elastic · paul-tavares · Jan 31, 2022 · Jan 29, 2022 · Jan 29, 2022 · Jan 29, 2022
diff --git a/...rity_solution/server/lists_integration/endpoint/handlers/exceptions_pre_create_handler.ts b/...rity_solution/server/lists_integration/endpoint/handlers/exceptions_pre_create_handler.ts
@@ -17,6 +17,10 @@ export const getExceptionsPreCreateItemHandler = (
   endpointAppContext: EndpointAppContextService
 ): ValidatorCallback => {
   return async function ({ data, context: { request } }): Promise<CreateExceptionListItemOptions> {
+    if (data.namespaceType !== 'agnostic') {
+      return data;
+    }
+
     // Validate trusted apps
     if (TrustedAppValidator.isTrustedApp(data)) {
       return new TrustedAppValidator(endpointAppContext, request).validatePreCreateItem(data);

diff --git a/...solution/server/lists_integration/endpoint/handlers/exceptions_pre_delete_item_handler.ts b/...solution/server/lists_integration/endpoint/handlers/exceptions_pre_delete_item_handler.ts
@@ -10,6 +10,7 @@ import { EndpointAppContextService } from '../../../endpoint/endpoint_app_contex
 import { ExceptionsListPreDeleteItemServerExtension } from '../../../../../lists/server';
 import { TrustedAppValidator } from '../validators/trusted_app_validator';
 import { HostIsolationExceptionsValidator } from '../validators/host_isolation_exceptions_validator';
+import { EventFilterValidator } from '../validators';
 
 type ValidatorCallback = ExceptionsListPreDeleteItemServerExtension['callback'];
 export const getExceptionsPreDeleteItemHandler = (
@@ -31,20 +32,29 @@ export const getExceptionsPreDeleteItemHandler = (
       return data;
     }
 
+    const { list_id: listId } = exceptionItem;
+
     // Validate Trusted Applications
-    if (TrustedAppValidator.isTrustedApp({ listId: exceptionItem.list_id })) {
+    if (TrustedAppValidator.isTrustedApp({ listId })) {
       await new TrustedAppValidator(endpointAppContextService, request).validatePreDeleteItem();
       return data;
     }
+
     // Host Isolation Exception
-    if (HostIsolationExceptionsValidator.isHostIsolationException(exceptionItem.list_id)) {
+    if (HostIsolationExceptionsValidator.isHostIsolationException(listId)) {
       await new HostIsolationExceptionsValidator(
         endpointAppContextService,
         request
       ).validatePreDeleteItem();
       return data;
     }
 
+    // Event Filter validation
+    if (EventFilterValidator.isEventFilter({ listId })) {
+      await new EventFilterValidator(endpointAppContextService, request).validatePreDeleteItem();
+      return data;
+    }
+
     return data;
   };
 };
diff --git a/...rity_solution/server/lists_integration/endpoint/handlers/exceptions_pre_export_handler.ts b/...rity_solution/server/lists_integration/endpoint/handlers/exceptions_pre_export_handler.ts
@@ -9,12 +9,17 @@ import { EndpointAppContextService } from '../../../endpoint/endpoint_app_contex
 import { ExceptionsListPreExportServerExtension } from '../../../../../lists/server';
 import { TrustedAppValidator } from '../validators/trusted_app_validator';
 import { HostIsolationExceptionsValidator } from '../validators/host_isolation_exceptions_validator';
+import { EventFilterValidator } from '../validators';
 
 type ValidatorCallback = ExceptionsListPreExportServerExtension['callback'];
 export const getExceptionsPreExportHandler = (
   endpointAppContextService: EndpointAppContextService
 ): ValidatorCallback => {
   return async function ({ data, context: { request, exceptionListClient } }) {
+    if (data.namespaceType !== 'agnostic') {
+      return data;
+    }
+
     const { listId: maybeListId, id } = data;
     let listId: string | null | undefined = maybeListId;
 
@@ -40,6 +45,12 @@ export const getExceptionsPreExportHandler = (
       return data;
     }
 
