Finish adding .lower to exceptionable fields

x-pack/plugins/lists/server/saved_objects/exception_list.ts

@@ -6,6 +6,8 @@
 
 import { SavedObjectsType } from 'kibana/server';
 
+import { migrations } from './migrations';
+
 export const exceptionListSavedObjectType = 'exception-list';
 export const exceptionListAgnosticSavedObjectType = 'exception-list-agnostic';
 export type SavedObjectType = 'exception-list' | 'exception-list-agnostic';
@@ -149,6 +151,9 @@ export const exceptionListItemMapping: SavedObjectsType['mappings'] = {
     item_id: {
       type: 'keyword',
     },
+    os_types: {
+      type: 'keyword',
+    },
   },
 };
 
@@ -170,6 +175,7 @@ export const exceptionListType: SavedObjectsType = {
 export const exceptionListAgnosticType: SavedObjectsType = {
   hidden: false,
   mappings: combinedMappings,
+  migrations,
   name: exceptionListAgnosticSavedObjectType,
   namespaceType: 'agnostic',
 };

x-pack/plugins/security_solution/public/common/components/exceptions/exceptionable_fields.json

@@ -6,33 +6,33 @@
   "Target.process.Ext.code_signature.valid",
   "Target.process.Ext.services",
   "Target.process.Ext.user",
-  "Target.process.command_line.text",
-  "Target.process.executable.text",
+  "Target.process.command_line.lower",
+  "Target.process.executable.lower",
   "Target.process.hash.md5",
   "Target.process.hash.sha1",
   "Target.process.hash.sha256",
   "Target.process.hash.sha512",
-  "Target.process.name.text",
+  "Target.process.name.lower",
   "Target.process.parent.Ext.code_signature.status",
   "Target.process.parent.Ext.code_signature.subject_name",
   "Target.process.parent.Ext.code_signature.trusted",
   "Target.process.parent.Ext.code_signature.valid",
-  "Target.process.parent.command_line.text",
-  "Target.process.parent.executable.text",
+  "Target.process.parent.command_line.lower",
+  "Target.process.parent.executable.lower",
   "Target.process.parent.hash.md5",
   "Target.process.parent.hash.sha1",
   "Target.process.parent.hash.sha256",
   "Target.process.parent.hash.sha512",
-  "Target.process.parent.name.text",
+  "Target.process.parent.name.lower",
   "Target.process.parent.pgid",
-  "Target.process.parent.working_directory.text",
+  "Target.process.parent.working_directory.lower",
   "Target.process.pe.company",
   "Target.process.pe.description",
   "Target.process.pe.file_version",
   "Target.process.pe.original_file_name",
   "Target.process.pe.product",
   "Target.process.pgid",
-  "Target.process.working_directory.text",
+  "Target.process.working_directory.lower",
   "agent.id",
   "agent.type",
   "agent.version",
@@ -66,14 +66,14 @@
   "file.mode",
   "file.name",
   "file.owner",
-  "file.path.text",
+  "file.path.lower",
   "file.pe.company",
   "file.pe.description",
   "file.pe.file_version",
   "file.pe.original_file_name",
   "file.pe.product",
   "file.size",
-  "file.target_path.text",
+  "file.target_path.lower",
   "file.type",
   "file.uid",
   "group.Ext.real.id",
@@ -84,9 +84,9 @@
   "host.id",
   "host.os.Ext.variant",
   "host.os.family",
-  "host.os.full.text",
+  "host.os.full.lower",
   "host.os.kernel",
-  "host.os.name.text",
+  "host.os.name.lower",
   "host.os.platform",
   "host.os.version",
   "host.type",
@@ -96,33 +96,33 @@
   "process.Ext.code_signature.valid",
   "process.Ext.services",
   "process.Ext.user",
-  "process.command_line.text",
-  "process.executable.text",
+  "process.command_line.lower",
+  "process.executable.lower",
   "process.hash.md5",
   "process.hash.sha1",
   "process.hash.sha256",
   "process.hash.sha512",
-  "process.name.text",
+  "process.name.lower",
   "process.parent.Ext.code_signature.status",
   "process.parent.Ext.code_signature.subject_name",
   "process.parent.Ext.code_signature.trusted",
   "process.parent.Ext.code_signature.valid",
-  "process.parent.command_line.text",
-  "process.parent.executable.text",
+  "process.parent.command_line.lower",
+  "process.parent.executable.lower",
   "process.parent.hash.md5",
   "process.parent.hash.sha1",
   "process.parent.hash.sha256",
   "process.parent.hash.sha512",
-  "process.parent.name.text",
+  "process.parent.name.lower",
   "process.parent.pgid",
-  "process.parent.working_directory.text",
+  "process.parent.working_directory.lower",
   "process.pe.company",
   "process.pe.description",
   "process.pe.file_version",
   "process.pe.original_file_name",
   "process.pe.product",
   "process.pgid",
-  "process.working_directory.text",
+  "process.working_directory.lower",
   "rule.uuid",
   "user.domain",
   "user.email",

x-pack/plugins/security_solution/public/common/components/exceptions/helpers.tsx

@@ -472,7 +472,7 @@ export const defaultEndpointExceptionItems = (
           ],
         },
         {
-          field: 'file.path.text',
+          field: 'file.path.lower', // TODO: file.path.lower for windows, file.path otherwise?
           operator: 'included',
           type: 'match',
           value: filePath ?? '',

x-pack/plugins/security_solution/server/endpoint/lib/artifacts/lists.ts

@@ -141,16 +141,18 @@ export function translateToEndpointExceptions(
 
 function getMatcherFunction(field: string, matchAny?: boolean): TranslatedEntryMatcher {
   return matchAny
-    ? field.endsWith('.text')
+    ? field.endsWith('.lower') || field.endsWith('.text')
       ? 'exact_caseless_any'
       : 'exact_cased_any'
-    : field.endsWith('.text')
+    : field.endsWith('.lower') || field.endsWith('.text')
     ? 'exact_caseless'
     : 'exact_cased';
 }
 
 function normalizeFieldName(field: string): string {
-  return field.endsWith('.text') ? field.substring(0, field.length - 5) : field;
+  return field.endsWith('.lower') || field.endsWith('.text')
+    ? field.substring(0, field.lastIndexOf('.'))
+    : field;
 }
 
 function translateItem(