From 47f10817aaac30f5ec6838c7a9915cdf524b5708 Mon Sep 17 00:00:00 2001 From: Yara Tercero Date: Thu, 16 Apr 2020 10:25:47 -0400 Subject: [PATCH] update rule.lists to be rule.exceptions_list --- .../routes/__mocks__/request_responses.ts | 2 +- .../routes/__mocks__/utils.ts | 2 +- .../routes/rules/create_rules_bulk_route.ts | 4 +-- .../routes/rules/create_rules_route.ts | 4 +-- .../routes/rules/import_rules_route.ts | 6 ++-- .../routes/rules/update_rules_bulk_route.ts | 4 +-- .../routes/rules/update_rules_route.ts | 4 +-- .../detection_engine/routes/rules/utils.ts | 2 +- .../routes/rules/validate.test.ts | 2 +- .../add_prepackaged_rules_schema.test.ts | 24 ++++++++-------- .../schemas/add_prepackaged_rules_schema.ts | 2 +- .../schemas/create_rules_schema.test.ts | 24 ++++++++-------- .../routes/schemas/create_rules_schema.ts | 2 +- .../schemas/import_rules_schema.test.ts | 24 ++++++++-------- .../routes/schemas/import_rules_schema.ts | 2 +- .../routes/schemas/patch_rules_schema.test.ts | 28 +++++++++---------- .../routes/schemas/patch_rules_schema.ts | 2 +- .../schemas/response/__mocks__/utils.ts | 2 +- .../schemas/response/rules_schema.test.ts | 6 ++-- .../routes/schemas/response/rules_schema.ts | 4 +-- .../schemas/update_rules_schema.test.ts | 24 ++++++++-------- .../routes/schemas/update_rules_schema.ts | 2 +- .../detection_engine/rules/create_rules.ts | 8 +++--- .../create_rules_stream_from_ndjson.test.ts | 20 ++++++------- .../rules/get_export_all.test.ts | 2 +- .../rules/get_export_by_object_ids.test.ts | 4 +-- .../rules/install_prepacked_rules.ts | 4 +-- .../lib/detection_engine/rules/patch_rules.ts | 6 ++-- .../detection_engine/rules/update_rules.ts | 8 +++--- .../signals/__mocks__/es_results.ts | 2 +- .../signals/build_bulk_body.test.ts | 8 +++--- .../signals/build_rule.test.ts | 6 ++-- .../detection_engine/signals/build_rule.ts | 2 +- .../signals/signal_params_schema.ts | 2 +- .../siem/server/lib/detection_engine/types.ts | 2 +- .../security_and_spaces/tests/utils.ts | 4 +-- 36 files changed, 127 insertions(+), 127 deletions(-) diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/__mocks__/request_responses.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/__mocks__/request_responses.ts index e400360a5a5b2..a36216105a30d 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/__mocks__/request_responses.ts +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/__mocks__/request_responses.ts @@ -448,7 +448,7 @@ export const getResult = (): RuleAlertType => ({ references: ['http://www.example.com', 'https://ww.example.com'], note: '# Investigative notes', version: 1, - lists: [ + exceptions_list: [ { field: 'source.ip', values_operator: 'included', diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/__mocks__/utils.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/__mocks__/utils.ts index c929b0718207d..6f628170271f3 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/__mocks__/utils.ts +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/__mocks__/utils.ts @@ -138,7 +138,7 @@ export const getOutputRuleAlertForRest = (): Omit< ], }, ], - lists: [ + exceptions_list: [ { field: 'source.ip', values_operator: 'included', diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/create_rules_bulk_route.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/create_rules_bulk_route.ts index 5377e9039785e..692938574592e 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/create_rules_bulk_route.ts +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/create_rules_bulk_route.ts @@ -86,7 +86,7 @@ export const createRulesBulkRoute = (router: IRouter) => { timeline_id: timelineId, timeline_title: timelineTitle, version, - lists, + exceptions_list, } = payloadRule; const ruleIdOrUuid = ruleId ?? uuid.v4(); try { @@ -143,7 +143,7 @@ export const createRulesBulkRoute = (router: IRouter) => { references, note, version, - lists, + exceptions_list, actions: throttle === 'rule' ? actions : [], // Only enable actions if throttle is set to rule, otherwise we are a notification and should not enable it, }); diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/create_rules_route.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/create_rules_route.ts index 9a329b78b8f12..08ee63bf7a61e 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/create_rules_route.ts +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/create_rules_route.ts @@ -66,7 +66,7 @@ export const createRulesRoute = (router: IRouter): void => { type, references, note, - lists, + exceptions_list, } = request.body; const siemResponse = buildSiemResponse(response); @@ -131,7 +131,7 @@ export const createRulesRoute = (router: IRouter): void => { references, note, version: 1, - lists, + exceptions_list, actions: throttle === 'rule' ? actions : [], // Only enable actions if throttle is rule, otherwise we are a notification and should not enable it, }); diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/import_rules_route.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/import_rules_route.ts index 29ae5056a3ae8..e8c8be509fb05 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/import_rules_route.ts +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/import_rules_route.ts @@ -138,7 +138,7 @@ export const importRulesRoute = (router: IRouter, config: LegacyServices['config timeline_id: timelineId, timeline_title: timelineTitle, version, - lists, + exceptions_list, } = parsedRule; try { @@ -195,7 +195,7 @@ export const importRulesRoute = (router: IRouter, config: LegacyServices['config references, note, version, - lists, + exceptions_list, actions: [], // Actions are not imported nor exported at this time }); resolve({ rule_id: ruleId, status_code: 200 }); @@ -232,7 +232,7 @@ export const importRulesRoute = (router: IRouter, config: LegacyServices['config references, note, version, - lists, + exceptions_list, anomalyThreshold, machineLearningJobId, }); diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/update_rules_bulk_route.