[Security Solution][Endpoint] Hide endpoint event filters list in detections tab (#102644)

* Add event filters filter on exception list to hide it in UI * Fixes unit test and added more tests for showEventFilters * fixes test adding showEventFilters test cases * Pass params as js object instead of individual variables Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
2025-04-24 09:48:58 -04:00 · 2021-06-23 16:04:23 +02:00 · 2021-06-23 16:04:23 +02:00 · eb9726987c
commit eb9726987c
parent f49ecb3d1a
8 changed files with 421 additions and 43 deletions
--- a/packages/kbn-securitysolution-io-ts-list-types/src/typescript_types/index.ts
+++ b/packages/kbn-securitysolution-io-ts-list-types/src/typescript_types/index.ts
@ -42,6 +42,7 @@ export interface UseExceptionListsProps {
  notifications: NotificationsStart;
  pagination?: Pagination;
  showTrustedApps: boolean;
+  showEventFilters: boolean;
 }

 export interface UseExceptionListProps {
--- a/packages/kbn-securitysolution-list-hooks/src/use_exception_lists/index.ts
+++ b/packages/kbn-securitysolution-list-hooks/src/use_exception_lists/index.ts
@ -28,6 +28,7 @@ export type ReturnExceptionLists = [boolean, ExceptionListSchema[], Pagination,
 * @param namespaceTypes spaces to be searched
 * @param notifications kibana service for displaying toasters
 * @param showTrustedApps boolean - include/exclude trusted app lists
+ * @param showEventFilters boolean - include/exclude event filters lists
 * @param pagination
 *
 */
@ -43,6 +44,7 @@ export const useExceptionLists = ({
  namespaceTypes,
  notifications,
  showTrustedApps = false,
+  showEventFilters = false,
 }: UseExceptionListsProps): ReturnExceptionLists => {
  const [exceptionLists, setExceptionLists] = useState<ExceptionListSchema[]>([]);
  const [paginationInfo, setPagination] = useState<Pagination>(pagination);
@ -51,8 +53,9 @@ export const useExceptionLists = ({

  const namespaceTypesAsString = useMemo(() => namespaceTypes.join(','), [namespaceTypes]);
  const filters = useMemo(
-    (): string => getFilters(filterOptions, namespaceTypes, showTrustedApps),
-    [namespaceTypes, filterOptions, showTrustedApps]
+    (): string =>
+      getFilters({ filters: filterOptions, namespaceTypes, showTrustedApps, showEventFilters }),
+    [namespaceTypes, filterOptions, showTrustedApps, showEventFilters]
  );

  useEffect(() => {
--- a/packages/kbn-securitysolution-list-utils/src/get_event_filters_filter/index.test.ts
+++ b/packages/kbn-securitysolution-list-utils/src/get_event_filters_filter/index.test.ts
@ -0,0 +1,39 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
+ */
+
+import { getEventFiltersFilter } from '.';
+
+describe('getEventFiltersFilter', () => {
+  test('it returns filter to search for "exception-list" namespace trusted apps', () => {
+    const filter = getEventFiltersFilter(true, ['exception-list']);
+
+    expect(filter).toEqual('(exception-list.attributes.list_id: endpoint_event_filters*)');
+  });
+
+  test('it returns filter to search for "exception-list" and "agnostic" namespace trusted apps', () => {
+    const filter = getEventFiltersFilter(true, ['exception-list', 'exception-list-agnostic']);
+
+    expect(filter).toEqual(
+      '(exception-list.attributes.list_id: endpoint_event_filters* OR exception-list-agnostic.attributes.list_id: endpoint_event_filters*)'
+    );
+  });
+
+  test('it returns filter to exclude "exception-list" namespace trusted apps', () => {
+    const filter = getEventFiltersFilter(false, ['exception-list']);
+
+    expect(filter).toEqual('(not exception-list.attributes.list_id: endpoint_event_filters*)');
+  });
+
+  test('it returns filter to exclude "exception-list" and "agnostic" namespace trusted apps', () => {
+    const filter = getEventFiltersFilter(false, ['exception-list', 'exception-list-agnostic']);
+
+    expect(filter).toEqual(
+      '(not exception-list.attributes.list_id: endpoint_event_filters* AND not exception-list-agnostic.attributes.list_id: endpoint_event_filters*)'
+    );
+  });
+});
--- a/packages/kbn-securitysolution-list-utils/src/get_event_filters_filter/index.ts
+++ b/packages/kbn-securitysolution-list-utils/src/get_event_filters_filter/index.ts
@ -0,0 +1,27 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
+ */
+
+import { ENDPOINT_EVENT_FILTERS_LIST_ID } from '@kbn/securitysolution-list-constants';
+import { SavedObjectType } from '../types';
+
+export const getEventFiltersFilter = (
+  showEventFilter: boolean,
+  namespaceTypes: SavedObjectType[]
+): string => {
+  if (showEventFilter) {
+    const filters = namespaceTypes.map((namespace) => {
+      return `${namespace}.attributes.list_id: ${ENDPOINT_EVENT_FILTERS_LIST_ID}*`;
+    });
+    return `(${filters.join(' OR ')})`;
+  } else {
+    const filters = namespaceTypes.map((namespace) => {
+      return `not ${namespace}.attributes.list_id: ${ENDPOINT_EVENT_FILTERS_LIST_ID}*`;
+    });
+    return `(${filters.join(' AND ')})`;
+  }
+};
--- a/packages/kbn-securitysolution-list-utils/src/get_filters/index.test.ts
+++ b/packages/kbn-securitysolution-list-utils/src/get_filters/index.test.ts
@ -11,106 +11,318 @@ import { getFilters } from '.';
 describe('getFilters', () => {
  describe('single', () => {
    test('it properly formats when no filters passed and "showTrustedApps" is false', () => {
-      const filter = getFilters({}, ['single'], false);
+      const filter = getFilters({
+        filters: {},
+        namespaceTypes: ['single'],
+        showTrustedApps: false,
+        showEventFilters: false,
+      });

