[Security Solution][Exceptions] - Fixes exception builder bug that includes matches operator (#136340)

## Summary Addresses Kibana issue #36224
2025-04-23 17:28:26 -04:00 · 2022-07-19 08:15:49 -07:00 · 2022-07-19 08:15:49 -07:00 · ff3853cfa9
commit ff3853cfa9
parent 6af683a4e0
5 changed files with 44 additions and 21 deletions
--- a/packages/kbn-securitysolution-autocomplete/src/get_operators/index.test.ts
+++ b/packages/kbn-securitysolution-autocomplete/src/get_operators/index.test.ts
@ -9,7 +9,7 @@
 import {
  doesNotExistOperator,
  EVENT_FILTERS_OPERATORS,
-  EXCEPTION_OPERATORS,
+  ALL_OPERATORS,
  existsOperator,
  isNotOperator,
  isOperator,
@ -53,6 +53,6 @@ describe('#getOperators', () => {
  test('it returns all operator types when field type is not null, boolean, or nested', () => {
    const operator = getOperators(getField('machine.os.raw'));

-    expect(operator).toEqual(EXCEPTION_OPERATORS);
+    expect(operator).toEqual(ALL_OPERATORS);
  });
 });
--- a/packages/kbn-securitysolution-autocomplete/src/get_operators/index.ts
+++ b/packages/kbn-securitysolution-autocomplete/src/get_operators/index.ts
@ -9,7 +9,7 @@
 import { DataViewFieldBase } from '@kbn/es-query';

 import {
-  EXCEPTION_OPERATORS,
+  ALL_OPERATORS,
  EVENT_FILTERS_OPERATORS,
  OperatorOption,
  doesNotExistOperator,
@ -34,6 +34,6 @@ export const getOperators = (field: DataViewFieldBase | undefined): OperatorOpti
  } else if (field.name === 'file.path.text') {
    return EVENT_FILTERS_OPERATORS;
  } else {
-    return EXCEPTION_OPERATORS;
+    return ALL_OPERATORS;
  }
 };
--- a/packages/kbn-securitysolution-list-utils/src/autocomplete_operators/index.ts
+++ b/packages/kbn-securitysolution-list-utils/src/autocomplete_operators/index.ts
@ -102,7 +102,22 @@ export const EVENT_FILTERS_OPERATORS: OperatorOption[] = [
  matchesOperator,
 ];

-export const EXCEPTION_OPERATORS: OperatorOption[] = [
+/*
+ * !IMPORTANT! - Please only add to this list if it is an operator
+ * supported by the detection engine.
+ */
+export const DETECTION_ENGINE_EXCEPTION_OPERATORS: OperatorOption[] = [
+  isOperator,
+  isNotOperator,
+  isOneOfOperator,
+  isNotOneOfOperator,
+  existsOperator,
+  doesNotExistOperator,
+  isInListOperator,
+  isNotInListOperator,
+];
+
+export const ALL_OPERATORS: OperatorOption[] = [
  isOperator,
  isNotOperator,
  isOneOfOperator,
--- a/packages/kbn-securitysolution-list-utils/src/helpers/index.ts
+++ b/packages/kbn-securitysolution-list-utils/src/helpers/index.ts
@ -36,13 +36,14 @@ import {
 } from '@kbn/es-query';

 import {
-  EXCEPTION_OPERATORS,
+  ALL_OPERATORS,
  EXCEPTION_OPERATORS_SANS_LISTS,
  doesNotExistOperator,
  existsOperator,
  isNotOperator,
  isOneOfOperator,
  isOperator,
+  DETECTION_ENGINE_EXCEPTION_OPERATORS,
 } from '../autocomplete_operators';

 import {
@ -192,7 +193,7 @@ export const getExceptionOperatorSelect = (item: BuilderEntry): OperatorOption =
    return isOperator;
  } else {
    const operatorType = getOperatorType(item);
-    const foundOperator = EXCEPTION_OPERATORS.find((operatorOption) => {
+    const foundOperator = ALL_OPERATORS.find((operatorOption) => {
      return item.operator === operatorOption.operator && operatorType === operatorOption.type;
    });

