elastic · parkiino · Jul 31, 2025 · Jun 5, 2025 · Jun 5, 2025 · Jun 8, 2025
@@ -7,7 +7,7 @@
 
 import {
   doesNotExistOperator,
-  EVENT_FILTERS_OPERATORS,
+  ENDPOINT_ARTIFACT_OPERATORS,
   ALL_OPERATORS,
   existsOperator,
   isNotOperator,
@@ -46,7 +46,7 @@ describe('#getOperators', () => {
       type: 'simple',
     });
 
-    expect(operator).toEqual(EVENT_FILTERS_OPERATORS);
+    expect(operator).toEqual(ENDPOINT_ARTIFACT_OPERATORS);
   });
 
   test('it returns all operator types when field type is not null, boolean, or nested', () => {

@@ -9,7 +9,7 @@ import { DataViewFieldBase } from '@kbn/es-query';
 
 import {
   ALL_OPERATORS,
-  EVENT_FILTERS_OPERATORS,
+  ENDPOINT_ARTIFACT_OPERATORS,
   OperatorOption,
   doesNotExistOperator,
   existsOperator,
@@ -31,7 +31,7 @@ export const getOperators = (field: DataViewFieldBase | undefined): OperatorOpti
   } else if (field.type === 'nested') {
     return [isOperator];
   } else if (field.name === 'file.path.text') {
-    return EVENT_FILTERS_OPERATORS;
+    return ENDPOINT_ARTIFACT_OPERATORS;
   } else {
     return ALL_OPERATORS;
   }

@@ -102,7 +102,10 @@ export const doesNotMatchOperator: OperatorOption = {
   value: 'does_not_match',
 };
 
-export const EVENT_FILTERS_OPERATORS: OperatorOption[] = [
+/**
+ * Operators valid for event filters, trusted apps and endpoint exceptions
+ */
+export const ENDPOINT_ARTIFACT_OPERATORS: OperatorOption[] = [
   isOperator,
   isNotOperator,
   isOneOfOperator,

@@ -21,6 +21,7 @@ import {
 import styled from 'styled-components';
 import {
   ExceptionListType,
+  ExceptionListTypeEnum,
   ListSchema,
   ListOperatorTypeEnum as OperatorTypeEnum,
   OsTypeArray,
@@ -322,12 +323,13 @@ export const BuilderEntryItem: React.FC<EntryItemProps> = ({
   );
 
   const renderOperatorInput = (isFirst: boolean): JSX.Element => {
-    // for event filters forms
-    // show extra operators for wildcards when field supports matches
+    // Extra operators for wildcards will be removed if the field does not support matches
     const doesFieldSupportMatches = entry.field !== undefined && fieldSupportsMatches(entry.field);
-    const isEventFilterList = listType === 'endpoint_events';
+    const isEventFilterList = listType === ExceptionListTypeEnum.ENDPOINT_EVENTS;
+    const isTrustedAppsList = listType === ExceptionListTypeEnum.ENDPOINT_TRUSTED_APPS;
+
     const augmentedOperatorsList =
-      operatorsList && doesFieldSupportMatches && isEventFilterList
+      operatorsList && doesFieldSupportMatches && (isEventFilterList || isTrustedAppsList)
         ? operatorsList
         : operatorsList?.filter((operator) => operator.type !== OperatorTypeEnum.WILDCARD);
 

@@ -6,7 +6,7 @@
  */
 
 import React, { ElementType, useCallback, useEffect, useMemo, useReducer, useState } from 'react';
-import { EuiFlexGroup, EuiFlexItem, EuiSpacer } from '@elastic/eui';
+import { EuiFlexGroup, EuiFlexItem } from '@elastic/eui';
 import styled from 'styled-components';
 import { HttpStart } from '@kbn/core/public';
 import { addIdToItem } from '@kbn/securitysolution-utils';
@@ -53,7 +53,7 @@ const MyAndBadge = styled(AndOrBadge)`
 `;
 
 const MyButtonsContainer = styled(EuiFlexItem)`
-  margin: 16px 0;
+  margin: 8px 0;
 `;
 
 const initialState: State = {
@@ -475,8 +475,6 @@ export const ExceptionBuilderComponent = ({
         </EuiFlexItem>
       ))}
 
