[SIEM][Detections Engine] - Update rule.lists to be rule.exceptions_list

x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/__mocks__/request_responses.ts

@@ -448,7 +448,7 @@ export const getResult = (): RuleAlertType => ({
     references: ['http://www.example.com', 'https://ww.example.com'],
     note: '# Investigative notes',
     version: 1,
-    lists: [
+    exceptions_list: [
       {
         field: 'source.ip',
         values_operator: 'included',

x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/__mocks__/utils.ts

@@ -138,7 +138,7 @@ export const getOutputRuleAlertForRest = (): Omit<
       ],
     },
   ],
-  lists: [
+  exceptions_list: [
     {
       field: 'source.ip',
       values_operator: 'included',

x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/create_rules_bulk_route.ts

@@ -86,7 +86,7 @@ export const createRulesBulkRoute = (router: IRouter) => {
               timeline_id: timelineId,
               timeline_title: timelineTitle,
               version,
-              lists,
+              exceptions_list,
             } = payloadRule;
             const ruleIdOrUuid = ruleId ?? uuid.v4();
             try {
@@ -143,7 +143,7 @@ export const createRulesBulkRoute = (router: IRouter) => {
                 references,
                 note,
                 version,
-                lists,
+                exceptions_list,
                 actions: throttle === 'rule' ? actions : [], // Only enable actions if throttle is set to rule, otherwise we are a notification and should not enable it,
               });
 

x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/create_rules_route.ts

@@ -66,7 +66,7 @@ export const createRulesRoute = (router: IRouter): void => {
         type,
         references,
         note,
-        lists,
+        exceptions_list,
       } = request.body;
       const siemResponse = buildSiemResponse(response);
 
@@ -131,7 +131,7 @@ export const createRulesRoute = (router: IRouter): void => {
           references,
           note,
           version: 1,
-          lists,
+          exceptions_list,
           actions: throttle === 'rule' ? actions : [], // Only enable actions if throttle is rule, otherwise we are a notification and should not enable it,
         });
 

x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/import_rules_route.ts

@@ -138,7 +138,7 @@ export const importRulesRoute = (router: IRouter, config: LegacyServices['config
                     timeline_id: timelineId,
                     timeline_title: timelineTitle,
                     version,
-                    lists,
+                    exceptions_list,
                   } = parsedRule;
 
                   try {
@@ -195,7 +195,7 @@ export const importRulesRoute = (router: IRouter, config: LegacyServices['config
                         references,
                         note,
                         version,
-                        lists,
+                        exceptions_list,
                         actions: [], // Actions are not imported nor exported at this time
                       });
                       resolve({ rule_id: ruleId, status_code: 200 });
@@ -232,7 +232,7 @@ export const importRulesRoute = (router: IRouter, config: LegacyServices['config
                         references,
                         note,
                         version,
-                        lists,
+                        exceptions_list,
                         anomalyThreshold,
                         machineLearningJobId,
                       });

x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/update_rules_bulk_route.ts

@@ -81,7 +81,7 @@ export const updateRulesBulkRoute = (router: IRouter) => {
             references,
             note,
             version,
-            lists,
+            exceptions_list,
           } = payloadRule;
           const finalIndex = outputIndex ?? siemClient.signalsIndex;
           const idOrRuleIdOrUnknown = id ?? ruleId ?? '(unknown id)';
@@ -121,7 +121,7 @@ export const updateRulesBulkRoute = (router: IRouter) => {
               references,
               note,
               version,
-              lists,
+              exceptions_list,
               actions,
             });
             if (rule != null) {

x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/update_rules_route.ts

@@ -67,7 +67,7 @@ export const updateRulesRoute = (router: IRouter) => {
         references,
         note,
         version,
-        lists,
+        exceptions_list,
       } = request.body;
       const siemResponse = buildSiemResponse(response);
 