@ -687,12 +688,12 @@ export const getOperatorOptions = (
    return isBoolean ? [isOperator] : [isOperator, isOneOfOperator];
  } else if (item.nested != null && listType === 'detection') {
    return isBoolean ? [isOperator, existsOperator] : [isOperator, isOneOfOperator, existsOperator];
+  } else if (isBoolean) {
+    return [isOperator, isNotOperator, existsOperator, doesNotExistOperator];
+  } else if (!includeValueListOperators) {
+    return EXCEPTION_OPERATORS_SANS_LISTS;
  } else {
-    return isBoolean
-      ? [isOperator, isNotOperator, existsOperator, doesNotExistOperator]
-      : includeValueListOperators
-      ? EXCEPTION_OPERATORS
-      : EXCEPTION_OPERATORS_SANS_LISTS;
+    return listType === 'detection' ? DETECTION_ENGINE_EXCEPTION_OPERATORS : ALL_OPERATORS;
  }
 };

--- a/x-pack/plugins/lists/public/exceptions/components/builder/helpers.test.ts
+++ b/x-pack/plugins/lists/public/exceptions/components/builder/helpers.test.ts
@ -18,8 +18,9 @@ import {
  ListOperatorTypeEnum as OperatorTypeEnum,
 } from '@kbn/securitysolution-io-ts-list-types';
 import {
+  ALL_OPERATORS,
  BuilderEntry,
-  EXCEPTION_OPERATORS,
+  DETECTION_ENGINE_EXCEPTION_OPERATORS,
  EXCEPTION_OPERATORS_SANS_LISTS,
  EmptyEntry,
  ExceptionsBuilderExceptionItem,
@ -596,13 +597,6 @@ describe('Exception builder helpers', () => {
      expect(output).toEqual(expected);
    });

-    test('it returns all operator options if "listType" is "detection"', () => {
-      const payloadItem: FormattedBuilderEntry = getMockBuilderEntry();
-      const output = getOperatorOptions(payloadItem, 'detection', false);
-      const expected: OperatorOption[] = EXCEPTION_OPERATORS;
-      expect(output).toEqual(expected);
-    });
-
    test('it returns "isOperator", "isNotOperator", "doesNotExistOperator" and "existsOperator" if field type is boolean', () => {
      const payloadItem: FormattedBuilderEntry = getMockBuilderEntry();
      const output = getOperatorOptions(payloadItem, 'detection', true);
@ -618,7 +612,8 @@ describe('Exception builder helpers', () => {
    test('it returns list operators if specified to', () => {
      const payloadItem: FormattedBuilderEntry = getMockBuilderEntry();
      const output = getOperatorOptions(payloadItem, 'detection', false, true);
-      expect(output).toEqual(EXCEPTION_OPERATORS);
+      expect(output.some((operator) => operator.value === 'is_not_in_list')).toBeTruthy();
+      expect(output.some((operator) => operator.value === 'is_in_list')).toBeTruthy();
    });

    test('it does not return list operators if specified not to', () => {
@ -626,6 +621,18 @@ describe('Exception builder helpers', () => {
      const output = getOperatorOptions(payloadItem, 'detection', false, false);
      expect(output).toEqual(EXCEPTION_OPERATORS_SANS_LISTS);
    });
+
+    test('it returns all possible operators if list type is not "detection"', () => {
+      const payloadItem: FormattedBuilderEntry = getMockBuilderEntry();
+      const output = getOperatorOptions(payloadItem, 'endpoint_events', false, true);
+      expect(output).toEqual(ALL_OPERATORS);
+    });
+
+    test('it returns all operators supported by detection engine if list type is "detection"', () => {
+      const payloadItem: FormattedBuilderEntry = getMockBuilderEntry();
+      const output = getOperatorOptions(payloadItem, 'detection', false, true);
+      expect(output).toEqual(DETECTION_ENGINE_EXCEPTION_OPERATORS);
+    });
  });

  describe('#getEntryOnFieldChange', () => {