-      expect(filter).toEqual('(not exception-list.attributes.list_id: endpoint_trusted_apps*)');
+      expect(filter).toEqual(
+        '(not exception-list.attributes.list_id: endpoint_trusted_apps*) AND (not exception-list.attributes.list_id: endpoint_event_filters*)'
+      );
    });

    test('it properly formats when no filters passed and "showTrustedApps" is true', () => {
-      const filter = getFilters({}, ['single'], true);
+      const filter = getFilters({
+        filters: {},
+        namespaceTypes: ['single'],
+        showTrustedApps: true,
+        showEventFilters: false,
+      });

-      expect(filter).toEqual('(exception-list.attributes.list_id: endpoint_trusted_apps*)');
+      expect(filter).toEqual(
+        '(exception-list.attributes.list_id: endpoint_trusted_apps*) AND (not exception-list.attributes.list_id: endpoint_event_filters*)'
+      );
    });

    test('it properly formats when filters passed and "showTrustedApps" is false', () => {
-      const filter = getFilters({ created_by: 'moi', name: 'Sample' }, ['single'], false);
+      const filter = getFilters({
+        filters: { created_by: 'moi', name: 'Sample' },
+        namespaceTypes: ['single'],
+        showTrustedApps: false,
+        showEventFilters: false,
+      });

      expect(filter).toEqual(
-        '(exception-list.attributes.created_by:moi) AND (exception-list.attributes.name.text:Sample) AND (not exception-list.attributes.list_id: endpoint_trusted_apps*)'
+        '(exception-list.attributes.created_by:moi) AND (exception-list.attributes.name.text:Sample) AND (not exception-list.attributes.list_id: endpoint_trusted_apps*) AND (not exception-list.attributes.list_id: endpoint_event_filters*)'
      );
    });

    test('it if filters passed and "showTrustedApps" is true', () => {
-      const filter = getFilters({ created_by: 'moi', name: 'Sample' }, ['single'], true);
+      const filter = getFilters({
+        filters: { created_by: 'moi', name: 'Sample' },
+        namespaceTypes: ['single'],
+        showTrustedApps: true,
+        showEventFilters: false,
+      });

