[8.17] [EDR Workflows] Fix invalid event filter for cloud workloads (#208974) (#209284)

# Backport

This will backport the following commits from `main` to `8.17`:
- [[EDR Workflows] Fix invalid event filter for cloud workloads
(#208974)](https://github.com/elastic/kibana/pull/208974)

<!--- Backport version: 9.4.3 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT [{"author":{"name":"Gergő
Ábrahám","email":"gergo.abraham@elastic.co"},"sourceCommit":{"committedDate":"2025-02-03T13:15:17Z","message":"[EDR
Workflows] Fix invalid event filter for cloud workloads (#208974)\n\n##
Summary\r\n\r\nFixes the bug of the invalid event filter created
automatically when\r\ncreating a cloud workloads endpoint integration.
The issue was a type\r\nissue: `undefined` or an object is expected,
instead an array was\r\npassed.\r\n\r\nTo make sure this does not happen
again, the type for the `meta` field\r\nwas updated from the deprecated
`t.object` to `t.UnknownRecord`, which\r\nis able to catch similar
issues as a type
error:\r\nca0c01b63beb40fb19188deae2257d89d8b3ba90\r\n\r\n###
Checklist\r\n\r\nCheck the PR satisfies following conditions.
\r\n\r\nReviewers should verify this PR satisfies this list as
well.\r\n\r\n- [x] [Unit or
functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere
updated or added to match the most common
scenarios\r\n\r\n---------\r\n\r\nCo-authored-by: Elastic Machine
<elasticmachine@users.noreply.github.com>","sha":"158a0777319175b64311c3344dc5cf12e1e6ccc7","branchLabelMapping":{"^v9.1.0$":"main","^v8.19.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:skip","Team:Defend
Workflows","backport:prev-minor","backport:prev-major","v9.1.0"],"title":"[EDR
Workflows] Fix invalid event filter for cloud
workloads","number":208974,"url":"https://github.com/elastic/kibana/pull/208974","mergeCommit":{"message":"[EDR
Workflows] Fix invalid event filter for cloud workloads (#208974)\n\n##
Summary\r\n\r\nFixes the bug of the invalid event filter created
automatically when\r\ncreating a cloud workloads endpoint integration.
The issue was a type\r\nissue: `undefined` or an object is expected,
instead an array was\r\npassed.\r\n\r\nTo make sure this does not happen
again, the type for the `meta` field\r\nwas updated from the deprecated
`t.object` to `t.UnknownRecord`, which\r\nis able to catch similar
issues as a type
error:\r\nca0c01b63beb40fb19188deae2257d89d8b3ba90\r\n\r\n###
Checklist\r\n\r\nCheck the PR satisfies following conditions.
\r\n\r\nReviewers should verify this PR satisfies this list as
well.\r\n\r\n- [x] [Unit or
functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere
updated or added to match the most common
scenarios\r\n\r\n---------\r\n\r\nCo-authored-by: Elastic Machine
<elasticmachine@users.noreply.github.com>","sha":"158a0777319175b64311c3344dc5cf12e1e6ccc7"}},"sourceBranch":"main","suggestedTargetBranches":[],"targetPullRequestStates":[{"branch":"main","label":"v9.1.0","branchLabelMappingKey":"^v9.1.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/208974","number":208974,"mergeCommit":{"message":"[EDR
Workflows] Fix invalid event filter for cloud workloads (#208974)\n\n##
Summary\r\n\r\nFixes the bug of the invalid event filter created
automatically when\r\ncreating a cloud workloads endpoint integration.
The issue was a type\r\nissue: `undefined` or an object is expected,
instead an array was\r\npassed.\r\n\r\nTo make sure this does not happen
again, the type for the `meta` field\r\nwas updated from the deprecated
`t.object` to `t.UnknownRecord`, which\r\nis able to catch similar
issues as a type
error:\r\nca0c01b63beb40fb19188deae2257d89d8b3ba90\r\n\r\n###
Checklist\r\n\r\nCheck the PR satisfies following conditions.
\r\n\r\nReviewers should verify this PR satisfies this list as
well.\r\n\r\n- [x] [Unit or
functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere
updated or added to match the most common
scenarios\r\n\r\n---------\r\n\r\nCo-authored-by: Elastic Machine
<elasticmachine@users.noreply.github.com>","sha":"158a0777319175b64311c3344dc5cf12e1e6ccc7"}}]}]
BACKPORT-->

Co-authored-by: Gergő Ábrahám <gergo.abraham@elastic.co>

packages/kbn-securitysolution-io-ts-list-types/src/common/meta/index.ts

@@ -9,7 +9,7 @@
 
 import * as t from 'io-ts';
 
-export const meta = t.object;
+export const meta = t.UnknownRecord;
 export type Meta = t.TypeOf<typeof meta>;
 export const metaOrUndefined = t.union([meta, t.undefined]);
 export type MetaOrUndefined = t.TypeOf<typeof metaOrUndefined>;

x-pack/plugins/security_solution/server/fleet_integration/fleet_integration.test.ts