@@ -117,7 +117,7 @@ export const updateRulesRoute = (router: IRouter) => {
           references,
           note,
           version,
-          lists,
+          exceptions_list,
           actions: throttle === 'rule' ? actions : [], // Only enable actions if throttle is rule, otherwise we are a notification and should not enable it
         });
 

x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/utils.ts

@@ -148,7 +148,7 @@ export const transformAlertToRule = (
     last_failure_message: ruleStatus?.attributes.lastFailureMessage,
     last_success_message: ruleStatus?.attributes.lastSuccessMessage,
     // TODO: (LIST-FEATURE) Remove hasListsFeature() check once we have lists available for a release
-    lists: hasListsFeature() ? alert.params.lists : null,
+    exceptions_list: hasListsFeature() ? alert.params.exceptions_list : null,
   });
 };
 

x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/validate.test.ts

@@ -71,7 +71,7 @@ export const ruleOutput: RulesSchema = {
       },
     },
   ],
-  lists: [
+  exceptions_list: [
     {
       field: 'source.ip',
       values_operator: 'included',

x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/add_prepackaged_rules_schema.test.ts

@@ -1542,8 +1542,8 @@ describe('add prepackaged rules schema', () => {
   // on demand. Since they are per module, we have a an issue where the ENV variables do not take effect. It is better we change all the
   // schema's to be function calls to avoid global side effects or just wait until the feature is available. If you want to test this early,
   // you can remove the .skip and set your env variable of export ELASTIC_XPACK_SIEM_LISTS_FEATURE=true locally
-  describe.skip('lists', () => {
-    test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and lists] does validate', () => {
+  describe.skip('exceptions_list', () => {
+    test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and exceptions_list] does validate', () => {
       expect(
         addPrepackagedRulesSchema.validate<Partial<PrepackagedRules>>({
           rule_id: 'rule-1',
@@ -1558,7 +1558,7 @@ describe('add prepackaged rules schema', () => {
           risk_score: 50,
           note: '# some markdown',
           version: 1,
-          lists: [
+          exceptions_list: [
             {
               field: 'source.ip',
               values_operator: 'included',
@@ -1594,7 +1594,7 @@ describe('add prepackaged rules schema', () => {
       ).toBeFalsy();
     });
 
-    test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and empty lists] does validate', () => {
+    test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and empty exceptions_list] does validate', () => {
       expect(
         addPrepackagedRulesSchema.validate<Partial<PrepackagedRules>>({
           rule_id: 'rule-1',
@@ -1608,15 +1608,15 @@ describe('add prepackaged rules schema', () => {
           type: 'query',
           risk_score: 50,
           note: '# some markdown',
-          lists: [],
+          exceptions_list: [],
           version: 1,
         }).error
       ).toBeFalsy();
     });
 
-    test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and invalid lists] does NOT validate', () => {
+    test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and invalid exceptions_list] does NOT validate', () => {
       expect(
-        addPrepackagedRulesSchema.validate<Partial<Omit<PrepackagedRules, 'lists'>>>({
+        addPrepackagedRulesSchema.validate<Partial<Omit<PrepackagedRules, 'exceptions_list'>>>({
           rule_id: 'rule-1',
           description: 'some description',
           from: 'now-5m',
@@ -1628,17 +1628,17 @@ describe('add prepackaged rules schema', () => {
           type: 'query',
           risk_score: 50,
           note: '# some markdown',
-          lists: [{ invalid_value: 'invalid value' }],
+          exceptions_list: [{ invalid_value: 'invalid value' }],
           version: 1,
         }).error.message
       ).toEqual(
-        'child "lists" fails because ["lists" at position 0 fails because [child "field" fails because ["field" is required]]]'
+        'child "exceptions_list" fails because ["exceptions_list" at position 0 fails because [child "field" fails because ["field" is required]]]'
       );
     });
 
-    test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and non-existent lists] does validate with empty lists', () => {
+    test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and non-existent exceptions_list] does validate with empty exceptions_list', () => {
       expect(
-        addPrepackagedRulesSchema.validate<Partial<Omit<PrepackagedRules, 'lists'>>>({
+        addPrepackagedRulesSchema.validate<Partial<Omit<PrepackagedRules, 'exceptions_list'>>>({
           rule_id: 'rule-1',
           description: 'some description',
           from: 'now-5m',
@@ -1651,7 +1651,7 @@ describe('add prepackaged rules schema', () => {
           risk_score: 50,
           note: '# some markdown',
           version: 1,
-        }).value.lists
+        }).value.exceptions_list
       ).toEqual([]);
     });
   });

x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/add_prepackaged_rules_schema.ts