      expect(filter).toEqual(
-        '(exception-list.attributes.created_by:moi) AND (exception-list.attributes.name.text:Sample) AND (exception-list.attributes.list_id: endpoint_trusted_apps*)'
+        '(exception-list.attributes.created_by:moi) AND (exception-list.attributes.name.text:Sample) AND (exception-list.attributes.list_id: endpoint_trusted_apps*) AND (not exception-list.attributes.list_id: endpoint_event_filters*)'
+      );
+    });
+
+    test('it properly formats when no filters passed and "showEventFilters" is false', () => {
+      const filter = getFilters({
+        filters: {},
+        namespaceTypes: ['single'],
+        showTrustedApps: false,
+        showEventFilters: false,
+      });
+
+      expect(filter).toEqual(
+        '(not exception-list.attributes.list_id: endpoint_trusted_apps*) AND (not exception-list.attributes.list_id: endpoint_event_filters*)'
+      );
+    });
+
+    test('it properly formats when no filters passed and "showEventFilters" is true', () => {
+      const filter = getFilters({
+        filters: {},
+        namespaceTypes: ['single'],
+        showTrustedApps: false,
+        showEventFilters: true,
+      });
+
+      expect(filter).toEqual(
+        '(not exception-list.attributes.list_id: endpoint_trusted_apps*) AND (exception-list.attributes.list_id: endpoint_event_filters*)'
+      );
+    });
+
+    test('it properly formats when filters passed and "showEventFilters" is false', () => {
+      const filter = getFilters({
+        filters: { created_by: 'moi', name: 'Sample' },
+        namespaceTypes: ['single'],
+        showTrustedApps: false,
+        showEventFilters: false,
+      });
+
+      expect(filter).toEqual(
+        '(exception-list.attributes.created_by:moi) AND (exception-list.attributes.name.text:Sample) AND (not exception-list.attributes.list_id: endpoint_trusted_apps*) AND (not exception-list.attributes.list_id: endpoint_event_filters*)'
+      );
+    });
+
+    test('it if filters passed and "showEventFilters" is true', () => {
+      const filter = getFilters({
+        filters: { created_by: 'moi', name: 'Sample' },
+        namespaceTypes: ['single'],
+        showTrustedApps: false,
+        showEventFilters: true,
+      });
+
+      expect(filter).toEqual(
+        '(exception-list.attributes.created_by:moi) AND (exception-list.attributes.name.text:Sample) AND (not exception-list.attributes.list_id: endpoint_trusted_apps*) AND (exception-list.attributes.list_id: endpoint_event_filters*)'
      );
    });
  });

  describe('agnostic', () => {
    test('it properly formats when no filters passed and "showTrustedApps" is false', () => {
-      const filter = getFilters({}, ['agnostic'], false);
+      const filter = getFilters({
+        filters: {},
+        namespaceTypes: ['agnostic'],
+        showTrustedApps: false,
+        showEventFilters: false,
+      });

      expect(filter).toEqual(
-        '(not exception-list-agnostic.attributes.list_id: endpoint_trusted_apps*)'
+        '(not exception-list-agnostic.attributes.list_id: endpoint_trusted_apps*) AND (not exception-list-agnostic.attributes.list_id: endpoint_event_filters*)'
      );
    });

    test('it properly formats when no filters passed and "showTrustedApps" is true', () => {
-      const filter = getFilters({}, ['agnostic'], true);
+      const filter = getFilters({
+        filters: {},
+        namespaceTypes: ['agnostic'],
+        showTrustedApps: true,
+        showEventFilters: false,
+      });

      expect(filter).toEqual(
-        '(exception-list-agnostic.attributes.list_id: endpoint_trusted_apps*)'
+        '(exception-list-agnostic.attributes.list_id: endpoint_trusted_apps*) AND (not exception-list-agnostic.attributes.list_id: endpoint_event_filters*)'
      );
    });

    test('it properly formats when filters passed and "showTrustedApps" is false', () => {
-      const filter = getFilters({ created_by: 'moi', name: 'Sample' }, ['agnostic'], false);
+      const filter = getFilters({
+        filters: { created_by: 'moi', name: 'Sample' },
+        namespaceTypes: ['agnostic'],
+        showTrustedApps: false,
+        showEventFilters: false,
+      });

      expect(filter).toEqual(
-        '(exception-list-agnostic.attributes.created_by:moi) AND (exception-list-agnostic.attributes.name.text:Sample) AND (not exception-list-agnostic.attributes.list_id: endpoint_trusted_apps*)'
+        '(exception-list-agnostic.attributes.created_by:moi) AND (exception-list-agnostic.attributes.name.text:Sample) AND (not exception-list-agnostic.attributes.list_id: endpoint_trusted_apps*) AND (not exception-list-agnostic.attributes.list_id: endpoint_event_filters*)'
      );
    });

