[EDR Workflows] Fix invalid event filter for cloud workloads (#208974)

## Summary Fixes the bug of the invalid event filter created automatically when creating a cloud workloads endpoint integration. The issue was a type issue: `undefined` or an object is expected, instead an array was passed. To make sure this does not happen again, the type for the `meta` field was updated from the deprecated `t.object` to `t.UnknownRecord`, which is able to catch similar issues as a type error: ca0c01b ### Checklist Check the PR satisfies following conditions. Reviewers should verify this PR satisfies this list as well. - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios --------- Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com> (cherry picked from commit 158a077)
elastic · Feb 3, 2025 · 2555cc1 · 2555cc1
1 parent 0832e88
commit 2555cc1
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 15 deletions.
diff --git a/...olutions/security/packages/kbn-securitysolution-io-ts-list-types/src/common/meta/index.ts b/...olutions/security/packages/kbn-securitysolution-io-ts-list-types/src/common/meta/index.ts
@@ -7,7 +7,7 @@
 
 import * as t from 'io-ts';
 
-export const meta = t.object;
+export const meta = t.UnknownRecord;
 export type Meta = t.TypeOf<typeof meta>;
 export const metaOrUndefined = t.union([meta, t.undefined]);
 export type MetaOrUndefined = t.TypeOf<typeof metaOrUndefined>;

diff --git a/...ons/security/plugins/security_solution/server/fleet_integration/fleet_integration.test.ts b/...ons/security/plugins/security_solution/server/fleet_integration/fleet_integration.test.ts
@@ -69,7 +69,7 @@ import type {
 } from '@kbn/fleet-plugin/common';
 import { createMockPolicyData } from '../endpoint/services/feature_usage/mocks';
 import { ALL_ENDPOINT_ARTIFACT_LIST_IDS } from '../../common/endpoint/service/artifacts/constants';
-import { ENDPOINT_EVENT_FILTERS_LIST_ID } from '@kbn/securitysolution-list-constants';
+import { ENDPOINT_ARTIFACT_LISTS } from '@kbn/securitysolution-list-constants';
 import * as PolicyConfigHelpers from '../../common/endpoint/models/policy_config_helpers';
 import { disableProtections } from '../../common/endpoint/models/policy_config_helpers';
 import type { ProductFeaturesService } from '../lib/product_features_service/product_features_service';
@@ -421,12 +421,15 @@ describe('Fleet integrations', () => {
       );
 
       expect(exceptionListClient.createExceptionList).toHaveBeenCalledWith(
-        expect.objectContaining({ listId: ENDPOINT_EVENT_FILTERS_LIST_ID })
+        expect.objectContaining({
+          listId: ENDPOINT_ARTIFACT_LISTS.eventFilters.id,
+          meta: undefined,
+        })
       );
 
       expect(exceptionListClient.createExceptionListItem).toHaveBeenCalledWith(
         expect.objectContaining({
-          listId: ENDPOINT_EVENT_FILTERS_LIST_ID,
+          listId: ENDPOINT_ARTIFACT_LISTS.eventFilters.id,
           tags: [`policy:${postCreatedPolicyConfig.id}`],
           osTypes: ['linux'],
           entries: [
@@ -439,6 +442,7 @@ describe('Fleet integrations', () => {
           ],
           itemId: 'NEW_UUID',
           namespaceType: 'agnostic',
+          meta: undefined,
         })
       );
     });

diff --git a/...urity/plugins/security_solution/server/fleet_integration/handlers/create_event_filters.ts b/...urity/plugins/security_solution/server/fleet_integration/handlers/create_event_filters.ts
@@ -6,11 +6,7 @@
  */
 import { v4 as uuidv4 } from 'uuid';
 import { i18n } from '@kbn/i18n';
-import {
-  ENDPOINT_EVENT_FILTERS_LIST_ID,
-  ENDPOINT_EVENT_FILTERS_LIST_NAME,
-  ENDPOINT_EVENT_FILTERS_LIST_DESCRIPTION,
-} from '@kbn/securitysolution-list-constants';
+import { ENDPOINT_ARTIFACT_LISTS } from '@kbn/securitysolution-list-constants';
 import { ExceptionListTypeEnum } from '@kbn/securitysolution-io-ts-list-types';
 import { SavedObjectsErrorHelpers } from '@kbn/core/server';
 import type { Logger } from '@kbn/core/server';
@@ -37,10 +33,10 @@ export const createEventFilters = async (
     // Attempt to Create the Event Filter List. It won't create the list if it already exists.
     // So we can skip the validation and ignore the conflict error
     await exceptionsClient.createExceptionList({
-      name: ENDPOINT_EVENT_FILTERS_LIST_NAME,
+      name: ENDPOINT_ARTIFACT_LISTS.eventFilters.name,
       namespaceType: 'agnostic',
-      description: ENDPOINT_EVENT_FILTERS_LIST_DESCRIPTION,
-      listId: ENDPOINT_EVENT_FILTERS_LIST_ID,
+      description: ENDPOINT_ARTIFACT_LISTS.eventFilters.description,
+      listId: ENDPOINT_ARTIFACT_LISTS.eventFilters.id,
       type: ExceptionListTypeEnum.ENDPOINT_EVENTS,
       immutable: false,
       meta: undefined,
@@ -61,14 +57,14 @@ export const createEventFilters = async (
 /**
  * Create an Event Filter for non-interactive sessions and attach it to the policy
  */
-export const createNonInteractiveSessionEventFilter = async (
+const createNonInteractiveSessionEventFilter = async (
   logger: Logger,
   exceptionsClient: ExceptionListClient,
   packagePolicy: PackagePolicy
 ): Promise<void> => {
   try {
     await exceptionsClient.createExceptionListItem({
-      listId: ENDPOINT_EVENT_FILTERS_LIST_ID,
+      listId: ENDPOINT_ARTIFACT_LISTS.eventFilters.id,
       description: i18n.translate(
         'xpack.securitySolution.fleetIntegration.elasticDefend.eventFilter.nonInteractiveSessions.description',
         {
@@ -95,7 +91,7 @@ export const createNonInteractiveSessionEventFilter = async (
         },
       ],
       itemId: uuidv4(),
-      meta: [],
+      meta: undefined,
       comments: [],
       expireTime: undefined,
     });