-      <EuiSpacer size="m" />
-
       <MyButtonsContainer data-test-subj={`andOrOperatorButtons`}>
         <EuiFlexGroup gutterSize="s">
           {andLogicIncluded && (

@@ -16,7 +16,11 @@ export const EndpointSuggestionsSchema = {
     fieldMeta: schema.maybe(schema.any()),
   }),
   params: schema.object({
-    suggestion_type: schema.oneOf([schema.literal('eventFilters'), schema.literal('endpoints')]),
+    suggestion_type: schema.oneOf([
+      schema.literal('eventFilters'),
+      schema.literal('endpoints'),
+      schema.literal('trustedApps'),
+    ]),
   }),
 };
 

@@ -7,12 +7,14 @@
 
 import type { EntryMatch } from '@kbn/securitysolution-io-ts-list-types';
 import { ENDPOINT_ARTIFACT_LIST_IDS } from '@kbn/securitysolution-list-constants';
-import { EVENT_FILTERS_OPERATORS } from '@kbn/securitysolution-list-utils';
+import { ENDPOINT_ARTIFACT_OPERATORS } from '@kbn/securitysolution-list-utils';
 
 export const BY_POLICY_ARTIFACT_TAG_PREFIX = 'policy:';
 
 export const GLOBAL_ARTIFACT_TAG = `${BY_POLICY_ARTIFACT_TAG_PREFIX}all`;
 
+export const ADVANCED_MODE_TAG = 'form_mode:advanced';
+
 export const FILTER_PROCESS_DESCENDANTS_TAG = 'filter_process_descendants';
 
 /** The tag prefix that tracks the space(s) that is considered the "owner" of the artifact.  */
@@ -28,7 +30,7 @@ export const PROCESS_DESCENDANT_EVENT_FILTER_EXTRA_ENTRY: EntryMatch = Object.fr
 export const PROCESS_DESCENDANT_EVENT_FILTER_EXTRA_ENTRY_TEXT: string = `${
   PROCESS_DESCENDANT_EVENT_FILTER_EXTRA_ENTRY.field
 } ${
-  EVENT_FILTERS_OPERATORS.find(
+  ENDPOINT_ARTIFACT_OPERATORS.find(
     ({ type }) => type === PROCESS_DESCENDANT_EVENT_FILTER_EXTRA_ENTRY.type
   )?.message
 } ${PROCESS_DESCENDANT_EVENT_FILTER_EXTRA_ENTRY.value}`;

@@ -13,4 +13,4 @@ export {
   getArtifactTagsByPolicySelection,
 } from './utils';
 
-export { BY_POLICY_ARTIFACT_TAG_PREFIX, GLOBAL_ARTIFACT_TAG } from './constants';
+export { BY_POLICY_ARTIFACT_TAG_PREFIX, GLOBAL_ARTIFACT_TAG, ADVANCED_MODE_TAG } from './constants';
@@ -17,6 +17,7 @@ import {
   FILTER_PROCESS_DESCENDANTS_TAG,
   GLOBAL_ARTIFACT_TAG,
   OWNER_SPACE_ID_TAG_PREFIX,
+  ADVANCED_MODE_TAG,
 } from './constants';
 
 export type TagFilter = (tag: string) => boolean;
@@ -122,6 +123,12 @@ export const getEffectedPolicySelectionByTags = (
   };
 };
 