@@ -114,5 +114,5 @@ export const addPrepackagedRulesSchema = Joi.object({
   version: version.required(),
 
   // TODO: (LIST-FEATURE) Remove the hasListsFeatures once this is ready for release
-  lists: hasListsFeature() ? lists.default([]) : lists.forbidden().default([]),
+  exceptions_list: hasListsFeature() ? lists.default([]) : lists.forbidden().default([]),
 });

x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/create_rules_schema.test.ts

@@ -1508,8 +1508,8 @@ describe('create rules schema', () => {
     // on demand. Since they are per module, we have a an issue where the ENV variables do not take effect. It is better we change all the
     // schema's to be function calls to avoid global side effects or just wait until the feature is available. If you want to test this early,
     // you can remove the .skip and set your env variable of export ELASTIC_XPACK_SIEM_LISTS_FEATURE=true locally
-    describe.skip('lists', () => {
-      test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and lists] does validate', () => {
+    describe.skip('exceptions_list', () => {
+      test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and exceptions_list] does validate', () => {
         expect(
           createRulesSchema.validate<Partial<RuleAlertParamsRest>>({
             rule_id: 'rule-1',
@@ -1523,7 +1523,7 @@ describe('create rules schema', () => {
             type: 'query',
             risk_score: 50,
             note: '# some markdown',
-            lists: [
+            exceptions_list: [
               {
                 field: 'source.ip',
                 values_operator: 'included',
@@ -1559,7 +1559,7 @@ describe('create rules schema', () => {
         ).toBeFalsy();
       });
 
-      test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and empty lists] does validate', () => {
+      test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and empty exceptions_list] does validate', () => {
         expect(
           createRulesSchema.validate<Partial<RuleAlertParamsRest>>({
             rule_id: 'rule-1',
@@ -1573,14 +1573,14 @@ describe('create rules schema', () => {
             type: 'query',
             risk_score: 50,
             note: '# some markdown',
-            lists: [],
+            exceptions_list: [],
           }).error
         ).toBeFalsy();
       });
 
-      test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and invalid lists] does NOT validate', () => {
+      test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and invalid exceptions_list] does NOT validate', () => {
         expect(
-          createRulesSchema.validate<Partial<Omit<RuleAlertParamsRest, 'lists'>>>({
+          createRulesSchema.validate<Partial<Omit<RuleAlertParamsRest, 'exceptions_list'>>>({
             rule_id: 'rule-1',
             description: 'some description',
             from: 'now-5m',
@@ -1592,16 +1592,16 @@ describe('create rules schema', () => {
             type: 'query',
             risk_score: 50,
             note: '# some markdown',
-            lists: [{ invalid_value: 'invalid value' }],
+            exceptions_list: [{ invalid_value: 'invalid value' }],
           }).error.message
         ).toEqual(
-          'child "lists" fails because ["lists" at position 0 fails because [child "field" fails because ["field" is required]]]'
+          'child "exceptions_list" fails because ["exceptions_list" at position 0 fails because [child "field" fails because ["field" is required]]]'
         );
       });
 
-      test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and non-existent lists] does validate with empty lists', () => {
+      test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and non-existent exceptions_list] does validate with empty exceptions_list', () => {
         expect(
-          createRulesSchema.validate<Partial<Omit<RuleAlertParamsRest, 'lists'>>>({
+          createRulesSchema.validate<Partial<Omit<RuleAlertParamsRest, 'exceptions_list'>>>({
             rule_id: 'rule-1',
             description: 'some description',
             from: 'now-5m',
@@ -1613,7 +1613,7 @@ describe('create rules schema', () => {
             type: 'query',
             risk_score: 50,
             note: '# some markdown',
-          }).value.lists
+          }).value.exceptions_list
         ).toEqual([]);
       });
     });

x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/create_rules_schema.ts

@@ -98,5 +98,5 @@ export const createRulesSchema = Joi.object({
   version: version.default(1),
 
