update artifacts to support wildcard entries

refs elastic/security-team/issues/543
2025-04-24 01:38:56 -04:00 · 2021-04-27 11:07:39 +02:00 · 2021-04-27 11:07:39 +02:00 · 6a874c07e2
commit 6a874c07e2
parent f7448086b1
2 changed files with 36 additions and 0 deletions
--- a/x-pack/plugins/security_solution/server/endpoint/lib/artifacts/lists.ts
+++ b/x-pack/plugins/security_solution/server/endpoint/lib/artifacts/lists.ts
@ -22,6 +22,8 @@ import {
  translatedEntryMatchAnyMatcher,
  TranslatedEntryMatcher,
  translatedEntryMatchMatcher,
+  TranslatedEntryMatchWildcardMatcher,
+  translatedEntryMatchWildcardMatcher,
  TranslatedEntryNestedEntry,
  translatedEntryNestedEntry,
  TranslatedExceptionListItem,
@ -203,6 +205,10 @@ function getMatcherFunction(field: string, matchAny?: boolean): TranslatedEntryM
    : 'exact_cased';
 }

+function getMatcherWildcardFunction(field: string): TranslatedEntryMatchWildcardMatcher {
+  return field.endsWith('.caseless') ? 'wildcard_caseless' : 'wildcard_cased';
+}
+
 function normalizeFieldName(field: string): string {
  return field.endsWith('.caseless') ? field.substring(0, field.lastIndexOf('.')) : field;
 }
@ -272,6 +278,17 @@ function translateEntry(
          }
        : undefined;
    }
+    case 'wildcard': {
+      const matcher = getMatcherWildcardFunction(entry.field);
+      return translatedEntryMatchWildcardMatcher.is(matcher)
+        ? {
+            field: normalizeFieldName(entry.field),
+            operator: entry.operator,
+            type: matcher,
+            value: entry.value,
+          }
+        : undefined;
+    }
  }
 }

--- a/x-pack/plugins/security_solution/server/endpoint/schemas/artifacts/lists.ts
+++ b/x-pack/plugins/security_solution/server/endpoint/schemas/artifacts/lists.ts
@ -30,6 +30,24 @@ export const translatedEntryMatchMatcher = t.keyof({
 });
 export type TranslatedEntryMatchMatcher = t.TypeOf<typeof translatedEntryMatchMatcher>;

+export const translatedEntryMatchWildcardMatcher = t.keyof({
+  wildcard_cased: null,
+  wildcard_caseless: null,
+});
+export type TranslatedEntryMatchWildcardMatcher = t.TypeOf<
+  typeof translatedEntryMatchWildcardMatcher
+>;
+
+export const translatedEntryMatchWildcard = t.exact(
+  t.type({
+    field: t.string,
+    operator,
+    type: translatedEntryMatchWildcardMatcher,
+    value: t.string,
+  })
+);
+export type TranslatedEntryMatchWildcard = t.TypeOf<typeof translatedEntryMatchWildcard>;
+
 export const translatedEntryMatch = t.exact(
  t.type({
    field: t.string,
@ -61,6 +79,7 @@ export type TranslatedEntryNested = t.TypeOf<typeof translatedEntryNested>;
 export const translatedEntry = t.union([
  translatedEntryNested,
  translatedEntryMatch,
+  translatedEntryMatchWildcard,
  translatedEntryMatchAny,
 ]);
 export type TranslatedEntry = t.TypeOf<typeof translatedEntry>;