[Security Solution][Detections,Lists] Miscellaneous post-FF fixes (#71990)

* Overview Alerts Histogram stacking defaults to signal.rule.name

Since this is now the default for all AlertsHistograms, I've moved this
default upstream into the histogram itself.

* Replace magic strings with our constant ENDPOINT_LIST_ID

Also replaced a few unintentional uses of this string with the
non-reserved 'endpoint_list_id'.

Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>

x-pack/plugins/lists/common/schemas/response/exception_list_item_schema.mock.ts

@@ -16,7 +16,7 @@ export const getExceptionListItemSchemaMock = (): ExceptionListItemSchema => ({
   entries: ENTRIES,
   id: '1',
   item_id: 'endpoint_list_item',
-  list_id: 'endpoint_list',
+  list_id: 'endpoint_list_id',
   meta: {},
   name: 'Sample Endpoint Exception List',
   namespace_type: 'single',

x-pack/plugins/lists/common/schemas/response/exception_list_schema.mock.ts

@@ -4,6 +4,8 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
+import { ENDPOINT_LIST_ID } from '../..';
+
 import { ExceptionListSchema } from './exception_list_schema';
 
 export const getExceptionListSchemaMock = (): ExceptionListSchema => ({
@@ -12,10 +14,10 @@ export const getExceptionListSchemaMock = (): ExceptionListSchema => ({
   created_by: 'user_name',
   description: 'This is a sample endpoint type exception',
   id: '1',
-  list_id: 'endpoint_list',
+  list_id: ENDPOINT_LIST_ID,
   meta: {},
   name: 'Sample Endpoint Exception List',
-  namespace_type: 'single',
+  namespace_type: 'agnostic',
   tags: ['user added string for a tag', 'malware'],
   tie_breaker_id: '77fd1909-6786-428a-a671-30229a719c1f',
   type: 'endpoint',

x-pack/plugins/lists/public/exceptions/api.test.ts

@@ -508,7 +508,7 @@ describe('Exceptions Lists API', () => {
     test('it returns expected format when call succeeds', async () => {
       const exceptionResponse = await fetchExceptionListItemsByListId({
         http: mockKibanaHttpService(),
-        listId: 'endpoint_list',
+        listId: 'endpoint_list_id',
         namespaceType: 'single',
         pagination: {
           page: 1,

x-pack/plugins/security_solution/public/detections/components/alerts_histogram_panel/index.tsx

@@ -80,10 +80,14 @@ const getHistogramOption = (fieldName: string): MatrixHistogramOption => ({
 
 const NO_LEGEND_DATA: LegendItem[] = [];
 
+const DEFAULT_STACK_BY = 'signal.rule.name';
+const getDefaultStackByOption = (): AlertsHistogramOption =>
+  alertsHistogramOptions.find(({ text }) => text === DEFAULT_STACK_BY) ?? alertsHistogramOptions[0];
+
 export const AlertsHistogramPanel = memo<AlertsHistogramPanelProps>(
   ({
     chartHeight,
-    defaultStackByOption = alertsHistogramOptions[8], // signal.rule.name
+    defaultStackByOption = getDefaultStackByOption(),
     deleteQuery,
     filters,
     headerChildren,

x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/create/helpers.ts

@@ -12,6 +12,7 @@ import { NOTIFICATION_THROTTLE_NO_ACTIONS } from '../../../../../../common/const
 import { transformAlertToRuleAction } from '../../../../../../common/detection_engine/transform_actions';
 import { RuleType } from '../../../../../../common/detection_engine/types';
 import { isMlRule } from '../../../../../../common/machine_learning/helpers';
+import { ENDPOINT_LIST_ID } from '../../../../../shared_imports';
 import { NewRule } from '../../../../containers/detection_engine/rules';
 
 import {
@@ -167,7 +168,7 @@ export const formatAboutStepData = (aboutStepData: AboutStepRule): AboutStepRule
     ...(isAssociatedToEndpointList
       ? {
           exceptions_list: [
-            { id: 'endpoint_list', namespace_type: 'agnostic', type: 'endpoint' },
+            { id: ENDPOINT_LIST_ID, namespace_type: 'agnostic', type: 'endpoint' },
           ] as AboutStepRuleJson['exceptions_list'],
         }
       : {}),