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/update_rules_bulk_route.ts index 36e15780f5cb3..4c880608033bd 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/update_rules_bulk_route.ts +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/update_rules_bulk_route.ts @@ -81,7 +81,7 @@ export const updateRulesBulkRoute = (router: IRouter) => { references, note, version, - lists, + exceptions_list, } = payloadRule; const finalIndex = outputIndex ?? siemClient.signalsIndex; const idOrRuleIdOrUnknown = id ?? ruleId ?? '(unknown id)'; @@ -121,7 +121,7 @@ export const updateRulesBulkRoute = (router: IRouter) => { references, note, version, - lists, + exceptions_list, actions, }); if (rule != null) { diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/update_rules_route.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/update_rules_route.ts index 0444c757a9b31..f7e0b4d0ccc6b 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/update_rules_route.ts +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/update_rules_route.ts @@ -67,7 +67,7 @@ export const updateRulesRoute = (router: IRouter) => { references, note, version, - lists, + exceptions_list, } = request.body; const siemResponse = buildSiemResponse(response); @@ -117,7 +117,7 @@ export const updateRulesRoute = (router: IRouter) => { references, note, version, - lists, + exceptions_list, actions: throttle === 'rule' ? actions : [], // Only enable actions if throttle is rule, otherwise we are a notification and should not enable it }); diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/utils.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/utils.ts index 4d13fa1b6ae50..a9a3fac391415 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/utils.ts +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/utils.ts @@ -148,7 +148,7 @@ export const transformAlertToRule = ( last_failure_message: ruleStatus?.attributes.lastFailureMessage, last_success_message: ruleStatus?.attributes.lastSuccessMessage, // TODO: (LIST-FEATURE) Remove hasListsFeature() check once we have lists available for a release - lists: hasListsFeature() ? alert.params.lists : null, + exceptions_list: hasListsFeature() ? alert.params.exceptions_list : null, }); }; diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/validate.test.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/validate.test.ts index 7537401e5a366..3fd756f479466 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/validate.test.ts +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/validate.test.ts @@ -71,7 +71,7 @@ export const ruleOutput: RulesSchema = { }, }, ], - lists: [ + exceptions_list: [ { field: 'source.ip', values_operator: 'included', diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/add_prepackaged_rules_schema.test.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/add_prepackaged_rules_schema.test.ts index 8c741c937bf15..13e4e68addb60 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/add_prepackaged_rules_schema.test.ts +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/add_prepackaged_rules_schema.test.ts @@ -1542,8 +1542,8 @@ describe('add prepackaged rules schema', () => { // on demand. Since they are per module, we have a an issue where the ENV variables do not take effect. It is better we change all the // schema's to be function calls to avoid global side effects or just wait until the feature is available. If you want to test this early, // you can remove the .skip and set your env variable of export ELASTIC_XPACK_SIEM_LISTS_FEATURE=true locally - describe.skip('lists', () => { - test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and lists] does validate', () => { + describe.skip('exceptions_list', () => { + test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and exceptions_list] does validate', () => { expect( addPrepackagedRulesSchema.validate>({ rule_id: 'rule-1', @@ -1558,7 +1558,7 @@ describe('add prepackaged rules schema', () => { risk_score: 50, note: '# some markdown', version: 1, - lists: [ + exceptions_list: [ { field: 'source.ip', values_operator: 'included', @@ -1594,7 +1594,7 @@ describe('add prepackaged rules schema', () => { ).toBeFalsy(); }); - test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and empty lists] does validate', () => { + test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and empty exceptions_list] does validate', () => { expect( addPrepackagedRulesSchema.validate>({ rule_id: 'rule-1', @@ -1608,15 +1608,15 @@ describe('add prepackaged rules schema', () => { type: 'query', risk_score: 50, note: '# some markdown', - lists: [], + exceptions_list: [], version: 1, }).error ).toBeFalsy(); }); - test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and invalid lists] does NOT validate', () => { + test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and invalid exceptions_list] does NOT validate', () => { expect( - addPrepackagedRulesSchema.validate>>({ + addPrepackagedRulesSchema.validate>>({ rule_id: 'rule-1', description: 'some description', from: 'now-5m', @@ -1628,17 +1628,17 @@ describe('add prepackaged rules schema', () => { type: 'query', risk_score: 50, note: '# some markdown', - lists: [{ invalid_value: 'invalid