+    // Event Filter validations
+    if (EventFilterValidator.isEventFilter({ listId })) {
+      await new EventFilterValidator(endpointAppContextService, request).validatePreExport();
+      return data;
+    }
+
     return data;
   };
 };
diff --git a/...ity_solution/server/lists_integration/endpoint/handlers/exceptions_pre_get_one_handler.ts b/...ity_solution/server/lists_integration/endpoint/handlers/exceptions_pre_get_one_handler.ts
@@ -10,6 +10,7 @@ import { EndpointAppContextService } from '../../../endpoint/endpoint_app_contex
 import { ExceptionsListPreGetOneItemServerExtension } from '../../../../../lists/server';
 import { TrustedAppValidator } from '../validators/trusted_app_validator';
 import { HostIsolationExceptionsValidator } from '../validators/host_isolation_exceptions_validator';
+import { EventFilterValidator } from '../validators';
 
 type ValidatorCallback = ExceptionsListPreGetOneItemServerExtension['callback'];
 export const getExceptionsPreGetOneHandler = (
@@ -31,20 +32,29 @@ export const getExceptionsPreGetOneHandler = (
       return data;
     }
 
+    const listId = exceptionItem.list_id;
+
     // Validate Trusted Applications
-    if (TrustedAppValidator.isTrustedApp({ listId: exceptionItem.list_id })) {
+    if (TrustedAppValidator.isTrustedApp({ listId })) {
       await new TrustedAppValidator(endpointAppContextService, request).validatePreGetOneItem();
       return data;
     }
+
     // validate Host Isolation Exception
-    if (HostIsolationExceptionsValidator.isHostIsolationException(exceptionItem.list_id)) {
+    if (HostIsolationExceptionsValidator.isHostIsolationException(listId)) {
       await new HostIsolationExceptionsValidator(
         endpointAppContextService,
         request
       ).validatePreGetOneItem();
       return data;
     }
 
+    // Event Filters Exception
+    if (EventFilterValidator.isEventFilter({ listId })) {
+      await new EventFilterValidator(endpointAppContextService, request).validatePreGetOneItem();
+      return data;
+    }
+
     return data;
   };
 };
diff --git a/...tion/server/lists_integration/endpoint/handlers/exceptions_pre_multi_list_find_handler.ts b/...tion/server/lists_integration/endpoint/handlers/exceptions_pre_multi_list_find_handler.ts
@@ -9,6 +9,7 @@ import { EndpointAppContextService } from '../../../endpoint/endpoint_app_contex
 import { ExceptionsListPreMultiListFindServerExtension } from '../../../../../lists/server';
 import { TrustedAppValidator } from '../validators/trusted_app_validator';
 import { HostIsolationExceptionsValidator } from '../validators/host_isolation_exceptions_validator';
+import { EventFilterValidator } from '../validators';
 
 type ValidatorCallback = ExceptionsListPreMultiListFindServerExtension['callback'];
 export const getExceptionsPreMultiListFindHandler = (
@@ -33,6 +34,12 @@ export const getExceptionsPreMultiListFindHandler = (
       return data;
     }
 
+    // Event Filters Exceptions
+    if (data.listId.some((listId) => EventFilterValidator.isEventFilter({ listId }))) {
+      await new EventFilterValidator(endpointAppContextService, request).validatePreMultiListFind();
+      return data;
+    }
+
     return data;
   };
 };
diff --git a/...ion/server/lists_integration/endpoint/handlers/exceptions_pre_single_list_find_handler.ts b/...ion/server/lists_integration/endpoint/handlers/exceptions_pre_single_list_find_handler.ts
@@ -9,6 +9,7 @@ import { EndpointAppContextService } from '../../../endpoint/endpoint_app_contex
 import { ExceptionsListPreSingleListFindServerExtension } from '../../../../../lists/server';
 import { TrustedAppValidator } from '../validators/trusted_app_validator';
 import { HostIsolationExceptionsValidator } from '../validators/host_isolation_exceptions_validator';
+import { EventFilterValidator } from '../validators';
 
 type ValidatorCallback = ExceptionsListPreSingleListFindServerExtension['callback'];
 export const getExceptionsPreSingleListFindHandler = (
@@ -19,19 +20,32 @@ export const getExceptionsPreSingleListFindHandler = (
       return data;
     }
 
