[Security Solution][Exceptions] - Fixes exception builder bug that includes matches operator (#136340) (#136652)

## Summary

Addresses Kibana issue #36224

(cherry picked from commit ff3853c)

Co-authored-by: Yara Tercero <[email protected]>

Author: kibanamachine

packages/kbn-securitysolution-autocomplete/src/get_operators/index.test.ts

@@ -9,7 +9,7 @@
 import {
   doesNotExistOperator,
   EVENT_FILTERS_OPERATORS,
-  EXCEPTION_OPERATORS,
+  ALL_OPERATORS,
   existsOperator,
   isNotOperator,
   isOperator,
@@ -53,6 +53,6 @@ describe('#getOperators', () => {
   test('it returns all operator types when field type is not null, boolean, or nested', () => {
     const operator = getOperators(getField('machine.os.raw'));
 
-    expect(operator).toEqual(EXCEPTION_OPERATORS);
+    expect(operator).toEqual(ALL_OPERATORS);
   });
 });

packages/kbn-securitysolution-autocomplete/src/get_operators/index.ts

@@ -9,7 +9,7 @@
 import { DataViewFieldBase } from '@kbn/es-query';
 
 import {
-  EXCEPTION_OPERATORS,
+  ALL_OPERATORS,
   EVENT_FILTERS_OPERATORS,
   OperatorOption,
   doesNotExistOperator,
@@ -34,6 +34,6 @@ export const getOperators = (field: DataViewFieldBase | undefined): OperatorOpti
   } else if (field.name === 'file.path.text') {
     return EVENT_FILTERS_OPERATORS;
   } else {
-    return EXCEPTION_OPERATORS;
+    return ALL_OPERATORS;
   }
 };

packages/kbn-securitysolution-list-utils/src/autocomplete_operators/index.ts

@@ -102,7 +102,22 @@ export const EVENT_FILTERS_OPERATORS: OperatorOption[] = [
   matchesOperator,
 ];
 
-export const EXCEPTION_OPERATORS: OperatorOption[] = [
+/*
+ * !IMPORTANT! - Please only add to this list if it is an operator
+ * supported by the detection engine.
+ */
+export const DETECTION_ENGINE_EXCEPTION_OPERATORS: OperatorOption[] = [
+  isOperator,
+  isNotOperator,
+  isOneOfOperator,
+  isNotOneOfOperator,
+  existsOperator,
+  doesNotExistOperator,
+  isInListOperator,
+  isNotInListOperator,
+];
+
+export const ALL_OPERATORS: OperatorOption[] = [
   isOperator,
   isNotOperator,
   isOneOfOperator,

packages/kbn-securitysolution-list-utils/src/helpers/index.ts

@@ -36,13 +36,14 @@ import {
 } from '@kbn/es-query';
 
 import {
-  EXCEPTION_OPERATORS,
+  ALL_OPERATORS,
   EXCEPTION_OPERATORS_SANS_LISTS,
   doesNotExistOperator,
   existsOperator,
   isNotOperator,
   isOneOfOperator,
   isOperator,
+  DETECTION_ENGINE_EXCEPTION_OPERATORS,
 } from '../autocomplete_operators';
 
 import {
@@ -192,7 +193,7 @@ export const getExceptionOperatorSelect = (item: BuilderEntry): OperatorOption =
     return isOperator;
   } else {
     const operatorType = getOperatorType(item);
-    const foundOperator = EXCEPTION_OPERATORS.find((operatorOption) => {
+    const foundOperator = ALL_OPERATORS.find((operatorOption) => {
       return item.operator === operatorOption.operator && operatorType === operatorOption.type;
     });
 
@@ -687,12 +688,12 @@ export const getOperatorOptions = (
     return isBoolean ? [isOperator] : [isOperator, isOneOfOperator];
   } else if (item.nested != null && listType === 'detection') {
     return isBoolean ? [isOperator, existsOperator] : [isOperator, isOneOfOperator, existsOperator];
+  } else if (isBoolean) {
+    return [isOperator, isNotOperator, existsOperator, doesNotExistOperator];
+  } else if (!includeValueListOperators) {
+    return EXCEPTION_OPERATORS_SANS_LISTS;
   } else {
-    return isBoolean
-      ? [isOperator, isNotOperator, existsOperator, doesNotExistOperator]
-      : includeValueListOperators
-      ? EXCEPTION_OPERATORS
-      : EXCEPTION_OPERATORS_SANS_LISTS;
+    return listType === 'detection' ? DETECTION_ENGINE_EXCEPTION_OPERATORS : ALL_OPERATORS;
   }
 };
 

x-pack/plugins/lists/public/exceptions/components/builder/helpers.test.ts

@@ -18,8 +18,9 @@ import {
   ListOperatorTypeEnum as OperatorTypeEnum,
 } from '@kbn/securitysolution-io-ts-list-types';
 import {
+  ALL_OPERATORS,
   BuilderEntry,
-  EXCEPTION_OPERATORS,
+  DETECTION_ENGINE_EXCEPTION_OPERATORS,
   EXCEPTION_OPERATORS_SANS_LISTS,
   EmptyEntry,
   ExceptionsBuilderExceptionItem,
@@ -596,13 +597,6 @@ describe('Exception builder helpers', () => {
       expect(output).toEqual(expected);
     });
 
-    test('it returns all operator options if "listType" is "detection"', () => {
-      const payloadItem: FormattedBuilderEntry = getMockBuilderEntry();
-      const output = getOperatorOptions(payloadItem, 'detection', false);
-      const expected: OperatorOption[] = EXCEPTION_OPERATORS;
-      expect(output).toEqual(expected);
-    });
-
     test('it returns "isOperator", "isNotOperator", "doesNotExistOperator" and "existsOperator" if field type is boolean', () => {
       const payloadItem: FormattedBuilderEntry = getMockBuilderEntry();
       const output = getOperatorOptions(payloadItem, 'detection', true);
@@ -618,14 +612,27 @@ describe('Exception builder helpers', () => {
     test('it returns list operators if specified to', () => {
       const payloadItem: FormattedBuilderEntry = getMockBuilderEntry();
       const output = getOperatorOptions(payloadItem, 'detection', false, true);
-      expect(output).toEqual(EXCEPTION_OPERATORS);
+      expect(output.some((operator) => operator.value === 'is_not_in_list')).toBeTruthy();
+      expect(output.some((operator) => operator.value === 'is_in_list')).toBeTruthy();
     });
 
     test('it does not return list operators if specified not to', () => {
       const payloadItem: FormattedBuilderEntry = getMockBuilderEntry();
       const output = getOperatorOptions(payloadItem, 'detection', false, false);
       expect(output).toEqual(EXCEPTION_OPERATORS_SANS_LISTS);
     });
+
+    test('it returns all possible operators if list type is not "detection"', () => {
+      const payloadItem: FormattedBuilderEntry = getMockBuilderEntry();
+      const output = getOperatorOptions(payloadItem, 'endpoint_events', false, true);
+      expect(output).toEqual(ALL_OPERATORS);
+    });
+
+    test('it returns all operators supported by detection engine if list type is "detection"', () => {
+      const payloadItem: FormattedBuilderEntry = getMockBuilderEntry();
+      const output = getOperatorOptions(payloadItem, 'detection', false, true);
+      expect(output).toEqual(DETECTION_ENGINE_EXCEPTION_OPERATORS);
+    });
   });
 
   describe('#getEntryOnFieldChange', () => {