@@ -69,7 +69,7 @@ import type {
 } from '@kbn/fleet-plugin/common';
 import { createMockPolicyData } from '../endpoint/services/feature_usage/mocks';
 import { ALL_ENDPOINT_ARTIFACT_LIST_IDS } from '../../common/endpoint/service/artifacts/constants';
-import { ENDPOINT_EVENT_FILTERS_LIST_ID } from '@kbn/securitysolution-list-constants';
+import { ENDPOINT_ARTIFACT_LISTS } from '@kbn/securitysolution-list-constants';
 import * as PolicyConfigHelpers from '../../common/endpoint/models/policy_config_helpers';
 import { disableProtections } from '../../common/endpoint/models/policy_config_helpers';
 import type { ProductFeaturesService } from '../lib/product_features_service/product_features_service';
@@ -403,12 +403,15 @@ describe('Fleet integrations', () => {
       );
 
       expect(exceptionListClient.createExceptionList).toHaveBeenCalledWith(
-        expect.objectContaining({ listId: ENDPOINT_EVENT_FILTERS_LIST_ID })
+        expect.objectContaining({
+          listId: ENDPOINT_ARTIFACT_LISTS.eventFilters.id,
+          meta: undefined,
+        })
       );
 
       expect(exceptionListClient.createExceptionListItem).toHaveBeenCalledWith(
         expect.objectContaining({
-          listId: ENDPOINT_EVENT_FILTERS_LIST_ID,
+          listId: ENDPOINT_ARTIFACT_LISTS.eventFilters.id,
           tags: [`policy:${postCreatedPolicyConfig.id}`],
           osTypes: ['linux'],
           entries: [
@@ -421,6 +424,7 @@ describe('Fleet integrations', () => {
           ],
           itemId: 'NEW_UUID',
           namespaceType: 'agnostic',
+          meta: undefined,
         })
       );
     });

x-pack/plugins/security_solution/server/fleet_integration/handlers/create_event_filters.ts

@@ -6,11 +6,7 @@
  */
 import { v4 as uuidv4 } from 'uuid';
 import { i18n } from '@kbn/i18n';
-import {
-  ENDPOINT_EVENT_FILTERS_LIST_ID,
-  ENDPOINT_EVENT_FILTERS_LIST_NAME,
-  ENDPOINT_EVENT_FILTERS_LIST_DESCRIPTION,
-} from '@kbn/securitysolution-list-constants';
+import { ENDPOINT_ARTIFACT_LISTS } from '@kbn/securitysolution-list-constants';
 import { ExceptionListTypeEnum } from '@kbn/securitysolution-io-ts-list-types';
 import { SavedObjectsErrorHelpers } from '@kbn/core/server';
 import type { Logger } from '@kbn/core/server';
@@ -37,10 +33,10 @@ export const createEventFilters = async (
     // Attempt to Create the Event Filter List. It won't create the list if it already exists.
     // So we can skip the validation and ignore the conflict error
     await exceptionsClient.createExceptionList({
-      name: ENDPOINT_EVENT_FILTERS_LIST_NAME,
+      name: ENDPOINT_ARTIFACT_LISTS.eventFilters.name,
       namespaceType: 'agnostic',
-      description: ENDPOINT_EVENT_FILTERS_LIST_DESCRIPTION,
-      listId: ENDPOINT_EVENT_FILTERS_LIST_ID,
+      description: ENDPOINT_ARTIFACT_LISTS.eventFilters.description,
+      listId: ENDPOINT_ARTIFACT_LISTS.eventFilters.id,
       type: ExceptionListTypeEnum.ENDPOINT_EVENTS,
       immutable: false,
       meta: undefined,
@@ -61,14 +57,14 @@ export const createEventFilters = async (
 /**
  * Create an Event Filter for non-interactive sessions and attach it to the policy
  */
-export const createNonInteractiveSessionEventFilter = async (
+const createNonInteractiveSessionEventFilter = async (
   logger: Logger,
   exceptionsClient: ExceptionListClient,
   packagePolicy: PackagePolicy
 ): Promise<void> => {
   try {
     await exceptionsClient.createExceptionListItem({
-      listId: ENDPOINT_EVENT_FILTERS_LIST_ID,
+      listId: ENDPOINT_ARTIFACT_LISTS.eventFilters.id,
       description: i18n.translate(
         'xpack.securitySolution.fleetIntegration.elasticDefend.eventFilter.nonInteractiveSessions.description',
         {
@@ -95,7 +91,7 @@ export const createNonInteractiveSessionEventFilter = async (
         },
       ],
       itemId: uuidv4(),
-      meta: [],
+      meta: undefined,
       comments: [],
       expireTime: undefined,
     });