+    const { listId } = data;
+
     // Validate Host Isolation Exceptions
-    if (TrustedAppValidator.isTrustedApp({ listId: data.listId })) {
+    if (TrustedAppValidator.isTrustedApp({ listId })) {
       await new TrustedAppValidator(endpointAppContextService, request).validatePreSingleListFind();
       return data;
     }
-    if (HostIsolationExceptionsValidator.isHostIsolationException(data.listId)) {
+
+    // Host Isolation Exceptions
+    if (HostIsolationExceptionsValidator.isHostIsolationException(listId)) {
       await new HostIsolationExceptionsValidator(
         endpointAppContextService,
         request
       ).validatePreSingleListFind();
       return data;
     }
 
+    // Event Filters Exceptions
+    if (EventFilterValidator.isEventFilter({ listId })) {
+      await new EventFilterValidator(
+        endpointAppContextService,
+        request
+      ).validatePreSingleListFind();
+      return data;
+    }
+
     return data;
   };
 };
diff --git a/...ity_solution/server/lists_integration/endpoint/handlers/exceptions_pre_summary_handler.ts b/...ity_solution/server/lists_integration/endpoint/handlers/exceptions_pre_summary_handler.ts
@@ -7,14 +7,18 @@
 
 import { EndpointAppContextService } from '../../../endpoint/endpoint_app_context_services';
 import { ExceptionsListPreSummaryServerExtension } from '../../../../../lists/server';
-import { TrustedAppValidator } from '../validators';
+import { TrustedAppValidator, EventFilterValidator } from '../validators';
 import { HostIsolationExceptionsValidator } from '../validators/host_isolation_exceptions_validator';
 
 type ValidatorCallback = ExceptionsListPreSummaryServerExtension['callback'];
 export const getExceptionsPreSummaryHandler = (
   endpointAppContextService: EndpointAppContextService
 ): ValidatorCallback => {
   return async function ({ data, context: { request, exceptionListClient } }) {
+    if (data.namespaceType !== 'agnostic') {
+      return data;
+    }
+
     const { listId: maybeListId, id } = data;
     let listId: string | null | undefined = maybeListId;
 
@@ -40,6 +44,12 @@ export const getExceptionsPreSummaryHandler = (
       return data;
     }
 
+    // Event Filter Exceptions
+    if (EventFilterValidator.isEventFilter({ listId })) {
+      await new EventFilterValidator(endpointAppContextService, request).validatePreSummary();
+      return data;
+    }
+
     return data;
   };
 };
diff --git a/.../security_solution/server/lists_integration/endpoint/validators/event_filter_validator.ts b/.../security_solution/server/lists_integration/endpoint/validators/event_filter_validator.ts
@@ -101,4 +101,34 @@ export class EventFilterValidator extends BaseValidator {
       throw new EndpointArtifactExceptionValidationError(error.message);
     }
   }
+
+  async validatePreGetOneItem(): Promise<void> {
+    await this.validateCanManageEndpointArtifacts();
+  }
+
+  async validatePreSummary(): Promise<void> {
+    await this.validateCanManageEndpointArtifacts();
+  }
+
+  async validatePreDeleteItem(): Promise<void> {
+    await this.validateCanManageEndpointArtifacts();
+  }
+
+  async validatePreExport(): Promise<void> {
+    await this.validateCanManageEndpointArtifacts();
+  }
+
+  async validatePreSingleListFind(): Promise<void> {
+    await this.validateCanManageEndpointArtifacts();
+  }
+
+  async validatePreMultiListFind(): Promise<void> {
+    await this.validateCanManageEndpointArtifacts();
+  }
+
+  async validatePreImport(): Promise<void> {
+    throw new EndpointArtifactExceptionValidationError(
+      'Import is not supported for Endpoint artifact exceptions'
+    );
+  }
 }