From e7db631d4518b67fdc503650252b28427340d98a Mon Sep 17 00:00:00 2001 From: Madison Caldwell Date: Fri, 18 Sep 2020 15:20:15 +0000 Subject: [PATCH] Finish adding .lower to exceptionable fields --- .../server/saved_objects/exception_list.ts | 6 +++ .../exceptions/exceptionable_fields.json | 40 +++++++++---------- .../common/components/exceptions/helpers.tsx | 2 +- .../server/endpoint/lib/artifacts/lists.ts | 8 ++-- 4 files changed, 32 insertions(+), 24 deletions(-) diff --git a/x-pack/plugins/lists/server/saved_objects/exception_list.ts b/x-pack/plugins/lists/server/saved_objects/exception_list.ts index f9e408833e0697..f6d15d7e82afb6 100644 --- a/x-pack/plugins/lists/server/saved_objects/exception_list.ts +++ b/x-pack/plugins/lists/server/saved_objects/exception_list.ts @@ -6,6 +6,8 @@ import { SavedObjectsType } from 'kibana/server'; +import { migrations } from './migrations'; + export const exceptionListSavedObjectType = 'exception-list'; export const exceptionListAgnosticSavedObjectType = 'exception-list-agnostic'; export type SavedObjectType = 'exception-list' | 'exception-list-agnostic'; @@ -149,6 +151,9 @@ export const exceptionListItemMapping: SavedObjectsType['mappings'] = { item_id: { type: 'keyword', }, + os_types: { + type: 'keyword', + }, }, }; @@ -170,6 +175,7 @@ export const exceptionListType: SavedObjectsType = { export const exceptionListAgnosticType: SavedObjectsType = { hidden: false, mappings: combinedMappings, + migrations, name: exceptionListAgnosticSavedObjectType, namespaceType: 'agnostic', }; diff --git a/x-pack/plugins/security_solution/public/common/components/exceptions/exceptionable_fields.json b/x-pack/plugins/security_solution/public/common/components/exceptions/exceptionable_fields.json index 037e340ee7fa2c..79bb8dafeab099 100644 --- a/x-pack/plugins/security_solution/public/common/components/exceptions/exceptionable_fields.json +++ b/x-pack/plugins/security_solution/public/common/components/exceptions/exceptionable_fields.json 
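Review bot: `migrations` is registered only on `exceptionListAgnosticType` in the last hunk of exception_list.ts; `exceptionListType` is named in that hunk's header but its body lies outside the hunk, so it cannot be seen whether `exception-list` documents get the same migration. If space-scoped exception items can also carry `.text` entries or need `os_types`, add `migrations,` to that object as well; otherwise state the reason next to the registration, e.g. `// migrations apply to agnostic (endpoint) lists only`. The first hunk imports `./migrations`, yet the diffstat lists four changed files and none of them is that module, so confirm it already exists on the target branch.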
@@ -6,33 +6,33 @@
 "Target.process.Ext.code_signature.valid",
 "Target.process.Ext.services",
 "Target.process.Ext.user",
- "Target.process.command_line.text",
- "Target.process.executable.text",
+ "Target.process.command_line.lower",
+ "Target.process.executable.lower",
 "Target.process.hash.md5",
 "Target.process.hash.sha1",
 "Target.process.hash.sha256",
 "Target.process.hash.sha512",
- "Target.process.name.text",
+ "Target.process.name.lower",
 "Target.process.parent.Ext.code_signature.status",
 "Target.process.parent.Ext.code_signature.subject_name",
 "Target.process.parent.Ext.code_signature.trusted",
 "Target.process.parent.Ext.code_signature.valid",
- "Target.process.parent.command_line.text",
- "Target.process.parent.executable.text",
+ "Target.process.parent.command_line.lower",
+ "Target.process.parent.executable.lower",
 "Target.process.parent.hash.md5",
 "Target.process.parent.hash.sha1",
 "Target.process.parent.hash.sha256",
 "Target.process.parent.hash.sha512",
- "Target.process.parent.name.text",
+ "Target.process.parent.name.lower",
 "Target.process.parent.pgid",
- "Target.process.parent.working_directory.text",
+ "Target.process.parent.working_directory.lower",
 "Target.process.pe.company",
 "Target.process.pe.description",
 "Target.process.pe.file_version",
 "Target.process.pe.original_file_name",
 "Target.process.pe.product",
 "Target.process.pgid",
- "Target.process.working_directory.text",
+ "Target.process.working_directory.lower",
 "agent.id",
 "agent.type",
 "agent.version",
@@ -66,14 +66,14 @@
 "file.mode",
 "file.name",
 "file.owner",
- "file.path.text",
+ "file.path.lower",
 "file.pe.company",
 "file.pe.description",
 "file.pe.file_version",
 "file.pe.original_file_name",
 "file.pe.product",
 "file.size",
- "file.target_path.text",
+ "file.target_path.lower",
 "file.type",
 "file.uid",
 "group.Ext.real.id",
@@ -84,9 +84,9 @@
 "host.id",
 "host.os.Ext.variant",
 "host.os.family",
- "host.os.full.text",
+ "host.os.full.lower",
 "host.os.kernel",
- "host.os.name.text",
+ "host.os.name.lower",
 "host.os.platform",
 "host.os.version",
 "host.type",
@@ -96,33 +96,33 @@
 "process.Ext.code_signature.valid",
 "process.Ext.services",
 "process.Ext.user",
- "process.command_line.text",
- "process.executable.text",
+ "process.command_line.lower",
+ "process.executable.lower",
 "process.hash.md5",
 "process.hash.sha1",
 "process.hash.sha256",
 "process.hash.sha512",
- "process.name.text",
+ "process.name.lower",
 "process.parent.Ext.code_signature.status",
 "process.parent.Ext.code_signature.subject_name",
 "process.parent.Ext.code_signature.trusted",
 "process.parent.Ext.code_signature.valid",
- "process.parent.command_line.text",
- "process.parent.executable.text",
+ "process.parent.command_line.lower",
+ "process.parent.executable.lower",
 "process.parent.hash.md5",
 "process.parent.hash.sha1",
 "process.parent.hash.sha256",
 "process.parent.hash.sha512",
- "process.parent.name.text",
+ "process.parent.name.lower",
 "process.parent.pgid",
- "process.parent.working_directory.text",
+ "process.parent.working_directory.lower",
 "process.pe.company",
 "process.pe.description",
 "process.pe.file_version",
 "process.pe.original_file_name",
 "process.pe.product",
 "process.pgid",
- "process.working_directory.text",
+ "process.working_directory.lower",
 "rule.uuid",
 "user.domain",
 "user.email",
diff --git a/x-pack/plugins/security_solution/public/common/components/exceptions/helpers.tsx b/x-pack/plugins/security_solution/public/common/components/exceptions/helpers.tsx
index 3c3c71a2b33e73..9cc42261fc519c 100644
--- a/x-pack/plugins/security_solution/public/common/components/exceptions/helpers.tsx
+++ b/x-pack/plugins/security_solution/public/common/components/exceptions/helpers.tsx
@@ -472,7 +472,7 @@ export const defaultEndpointExceptionItems = ( ], }, { - field: 'file.path.text', + field: 'file.path.lower', // TODO: file.path.lower for windows, file.path otherwise? operator: 'included', type: 'match', value: filePath ?? '', diff --git a/x-pack/plugins/security_solution/server/endpoint/lib/artifacts/lists.ts b/x-pack/plugins/security_solution/server/endpoint/lib/artifacts/lists.ts index 731b083f3293c3..3062b938cd7d33 100644 --- a/x-pack/plugins/security_solution/server/endpoint/lib/artifacts/lists.ts +++ b/x-pack/plugins/security_solution/server/endpoint/lib/artifacts/lists.ts @@ -141,16 +141,18 @@ export function translateToEndpointExceptions( function getMatcherFunction(field: string, matchAny?: boolean): TranslatedEntryMatcher { return matchAny - ? field.endsWith('.text') + ? field.endsWith('.lower') || field.endsWith('.text') ? 'exact_caseless_any' : 'exact_cased_any' - : field.endsWith('.text') + : field.endsWith('.lower') || field.endsWith('.text') ? 'exact_caseless' : 'exact_cased'; } function normalizeFieldName(field: string): string { - return field.endsWith('.text') ? field.substring(0, field.length - 5) : field; + return field.endsWith('.lower') || field.endsWith('.text') + ? field.substring(0, field.lastIndexOf('.')) + : field; } function translateItem(
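Review bot: The default entry `field: 'file.path.lower'` in helpers.tsx makes the pre-filled path exception case-insensitive for every host, and the inline TODO leaves the Windows-only question unanswered. On hosts with a case-sensitive file system (typically Linux), a caseless entry also suppresses alerts for paths that differ from the excepted one only in letter case, which is broader than the analyst asked for. Until the OS is available at this point, replace the question with a tracked note, e.g. `// NOTE: caseless on all OSes; use file.path for non-Windows hosts (see <issue-id>)`. The body of `defaultEndpointExceptionItems` starts and ends outside the hunk, so whether OS information is already in scope cannot be seen from here.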
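Review bot: The suffix test `field.endsWith('.lower') || field.endsWith('.text')` now appears three times across `getMatcherFunction` and `normalizeFieldName` in lists.ts, and the two functions have to agree. If one is later changed without the other, the endpoint artifact gets either an unstripped field name or the wrong case sensitivity, so an exception silently stops matching or matches more than intended. Keep the suffix list in one helper that both functions call, as sketched below. The diffstat lists no test file, so a unit test covering a `.lower` field and a legacy `.text` field through both functions would be worth adding. `translateItem` continues outside the hunk.

```typescript
// Multi-field suffixes that mean "match without regard to case" on the endpoint.
const CASELESS_SUFFIXES = ['.lower', '.text'];

function hasCaselessSuffix(field: string): boolean {
  return CASELESS_SUFFIXES.some((suffix) => field.endsWith(suffix));
}

function getMatcherFunction(field: string, matchAny?: boolean): TranslatedEntryMatcher {
  const caseless = hasCaselessSuffix(field);
  if (matchAny) {
    return caseless ? 'exact_caseless_any' : 'exact_cased_any';
  }
  return caseless ? 'exact_caseless' : 'exact_cased';
}

function normalizeFieldName(field: string): string {
  return hasCaselessSuffix(field) ? field.substring(0, field.lastIndexOf('.')) : field;
}
```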