   // TODO: (LIST-FEATURE) Remove the hasListsFeatures once this is ready for release
-  lists: hasListsFeature() ? lists.default([]) : lists.forbidden().default([]),
+  exceptions_list: hasListsFeature() ? lists.default([]) : lists.forbidden().default([]),
 });

x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/import_rules_schema.test.ts

@@ -1729,8 +1729,8 @@ describe('import rules schema', () => {
   // on demand. Since they are per module, we have a an issue where the ENV variables do not take effect. It is better we change all the
   // schema's to be function calls to avoid global side effects or just wait until the feature is available. If you want to test this early,
   // you can remove the .skip and set your env variable of export ELASTIC_XPACK_SIEM_LISTS_FEATURE=true locally
-  describe.skip('lists', () => {
-    test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and lists] does validate', () => {
+  describe.skip('exceptions_list', () => {
+    test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and exceptions_list] does validate', () => {
       expect(
         importRulesSchema.validate<Partial<ImportRuleAlertRest>>({
           rule_id: 'rule-1',
@@ -1744,7 +1744,7 @@ describe('import rules schema', () => {
           type: 'query',
           risk_score: 50,
           note: '# some markdown',
-          lists: [
+          exceptions_list: [
             {
               field: 'source.ip',
               values_operator: 'included',
@@ -1780,7 +1780,7 @@ describe('import rules schema', () => {
       ).toBeFalsy();
     });
 
-    test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and empty lists] does validate', () => {
+    test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and empty exceptions_list] does validate', () => {
       expect(
         importRulesSchema.validate<Partial<ImportRuleAlertRest>>({
           rule_id: 'rule-1',
@@ -1794,14 +1794,14 @@ describe('import rules schema', () => {
           type: 'query',
           risk_score: 50,
           note: '# some markdown',
-          lists: [],
+          exceptions_list: [],
         }).error
       ).toBeFalsy();
     });
 
-    test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and invalid lists] does NOT validate and lists is empty', () => {
+    test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and invalid exceptions_list] does NOT validate and exceptions_list is empty', () => {
       expect(
-        importRulesSchema.validate<Partial<Omit<ImportRuleAlertRest, 'lists'>>>({
+        importRulesSchema.validate<Partial<Omit<ImportRuleAlertRest, 'exceptions_list'>>>({
           rule_id: 'rule-1',
           description: 'some description',
           from: 'now-5m',
@@ -1813,16 +1813,16 @@ describe('import rules schema', () => {
           type: 'query',
           risk_score: 50,
           note: '# some markdown',
-          lists: [{ invalid_value: 'invalid value' }],
+          exceptions_list: [{ invalid_value: 'invalid value' }],
         }).error.message
       ).toEqual(
-        'child "lists" fails because ["lists" at position 0 fails because [child "field" fails because ["field" is required]]]'
+        'child "exceptions_list" fails because ["exceptions_list" at position 0 fails because [child "field" fails because ["field" is required]]]'
       );
     });
 
-    test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and non-existent lists] does validate', () => {
+    test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and non-existent exceptions_list] does validate', () => {
       expect(
-        importRulesSchema.validate<Partial<Omit<ImportRuleAlertRest, 'lists'>>>({
+        importRulesSchema.validate<Partial<Omit<ImportRuleAlertRest, 'exceptions_list'>>>({
           rule_id: 'rule-1',
           description: 'some description',
           from: 'now-5m',
@@ -1834,7 +1834,7 @@ describe('import rules schema', () => {
           type: 'query',
           risk_score: 50,
           note: '# some markdown',
-        }).value.lists
+        }).value.exceptions_list
       ).toEqual([]);
     });
   });

x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/import_rules_schema.ts

@@ -119,7 +119,7 @@ export const importRulesSchema = Joi.object({
   updated_by,
 
   // TODO: (LIST-FEATURE) Remove the hasListsFeatures once this is ready for release
-  lists: hasListsFeature() ? lists.default([]) : lists.forbidden().default([]),
+  exceptions_list: hasListsFeature() ? lists.default([]) : lists.forbidden().default([]),
 });
 
 export const importRulesQuerySchema = Joi.object({