTR Configs #101 / Agents fleet_list_agent should return metrics if available and called with withMetrics
  • [job] [logs] FTR Configs #72 / cases security and spaces enabled: basic Common migrations migrations 7.13 connector id extraction "before all" hook for "7.13 migrates user actions correctly for case with ID aa8ac630-005e-11ec-91f1-6daf2ab59fb5"

Metrics [docs]

✅ unchanged

cc @szwarckonrad
