[EDR Workflows] Fix invalid event filter for cloud workloads (#208974)

## Summary Fixes the bug of the invalid event filter created automatically when creating a cloud workloads endpoint integration. The issue was a type issue: `undefined` or an object is expected, instead an array was passed. To make sure this does not happen again, the type for the `meta` field was updated from the deprecated `t.object` to `t.UnknownRecord`, which is able to catch similar issues as a type error: ca0c01b63b ### Checklist Check the PR satisfies following conditions. Reviewers should verify this PR satisfies this list as well. - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios --------- Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
2025-04-24 01:38:56 -04:00 · 2025-02-03 14:15:17 +01:00 · 2025-02-03 14:15:17 +01:00 · 158a077731
commit 158a077731
parent e890494ea7
3 changed files with 15 additions and 15 deletions
--- a/x-pack/solutions/security/packages/kbn-securitysolution-io-ts-list-types/src/common/meta/index.ts
+++ b/x-pack/solutions/security/packages/kbn-securitysolution-io-ts-list-types/src/common/meta/index.ts
@ -7,7 +7,7 @@

 import * as t from 'io-ts';

-export const meta = t.object;
+export const meta = t.UnknownRecord;
 export type Meta = t.TypeOf<typeof meta>;
 export const metaOrUndefined = t.union([meta, t.undefined]);
 export type MetaOrUndefined = t.TypeOf<typeof metaOrUndefined>;
--- a/x-pack/solutions/security/plugins/security_solution/server/fleet_integration/fleet_integration.test.ts
+++ b/x-pack/solutions/security/plugins/security_solution/server/fleet_integration/fleet_integration.test.ts
@ -69,7 +69,7 @@ import type {
 } from '@kbn/fleet-plugin/common';
 import { createMockPolicyData } from '../endpoint/services/feature_usage/mocks';
 import { ALL_ENDPOINT_ARTIFACT_LIST_IDS } from '../../common/endpoint/service/artifacts/constants';
-import { ENDPOINT_EVENT_FILTERS_LIST_ID } from '@kbn/securitysolution-list-constants';
+import { ENDPOINT_ARTIFACT_LISTS } from '@kbn/securitysolution-list-constants';
 import * as PolicyConfigHelpers from '../../common/endpoint/models/policy_config_helpers';
 import { disableProtections } from '../../common/endpoint/models/policy_config_helpers';
 import type { ProductFeaturesService } from '../lib/product_features_service/product_features_service';
@ -421,12 +421,15 @@ describe('Fleet integrations', () => {
      );

      expect(exceptionListClient.createExceptionList).toHaveBeenCalledWith(
-        expect.objectContaining({ listId: ENDPOINT_EVENT_FILTERS_LIST_ID })
+        expect.objectContaining({
+          listId: ENDPOINT_ARTIFACT_LISTS.eventFilters.id,
+          meta: undefined,
+        })
      );

      expect(exceptionListClient.createExceptionListItem).toHaveBeenCalledWith(
        expect.objectContaining({
-          listId: ENDPOINT_EVENT_FILTERS_LIST_ID,
+          listId: ENDPOINT_ARTIFACT_LISTS.eventFilters.id,
          tags: [`policy:${postCreatedPolicyConfig.id}`],
          osTypes: ['linux'],
          entries: [
@ -439,6 +442,7 @@ describe('Fleet integrations', () => {
          ],
          itemId: 'NEW_UUID',
          namespaceType: 'agnostic',
+          meta: undefined,
        })
      );
    });
--- a/x-pack/solutions/security/plugins/security_solution/server/fleet_integration/handlers/create_event_filters.ts
+++ b/x-pack/solutions/security/plugins/security_solution/server/fleet_integration/handlers/create_event_filters.ts
@ -6,11 +6,7 @@
 */
 import { v4 as uuidv4 } from 'uuid';
 import { i18n } from '@kbn/i18n';
-import {
-  ENDPOINT_EVENT_FILTERS_LIST_ID,
-  ENDPOINT_EVENT_FILTERS_LIST_NAME,
-  ENDPOINT_EVENT_FILTERS_LIST_DESCRIPTION,
-} from '@kbn/securitysolution-list-constants';
+import { ENDPOINT_ARTIFACT_LISTS } from '@kbn/securitysolution-list-constants';
 import { ExceptionListTypeEnum } from '@kbn/securitysolution-io-ts-list-types';
 import { SavedObjectsErrorHelpers } from '@kbn/core/server';
 import type { Logger } from '@kbn/core/server';
@ -37,10 +33,10 @@ export const createEventFilters = async (
    // Attempt to Create the Event Filter List. It won't create the list if it already exists.
    // So we can skip the validation and ignore the conflict error
    await exceptionsClient.createExceptionList({
-      name: ENDPOINT_EVENT_FILTERS_LIST_NAME,
+      name: ENDPOINT_ARTIFACT_LISTS.eventFilters.name,
      namespaceType: 'agnostic',
-      description: ENDPOINT_EVENT_FILTERS_LIST_DESCRIPTION,
-      listId: ENDPOINT_EVENT_FILTERS_LIST_ID,
+      description: ENDPOINT_ARTIFACT_LISTS.eventFilters.description,
+      listId: ENDPOINT_ARTIFACT_LISTS.eventFilters.id,
      type: ExceptionListTypeEnum.ENDPOINT_EVENTS,
      immutable: false,
      meta: undefined,
@ -61,14 +57,14 @@ export const createEventFilters = async (
 /**
 * Create an Event Filter for non-interactive sessions and attach it to the policy
 */
-export const createNonInteractiveSessionEventFilter = async (
+const createNonInteractiveSessionEventFilter = async (
  logger: Logger,
  exceptionsClient: ExceptionListClient,
  packagePolicy: PackagePolicy
 ): Promise<void> => {
  try {
    await exceptionsClient.createExceptionListItem({
-      listId: ENDPOINT_EVENT_FILTERS_LIST_ID,
+      listId: ENDPOINT_ARTIFACT_LISTS.eventFilters.id,
      description: i18n.translate(
        'xpack.securitySolution.fleetIntegration.elasticDefend.eventFilter.nonInteractiveSessions.description',
        {
@ -95,7 +91,7 @@ export const createNonInteractiveSessionEventFilter = async (
        },
      ],
      itemId: uuidv4(),
-      meta: [],
+      meta: undefined,
      comments: [],
      expireTime: undefined,
    });