value' }], + exceptions_list: [{ invalid_value: 'invalid value' }], version: 1, }).error.message ).toEqual( - 'child "lists" fails because ["lists" at position 0 fails because [child "field" fails because ["field" is required]]]' + 'child "exceptions_list" fails because ["exceptions_list" at position 0 fails because [child "field" fails because ["field" is required]]]' ); }); - test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and non-existent lists] does validate with empty lists', () => { + test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and non-existent exceptions_list] does validate with empty exceptions_list', () => { expect( - addPrepackagedRulesSchema.validate>>({ + addPrepackagedRulesSchema.validate>>({ rule_id: 'rule-1', description: 'some description', from: 'now-5m', @@ -1651,7 +1651,7 @@ describe('add prepackaged rules schema', () => { risk_score: 50, note: '# some markdown', version: 1, - }).value.lists + }).value.exceptions_list ).toEqual([]); }); }); diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/add_prepackaged_rules_schema.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/add_prepackaged_rules_schema.ts index 006fc81e3ee87..0e82a9b979c7b 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/add_prepackaged_rules_schema.ts +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/add_prepackaged_rules_schema.ts @@ -114,5 +114,5 @@ export const addPrepackagedRulesSchema = Joi.object({ version: version.required(), // TODO: (LIST-FEATURE) Remove the hasListsFeatures once this is ready for release - lists: hasListsFeature() ? lists.default([]) : lists.forbidden().default([]), + exceptions_list: hasListsFeature() ? lists.default([]) : lists.forbidden().default([]), }); diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/create_rules_schema.test.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/create_rules_schema.test.ts index e56e8e5fe34d3..64d8fa47561ed 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/create_rules_schema.test.ts +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/create_rules_schema.test.ts @@ -1508,8 +1508,8 @@ describe('create rules schema', () => { // on demand. Since they are per module, we have a an issue where the ENV variables do not take effect. It is better we change all the // schema's to be function calls to avoid global side effects or just wait until the feature is available. If you want to test this early, // you can remove the .skip and set your env variable of export ELASTIC_XPACK_SIEM_LISTS_FEATURE=true locally - describe.skip('lists', () => { - test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and lists] does validate', () => { + describe.skip('exceptions_list', () => { + test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and exceptions_list] does validate', () => { expect( createRulesSchema.validate>({ rule_id: 'rule-1', @@ -1523,7 +1523,7 @@ describe('create rules schema', () => { type: 'query', risk_score: 50, note: '# some markdown', - lists: [ + exceptions_list: [ { field: 'source.ip', values_operator: 'included', @@ -1559,7 +1559,7 @@ describe('create rules schema', () => { ).toBeFalsy(); }); - test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and empty lists] does validate', () => { + test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and empty exceptions_list] does validate', () => { expect( createRulesSchema.validate>({ rule_id: 'rule-1', @@ -1573,14 +1573,14 @@ describe('create rules schema', () => { type: 'query', risk_score: 50, note: '# some markdown', - lists: [], + exceptions_list: [], }).error ).toBeFalsy(); }); - test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and invalid lists] does NOT validate', () => { + test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and invalid exceptions_list] does NOT validate', () => { expect( - createRulesSchema.validate>>({ + createRulesSchema.validate>>({ rule_id: 'rule-1', description: 'some description', from: 'now-5m', @@ -1592,16 +1592,16 @@ describe('create rules schema', () => { type: 'query', risk_score: 50, note: '# some markdown', - lists: [{ invalid_value: 'invalid value' }], + exceptions_list: [{ invalid_value: 'invalid value' }], }).error.message ).toEqual( - 'child "lists" fails because ["lists" at position 0 fails because [child "field" fails because ["field" is required]]]' + 'child "exceptions_list" fails because ["exceptions_list" at position 0 fails because [child "field" fails because ["field" is required]]]' ); }); - test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and non-existent lists] does validate with empty lists', () => { + test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and non-existent exceptions_list] does validate with empty exceptions_list', () => { expect( - createRulesSchema.validate>>({ + createRulesSchema.validate>>({ rule_id: 'rule-1', description: 'some description', from: 'now-5m', @@ -1613,7 +1613,7 @@ describe('create rules schema', () => { type: 'query', risk_score: 50, note: '# some markdown', - }).value.lists + }).value.exceptions_list ).toEqual([]); }); }); diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/create_rules_schema.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/create_rules_schema.ts index 5213f3faaf486..dec8b5ccbc790 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/create_rules_schema.ts +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/create_rules_schema.ts @@ -98,5 +98,5 @@ export const createRulesSchema = Joi.object({ version: version.default(1), // TODO: (LIST-FEATURE) Remove the hasListsFeatures once this is ready for release - lists: hasListsFeature() ? lists.default([]) : lists.forbidden().default([]), + exceptions_list: hasListsFeature() ? lists.default([]) : lists.forbidden().default([]), }); diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/import_rules_schema.test.