    test('it if filters passed and "showTrustedApps" is true', () => {
-      const filter = getFilters({ created_by: 'moi', name: 'Sample' }, ['agnostic'], true);
+      const filter = getFilters({
+        filters: { created_by: 'moi', name: 'Sample' },
+        namespaceTypes: ['agnostic'],
+        showTrustedApps: true,
+        showEventFilters: false,
+      });

      expect(filter).toEqual(
-        '(exception-list-agnostic.attributes.created_by:moi) AND (exception-list-agnostic.attributes.name.text:Sample) AND (exception-list-agnostic.attributes.list_id: endpoint_trusted_apps*)'
+        '(exception-list-agnostic.attributes.created_by:moi) AND (exception-list-agnostic.attributes.name.text:Sample) AND (exception-list-agnostic.attributes.list_id: endpoint_trusted_apps*) AND (not exception-list-agnostic.attributes.list_id: endpoint_event_filters*)'
+      );
+    });
+
+    test('it properly formats when no filters passed and "showEventFilters" is false', () => {
+      const filter = getFilters({
+        filters: {},
+        namespaceTypes: ['agnostic'],
+        showTrustedApps: false,
+        showEventFilters: false,
+      });
+
+      expect(filter).toEqual(
+        '(not exception-list-agnostic.attributes.list_id: endpoint_trusted_apps*) AND (not exception-list-agnostic.attributes.list_id: endpoint_event_filters*)'
+      );
+    });
+
+    test('it properly formats when no filters passed and "showEventFilters" is true', () => {
+      const filter = getFilters({
+        filters: {},
+        namespaceTypes: ['agnostic'],
+        showTrustedApps: false,
+        showEventFilters: true,
+      });
+
+      expect(filter).toEqual(
+        '(not exception-list-agnostic.attributes.list_id: endpoint_trusted_apps*) AND (exception-list-agnostic.attributes.list_id: endpoint_event_filters*)'
+      );
+    });
+
+    test('it properly formats when filters passed and "showEventFilters" is false', () => {
+      const filter = getFilters({
+        filters: { created_by: 'moi', name: 'Sample' },
+        namespaceTypes: ['agnostic'],
+        showTrustedApps: false,
+        showEventFilters: false,
+      });
+
+      expect(filter).toEqual(
+        '(exception-list-agnostic.attributes.created_by:moi) AND (exception-list-agnostic.attributes.name.text:Sample) AND (not exception-list-agnostic.attributes.list_id: endpoint_trusted_apps*) AND (not exception-list-agnostic.attributes.list_id: endpoint_event_filters*)'
+      );
+    });
+
+    test('it if filters passed and "showEventFilters" is true', () => {
+      const filter = getFilters({
+        filters: { created_by: 'moi', name: 'Sample' },
+        namespaceTypes: ['agnostic'],
+        showTrustedApps: false,
+        showEventFilters: true,
+      });
+
+      expect(filter).toEqual(
+        '(exception-list-agnostic.attributes.created_by:moi) AND (exception-list-agnostic.attributes.name.text:Sample) AND (not exception-list-agnostic.attributes.list_id: endpoint_trusted_apps*) AND (exception-list-agnostic.attributes.list_id: endpoint_event_filters*)'
      );
    });
  });

  describe('single, agnostic', () => {
    test('it properly formats when no filters passed and "showTrustedApps" is false', () => {
-      const filter = getFilters({}, ['single', 'agnostic'], false);
+      const filter = getFilters({
+        filters: {},
+        namespaceTypes: ['single', 'agnostic'],
+        showTrustedApps: false,
+        showEventFilters: false,
+      });

      expect(filter).toEqual(
-        '(not exception-list.attributes.list_id: endpoint_trusted_apps* AND not exception-list-agnostic.attributes.list_id: endpoint_trusted_apps*)'
+        '(not exception-list.attributes.list_id: endpoint_trusted_apps* AND not exception-list-agnostic.attributes.list_id: endpoint_trusted_apps*) AND (not exception-list.attributes.list_id: endpoint_event_filters* AND not exception-list-agnostic.attributes.list_id: endpoint_event_filters*)'
      );
    });

