diff --git a/x-pack/plugins/siem/server/lib/detection_engine/routes/__mocks__/request_responses.ts b/x-pack/plugins/siem/server/lib/detection_engine/routes/__mocks__/request_responses.ts
index 469f91c8211cc7..8c97d4436a561f 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/routes/__mocks__/request_responses.ts
+++ b/x-pack/plugins/siem/server/lib/detection_engine/routes/__mocks__/request_responses.ts
@@ -448,7 +448,7 @@ export const getResult = (): RuleAlertType => ({
references: ['http://www.example.com', 'https://ww.example.com'],
note: '# Investigative notes',
version: 1,
- lists: [
+ exceptions_list: [
{
field: 'source.ip',
values_operator: 'included',
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/routes/__mocks__/utils.ts b/x-pack/plugins/siem/server/lib/detection_engine/routes/__mocks__/utils.ts
index c929b0718207d6..6f628170271f31 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/routes/__mocks__/utils.ts
+++ b/x-pack/plugins/siem/server/lib/detection_engine/routes/__mocks__/utils.ts
@@ -138,7 +138,7 @@ export const getOutputRuleAlertForRest = (): Omit<
],
},
],
- lists: [
+ exceptions_list: [
{
field: 'source.ip',
values_operator: 'included',
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/routes/rules/create_rules_bulk_route.ts b/x-pack/plugins/siem/server/lib/detection_engine/routes/rules/create_rules_bulk_route.ts
index a40952c078a379..2d7ddb79e5af55 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/routes/rules/create_rules_bulk_route.ts
+++ b/x-pack/plugins/siem/server/lib/detection_engine/routes/rules/create_rules_bulk_route.ts
@@ -86,7 +86,7 @@ export const createRulesBulkRoute = (router: IRouter) => {
timeline_id: timelineId,
timeline_title: timelineTitle,
version,
- lists,
+ exceptions_list,
} = payloadRule;
const ruleIdOrUuid = ruleId ?? uuid.v4();
try {
@@ -143,7 +143,7 @@ export const createRulesBulkRoute = (router: IRouter) => {
references,
note,
version,
- lists,
+ exceptions_list,
actions: throttle === 'rule' ? actions : [], // Only enable actions if throttle is set to rule, otherwise we are a notification and should not enable it,
});
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/routes/rules/create_rules_route.ts b/x-pack/plugins/siem/server/lib/detection_engine/routes/rules/create_rules_route.ts
index 19c5d479deb720..1f0896686aca05 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/routes/rules/create_rules_route.ts
+++ b/x-pack/plugins/siem/server/lib/detection_engine/routes/rules/create_rules_route.ts
@@ -66,7 +66,7 @@ export const createRulesRoute = (router: IRouter): void => {
type,
references,
note,
- lists,
+ exceptions_list,
} = request.body;
const siemResponse = buildSiemResponse(response);
@@ -131,7 +131,7 @@ export const createRulesRoute = (router: IRouter): void => {
references,
note,
version: 1,
- lists,
+ exceptions_list,
actions: throttle === 'rule' ? actions : [], // Only enable actions if throttle is rule, otherwise we are a notification and should not enable it,
});
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/routes/rules/import_rules_route.ts b/x-pack/plugins/siem/server/lib/detection_engine/routes/rules/import_rules_route.ts
index 58da27916c1985..527fab786910fc 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/routes/rules/import_rules_route.ts
+++ b/x-pack/plugins/siem/server/lib/detection_engine/routes/rules/import_rules_route.ts
@@ -138,7 +138,7 @@ export const importRulesRoute = (router: IRouter, config: ConfigType) => {
timeline_id: timelineId,
timeline_title: timelineTitle,
version,
- lists,
+ exceptions_list,
} = parsedRule;
try {
@@ -195,7 +195,7 @@ export const importRulesRoute = (router: IRouter, config: ConfigType) => {
references,
note,
version,
- lists,
+ exceptions_list,
actions: [], // Actions are not imported nor exported at this time
});
resolve({ rule_id: ruleId, status_code: 200 });
@@ -232,7 +232,7 @@ export const importRulesRoute = (router: IRouter, config: ConfigType) => {
references,
note,
version,
- lists,
+ exceptions_list,
anomalyThreshold,
machineLearningJobId,
});
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/routes/rules/update_rules_bulk_route.ts b/x-pack/plugins/siem/server/lib/detection_engine/routes/rules/update_rules_bulk_route.ts
index 8f319063b2a9a9..6db91d74294fc6 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/routes/rules/update_rules_bulk_route.ts
+++ b/x-pack/plugins/siem/server/lib/detection_engine/routes/rules/update_rules_bulk_route.ts
@@ -81,7 +81,7 @@ export const updateRulesBulkRoute = (router: IRouter) => {
references,
note,
version,
- lists,
+ exceptions_list,
} = payloadRule;
const finalIndex = outputIndex ?? siemClient.signalsIndex;
const idOrRuleIdOrUnknown = id ?? ruleId ?? '(unknown id)';
@@ -121,7 +121,7 @@ export const updateRulesBulkRoute = (router: IRouter) => {
references,
note,
version,
- lists,
+ exceptions_list,
actions,
});
if (rule != null) {
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/routes/rules/update_rules_route.ts b/x-pack/plugins/siem/server/lib/detection_engine/routes/rules/update_rules_route.ts
index 7d69af4bcbd9bf..7dbbe5a22ab46a 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/routes/rules/update_rules_route.ts
+++ b/x-pack/plugins/siem/server/lib/detection_engine/routes/rules/update_rules_route.ts
@@ -67,7 +67,7 @@ export const updateRulesRoute = (router: IRouter) => {
references,
note,
version,
- lists,
+ exceptions_list,
} = request.body;
const siemResponse = buildSiemResponse(response);
@@ -117,7 +117,7 @@ export const updateRulesRoute = (router: IRouter) => {
references,
note,
version,
- lists,
+ exceptions_list,
actions: throttle === 'rule' ? actions : [], // Only enable actions if throttle is rule, otherwise we are a notification and should not enable it
});
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/routes/rules/utils.ts b/x-pack/plugins/siem/server/lib/detection_engine/routes/rules/utils.ts
index 49d40354e68afa..67b0c4462655c2 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/routes/rules/utils.ts
+++ b/x-pack/plugins/siem/server/lib/detection_engine/routes/rules/utils.ts
@@ -148,7 +148,7 @@ export const transformAlertToRule = (
last_failure_message: ruleStatus?.attributes.lastFailureMessage,
last_success_message: ruleStatus?.attributes.lastSuccessMessage,
// TODO: (LIST-FEATURE) Remove hasListsFeature() check once we have lists available for a release
- lists: hasListsFeature() ? alert.params.lists : null,
+ exceptions_list: hasListsFeature() ? alert.params.exceptions_list : null,
});
};
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/routes/rules/validate.test.ts b/x-pack/plugins/siem/server/lib/detection_engine/routes/rules/validate.test.ts
index 3de801a5b6b173..9069202d4d3aa5 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/routes/rules/validate.test.ts
+++ b/x-pack/plugins/siem/server/lib/detection_engine/routes/rules/validate.test.ts
@@ -71,7 +71,7 @@ export const ruleOutput: RulesSchema = {
},
},
],
- lists: [
+ exceptions_list: [
{
field: 'source.ip',
values_operator: 'included',
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/routes/schemas/add_prepackaged_rules_schema.test.ts b/x-pack/plugins/siem/server/lib/detection_engine/routes/schemas/add_prepackaged_rules_schema.test.ts
index 346da53736ad6c..226dea7c20344b 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/routes/schemas/add_prepackaged_rules_schema.test.ts
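Review bot: The new `exceptions_list: hasListsFeature() ? alert.params.exceptions_list : null` in transformAlertToRule reads a renamed key out of persisted alert params, and nothing in this commit migrates or falls back for rules that were stored under `params.lists`; any rule created while ELASTIC_XPACK_SIEM_LISTS_FEATURE was on would come back with its exceptions missing, which silently changes what that detection rule does. Because the field is still feature-flagged this may be an accepted pre-release break, but that should be stated in the commit, or covered by a read-side fallback such as `alert.params.exceptions_list ?? alert.params.lists` (if the params type still admits the old key) or a saved-object migration. transformAlertToRule begins outside the hunk.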
+++ b/x-pack/plugins/siem/server/lib/detection_engine/routes/schemas/add_prepackaged_rules_schema.test.ts
@@ -1542,8 +1542,8 @@ describe('add prepackaged rules schema', () => {
// on demand. Since they are per module, we have a an issue where the ENV variables do not take effect. It is better we change all the
// schema's to be function calls to avoid global side effects or just wait until the feature is available. If you want to test this early,
// you can remove the .skip and set your env variable of export ELASTIC_XPACK_SIEM_LISTS_FEATURE=true locally
- describe.skip('lists', () => {
- test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and lists] does validate', () => {
+ describe.skip('exceptions_list', () => {
+ test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and exceptions_list] does validate', () => {
expect(
addPrepackagedRulesSchema.validate>({
rule_id: 'rule-1',
@@ -1558,7 +1558,7 @@ describe('add prepackaged rules schema', () => {
risk_score: 50,
note: '# some markdown',
version: 1,
- lists: [
+ exceptions_list: [
{
field: 'source.ip',
values_operator: 'included',
@@ -1594,7 +1594,7 @@ describe('add prepackaged rules schema', () => {
).toBeFalsy();
});
- test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and empty lists] does validate', () => {
+ test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and empty exceptions_list] does validate', () => {
expect(
addPrepackagedRulesSchema.validate>({
rule_id: 'rule-1',
@@ -1608,15 +1608,15 @@ describe('add prepackaged rules schema', () => {
type: 'query',
risk_score: 50,
note: '# some markdown',
- lists: [],
+ exceptions_list: [],
version: 1,
}).error
).toBeFalsy();
});
- test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and invalid lists] does NOT validate', () => {
+ test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and invalid exceptions_list] does NOT validate', () => {
expect(
- addPrepackagedRulesSchema.validate>>({
+ addPrepackagedRulesSchema.validate>>({
rule_id: 'rule-1',
description: 'some description',
from: 'now-5m',
@@ -1628,17 +1628,17 @@ describe('add prepackaged rules schema', () => {
type: 'query',
risk_score: 50,
note: '# some markdown',
- lists: [{ invalid_value: 'invalid value' }],
+ exceptions_list: [{ invalid_value: 'invalid value' }],
version: 1,
}).error.message
).toEqual(
- 'child "lists" fails because ["lists" at position 0 fails because [child "field" fails because ["field" is required]]]'
+ 'child "exceptions_list" fails because ["exceptions_list" at position 0 fails because [child "field" fails because ["field" is required]]]'
);
});
- test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and non-existent lists] does validate with empty lists', () => {
+ test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and non-existent exceptions_list] does validate with empty exceptions_list', () => {
expect(
- addPrepackagedRulesSchema.validate>>({
+ addPrepackagedRulesSchema.validate>>({
rule_id: 'rule-1',
description: 'some description',
from: 'now-5m',
@@ -1651,7 +1651,7 @@ describe('add prepackaged rules schema', () => {
risk_score: 50,
note: '# some markdown',
version: 1,
- }).value.lists
+ }).value.exceptions_list
).toEqual([]);
});
});
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/routes/schemas/add_prepackaged_rules_schema.ts b/x-pack/plugins/siem/server/lib/detection_engine/routes/schemas/add_prepackaged_rules_schema.ts
index 006fc81e3ee87a..0e82a9b979c7b9 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/routes/schemas/add_prepackaged_rules_schema.ts
+++ b/x-pack/plugins/siem/server/lib/detection_engine/routes/schemas/add_prepackaged_rules_schema.ts
@@ -114,5 +114,5 @@ export const addPrepackagedRulesSchema = Joi.object({
version: version.required(),
// TODO: (LIST-FEATURE) Remove the hasListsFeatures once this is ready for release
- lists: hasListsFeature() ? lists.default([]) : lists.forbidden().default([]),
+ exceptions_list: hasListsFeature() ? lists.default([]) : lists.forbidden().default([]),
});
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/routes/schemas/create_rules_schema.test.ts b/x-pack/plugins/siem/server/lib/detection_engine/routes/schemas/create_rules_schema.test.ts
index 0d7b562b97b2cc..1e2941015b7355 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/routes/schemas/create_rules_schema.test.ts
+++ b/x-pack/plugins/siem/server/lib/detection_engine/routes/schemas/create_rules_schema.test.ts
@@ -1510,8 +1510,8 @@ describe('create rules schema', () => {
// on demand. Since they are per module, we have a an issue where the ENV variables do not take effect. It is better we change all the
// schema's to be function calls to avoid global side effects or just wait until the feature is available. If you want to test this early,
// you can remove the .skip and set your env variable of export ELASTIC_XPACK_SIEM_LISTS_FEATURE=true locally
- describe.skip('lists', () => {
- test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and lists] does validate', () => {
+ describe.skip('exceptions_list', () => {
+ test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and exceptions_list] does validate', () => {
expect(
createRulesSchema.validate>({
rule_id: 'rule-1',
@@ -1525,7 +1525,7 @@ describe('create rules schema', () => {
type: 'query',
risk_score: 50,
note: '# some markdown',
- lists: [
+ exceptions_list: [
{
field: 'source.ip',
values_operator: 'included',
@@ -1561,7 +1561,7 @@ describe('create rules schema', () => {
).toBeFalsy();
});
- test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and empty lists] does validate', () => {
+ test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and empty exceptions_list] does validate', () => {
expect(
createRulesSchema.validate>({
rule_id: 'rule-1',
@@ -1575,14 +1575,14 @@ describe('create rules schema', () => {
type: 'query',
risk_score: 50,
note: '# some markdown',
- lists: [],
+ exceptions_list: [],
}).error
).toBeFalsy();
});
- test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and invalid lists] does NOT validate', () => {
+ test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and invalid exceptions_list] does NOT validate', () => {
expect(
- createRulesSchema.validate>>({
+ createRulesSchema.validate>>({
rule_id: 'rule-1',
description: 'some description',
from: 'now-5m',
@@ -1594,16 +1594,16 @@ describe('create rules schema', () => {
type: 'query',
risk_score: 50,
note: '# some markdown',
- lists: [{ invalid_value: 'invalid value' }],
+ exceptions_list: [{ invalid_value: 'invalid value' }],
}).error.message
).toEqual(
- 'child "lists" fails because ["lists" at position 0 fails because [child "field" fails because ["field" is required]]]'
+ 'child "exceptions_list" fails because ["exceptions_list" at position 0 fails because [child "field" fails because ["field" is required]]]'
);
});
- test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and non-existent lists] does validate with empty lists', () => {
+ test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and non-existent exceptions_list] does validate with empty exceptions_list', () => {
expect(
- createRulesSchema.validate>>({
+ createRulesSchema.validate>>({
rule_id: 'rule-1',
description: 'some description',
from: 'now-5m',
@@ -1615,7 +1615,7 @@ describe('create rules schema', () => {
type: 'query',
risk_score: 50,
note: '# some markdown',
- }).value.lists
+ }).value.exceptions_list
).toEqual([]);
});
});
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/routes/schemas/create_rules_schema.ts b/x-pack/plugins/siem/server/lib/detection_engine/routes/schemas/create_rules_schema.ts
index 5213f3faaf4865..dec8b5ccbc790e 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/routes/schemas/create_rules_schema.ts
+++ b/x-pack/plugins/siem/server/lib/detection_engine/routes/schemas/create_rules_schema.ts
@@ -98,5 +98,5 @@ export const createRulesSchema = Joi.object({
version: version.default(1),
// TODO: (LIST-FEATURE) Remove the hasListsFeatures once this is ready for release
- lists: hasListsFeature() ? lists.default([]) : lists.forbidden().default([]),
+ exceptions_list: hasListsFeature() ? lists.default([]) : lists.forbidden().default([]),
});
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/routes/schemas/import_rules_schema.test.ts b/x-pack/plugins/siem/server/lib/detection_engine/routes/schemas/import_rules_schema.test.ts
index b8d601b7438954..d28530ffb789e3 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/routes/schemas/import_rules_schema.test.ts
+++ b/x-pack/plugins/siem/server/lib/detection_engine/routes/schemas/import_rules_schema.test.ts
@@ -1729,8 +1729,8 @@ describe('import rules schema', () => {
// on demand. Since they are per module, we have a an issue where the ENV variables do not take effect. It is better we change all the
// schema's to be function calls to avoid global side effects or just wait until the feature is available. If you want to test this early,
// you can remove the .skip and set your env variable of export ELASTIC_XPACK_SIEM_LISTS_FEATURE=true locally
- describe.skip('lists', () => {
- test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and lists] does validate', () => {
+ describe.skip('exceptions_list', () => {
+ test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and exceptions_list] does validate', () => {
expect(
importRulesSchema.validate>({
rule_id: 'rule-1',
@@ -1744,7 +1744,7 @@ describe('import rules schema', () => {
type: 'query',
risk_score: 50,
note: '# some markdown',
- lists: [
+ exceptions_list: [
{
field: 'source.ip',
values_operator: 'included',
@@ -1780,7 +1780,7 @@ describe('import rules schema', () => {
).toBeFalsy();
});
- test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and empty lists] does validate', () => {
+ test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and empty exceptions_list] does validate', () => {
expect(
importRulesSchema.validate>({
rule_id: 'rule-1',
@@ -1794,14 +1794,14 @@ describe('import rules schema', () => {
type: 'query',
risk_score: 50,
note: '# some markdown',
- lists: [],
+ exceptions_list: [],
}).error
).toBeFalsy();
});
- test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and invalid lists] does NOT validate and lists is empty', () => {
+ test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and invalid exceptions_list] does NOT validate and exceptions_list is empty', () => {
expect(
- importRulesSchema.validate>>({
+ importRulesSchema.validate>>({
rule_id: 'rule-1',
description: 'some description',
from: 'now-5m',
@@ -1813,16 +1813,16 @@ describe('import rules schema', () => {
type: 'query',
risk_score: 50,
note: '# some markdown',
- lists: [{ invalid_value: 'invalid value' }],
+ exceptions_list: [{ invalid_value: 'invalid value' }],
}).error.message
).toEqual(
- 'child "lists" fails because ["lists" at position 0 fails because [child "field" fails because ["field" is required]]]'
+ 'child "exceptions_list" fails because ["exceptions_list" at position 0 fails because [child "field" fails because ["field" is required]]]'
);
});
- test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and non-existent lists] does validate', () => {
+ test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and non-existent exceptions_list] does validate', () => {
expect(
- importRulesSchema.validate>>({
+ importRulesSchema.validate>>({
rule_id: 'rule-1',
description: 'some description',
from: 'now-5m',
@@ -1834,7 +1834,7 @@ describe('import rules schema', () => {
type: 'query',
risk_score: 50,
note: '# some markdown',
- }).value.lists
+ }).value.exceptions_list
).toEqual([]);
});
});
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/routes/schemas/import_rules_schema.ts b/x-pack/plugins/siem/server/lib/detection_engine/routes/schemas/import_rules_schema.ts
index 56aa45659fda7e..d3c728ebac1a9d 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/routes/schemas/import_rules_schema.ts
+++ b/x-pack/plugins/siem/server/lib/detection_engine/routes/schemas/import_rules_schema.ts
@@ -119,7 +119,7 @@ export const importRulesSchema = Joi.object({
updated_by,
// TODO: (LIST-FEATURE) Remove the hasListsFeatures once this is ready for release
- lists: hasListsFeature() ? lists.default([]) : lists.forbidden().default([]),
+ exceptions_list: hasListsFeature() ? lists.default([]) : lists.forbidden().default([]),
});
export const importRulesQuerySchema = Joi.object({
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/routes/schemas/patch_rules_schema.test.ts b/x-pack/plugins/siem/server/lib/detection_engine/routes/schemas/patch_rules_schema.test.ts
index 02655e3972d819..755c0b2ccaa3f9 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/routes/schemas/patch_rules_schema.test.ts
+++ b/x-pack/plugins/siem/server/lib/detection_engine/routes/schemas/patch_rules_schema.test.ts
@@ -1213,8 +1213,8 @@ describe('patch rules schema', () => {
// on demand. Since they are per module, we have a an issue where the ENV variables do not take effect. It is better we change all the
// schema's to be function calls to avoid global side effects or just wait until the feature is available. If you want to test this early,
// you can remove the .skip and set your env variable of export ELASTIC_XPACK_SIEM_LISTS_FEATURE=true locally
- describe.skip('lists', () => {
- test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and lists] does validate', () => {
+ describe.skip('exceptions_list', () => {
+ test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and exceptions_list] does validate', () => {
expect(
patchRulesSchema.validate>({
rule_id: 'rule-1',
@@ -1228,7 +1228,7 @@ describe('patch rules schema', () => {
type: 'query',
risk_score: 50,
note: '# some markdown',
- lists: [
+ exceptions_list: [
{
field: 'source.ip',
values_operator: 'included',
@@ -1264,11 +1264,11 @@ describe('patch rules schema', () => {
).toBeFalsy();
});
- test('lists can be patched', () => {
+ test('exceptions_list can be patched', () => {
expect(
patchRulesSchema.validate>({
rule_id: 'some id',
- lists: [
+ exceptions_list: [
{
field: 'source.ip',
values_operator: 'included',
@@ -1301,7 +1301,7 @@ describe('patch rules schema', () => {
).toBeFalsy();
});
- test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and empty lists] does validate', () => {
+ test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and empty exceptions_list] does validate', () => {
expect(
patchRulesSchema.validate>({
rule_id: 'rule-1',
@@ -1315,14 +1315,14 @@ describe('patch rules schema', () => {
type: 'query',
risk_score: 50,
note: '# some markdown',
- lists: [],
+ exceptions_list: [],
}).error
).toBeFalsy();
});
- test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and invalid lists] does NOT validate', () => {
+ test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and invalid exceptions_list] does NOT validate', () => {
expect(
- patchRulesSchema.validate>>({
+ patchRulesSchema.validate>>({
rule_id: 'rule-1',
description: 'some description',
from: 'now-5m',
@@ -1334,16 +1334,16 @@ describe('patch rules schema', () => {
type: 'query',
risk_score: 50,
note: '# some markdown',
- lists: [{ invalid_value: 'invalid value' }],
+ exceptions_list: [{ invalid_value: 'invalid value' }],
}).error.message
).toEqual(
- 'child "lists" fails because ["lists" at position 0 fails because [child "field" fails because ["field" is required]]]'
+ 'child "exceptions_list" fails because ["exceptions_list" at position 0 fails because [child "field" fails because ["field" is required]]]'
);
});
- test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and non-existent lists] does validate with empty lists', () => {
+ test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and non-existent exceptions_list] does validate with empty exceptions_list', () => {
expect(
- patchRulesSchema.validate>>({
+ patchRulesSchema.validate>>({
rule_id: 'rule-1',
description: 'some description',
from: 'now-5m',
@@ -1355,7 +1355,7 @@ describe('patch rules schema', () => {
type: 'query',
risk_score: 50,
note: '# some markdown',
- }).value.lists
+ }).value.exceptions_list
).toEqual([]);
});
});
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/routes/schemas/patch_rules_schema.ts b/x-pack/plugins/siem/server/lib/detection_engine/routes/schemas/patch_rules_schema.ts
index 52aefa29884c3d..503bc64df237c8 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/routes/schemas/patch_rules_schema.ts
+++ b/x-pack/plugins/siem/server/lib/detection_engine/routes/schemas/patch_rules_schema.ts
@@ -78,5 +78,5 @@ export const patchRulesSchema = Joi.object({
version,
// TODO: (LIST-FEATURE) Remove the hasListsFeatures once this is ready for release
- lists: hasListsFeature() ? lists.default([]) : lists.forbidden().default([]),
+ exceptions_list: hasListsFeature() ? lists.default([]) : lists.forbidden().default([]),
}).xor('id', 'rule_id');
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/routes/schemas/response/__mocks__/utils.ts b/x-pack/plugins/siem/server/lib/detection_engine/routes/schemas/response/__mocks__/utils.ts
index d5ea950d163f57..21f18f9db55fba 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/routes/schemas/response/__mocks__/utils.ts
+++ b/x-pack/plugins/siem/server/lib/detection_engine/routes/schemas/response/__mocks__/utils.ts
@@ -63,7 +63,7 @@ export const getBaseResponsePayload = (anchorDate: string = ANCHOR_DATE): RulesS
language: 'kuery',
rule_id: 'query-rule-id',
interval: '5m',
- lists: [
+ exceptions_list: [
{
field: 'source.ip',
values_operator: 'included',
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/routes/schemas/response/rules_schema.test.ts b/x-pack/plugins/siem/server/lib/detection_engine/routes/schemas/response/rules_schema.test.ts
index fb9ff2c28dc44e..4bfc51c1a66aab 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/routes/schemas/response/rules_schema.test.ts
+++ b/x-pack/plugins/siem/server/lib/detection_engine/routes/schemas/response/rules_schema.test.ts
@@ -207,7 +207,7 @@ describe('rules_schema', () => {
});
// TODO: (LIST-FEATURE) Remove this test once the feature flag is deployed
- test('it should remove lists when we need it to be removed because the feature is off but there exists a list in the data', () => {
+ test('it should remove exceptions_list when we need it to be removed because the feature is off but there exists a list in the data', () => {
const payload = getBaseResponsePayload();
const decoded = rulesSchema.decode(payload);
const listRemoved = removeList(decoded);
@@ -246,9 +246,9 @@ describe('rules_schema', () => {
});
});
- test('it should work with lists that are not there and not cause invalidation or errors', () => {
+ test('it should work with exceptions_list that are not there and not cause invalidation or errors', () => {
const payload = getBaseResponsePayload();
- const { lists, ...payloadWithoutLists } = payload;
+ const { exceptions_list, ...payloadWithoutLists } = payload;
const decoded = rulesSchema.decode(payloadWithoutLists);
const listRemoved = removeList(decoded);
const message = pipe(listRemoved, foldLeftRight);
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/routes/schemas/response/rules_schema.ts b/x-pack/plugins/siem/server/lib/detection_engine/routes/schemas/response/rules_schema.ts
index 1574e8f5aa6e1c..fb1ee8e670e312 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/routes/schemas/response/rules_schema.ts
+++ b/x-pack/plugins/siem/server/lib/detection_engine/routes/schemas/response/rules_schema.ts
@@ -87,7 +87,7 @@ export const requiredRulesSchema = t.type({
updated_at,
created_by,
version,
- lists: ListsDefaultArray,
+ exceptions_list: ListsDefaultArray,
});
export type RequiredRulesSchema = t.TypeOf;
@@ -172,7 +172,7 @@ export const removeList = (
): Either => {
const onLeft = (errors: t.Errors): Either => left(errors);
const onRight = (decodedValue: RequiredRulesSchema): Either => {
- delete decodedValue.lists;
+ delete decodedValue.exceptions_list;
return right(decodedValue);
};
const folded = fold(onLeft, onRight);
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/routes/schemas/update_rules_schema.test.ts b/x-pack/plugins/siem/server/lib/detection_engine/routes/schemas/update_rules_schema.test.ts
index 78fa7d6cc71add..b89df0fc0f3ab2 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/routes/schemas/update_rules_schema.test.ts
+++ b/x-pack/plugins/siem/server/lib/detection_engine/routes/schemas/update_rules_schema.test.ts
@@ -1536,8 +1536,8 @@ describe('create rules schema', () => {
// on demand. Since they are per module, we have a an issue where the ENV variables do not take effect. It is better we change all the
// schema's to be function calls to avoid global side effects or just wait until the feature is available. If you want to test this early,
// you can remove the .skip and set your env variable of export ELASTIC_XPACK_SIEM_LISTS_FEATURE=true locally
- describe.skip('lists', () => {
- test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and lists] does validate', () => {
+ describe.skip('exceptions_list', () => {
+ test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and exceptions_list] does validate', () => {
expect(
updateRulesSchema.validate>({
rule_id: 'rule-1',
@@ -1551,7 +1551,7 @@ describe('create rules schema', () => {
type: 'query',
risk_score: 50,
note: '# some markdown',
- lists: [
+ exceptions_list: [
{
field: 'source.ip',
values_operator: 'included',
@@ -1584,7 +1584,7 @@ describe('create rules schema', () => {
).toBeFalsy();
});
- test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and empty lists] does validate', () => {
+ test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and empty exceptions_list] does validate', () => {
expect(
updateRulesSchema.validate>({
rule_id: 'rule-1',
@@ -1598,14 +1598,14 @@ describe('create rules schema', () => {
type: 'query',
risk_score: 50,
note: '# some markdown',
- lists: [],
+ exceptions_list: [],
}).error
).toBeFalsy();
});
- test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and invalid lists] does NOT validate', () => {
+ test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and invalid exceptions_list] does NOT validate', () => {
expect(
- updateRulesSchema.validate>>({
+ updateRulesSchema.validate>>({
rule_id: 'rule-1',
description: 'some description',
from: 'now-5m',
@@ -1617,16 +1617,16 @@ describe('create rules schema', () => {
 type: 'query',
 risk_score: 50,
 note: '# some markdown',
- lists: [{ invalid_value: 'invalid value' }],
+ exceptions_list: [{ invalid_value: 'invalid value' }],
 }).error.message
 ).toEqual(
- 'child "lists" fails because ["lists" at position 0 fails because [child "field" fails because ["field" is required]]]'
+ 'child "exceptions_list" fails because ["exceptions_list" at position 0 fails because [child "field" fails because ["field" is required]]]'
 );
 });
- test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and non-existent lists] does validate with empty lists', () => {
+ test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and non-existent exceptions_list] does validate with empty exceptions_list', () => {
 expect(
- updateRulesSchema.validate>>({
+ updateRulesSchema.validate>>({
 rule_id: 'rule-1',
 description: 'some description',
 from: 'now-5m',
@@ -1638,7 +1638,7 @@ describe('create rules schema', () => {
 type: 'query',
 risk_score: 50,
 note: '# some markdown',
- }).value.lists
+ }).value.exceptions_list
 ).toEqual([]);
 });
 });
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/routes/schemas/update_rules_schema.ts b/x-pack/plugins/siem/server/lib/detection_engine/routes/schemas/update_rules_schema.ts
index f842c14f41ae6b..b1b37801b644f5 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/routes/schemas/update_rules_schema.ts
+++ b/x-pack/plugins/siem/server/lib/detection_engine/routes/schemas/update_rules_schema.ts
@@ -107,5 +107,5 @@ export const updateRulesSchema = Joi.object({
 version,
 // TODO: (LIST-FEATURE) Remove the hasListsFeatures once this is ready for release
- lists: hasListsFeature() ? lists.default([]) : lists.forbidden().default([]),
+ exceptions_list: hasListsFeature() ? lists.default([]) : lists.forbidden().default([]),
 }).xor('id', 'rule_id');
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/create_rules.ts b/x-pack/plugins/siem/server/lib/detection_engine/rules/create_rules.ts
index 76cfffdfe9f408..a007fe35b407ed 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/rules/create_rules.ts
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/create_rules.ts
@@ -42,11 +42,11 @@ export const createRules = async ({
 references,
 note,
 version,
- lists,
+ exceptions_list,
 actions,
 }: CreateRuleParams): Promise => {
- // TODO: Remove this and use regular lists once the feature is stable for a release
- const listsParam = hasListsFeature() ? { lists } : {};
+ // TODO: Remove this and use regular exceptions_list once the feature is stable for a release
+ const exceptionsListParam = hasListsFeature() ? { exceptions_list } : {};
 return alertsClient.create({
 data: {
 name,
@@ -79,7 +79,7 @@ export const createRules = async ({
 references,
 note,
 version,
- ...listsParam,
+ ...exceptionsListParam,
 },
 schedule: { interval },
 enabled,
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/create_rules_stream_from_ndjson.test.ts b/x-pack/plugins/siem/server/lib/detection_engine/rules/create_rules_stream_from_ndjson.test.ts
index 695057ccc2f70c..8044692ab90b15 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/rules/create_rules_stream_from_ndjson.test.ts
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/create_rules_stream_from_ndjson.test.ts
@@ -66,7 +66,7 @@ describe('create_rules_stream_from_ndjson', () => {
 immutable: false,
 query: '',
 language: 'kuery',
- lists: [],
+ exceptions_list: [],
 max_signals: 100,
 tags: [],
 threat: [],
@@ -92,7 +92,7 @@ describe('create_rules_stream_from_ndjson', () => {
 immutable: false,
 query: '',
 language: 'kuery',
- lists: [],
+ exceptions_list: [],
 max_signals: 100,
 tags: [],
 threat: [],
@@ -158,7 +158,7 @@ describe('create_rules_stream_from_ndjson', () => { language: 'kuery', max_signals: 100, tags: [], - lists: [], + exceptions_list: [], threat: [], throttle: null, references: [], @@ -183,7 +183,7 @@ describe('create_rules_stream_from_ndjson', () => { query: '', language: 'kuery', max_signals: 100, - lists: [], + exceptions_list: [], tags: [], threat: [], throttle: null, @@ -230,7 +230,7 @@ describe('create_rules_stream_from_ndjson', () => { query: '', language: 'kuery', max_signals: 100, - lists: [], + exceptions_list: [], tags: [], threat: [], throttle: null, @@ -256,7 +256,7 @@ describe('create_rules_stream_from_ndjson', () => { query: '', language: 'kuery', max_signals: 100, - lists: [], + exceptions_list: [], tags: [], threat: [], throttle: null, @@ -303,7 +303,7 @@ describe('create_rules_stream_from_ndjson', () => { query: '', language: 'kuery', max_signals: 100, - lists: [], + exceptions_list: [], tags: [], threat: [], throttle: null, @@ -330,7 +330,7 @@ describe('create_rules_stream_from_ndjson', () => { query: '', language: 'kuery', max_signals: 100, - lists: [], + exceptions_list: [], tags: [], threat: [], throttle: null, @@ -376,7 +376,7 @@ describe('create_rules_stream_from_ndjson', () => { query: '', language: 'kuery', max_signals: 100, - lists: [], + exceptions_list: [], tags: [], threat: [], throttle: null, @@ -405,7 +405,7 @@ describe('create_rules_stream_from_ndjson', () => { query: '', language: 'kuery', max_signals: 100, - lists: [], + exceptions_list: [], tags: [], threat: [], throttle: null, diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/get_export_all.test.ts b/x-pack/plugins/siem/server/lib/detection_engine/rules/get_export_all.test.ts index df902854962b13..6df250f1cf513f 100644 --- a/x-pack/plugins/siem/server/lib/detection_engine/rules/get_export_all.test.ts +++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/get_export_all.test.ts 
@@ -79,7 +79,7 @@ describe('getExportAll', () => { throttle: 'no_actions', note: '# Investigative notes', version: 1, - lists: [ + exceptions_list: [ { field: 'source.ip', values_operator: 'included', diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/get_export_by_object_ids.test.ts b/x-pack/plugins/siem/server/lib/detection_engine/rules/get_export_by_object_ids.test.ts index ce6819462aa276..092a9a8faf395b 100644 --- a/x-pack/plugins/siem/server/lib/detection_engine/rules/get_export_by_object_ids.test.ts +++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/get_export_by_object_ids.test.ts @@ -87,7 +87,7 @@ describe('get_export_by_object_ids', () => { throttle: 'no_actions', note: '# Investigative notes', version: 1, - lists: [ + exceptions_list: [ { field: 'source.ip', values_operator: 'included', @@ -215,7 +215,7 @@ describe('get_export_by_object_ids', () => { throttle: 'no_actions', note: '# Investigative notes', version: 1, - lists: [ + exceptions_list: [ { field: 'source.ip', values_operator: 'included', diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/install_prepacked_rules.ts b/x-pack/plugins/siem/server/lib/detection_engine/rules/install_prepacked_rules.ts index 46d5b5fdf452e5..3d3ed52b2feb2f 100644 --- a/x-pack/plugins/siem/server/lib/detection_engine/rules/install_prepacked_rules.ts +++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/install_prepacked_rules.ts @@ -46,7 +46,7 @@ export const installPrepackagedRules = ( references, note, version, - lists, + exceptions_list, } = rule; return [ ...acc, @@ -82,7 +82,7 @@ export const installPrepackagedRules = ( references, note, version, - lists, + exceptions_list, actions: [], // At this time there is no pre-packaged actions }), ]; diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/patch_rules.ts b/x-pack/plugins/siem/server/lib/detection_engine/rules/patch_rules.ts index 347b370c89e077..c23f539b581606 100644 
--- a/x-pack/plugins/siem/server/lib/detection_engine/rules/patch_rules.ts
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/patch_rules.ts
@@ -44,7 +44,7 @@ export const patchRules = async ({
 references,
 note,
 version,
- lists,
+ exceptions_list,
 anomalyThreshold,
 machineLearningJobId,
 }: PatchRuleParams): Promise => {
@@ -78,7 +78,7 @@ export const patchRules = async ({
 references,
 version,
 note,
- lists,
+ exceptions_list,
 anomalyThreshold,
 machineLearningJobId,
 });
@@ -110,7 +110,7 @@ export const patchRules = async ({
 references,
 note,
 version: calculatedVersion,
- lists,
+ exceptions_list,
 anomalyThreshold,
 machineLearningJobId,
 }
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/update_rules.ts b/x-pack/plugins/siem/server/lib/detection_engine/rules/update_rules.ts
index 183b81f3a3c77e..7ddbbd76b06618 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/rules/update_rules.ts
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/update_rules.ts
@@ -44,7 +44,7 @@ export const updateRules = async ({
 references,
 version,
 note,
- lists,
+ exceptions_list,
 anomalyThreshold,
 machineLearningJobId,
 actions,
@@ -83,8 +83,8 @@ export const updateRules = async ({
 machineLearningJobId,
 });
- // TODO: Remove this and use regular lists once the feature is stable for a release
- const listsParam = hasListsFeature() ? { lists } : {};
+ // TODO: Remove this and use regular exceptions_list once the feature is stable for a release
+ const exceptionsListParam = hasListsFeature() ? { exceptions_list } : {};
 const update = await alertsClient.update({
 id: rule.id,
@@ -120,7 +120,7 @@ export const updateRules = async ({
 version: calculatedVersion,
 anomalyThreshold,
 machineLearningJobId,
- ...listsParam,
+ ...exceptionsListParam,
 },
 },
 });
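Review bot: In patchRules the `@@ -110` hunk passes `exceptions_list` straight through, next to `version: calculatedVersion`, with no `hasListsFeature()` gate, whereas createRules (create_rules.ts) and updateRules in this same group both wrap the field as `const exceptionsListParam = hasListsFeature() ? { exceptions_list } : {};` and spread `...exceptionsListParam`. If that object is the persisted alert params and the patch route's schema does not mark the field `forbidden()` when the flag is off, patch is the one write path that can store exceptions while the feature is disabled; using `...exceptionsListParam,` in place of `exceptions_list,` there would make the three write paths consistent. patchRules begins and ends outside these hunks, so I cannot see from here what the `@@ -110` object is passed to.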
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/scripts/rules/patches/update_list.json b/x-pack/plugins/siem/server/lib/detection_engine/scripts/rules/patches/update_list.json index 4db8724db4e13d..8d831f3a961d8d 100644 --- a/x-pack/plugins/siem/server/lib/detection_engine/scripts/rules/patches/update_list.json +++ b/x-pack/plugins/siem/server/lib/detection_engine/scripts/rules/patches/update_list.json @@ -1,6 +1,6 @@ { "rule_id": "query-with-list", - "lists": [ + "exceptions_list": [ { "field": "source.ip", "values_operator": "excluded", diff --git a/x-pack/plugins/siem/server/lib/detection_engine/scripts/rules/queries/lists/query_with_and.json b/x-pack/plugins/siem/server/lib/detection_engine/scripts/rules/queries/lists/query_with_and.json index 33ae8df87e3c82..1575a712e2cbaa 100644 --- a/x-pack/plugins/siem/server/lib/detection_engine/scripts/rules/queries/lists/query_with_and.json +++ b/x-pack/plugins/siem/server/lib/detection_engine/scripts/rules/queries/lists/query_with_and.json @@ -8,7 +8,7 @@ "query": "host.name: *", "interval": "30s", "language": "kuery", - "lists": [ + "exceptions_list": [ { "field": "event.module", "values_operator": "excluded", diff --git a/x-pack/plugins/siem/server/lib/detection_engine/scripts/rules/queries/lists/query_with_excluded.json b/x-pack/plugins/siem/server/lib/detection_engine/scripts/rules/queries/lists/query_with_excluded.json index 8ce9440fce2193..4e6d9403a276f4 100644 --- a/x-pack/plugins/siem/server/lib/detection_engine/scripts/rules/queries/lists/query_with_excluded.json +++ b/x-pack/plugins/siem/server/lib/detection_engine/scripts/rules/queries/lists/query_with_excluded.json @@ -8,7 +8,7 @@ "query": "host.name: *", "interval": "30s", "language": "kuery", - "lists": [ + "exceptions_list": [ { "field": "event.module", "values_operator": "excluded", 
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/scripts/rules/queries/lists/query_with_exists.json b/x-pack/plugins/siem/server/lib/detection_engine/scripts/rules/queries/lists/query_with_exists.json index 4ec014422a61b2..97beace37633fd 100644 --- a/x-pack/plugins/siem/server/lib/detection_engine/scripts/rules/queries/lists/query_with_exists.json +++ b/x-pack/plugins/siem/server/lib/detection_engine/scripts/rules/queries/lists/query_with_exists.json @@ -8,7 +8,7 @@ "query": "host.name: *", "interval": "30s", "language": "kuery", - "lists": [ + "exceptions_list": [ { "field": "event.action", "values_operator": "included", diff --git a/x-pack/plugins/siem/server/lib/detection_engine/scripts/rules/queries/lists/query_with_list.json b/x-pack/plugins/siem/server/lib/detection_engine/scripts/rules/queries/lists/query_with_list.json index ce4bf80b0a7222..ad0585b5a2ec50 100644 --- a/x-pack/plugins/siem/server/lib/detection_engine/scripts/rules/queries/lists/query_with_list.json +++ b/x-pack/plugins/siem/server/lib/detection_engine/scripts/rules/queries/lists/query_with_list.json @@ -8,7 +8,7 @@ "query": "host.name: *", "interval": "30s", "language": "kuery", - "lists": [ + "exceptions_list": [ { "field": "event.module", "values_operator": "excluded", diff --git a/x-pack/plugins/siem/server/lib/detection_engine/scripts/rules/queries/lists/query_with_match.json b/x-pack/plugins/siem/server/lib/detection_engine/scripts/rules/queries/lists/query_with_match.json index e1abac19b51e5a..6e6880cc28f24a 100644 --- a/x-pack/plugins/siem/server/lib/detection_engine/scripts/rules/queries/lists/query_with_match.json +++ b/x-pack/plugins/siem/server/lib/detection_engine/scripts/rules/queries/lists/query_with_match.json @@ -8,7 +8,7 @@ "query": "host.name: *", "interval": "30s", "language": "kuery", - "lists": [ + "exceptions_list": [ { "field": "event.module", "values_operator": "included", 
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/scripts/rules/queries/lists/query_with_match_all.json b/x-pack/plugins/siem/server/lib/detection_engine/scripts/rules/queries/lists/query_with_match_all.json index 1afbb1fee4785d..44cc26ac3315e4 100644 --- a/x-pack/plugins/siem/server/lib/detection_engine/scripts/rules/queries/lists/query_with_match_all.json +++ b/x-pack/plugins/siem/server/lib/detection_engine/scripts/rules/queries/lists/query_with_match_all.json @@ -8,7 +8,7 @@ "query": "host.name: *", "interval": "30s", "language": "kuery", - "lists": [ + "exceptions_list": [ { "field": "event.module", "values_operator": "included", diff --git a/x-pack/plugins/siem/server/lib/detection_engine/scripts/rules/queries/lists/query_with_or.json b/x-pack/plugins/siem/server/lib/detection_engine/scripts/rules/queries/lists/query_with_or.json index 08e38e9ffa53d3..9c4eda559d5bc0 100644 --- a/x-pack/plugins/siem/server/lib/detection_engine/scripts/rules/queries/lists/query_with_or.json +++ b/x-pack/plugins/siem/server/lib/detection_engine/scripts/rules/queries/lists/query_with_or.json @@ -7,7 +7,7 @@ "type": "query", "query": "host.name: *", "interval": "30s", - "lists": [ + "exceptions_list": [ { "field": "event.module", "values_operator": "excluded", diff --git a/x-pack/plugins/siem/server/lib/detection_engine/scripts/rules/updates/update_list.json b/x-pack/plugins/siem/server/lib/detection_engine/scripts/rules/updates/update_list.json index 66b198974f5743..df22dff5c046e9 100644 --- a/x-pack/plugins/siem/server/lib/detection_engine/scripts/rules/updates/update_list.json +++ b/x-pack/plugins/siem/server/lib/detection_engine/scripts/rules/updates/update_list.json @@ -6,7 +6,7 @@ "severity": "high", "type": "query", "query": "user.name: root or user.name: admin", - "lists": [ + "exceptions_list": [ { "field": "source.ip", "values_operator": "excluded", 
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/signals/__mocks__/es_results.ts b/x-pack/plugins/siem/server/lib/detection_engine/signals/__mocks__/es_results.ts index d361e424f01e3f..8a5da8e8597216 100644 --- a/x-pack/plugins/siem/server/lib/detection_engine/signals/__mocks__/es_results.ts +++ b/x-pack/plugins/siem/server/lib/detection_engine/signals/__mocks__/es_results.ts @@ -44,7 +44,7 @@ export const sampleRuleAlertParams = ( meta: undefined, threat: undefined, version: 1, - lists: [ + exceptions_list: [ { field: 'source.ip', values_operator: 'included', diff --git a/x-pack/plugins/siem/server/lib/detection_engine/signals/build_bulk_body.test.ts b/x-pack/plugins/siem/server/lib/detection_engine/signals/build_bulk_body.test.ts index f1729e35ce1f07..bbd01cfaafc624 100644 --- a/x-pack/plugins/siem/server/lib/detection_engine/signals/build_bulk_body.test.ts +++ b/x-pack/plugins/siem/server/lib/detection_engine/signals/build_bulk_body.test.ts @@ -90,7 +90,7 @@ describe('buildBulkBody', () => { version: 1, created_at: fakeSignalSourceHit.signal.rule?.created_at, updated_at: fakeSignalSourceHit.signal.rule?.updated_at, - lists: [ + exceptions_list: [ { field: 'source.ip', values_operator: 'included', @@ -216,7 +216,7 @@ describe('buildBulkBody', () => { created_at: fakeSignalSourceHit.signal.rule?.created_at, updated_at: fakeSignalSourceHit.signal.rule?.updated_at, throttle: 'no_actions', - lists: [ + exceptions_list: [ { field: 'source.ip', values_operator: 'included', @@ -340,7 +340,7 @@ describe('buildBulkBody', () => { created_at: fakeSignalSourceHit.signal.rule?.created_at, updated_at: fakeSignalSourceHit.signal.rule?.updated_at, throttle: 'no_actions', - lists: [ + exceptions_list: [ { field: 'source.ip', values_operator: 'included', 
@@ -457,7 +457,7 @@ describe('buildBulkBody', () => {
 updated_at: fakeSignalSourceHit.signal.rule?.updated_at,
 created_at: fakeSignalSourceHit.signal.rule?.created_at,
 throttle: 'no_actions',
- lists: [
+ exceptions_list: [
 {
 field: 'source.ip',
 values_operator: 'included',
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/signals/build_exceptions_query.ts b/x-pack/plugins/siem/server/lib/detection_engine/signals/build_exceptions_query.ts
index 22a57db87afb03..7a1564bb695467 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/signals/build_exceptions_query.ts
+++ b/x-pack/plugins/siem/server/lib/detection_engine/signals/build_exceptions_query.ts
@@ -185,7 +185,7 @@ export const buildQueryExceptions = ({
 }: {
 query: string;
 language: Language;
- lists: RuleAlertParams['lists'];
+ lists: RuleAlertParams['exceptions_list'];
 }): Query[] => {
 if (lists && lists !== null) {
 const exceptions = buildExceptions({ lists, language, query });
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/signals/build_rule.test.ts b/x-pack/plugins/siem/server/lib/detection_engine/signals/build_rule.test.ts
index e5183ed4df7bd9..b3586c884d0c7f 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/signals/build_rule.test.ts
+++ b/x-pack/plugins/siem/server/lib/detection_engine/signals/build_rule.test.ts
@@ -79,7 +79,7 @@ describe('buildRule', () => {
 query: 'host.name: Braden',
 },
 ],
- lists: [
+ exceptions_list: [
 {
 field: 'source.ip',
 values_operator: 'included',
@@ -162,7 +162,7 @@ describe('buildRule', () => {
 updated_at: rule.updated_at,
 created_at: rule.created_at,
 throttle: 'no_actions',
- lists: [
+ exceptions_list: [
 {
 field: 'source.ip',
 values_operator: 'included',
@@ -244,7 +244,7 @@ describe('buildRule', () => {
 updated_at: rule.updated_at,
 created_at: rule.created_at,
 throttle: 'no_actions',
- lists: [
+ exceptions_list: [
 {
 field: 'source.ip',
 values_operator: 'included',
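Review bot: buildQueryExceptions keeps its parameter named `lists` while its type is now `RuleAlertParams['exceptions_list']`, and get_filter.ts (`getQueryFilter` and `GetFilterArgs`) does the same, which is why the call in signal_rule_alert_type.ts has to bridge the two names with `lists: exceptions_list`. Renaming the parameter (for example to `exceptionsList`) in those three places would remove the mapping; failing that, a comment on the type line, `// the rule's exceptions_list; still called lists on the query-builder side`, would explain the mismatch to the next reader. On the following line, `if (lists && lists !== null)` carries a redundant `!== null` because truthiness already excludes null; `if (lists) {` says the same thing. buildQueryExceptions begins and ends outside the hunk.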
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/signals/build_rule.ts b/x-pack/plugins/siem/server/lib/detection_engine/signals/build_rule.ts
index 9c375d7d45d5e7..93d4e5e7719b22 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/signals/build_rule.ts
+++ b/x-pack/plugins/siem/server/lib/detection_engine/signals/build_rule.ts
@@ -72,7 +72,7 @@ export const buildRule = ({
 version: ruleParams.version,
 created_at: createdAt,
 updated_at: updatedAt,
- lists: ruleParams.lists,
+ exceptions_list: ruleParams.exceptions_list,
 machine_learning_job_id: ruleParams.machineLearningJobId,
 anomaly_threshold: ruleParams.anomalyThreshold,
 });
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/signals/get_filter.ts b/x-pack/plugins/siem/server/lib/detection_engine/signals/get_filter.ts
index c685ce4567afa3..d8fdab55bddebc 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/signals/get_filter.ts
+++ b/x-pack/plugins/siem/server/lib/detection_engine/signals/get_filter.ts
@@ -22,7 +22,7 @@ export const getQueryFilter = (
 language: Language,
 filters: PartialFilter[],
 index: string[],
- lists: RuleAlertParams['lists']
+ lists: RuleAlertParams['exceptions_list']
 ) => {
 const indexPattern = {
 fields: [],
@@ -53,7 +53,7 @@ interface GetFilterArgs {
 savedId: string | undefined | null;
 services: AlertServices;
 index: string[] | undefined | null;
- lists: RuleAlertParams['lists'];
+ lists: RuleAlertParams['exceptions_list'];
 }
 interface QueryAttributes {
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/signals/signal_params_schema.ts b/x-pack/plugins/siem/server/lib/detection_engine/signals/signal_params_schema.ts
index 58dd53b6447c51..81a6ce9b08f02d 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/signals/signal_params_schema.ts
+++ b/x-pack/plugins/siem/server/lib/detection_engine/signals/signal_params_schema.ts
@@ -39,5 +39,5 @@ export const signalParamsSchema = () =>
 type: schema.string(),
 references: schema.arrayOf(schema.string(), { defaultValue: [] }),
 version: schema.number({ defaultValue: 1 }),
- lists: schema.maybe(schema.arrayOf(schema.object({}, { unknowns: 'allow' }))),
+ exceptions_list: schema.maybe(schema.arrayOf(schema.object({}, { unknowns: 'allow' }))),
 });
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/signals/signal_rule_alert_type.ts b/x-pack/plugins/siem/server/lib/detection_engine/signals/signal_rule_alert_type.ts
index efb1338fd480ee..137603741dc8f2 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/signals/signal_rule_alert_type.ts
+++ b/x-pack/plugins/siem/server/lib/detection_engine/signals/signal_rule_alert_type.ts
@@ -66,7 +66,7 @@ export const signalRulesAlertType = ({
 query,
 to,
 type,
- lists,
+ exceptions_list,
 } = params;
 const searchAfterSize = Math.min(maxSignals, DEFAULT_SEARCH_AFTER_PAGE_SIZE);
 let hasError: boolean = false;
@@ -201,7 +201,7 @@ export const signalRulesAlertType = ({
 savedId,
 services,
 index: inputIndex,
- lists,
+ lists: exceptions_list,
 });
 const noReIndex = buildEventsSearchQuery({
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/types.ts b/x-pack/plugins/siem/server/lib/detection_engine/types.ts
index 357a2ab39e3fb4..f2026804da51ab 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/types.ts
+++ b/x-pack/plugins/siem/server/lib/detection_engine/types.ts
@@ -68,7 +68,7 @@ export interface RuleAlertParams {
 type: RuleType;
 version: number;
 throttle: string | undefined | null;
- lists: ListsDefaultArraySchema | null | undefined;
+ exceptions_list: ListsDefaultArraySchema | null | undefined;
 }
 export type RuleTypeParams = Omit<
diff --git a/x-pack/test/detection_engine_api_integration/security_and_spaces/tests/utils.ts b/x-pack/test/detection_engine_api_integration/security_and_spaces/tests/utils.ts
index cebe24dc5ccc28..e508cf1aaa2e03 100644
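Review bot: signalParamsSchema now validates the stored alert params under `exceptions_list`, but nothing in this diff migrates alerts already saved with `params.lists`; on such a rule the old key becomes an unknown property and the exceptions it carried are no longer read, which either fails validation at execution time or runs the rule without its exceptions, depending on how strict the enclosing `schema.object` is (its options are outside the hunk). The test comment in update_rules_schema.test.ts suggests the field has only ever been written behind the lists feature flag, which would make this acceptable, but that reasoning belongs next to the field: `// renamed from lists; no saved-object migration because the field only existed behind the lists feature flag`. If any environment did run with the flag enabled, a migration of `params.lists` to `params.exceptions_list` is the safer option. The `unknowns: 'allow'` on each entry, which leaves individual exception entries unchecked at this layer, predates this change.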
--- a/x-pack/test/detection_engine_api_integration/security_and_spaces/tests/utils.ts
+++ b/x-pack/test/detection_engine_api_integration/security_and_spaces/tests/utils.ts
@@ -154,7 +154,7 @@ export const getSimpleRuleOutput = (ruleId = 'rule-1'): Partial