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/import_rules_schema.test.ts index 40f7b19ea12b3..a979b2fabbb52 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/import_rules_schema.test.ts +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/import_rules_schema.test.ts @@ -1729,8 +1729,8 @@ describe('import rules schema', () => { // on demand. Since they are per module, we have a an issue where the ENV variables do not take effect. It is better we change all the // schema's to be function calls to avoid global side effects or just wait until the feature is available. If you want to test this early, // you can remove the .skip and set your env variable of export ELASTIC_XPACK_SIEM_LISTS_FEATURE=true locally - describe.skip('lists', () => { - test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and lists] does validate', () => { + describe.skip('exceptions_list', () => { + test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and exceptions_list] does validate', () => { expect( importRulesSchema.validate>({ rule_id: 'rule-1', @@ -1744,7 +1744,7 @@ describe('import rules schema', () => { type: 'query', risk_score: 50, note: '# some markdown', - lists: [ + exceptions_list: [ { field: 'source.ip', values_operator: 'included', @@ -1780,7 +1780,7 @@ describe('import rules schema', () => { ).toBeFalsy(); }); - test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and empty lists] does validate', () => { + test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and empty exceptions_list] does validate', () => { expect( importRulesSchema.validate>({ rule_id: 'rule-1', @@ -1794,14 +1794,14 @@ describe('import rules schema', () => { type: 'query', risk_score: 50, note: '# some markdown', - lists: [], + exceptions_list: [], }).error ).toBeFalsy(); }); - test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and invalid lists] does NOT validate and lists is empty', () => { + test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and invalid exceptions_list] does NOT validate and exceptions_list is empty', () => { expect( - importRulesSchema.validate>>({ + importRulesSchema.validate>>({ rule_id: 'rule-1', description: 'some description', from: 'now-5m', @@ -1813,16 +1813,16 @@ describe('import rules schema', () => { type: 'query', risk_score: 50, note: '# some markdown', - lists: [{ invalid_value: 'invalid value' }], + exceptions_list: [{ invalid_value: 'invalid value' }], }).error.message ).toEqual( - 'child "lists" fails because ["lists" at position 0 fails because [child "field" fails because ["field" is required]]]' + 'child "exceptions_list" fails because ["exceptions_list" at position 0 fails because [child "field" fails because ["field" is required]]]' ); }); - test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and non-existent lists] does validate', () => { + test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and non-existent exceptions_list] does validate', () => { expect( - importRulesSchema.validate>>({ + importRulesSchema.validate>>({ rule_id: 'rule-1', description: 'some description', from: 'now-5m', @@ -1834,7 +1834,7 @@ describe('import rules schema', () => { type: 'query', risk_score: 50, note: '# some markdown', - }).value.lists + }).value.exceptions_list ).toEqual([]); }); }); diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/import_rules_schema.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/import_rules_schema.ts index 56aa45659fda7..d3c728ebac1a9 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/import_rules_schema.ts +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/import_rules_schema.ts @@ -119,7 +119,7 @@ export const importRulesSchema = Joi.object({ updated_by, // TODO: (LIST-FEATURE) Remove the hasListsFeatures once this is ready for release - lists: hasListsFeature() ? lists.default([]) : lists.forbidden().default([]), + exceptions_list: hasListsFeature() ? lists.default([]) : lists.forbidden().default([]), }); export const importRulesQuerySchema = Joi.object({ diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/patch_rules_schema.test.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/patch_rules_schema.test.ts index e01a8f40fcea4..b877c441754c9 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/patch_rules_schema.test.ts +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/patch_rules_schema.test.ts @@ -1211,8 +1211,8 @@ describe('patch rules schema', () => { // on demand. Since they are per module, we have a an issue where the ENV variables do not take effect. It is better we change all the // schema's to be function calls to avoid global side effects or just wait until the feature is available. If you want to test this early, // you can remove the .skip and set your env variable of export ELASTIC_XPACK_SIEM_LISTS_FEATURE=true locally - describe.skip('lists', () => { - test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and lists] does validate', () => { + describe.skip('exceptions_list', () => { + test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and exceptions_list] does validate', () => { expect( patchRulesSchema.validate>({ rule_id: 'rule-1', @@ -1226,7 +1226,7 @@ describe('patch rules schema', () => { type: 'query', risk_score: 50, note: '# some markdown', - lists: [ + exceptions_list: [ { field: 'source.ip', values_operator: 'included', @@ -1262,11 +1262,11 @@ describe('patch rules