    test('it properly formats when no filters passed and "showTrustedApps" is true', () => {
-      const filter = getFilters({}, ['single', 'agnostic'], true);
+      const filter = getFilters({
+        filters: {},
+        namespaceTypes: ['single', 'agnostic'],
+        showTrustedApps: true,
+        showEventFilters: false,
+      });

      expect(filter).toEqual(
-        '(exception-list.attributes.list_id: endpoint_trusted_apps* OR exception-list-agnostic.attributes.list_id: endpoint_trusted_apps*)'
+        '(exception-list.attributes.list_id: endpoint_trusted_apps* OR exception-list-agnostic.attributes.list_id: endpoint_trusted_apps*) AND (not exception-list.attributes.list_id: endpoint_event_filters* AND not exception-list-agnostic.attributes.list_id: endpoint_event_filters*)'
      );
    });

    test('it properly formats when filters passed and "showTrustedApps" is false', () => {
-      const filter = getFilters(
-        { created_by: 'moi', name: 'Sample' },
-        ['single', 'agnostic'],
-        false
-      );
+      const filter = getFilters({
+        filters: { created_by: 'moi', name: 'Sample' },
+        namespaceTypes: ['single', 'agnostic'],
+        showTrustedApps: false,
+        showEventFilters: false,
+      });

      expect(filter).toEqual(
-        '(exception-list.attributes.created_by:moi OR exception-list-agnostic.attributes.created_by:moi) AND (exception-list.attributes.name.text:Sample OR exception-list-agnostic.attributes.name.text:Sample) AND (not exception-list.attributes.list_id: endpoint_trusted_apps* AND not exception-list-agnostic.attributes.list_id: endpoint_trusted_apps*)'
+        '(exception-list.attributes.created_by:moi OR exception-list-agnostic.attributes.created_by:moi) AND (exception-list.attributes.name.text:Sample OR exception-list-agnostic.attributes.name.text:Sample) AND (not exception-list.attributes.list_id: endpoint_trusted_apps* AND not exception-list-agnostic.attributes.list_id: endpoint_trusted_apps*) AND (not exception-list.attributes.list_id: endpoint_event_filters* AND not exception-list-agnostic.attributes.list_id: endpoint_event_filters*)'
      );
    });

    test('it properly formats when filters passed and "showTrustedApps" is true', () => {
-      const filter = getFilters(
-        { created_by: 'moi', name: 'Sample' },
-        ['single', 'agnostic'],
-        true
-      );
+      const filter = getFilters({
+        filters: { created_by: 'moi', name: 'Sample' },
+        namespaceTypes: ['single', 'agnostic'],
+        showTrustedApps: true,
+        showEventFilters: false,
+      });