+export const isAdvancedModeEnabled = (
+  item: Partial<Pick<ExceptionListItemSchema, 'tags'>>
+): boolean => (item.tags ?? []).includes(ADVANCED_MODE_TAG);
+
+export const isAdvancedModeTag: TagFilter = (tag) => tag === ADVANCED_MODE_TAG;
+
 export const isFilterProcessDescendantsEnabled = (
   item: Partial<Pick<ExceptionListItemSchema, 'tags'>>
 ): boolean => (item.tags ?? []).includes(FILTER_PROCESS_DESCENDANTS_TAG);

@@ -75,3 +75,26 @@ export const parsePoliciesAndFilterToKql = ({
   const policiesKQL = parsePoliciesToKQL(policies, excludedPolicies);
   return `(${policiesKQL})${kuery ? ` AND (${kuery})` : ''}`;
 };
+
+/**
+ * Counts the number of conditions added for a new Event filter or Trusted app
+ * @param formFields
+ * @returns number of fields
+ */
+export const getAddedFieldsCounts = (formFields: string[]): { [k: string]: number } =>
+  formFields.reduce<{ [k: string]: number }>((allFields, field) => {
+    if (field in allFields) {
+      allFields[field]++;
+    } else {
+      allFields[field] = 1;
+    }
+    return allFields;
+  }, {});
+
+/**
+ * Checks if conditions in Event filters or Trusted Apps forms have duplicate fields
+ * @param formFields
+ * @returns boolean
+ */
+export const computeHasDuplicateFields = (formFieldsMap: Record<string, number>): boolean =>
+  Object.values(formFieldsMap).some((e) => e > 1);
@@ -49,7 +49,7 @@ const StyledEuiFlexItemButtonGroup = styled(EuiFlexItem)`
   }
 `;
 
-const StyledButtonGroup = styled(EuiButtonGroup)`
+export const StyledButtonGroup = styled(EuiButtonGroup)`
   display: flex;
   justify-content: right;
   .euiButtonGroupButton {

@@ -14,3 +14,4 @@ export { useSummaryArtifact } from './use_summary_artifact';
 export { useBulkUpdateArtifact } from './use_bulk_update_artifact';
 export { useBulkDeleteArtifact } from './use_bulk_delete_artifact';
 export { useGetUpdatedTags } from './use_get_updated_tags';
+export { useCanAssignArtifactPerPolicy } from './use_can_assign_artifact_per_policy';
@@ -9,6 +9,7 @@ import type { ExceptionListItemSchema } from '@kbn/securitysolution-io-ts-list-t
 import { useCallback } from 'react';
 import type { TagFilter } from '../../../../common/endpoint/service/artifacts/utils';
 import {
+  isAdvancedModeTag,
   isOwnerSpaceIdTag,
   isFilterProcessDescendantsTag,
   isPolicySelectionTag,
@@ -23,6 +24,7 @@ type GetTagsUpdatedBy<TagFilters> = (tagType: keyof TagFilters, newTags: string[
 const DEFAULT_FILTERS = Object.freeze({
   policySelection: isPolicySelectionTag,
   processDescendantsFiltering: isFilterProcessDescendantsTag,
+  advancedMode: isAdvancedModeTag,
   ownerSpaceId: isOwnerSpaceIdTag,
 } as const);
 

@@ -28,7 +28,7 @@ import { css } from '@emotion/react';
 
 import type { ExceptionListItemSchema } from '@kbn/securitysolution-io-ts-list-types';
 import {
-  EVENT_FILTERS_OPERATORS,
+  ENDPOINT_ARTIFACT_OPERATORS,
   hasWrongOperatorWithWildcard,
   hasPartialCodeSignatureEntry,
 } from '@kbn/securitysolution-list-utils';
@@ -61,6 +61,7 @@ import { useFetchIndex } from '../../../../../common/containers/source';
 import { Loader } from '../../../../../common/components/loader';
 import { useKibana } from '../../../../../common/lib/kibana';
 import type { ArtifactFormComponentProps } from '../../../../components/artifact_list_page';
+import { getAddedFieldsCounts, computeHasDuplicateFields } from '../../../../common/utils';
 
 import {
   ABOUT_EVENT_FILTERS,
@@ -92,19 +93,6 @@ const osOptions: Array<EuiSuperSelectOption<OperatingSystem>> = OPERATING_SYSTEM
   inputDisplay: OS_TITLES[os],
 }));
 