schema', () => { ).toBeFalsy(); }); - test('lists can be patched', () => { + test('exceptions_list can be patched', () => { expect( patchRulesSchema.validate>({ rule_id: 'some id', - lists: [ + exceptions_list: [ { field: 'source.ip', values_operator: 'included', @@ -1299,7 +1299,7 @@ describe('patch rules schema', () => { ).toBeFalsy(); }); - test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and empty lists] does validate', () => { + test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and empty exceptions_list] does validate', () => { expect( patchRulesSchema.validate>({ rule_id: 'rule-1', @@ -1313,14 +1313,14 @@ describe('patch rules schema', () => { type: 'query', risk_score: 50, note: '# some markdown', - lists: [], + exceptions_list: [], }).error ).toBeFalsy(); }); - test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and invalid lists] does NOT validate', () => { + test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and invalid exceptions_list] does NOT validate', () => { expect( - patchRulesSchema.validate>>({ + patchRulesSchema.validate>>({ rule_id: 'rule-1', description: 'some description', from: 'now-5m', @@ -1332,16 +1332,16 @@ describe('patch rules schema', () => { type: 'query', risk_score: 50, note: '# some markdown', - lists: [{ invalid_value: 'invalid value' }], + exceptions_list: [{ invalid_value: 'invalid value' }], }).error.message ).toEqual( - 'child "lists" fails because ["lists" at position 0 fails because [child "field" fails because ["field" is required]]]' + 'child "exceptions_list" fails because ["exceptions_list" at position 0 fails because [child "field" fails because ["field" is required]]]' ); }); - test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and non-existent lists] does validate with empty lists', () => { + test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and non-existent exceptions_list] does validate with empty exceptions_list', () => { expect( - patchRulesSchema.validate>>({ + patchRulesSchema.validate>>({ rule_id: 'rule-1', description: 'some description', from: 'now-5m', @@ -1353,7 +1353,7 @@ describe('patch rules schema', () => { type: 'query', risk_score: 50, note: '# some markdown', - }).value.lists + }).value.exceptions_list ).toEqual([]); }); }); diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/patch_rules_schema.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/patch_rules_schema.ts index 52aefa29884c3..503bc64df237c 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/patch_rules_schema.ts +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/patch_rules_schema.ts @@ -78,5 +78,5 @@ export const patchRulesSchema = Joi.object({ version, // TODO: (LIST-FEATURE) Remove the hasListsFeatures once this is ready for release - lists: hasListsFeature() ? lists.default([]) : lists.forbidden().default([]), + exceptions_list: hasListsFeature() ? lists.default([]) : lists.forbidden().default([]), }).xor('id', 'rule_id'); diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/response/__mocks__/utils.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/response/__mocks__/utils.ts index d5ea950d163f5..21f18f9db55fb 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/response/__mocks__/utils.ts +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/response/__mocks__/utils.ts @@ -63,7 +63,7 @@ export const getBaseResponsePayload = (anchorDate: string = ANCHOR_DATE): RulesS language: 'kuery', rule_id: 'query-rule-id', interval: '5m', - lists: [ + exceptions_list: [ { field: 'source.ip', values_operator: 'included', diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/response/rules_schema.test.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/response/rules_schema.test.ts index fb9ff2c28dc44..4bfc51c1a66aa 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/response/rules_schema.test.ts +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/response/rules_schema.test.ts @@ -207,7 +207,7 @@ describe('rules_schema', () => { }); // TODO: (LIST-FEATURE) Remove this test once the feature flag is deployed - test('it should remove lists when we need it to be removed because the feature is off but there exists a list in the data', () => { + test('it should remove exceptions_list when we need it to be removed because the feature is off but there exists a list in the data', () => { const payload = getBaseResponsePayload(); const decoded = rulesSchema.decode(payload); const listRemoved = removeList(decoded); @@ -246,9 +246,9 @@ describe('rules_schema', () => { }); }); - test('it should work with lists that are not there and not cause invalidation or errors', () => { + test('it should work with exceptions_list that are not there and not cause invalidation or errors', () => { const payload = getBaseResponsePayload(); - const { lists, ...payloadWithoutLists } = payload; + const { exceptions_list, ...payloadWithoutLists } = payload; const decoded = rulesSchema.decode(payloadWithoutLists); const listRemoved = removeList(decoded); const message = pipe(listRemoved, foldLeftRight); diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/response/rules_schema.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/response/rules_schema.ts index 1574e8f5aa6e1..fb1ee8e670e31 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/response/rules_schema.ts +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/response/rules_schema.ts @@ -87,7 +87,7 @@ export const requiredRulesSchema = t.type({ updated_at, created_by, version, - lists: ListsDefaultArray, + exceptions_list: ListsDefaultArray, }); export type RequiredRulesSchema = t.TypeOf; @@ -172,7 +172,7 @@ export const removeList = ( ): Either => { const onLeft = (errors: t.Errors): Either => left(errors); const onRight = (decodedValue: RequiredRulesSchema): Either => { - delete decodedValue.lists; + delete decodedValue.exceptions_list; return right(decodedValue); }; const folded = fold(onLeft, onRight); diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/update_rules_schema.test.