      expect(filter).toEqual(
-        '(exception-list.attributes.created_by:moi OR exception-list-agnostic.attributes.created_by:moi) AND (exception-list.attributes.name.text:Sample OR exception-list-agnostic.attributes.name.text:Sample) AND (exception-list.attributes.list_id: endpoint_trusted_apps* OR exception-list-agnostic.attributes.list_id: endpoint_trusted_apps*)'
+        '(exception-list.attributes.created_by:moi OR exception-list-agnostic.attributes.created_by:moi) AND (exception-list.attributes.name.text:Sample OR exception-list-agnostic.attributes.name.text:Sample) AND (exception-list.attributes.list_id: endpoint_trusted_apps* OR exception-list-agnostic.attributes.list_id: endpoint_trusted_apps*) AND (not exception-list.attributes.list_id: endpoint_event_filters* AND not exception-list-agnostic.attributes.list_id: endpoint_event_filters*)'
+      );
+    });
+
+    test('it properly formats when no filters passed and "showEventFilters" is false', () => {
+      const filter = getFilters({
+        filters: {},
+        namespaceTypes: ['single', 'agnostic'],
+        showTrustedApps: false,
+        showEventFilters: false,
+      });
+
+      expect(filter).toEqual(
+        '(not exception-list.attributes.list_id: endpoint_trusted_apps* AND not exception-list-agnostic.attributes.list_id: endpoint_trusted_apps*) AND (not exception-list.attributes.list_id: endpoint_event_filters* AND not exception-list-agnostic.attributes.list_id: endpoint_event_filters*)'
+      );
+    });
+
+    test('it properly formats when no filters passed and "showEventFilters" is true', () => {
+      const filter = getFilters({
+        filters: {},
+        namespaceTypes: ['single', 'agnostic'],
+        showTrustedApps: false,
+        showEventFilters: true,
+      });
+
+      expect(filter).toEqual(
+        '(not exception-list.attributes.list_id: endpoint_trusted_apps* AND not exception-list-agnostic.attributes.list_id: endpoint_trusted_apps*) AND (exception-list.attributes.list_id: endpoint_event_filters* OR exception-list-agnostic.attributes.list_id: endpoint_event_filters*)'
+      );
+    });
+
+    test('it properly formats when filters passed and "showEventFilters" is false', () => {
+      const filter = getFilters({
+        filters: { created_by: 'moi', name: 'Sample' },
+        namespaceTypes: ['single', 'agnostic'],
+        showTrustedApps: false,
+        showEventFilters: false,
+      });
+
+      expect(filter).toEqual(
+        '(exception-list.attributes.created_by:moi OR exception-list-agnostic.attributes.created_by:moi) AND (exception-list.attributes.name.text:Sample OR exception-list-agnostic.attributes.name.text:Sample) AND (not exception-list.attributes.list_id: endpoint_trusted_apps* AND not exception-list-agnostic.attributes.list_id: endpoint_trusted_apps*) AND (not exception-list.attributes.list_id: endpoint_event_filters* AND not exception-list-agnostic.attributes.list_id: endpoint_event_filters*)'
+      );
+    });
+
+    test('it properly formats when filters passed and "showEventFilters" is true', () => {
+      const filter = getFilters({
+        filters: { created_by: 'moi', name: 'Sample' },
+        namespaceTypes: ['single', 'agnostic'],
+        showTrustedApps: false,
+        showEventFilters: true,
+      });
+
+      expect(filter).toEqual(
+        '(exception-list.attributes.created_by:moi OR exception-list-agnostic.attributes.created_by:moi) AND (exception-list.attributes.name.text:Sample OR exception-list-agnostic.attributes.name.text:Sample) AND (not exception-list.attributes.list_id: endpoint_trusted_apps* AND not exception-list-agnostic.attributes.list_id: endpoint_trusted_apps*) AND (exception-list.attributes.list_id: endpoint_event_filters* OR exception-list-agnostic.attributes.list_id: endpoint_event_filters*)'
      );
    });
  });
--- a/packages/kbn-securitysolution-list-utils/src/get_filters/index.ts
+++ b/packages/kbn-securitysolution-list-utils/src/get_filters/index.ts
@ -10,14 +10,26 @@ import { ExceptionListFilter, NamespaceType } from '@kbn/securitysolution-io-ts-
 import { getGeneralFilters } from '../get_general_filters';
 import { getSavedObjectTypes } from '../get_saved_object_types';
 import { getTrustedAppsFilter } from '../get_trusted_apps_filter';
+import { getEventFiltersFilter } from '../get_event_filters_filter';

-export const getFilters = (
-  filters: ExceptionListFilter,
-  namespaceTypes: NamespaceType[],
-  showTrustedApps: boolean
-): string => {
+export interface GetFiltersParams {
+  filters: ExceptionListFilter;
+  namespaceTypes: NamespaceType[];
+  showTrustedApps: boolean;
+  showEventFilters: boolean;
+}
+
+export const getFilters = ({
+  filters,
+  namespaceTypes,
+  showTrustedApps,
+  showEventFilters,
+}: GetFiltersParams): string => {
  const namespaces = getSavedObjectTypes({ namespaceType: namespaceTypes });
  const generalFilters = getGeneralFilters(filters, namespaces);
  const trustedAppsFilter = getTrustedAppsFilter(showTrustedApps, namespaces);
-  return [generalFilters, trustedAppsFilter].filter((filter) => filter.trim() !== '').join(' AND ');
+  const eventFiltersFilter = getEventFiltersFilter(showEventFilters, namespaces);
+  return [generalFilters, trustedAppsFilter, eventFiltersFilter]
+    .filter((filter) => filter.trim() !== '')
+    .join(' AND ');
 };
--- a/x-pack/plugins/lists/public/exceptions/hooks/use_exception_lists.test.ts
+++ b/x-pack/plugins/lists/public/exceptions/hooks/use_exception_lists.test.ts
@ -48,6 +48,7 @@ describe('useExceptionLists', () => {
            perPage: 20,
            total: 0,
          },
+          showEventFilters: false,
          showTrustedApps: false,
        })
      );
@ -83,6 +84,7 @@ describe('useExceptionLists', () => {
            perPage: 20,
            total: 0,
          },
+          showEventFilters: false,
          showTrustedApps: false,
        })
      );
@ -122,6 +124,7 @@ describe('useExceptionLists', () => {
            perPage: 20,
            total: 0,
          },
+          showEventFilters: false,
          showTrustedApps: true,
        })
      );
@ -132,7 +135,7 @@ describe('useExceptionLists', () => {