x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/helpers.tsx

@@ -13,6 +13,7 @@ import { RuleAlertAction, RuleType } from '../../../../../common/detection_engin
 import { isMlRule } from '../../../../../common/machine_learning/helpers';
 import { transformRuleToAlertAction } from '../../../../../common/detection_engine/transform_actions';
 import { Filter } from '../../../../../../../../src/plugins/data/public';
+import { ENDPOINT_LIST_ID } from '../../../../shared_imports';
 import { Rule } from '../../../containers/detection_engine/rules';
 import {
   AboutStepRule,
@@ -137,7 +138,7 @@ export const getAboutStepsData = (rule: Rule, detailsView: boolean): AboutStepRu
   return {
     isNew: false,
     author,
-    isAssociatedToEndpointList: exceptionsList?.some(({ id }) => id === 'endpoint_list') ?? false,
+    isAssociatedToEndpointList: exceptionsList?.some(({ id }) => id === ENDPOINT_LIST_ID) ?? false,
     isBuildingBlock: buildingBlockType !== undefined,
     license: license ?? '',
     ruleNameOverride: ruleNameOverride ?? '',

x-pack/plugins/security_solution/public/overview/components/signals_by_category/index.tsx

@@ -17,7 +17,6 @@ import { UpdateDateRange } from '../../../common/components/charts/common';
 import { GlobalTimeArgs } from '../../../common/containers/use_global_time';
 
 const DEFAULT_QUERY: Query = { query: '', language: 'kuery' };
-const DEFAULT_STACK_BY = 'signal.rule.threat.tactic.name';
 const NO_FILTERS: Filter[] = [];
 
 interface Props extends Pick<GlobalTimeArgs, 'from' | 'to' | 'deleteQuery' | 'setQuery'> {
@@ -62,13 +61,9 @@ const SignalsByCategoryComponent: React.FC<Props> = ({
     [setAbsoluteRangeDatePicker]
   );
 
-  const defaultStackByOption =
-    alertsHistogramOptions.find((o) => o.text === DEFAULT_STACK_BY) ?? alertsHistogramOptions[0];
-
   return (
     <AlertsHistogramPanel
       deleteQuery={deleteQuery}
-      defaultStackByOption={defaultStackByOption}
       filters={filters}
       from={from}
       headerChildren={headerChildren}

x-pack/plugins/security_solution/server/endpoint/lib/artifacts/lists.ts

@@ -12,6 +12,7 @@ import { validate } from '../../../../common/validate';
 import { Entry, EntryNested } from '../../../../../lists/common/schemas/types/entries';
 import { FoundExceptionListItemSchema } from '../../../../../lists/common/schemas/response/found_exception_list_item_schema';
 import { ExceptionListClient } from '../../../../../lists/server';
+import { ENDPOINT_LIST_ID } from '../../../../common/shared_imports';
 import {
   InternalArtifactSchema,
   TranslatedEntry,
@@ -60,7 +61,7 @@ export async function getFullEndpointExceptionList(
 
   do {
     const response = await eClient.findExceptionListItem({
-      listId: 'endpoint_list',
+      listId: ENDPOINT_LIST_ID,
       namespaceType: 'agnostic',
       filter: `exception-list-agnostic.attributes._tags:\"os:${os}\"`,
       perPage: 100,

x-pack/test/api_integration/apis/lists/create_exception_list_item.ts

@@ -6,6 +6,7 @@
 
 import expect from '@kbn/expect/expect.js';
 import { FtrProviderContext } from '../../ftr_provider_context';
+import { ENDPOINT_LIST_ID } from '../../../../plugins/lists/common';
 
 export default function ({ getService }: FtrProviderContext) {
   const esArchiver = getService('esArchiver');
@@ -20,7 +21,7 @@ export default function ({ getService }: FtrProviderContext) {
         namespace_type: 'agnostic',
         description: 'bad endpoint item for testing',
         name: 'bad endpoint item',
-        list_id: 'endpoint_list',
+        list_id: ENDPOINT_LIST_ID,
         type: 'simple',
         entries: [
           {
@@ -50,7 +51,7 @@ export default function ({ getService }: FtrProviderContext) {
         namespace_type: 'agnostic',
         description: 'bad endpoint item for testing',
         name: 'bad endpoint item',
-        list_id: 'endpoint_list',
+        list_id: ENDPOINT_LIST_ID,
         type: 'simple',
         entries: [
           {