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/update_rules_schema.test.ts index e8f9aad620ca0..b3d8e0ea341f9 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/update_rules_schema.test.ts +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/update_rules_schema.test.ts @@ -1534,8 +1534,8 @@ describe('create rules schema', () => { // on demand. Since they are per module, we have a an issue where the ENV variables do not take effect. It is better we change all the // schema's to be function calls to avoid global side effects or just wait until the feature is available. If you want to test this early, // you can remove the .skip and set your env variable of export ELASTIC_XPACK_SIEM_LISTS_FEATURE=true locally - describe.skip('lists', () => { - test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and lists] does validate', () => { + describe.skip('exceptions_list', () => { + test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and exceptions_list] does validate', () => { expect( updateRulesSchema.validate>({ rule_id: 'rule-1', @@ -1549,7 +1549,7 @@ describe('create rules schema', () => { type: 'query', risk_score: 50, note: '# some markdown', - lists: [ + exceptions_list: [ { field: 'source.ip', values_operator: 'included', @@ -1582,7 +1582,7 @@ describe('create rules schema', () => { ).toBeFalsy(); }); - test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and empty lists] does validate', () => { + test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and empty exceptions_list] does validate', () => { expect( updateRulesSchema.validate>({ rule_id: 'rule-1', @@ -1596,14 +1596,14 @@ describe('create rules schema', () => { type: 'query', risk_score: 50, note: '# some markdown', - lists: [], + exceptions_list: [], }).error ).toBeFalsy(); }); - test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and invalid lists] does NOT validate', () => { + test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and invalid exceptions_list] does NOT validate', () => { expect( - updateRulesSchema.validate>>({ + updateRulesSchema.validate>>({ rule_id: 'rule-1', description: 'some description', from: 'now-5m', @@ -1615,16 +1615,16 @@ describe('create rules schema', () => { type: 'query', risk_score: 50, note: '# some markdown', - lists: [{ invalid_value: 'invalid value' }], + exceptions_list: [{ invalid_value: 'invalid value' }], }).error.message ).toEqual( - 'child "lists" fails because ["lists" at position 0 fails because [child "field" fails because ["field" is required]]]' + 'child "exceptions_list" fails because ["exceptions_list" at position 0 fails because [child "field" fails because ["field" is required]]]' ); }); - test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and non-existent lists] does validate with empty lists', () => { + test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and non-existent exceptions_list] does validate with empty exceptions_list', () => { expect( - updateRulesSchema.validate>>({ + updateRulesSchema.validate>>({ rule_id: 'rule-1', description: 'some description', from: 'now-5m', @@ -1636,7 +1636,7 @@ describe('create rules schema', () => { type: 'query', risk_score: 50, note: '# some markdown', - }).value.lists + }).value.exceptions_list ).toEqual([]); }); }); diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/update_rules_schema.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/update_rules_schema.ts index f842c14f41ae6..b1b37801b644f 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/update_rules_schema.ts +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/update_rules_schema.ts @@ -107,5 +107,5 @@ export const updateRulesSchema = Joi.object({ version, // TODO: (LIST-FEATURE) Remove the hasListsFeatures once this is ready for release - lists: hasListsFeature() ? lists.default([]) : lists.forbidden().default([]), + exceptions_list: hasListsFeature() ? lists.default([]) : lists.forbidden().default([]), }).xor('id', 'rule_id'); diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/create_rules.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/create_rules.ts index 91effb4741b8b..ee111873ca0bb 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/create_rules.ts +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/create_rules.ts @@ -42,11 +42,11 @@ export const createRules = async ({ references, note, version, - lists, + exceptions_list, actions, }: CreateRuleParams): Promise => { - // TODO: Remove this and use regular lists once the feature is stable for a release - const listsParam = hasListsFeature() ? { lists } : {}; + // TODO: Remove this and use regular exceptions_list once the feature is stable for a release + const exceptionsListParam = hasListsFeature() ? { exceptions_list } : {}; return alertsClient.create({ data: { name, @@ -79,7 +79,7 @@ export const createRules = async ({ references, note, version, - ...listsParam, + ...exceptionsListParam, }, schedule: { interval }, enabled, diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/create_rules_stream_from_ndjson.test.