      expect(spyOnfetchExceptionLists).toHaveBeenCalledWith({
        filters:
-          '(exception-list.attributes.list_id: endpoint_trusted_apps* OR exception-list-agnostic.attributes.list_id: endpoint_trusted_apps*)',
+          '(exception-list.attributes.list_id: endpoint_trusted_apps* OR exception-list-agnostic.attributes.list_id: endpoint_trusted_apps*) AND (not exception-list.attributes.list_id: endpoint_event_filters* AND not exception-list-agnostic.attributes.list_id: endpoint_event_filters*)',
        http: mockKibanaHttpService,
        namespaceTypes: 'single,agnostic',
        pagination: { page: 1, perPage: 20 },
@ -157,6 +160,7 @@ describe('useExceptionLists', () => {
            perPage: 20,
            total: 0,
          },
+          showEventFilters: false,
          showTrustedApps: false,
        })
      );
@ -167,7 +171,79 @@ describe('useExceptionLists', () => {

      expect(spyOnfetchExceptionLists).toHaveBeenCalledWith({
        filters:
-          '(not exception-list.attributes.list_id: endpoint_trusted_apps* AND not exception-list-agnostic.attributes.list_id: endpoint_trusted_apps*)',
+          '(not exception-list.attributes.list_id: endpoint_trusted_apps* AND not exception-list-agnostic.attributes.list_id: endpoint_trusted_apps*) AND (not exception-list.attributes.list_id: endpoint_event_filters* AND not exception-list-agnostic.attributes.list_id: endpoint_event_filters*)',
+        http: mockKibanaHttpService,
+        namespaceTypes: 'single,agnostic',
+        pagination: { page: 1, perPage: 20 },
+        signal: new AbortController().signal,
+      });
+    });
+  });
+
+  test('fetches event filters lists if "showEventFilters" is true', async () => {
+    const spyOnfetchExceptionLists = jest.spyOn(api, 'fetchExceptionLists');
+
+    await act(async () => {
+      const { waitForNextUpdate } = renderHook<UseExceptionListsProps, ReturnExceptionLists>(() =>
+        useExceptionLists({
+          errorMessage: 'Uh oh',
+          filterOptions: {},
+          http: mockKibanaHttpService,
+          namespaceTypes: ['single', 'agnostic'],
+          notifications: mockKibanaNotificationsService,
+          pagination: {
+            page: 1,
+            perPage: 20,
+            total: 0,
+          },
+          showEventFilters: true,
+          showTrustedApps: false,
+        })
+      );
+      // NOTE: First `waitForNextUpdate` is initialization
+      // Second call applies the params
+      await waitForNextUpdate();
+      await waitForNextUpdate();
+
+      expect(spyOnfetchExceptionLists).toHaveBeenCalledWith({
+        filters:
+          '(not exception-list.attributes.list_id: endpoint_trusted_apps* AND not exception-list-agnostic.attributes.list_id: endpoint_trusted_apps*) AND (exception-list.attributes.list_id: endpoint_event_filters* OR exception-list-agnostic.attributes.list_id: endpoint_event_filters*)',
+        http: mockKibanaHttpService,
+        namespaceTypes: 'single,agnostic',
+        pagination: { page: 1, perPage: 20 },
+        signal: new AbortController().signal,
+      });
+    });
+  });
+
+  test('does not fetch event filters lists if "showEventFilters" is false', async () => {
+    const spyOnfetchExceptionLists = jest.spyOn(api, 'fetchExceptionLists');
+
+    await act(async () => {
+      const { waitForNextUpdate } = renderHook<UseExceptionListsProps, ReturnExceptionLists>(() =>
+        useExceptionLists({
+          errorMessage: 'Uh oh',
+          filterOptions: {},
+          http: mockKibanaHttpService,
+          namespaceTypes: ['single', 'agnostic'],
+          notifications: mockKibanaNotificationsService,
+          pagination: {
+            page: 1,
+            perPage: 20,
+            total: 0,
+          },
+          showEventFilters: false,
+          showTrustedApps: false,
+        })
+      );
+      // NOTE: First `waitForNextUpdate` is initialization
+      // Second call applies the params
+      await waitForNextUpdate();
+      await waitForNextUpdate();
+
+      expect(spyOnfetchExceptionLists).toHaveBeenCalledWith({
+        filters:
+          '(not exception-list.attributes.list_id: endpoint_trusted_apps* AND not exception-list-agnostic.attributes.list_id: endpoint_trusted_apps*) AND (not exception-list.attributes.list_id: endpoint_event_filters* AND not exception-list-agnostic.attributes.list_id: endpoint_event_filters*)',
        http: mockKibanaHttpService,
        namespaceTypes: 'single,agnostic',
        pagination: { page: 1, perPage: 20 },
@ -195,6 +271,7 @@ describe('useExceptionLists', () => {
            perPage: 20,
            total: 0,
          },
+          showEventFilters: false,
          showTrustedApps: false,
        })
      );
@ -205,7 +282,7 @@ describe('useExceptionLists', () => {