-const getAddedFieldsCounts = (formFields: string[]): { [k: string]: number } =>
-  formFields.reduce<{ [k: string]: number }>((allFields, field) => {
-    if (field in allFields) {
-      allFields[field]++;
-    } else {
-      allFields[field] = 1;
-    }
-    return allFields;
-  }, {});
-
-const computeHasDuplicateFields = (formFieldsList: Record<string, number>): boolean =>
-  Object.values(formFieldsList).some((e) => e > 1);
-
 const defaultConditionEntry = (): ExceptionListItemSchema['entries'] => [
   {
     field: '',
@@ -586,7 +574,7 @@ export const EventFiltersForm: React.FC<ArtifactFormComponentProps & { allowSele
           dataTestSubj: 'alert-exception-builder',
           idAria: 'alert-exception-builder',
           onChange: handleOnBuilderChange,
-          operatorsList: EVENT_FILTERS_OPERATORS,
+          operatorsList: ENDPOINT_ARTIFACT_OPERATORS,
           osTypes: exception.os_types,
           showValueListModal: ShowValueListModal,
         }),

@@ -5,14 +5,20 @@
  * 2.0.
  */
 
-import type { CreateExceptionListSchema } from '@kbn/securitysolution-io-ts-list-types';
+import type {
+  CreateExceptionListSchema,
+  ExceptionListType,
+} from '@kbn/securitysolution-io-ts-list-types';
 import { ExceptionListTypeEnum } from '@kbn/securitysolution-io-ts-list-types';
 import {
   ENDPOINT_TRUSTED_APPS_LIST_DESCRIPTION,
   ENDPOINT_TRUSTED_APPS_LIST_ID,
   ENDPOINT_TRUSTED_APPS_LIST_NAME,
 } from '@kbn/securitysolution-list-constants';
 
+export const TRUSTED_APPS_LIST_TYPE: ExceptionListType =
+  ExceptionListTypeEnum.ENDPOINT_TRUSTED_APPS;
+
 export const SEARCHABLE_FIELDS: Readonly<string[]> = [
   `name`,
   `description`,

@@ -0,0 +1,44 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import type { HttpSetup } from '@kbn/core-http-browser';
+import { TrustedAppsApiClient } from './api_client';
+import { coreMock } from '@kbn/core/public/mocks';
+import { SUGGESTIONS_INTERNAL_ROUTE } from '../../../../../common/endpoint/constants';
+import { resolvePathVariables } from '../../../../common/utils/resolve_path_variables';
+
+describe('TrustedAppsApiClient', () => {
+  let fakeHttpServices: jest.Mocked<HttpSetup>;
+  let trustedAppsApiClient: TrustedAppsApiClient;
+
+  beforeAll(() => {
+    fakeHttpServices = coreMock.createStart().http as jest.Mocked<HttpSetup>;
+    trustedAppsApiClient = new TrustedAppsApiClient(fakeHttpServices);
+  });
+
+  beforeEach(() => {
+    jest.clearAllMocks();
+  });
+
+  it('should call the SUGGESTIONS_INTERNAL_ROUTE with correct URL and body', async () => {
+    await trustedAppsApiClient.getSuggestions({
+      field: 'host.name',
+      query: 'test',
+    });
+
+    expect(fakeHttpServices.post).toHaveBeenCalledWith(
+      resolvePathVariables(SUGGESTIONS_INTERNAL_ROUTE, { suggestion_type: 'trustedApps' }),
+      {
+        version: '1',
+        body: JSON.stringify({
+          field: 'host.name',
+          query: 'test',
+        }),
+      }
+    );
+  });
+});