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/create_rules_stream_from_ndjson.test.ts index 695057ccc2f70..8044692ab90b1 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/create_rules_stream_from_ndjson.test.ts +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/create_rules_stream_from_ndjson.test.ts @@ -66,7 +66,7 @@ describe('create_rules_stream_from_ndjson', () => { immutable: false, query: '', language: 'kuery', - lists: [], + exceptions_list: [], max_signals: 100, tags: [], threat: [], @@ -92,7 +92,7 @@ describe('create_rules_stream_from_ndjson', () => { immutable: false, query: '', language: 'kuery', - lists: [], + exceptions_list: [], max_signals: 100, tags: [], threat: [], @@ -158,7 +158,7 @@ describe('create_rules_stream_from_ndjson', () => { language: 'kuery', max_signals: 100, tags: [], - lists: [], + exceptions_list: [], threat: [], throttle: null, references: [], @@ -183,7 +183,7 @@ describe('create_rules_stream_from_ndjson', () => { query: '', language: 'kuery', max_signals: 100, - lists: [], + exceptions_list: [], tags: [], threat: [], throttle: null, @@ -230,7 +230,7 @@ describe('create_rules_stream_from_ndjson', () => { query: '', language: 'kuery', max_signals: 100, - lists: [], + exceptions_list: [], tags: [], threat: [], throttle: null, @@ -256,7 +256,7 @@ describe('create_rules_stream_from_ndjson', () => { query: '', language: 'kuery', max_signals: 100, - lists: [], + exceptions_list: [], tags: [], threat: [], throttle: null, @@ -303,7 +303,7 @@ describe('create_rules_stream_from_ndjson', () => { query: '', language: 'kuery', max_signals: 100, - lists: [], + exceptions_list: [], tags: [], threat: [], throttle: null, @@ -330,7 +330,7 @@ describe('create_rules_stream_from_ndjson', () => { query: '', language: 'kuery', max_signals: 100, - lists: [], + exceptions_list: [], tags: [], threat: [], throttle: null, @@ -376,7 +376,7 @@ describe('create_rules_stream_from_ndjson', () => { query: '', language: 'kuery', max_signals: 100, - lists: [], + exceptions_list: [], tags: [], threat: [], throttle: null, @@ -405,7 +405,7 @@ describe('create_rules_stream_from_ndjson', () => { query: '', language: 'kuery', max_signals: 100, - lists: [], + exceptions_list: [], tags: [], threat: [], throttle: null, diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/get_export_all.test.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/get_export_all.test.ts index dd004e3685b1d..537078640a35b 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/get_export_all.test.ts +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/get_export_all.test.ts @@ -79,7 +79,7 @@ describe('getExportAll', () => { throttle: 'no_actions', note: '# Investigative notes', version: 1, - lists: [ + exceptions_list: [ { field: 'source.ip', values_operator: 'included', diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/get_export_by_object_ids.test.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/get_export_by_object_ids.test.ts index 715cb23e8444a..5afbdd5a4a6e8 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/get_export_by_object_ids.test.ts +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/get_export_by_object_ids.test.ts @@ -87,7 +87,7 @@ describe('get_export_by_object_ids', () => { throttle: 'no_actions', note: '# Investigative notes', version: 1, - lists: [ + exceptions_list: [ { field: 'source.ip', values_operator: 'included', @@ -215,7 +215,7 @@ describe('get_export_by_object_ids', () => { throttle: 'no_actions', note: '# Investigative notes', version: 1, - lists: [ + exceptions_list: [ { field: 'source.ip', values_operator: 'included', diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/install_prepacked_rules.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/install_prepacked_rules.ts index 6d4bacb9cc243..5dbd74e87f760 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/install_prepacked_rules.ts +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/install_prepacked_rules.ts @@ -46,7 +46,7 @@ export const installPrepackagedRules = ( references, note, version, - lists, + exceptions_list, } = rule; return [ ...acc, @@ -82,7 +82,7 @@ export const installPrepackagedRules = ( references, note, version, - lists, + exceptions_list, actions: [], // At this time there is no pre-packaged actions }), ]; diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/patch_rules.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/patch_rules.ts index 5c4889ec5fd68..becfc79fa8499 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/patch_rules.ts +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/patch_rules.ts @@ -44,7 +44,7 @@ export const patchRules = async ({ references, note, version, - lists, + exceptions_list, anomalyThreshold, machineLearningJobId, }: PatchRuleParams): Promise => { @@ -78,7 +78,7 @@ export const patchRules = async ({ references, version, note, - lists, + exceptions_list, anomalyThreshold, machineLearningJobId, }); @@ -110,7 +110,7 @@ export const patchRules = async ({ references, note, version: calculatedVersion, - lists, + exceptions_list, anomalyThreshold, machineLearningJobId, } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/update_rules.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/update_rules.ts index 99326768ed33b..3eba028cc2340 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/update_rules.ts +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/update_rules.ts @@ -44,7 +44,7 @@ export const updateRules = async ({ references, version, note, - lists, + exceptions_list, anomalyThreshold, machineLearningJobId, actions, @@ -83,8 +83,8 @@ export const updateRules = async ({ machineLearningJobId, }); - // TODO: Remove this and use regular lists once the feature is stable for a release - const listsParam = hasListsFeature() ? { lists } : {}; + // TODO: Remove this and use regular exceptions_list once the feature is stable for a release + const exceptionsListParam = hasListsFeature() ? { exceptions_list } : {}; const update = await alertsClient.update({ id: rule.id, @@ -120,7 +120,7 @@ export const updateRules = async ({ version: calculatedVersion, anomalyThreshold, machineLearningJobId, - ...listsParam, + ...exceptionsListParam, }, }, }); diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/__mocks__/es_results.