      expect(spyOnfetchExceptionLists).toHaveBeenCalledWith({
        filters:
-          '(exception-list.attributes.created_by:Moi OR exception-list-agnostic.attributes.created_by:Moi) AND (exception-list.attributes.name.text:Sample Endpoint OR exception-list-agnostic.attributes.name.text:Sample Endpoint) AND (not exception-list.attributes.list_id: endpoint_trusted_apps* AND not exception-list-agnostic.attributes.list_id: endpoint_trusted_apps*)',
+          '(exception-list.attributes.created_by:Moi OR exception-list-agnostic.attributes.created_by:Moi) AND (exception-list.attributes.name.text:Sample Endpoint OR exception-list-agnostic.attributes.name.text:Sample Endpoint) AND (not exception-list.attributes.list_id: endpoint_trusted_apps* AND not exception-list-agnostic.attributes.list_id: endpoint_trusted_apps*) AND (not exception-list.attributes.list_id: endpoint_event_filters* AND not exception-list-agnostic.attributes.list_id: endpoint_event_filters*)',
        http: mockKibanaHttpService,
        namespaceTypes: 'single,agnostic',
        pagination: { page: 1, perPage: 20 },
@ -228,6 +305,7 @@ describe('useExceptionLists', () => {
          namespaceTypes,
          notifications,
          pagination,
+          showEventFilters,
          showTrustedApps,
        }) =>
          useExceptionLists({
@ -237,6 +315,7 @@ describe('useExceptionLists', () => {
            namespaceTypes,
            notifications,
            pagination,
+            showEventFilters,
            showTrustedApps,
          }),
        {
@ -251,6 +330,7 @@ describe('useExceptionLists', () => {
              perPage: 20,
              total: 0,
            },
+            showEventFilters: false,
            showTrustedApps: false,
          },
        }
@ -271,6 +351,7 @@ describe('useExceptionLists', () => {
          perPage: 20,
          total: 0,
        },
+        showEventFilters: false,
        showTrustedApps: false,
      });
      // NOTE: Only need one call here because hook already initilaized
@ -298,6 +379,7 @@ describe('useExceptionLists', () => {
            perPage: 20,
            total: 0,
          },
+          showEventFilters: false,
          showTrustedApps: false,
        })
      );
@ -336,6 +418,7 @@ describe('useExceptionLists', () => {
            perPage: 20,
            total: 0,
          },
+          showEventFilters: false,
          showTrustedApps: false,
        })
      );
--- a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/all/exceptions/exceptions_table.tsx
+++ b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/all/exceptions/exceptions_table.tsx
@ -77,6 +77,7 @@ export const ExceptionListsTable = React.memo<ExceptionListsTableProps>(
      namespaceTypes: ['single', 'agnostic'],
      notifications,
      showTrustedApps: false,
+      showEventFilters: false,
    });
    const [loadingTableInfo, exceptionListsWithRuleRefs, exceptionsListsRef] = useAllExceptionLists(
      {