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/__mocks__/es_results.ts index 7a211c5631da6..ad14b6fab79a3 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/__mocks__/es_results.ts +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/__mocks__/es_results.ts @@ -44,7 +44,7 @@ export const sampleRuleAlertParams = ( meta: undefined, threat: undefined, version: 1, - lists: [ + exceptions_list: [ { field: 'source.ip', values_operator: 'included', diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/build_bulk_body.test.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/build_bulk_body.test.ts index f1729e35ce1f0..bbd01cfaafc62 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/build_bulk_body.test.ts +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/build_bulk_body.test.ts @@ -90,7 +90,7 @@ describe('buildBulkBody', () => { version: 1, created_at: fakeSignalSourceHit.signal.rule?.created_at, updated_at: fakeSignalSourceHit.signal.rule?.updated_at, - lists: [ + exceptions_list: [ { field: 'source.ip', values_operator: 'included', @@ -216,7 +216,7 @@ describe('buildBulkBody', () => { created_at: fakeSignalSourceHit.signal.rule?.created_at, updated_at: fakeSignalSourceHit.signal.rule?.updated_at, throttle: 'no_actions', - lists: [ + exceptions_list: [ { field: 'source.ip', values_operator: 'included', @@ -340,7 +340,7 @@ describe('buildBulkBody', () => { created_at: fakeSignalSourceHit.signal.rule?.created_at, updated_at: fakeSignalSourceHit.signal.rule?.updated_at, throttle: 'no_actions', - lists: [ + exceptions_list: [ { field: 'source.ip', values_operator: 'included', @@ -457,7 +457,7 @@ describe('buildBulkBody', () => { updated_at: fakeSignalSourceHit.signal.rule?.updated_at, created_at: fakeSignalSourceHit.signal.rule?.created_at, throttle: 'no_actions', - lists: [ + exceptions_list: [ { field: 'source.ip', values_operator: 'included', diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/build_rule.test.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/build_rule.test.ts index e5183ed4df7bd..b3586c884d0c7 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/build_rule.test.ts +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/build_rule.test.ts @@ -79,7 +79,7 @@ describe('buildRule', () => { query: 'host.name: Braden', }, ], - lists: [ + exceptions_list: [ { field: 'source.ip', values_operator: 'included', @@ -162,7 +162,7 @@ describe('buildRule', () => { updated_at: rule.updated_at, created_at: rule.created_at, throttle: 'no_actions', - lists: [ + exceptions_list: [ { field: 'source.ip', values_operator: 'included', @@ -244,7 +244,7 @@ describe('buildRule', () => { updated_at: rule.updated_at, created_at: rule.created_at, throttle: 'no_actions', - lists: [ + exceptions_list: [ { field: 'source.ip', values_operator: 'included', diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/build_rule.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/build_rule.ts index 9c375d7d45d5e..93d4e5e7719b2 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/build_rule.ts +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/build_rule.ts @@ -72,7 +72,7 @@ export const buildRule = ({ version: ruleParams.version, created_at: createdAt, updated_at: updatedAt, - lists: ruleParams.lists, + exceptions_list: ruleParams.exceptions_list, machine_learning_job_id: ruleParams.machineLearningJobId, anomaly_threshold: ruleParams.anomalyThreshold, }); diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/signal_params_schema.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/signal_params_schema.ts index 58dd53b6447c5..81a6ce9b08f02 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/signal_params_schema.ts +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/signal_params_schema.ts @@ -39,5 +39,5 @@ export const signalParamsSchema = () => type: schema.string(), references: schema.arrayOf(schema.string(), { defaultValue: [] }), version: schema.number({ defaultValue: 1 }), - lists: schema.maybe(schema.arrayOf(schema.object({}, { unknowns: 'allow' }))), + exceptions_list: schema.maybe(schema.arrayOf(schema.object({}, { unknowns: 'allow' }))), }); diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/types.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/types.ts index 035f1b10ff8b2..a22b45d3bcf16 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/types.ts +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/types.ts @@ -66,7 +66,7 @@ export interface RuleAlertParams { type: RuleType; version: number; throttle: string | undefined | null; - lists: ListsDefaultArraySchema | null | undefined; + exceptions_list: ListsDefaultArraySchema | null | undefined; } export type RuleTypeParams = Omit< diff --git a/x-pack/test/detection_engine_api_integration/security_and_spaces/tests/utils.ts b/x-pack/test/detection_engine_api_integration/security_and_spaces/tests/utils.ts index 7b725a7830c56..6ff91ea308e38 100644 --- a/x-pack/test/detection_engine_api_integration/security_and_spaces/tests/utils.ts +++ b/x-pack/test/detection_engine_api_integration/security_and_spaces/tests/utils.ts @@ -154,7 +154,7 @@ export const getSimpleRuleOutput = (ruleId = 'rule-1'): Partial