[8.19] [EDR Workflows] Prevent Event Filter list recreation with every new Cloud Workloads Defend integration (#221358) (#222328)

# Backport

This will backport the following commits from `main` to `8.19`:
- [[EDR Workflows] Prevent Event Filter list recreation with every new
Cloud Workloads Defend integration
(#221358)](#221358)

<!--- Backport version: 9.6.6 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sorenlouv/backport)

<!--BACKPORT [{"author":{"name":"Konrad
Szwarc","email":"[email protected]"},"sourceCommit":{"committedDate":"2025-06-03T10:35:12Z","message":"[EDR
Workflows] Prevent Event Filter list recreation with every new Cloud
Workloads Defend integration (#221358)\n\nThis PR fixes a missing check
for the existence of the event filter list\nbefore attempting to create
it in the `packagePolicy` creation callback.\nThis callback is triggered
when adding the Cloud Workloads Defend\nintegration.\n\nThe fix follows
the same pattern used in similar list-creation
logic:\n\nhttps://github.com/elastic/kibana/blob/main/x-pack/solutions/security/plugins/lists/server/handlers/create_exception_list_handler.ts#L39\n\n\n\nhttps://github.com/user-attachments/assets/81495092-e682-4f2d-ba9c-c149d3c8936c","sha":"539409d082f5c1416e650c452ac1474ba4d26fb8","branchLabelMapping":{"^v9.1.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:skip","v9.0.0","Team:Defend
Workflows","backport:version","v9.1.0","v8.19.0"],"title":"[EDR
Workflows] Prevent Event Filter list recreation with every new Cloud
Workloads Defend
integration","number":221358,"url":"https://github.com/elastic/kibana/pull/221358","mergeCommit":{"message":"[EDR
Workflows] Prevent Event Filter list recreation with every new Cloud
Workloads Defend integration (#221358)\n\nThis PR fixes a missing check
for the existence of the event filter list\nbefore attempting to create
it in the `packagePolicy` creation callback.\nThis callback is triggered
when adding the Cloud Workloads Defend\nintegration.\n\nThe fix follows
the same pattern used in similar list-creation
logic:\n\nhttps://github.com/elastic/kibana/blob/main/x-pack/solutions/security/plugins/lists/server/handlers/create_exception_list_handler.ts#L39\n\n\n\nhttps://github.com/user-attachments/assets/81495092-e682-4f2d-ba9c-c149d3c8936c","sha":"539409d082f5c1416e650c452ac1474ba4d26fb8"}},"sourceBranch":"main","suggestedTargetBranches":["9.0","8.19"],"targetPullRequestStates":[{"branch":"9.0","label":"v9.0.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"main","label":"v9.1.0","branchLabelMappingKey":"^v9.1.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/221358","number":221358,"mergeCommit":{"message":"[EDR
Workflows] Prevent Event Filter list recreation with every new Cloud
Workloads Defend integration (#221358)\n\nThis PR fixes a missing check
for the existence of the event filter list\nbefore attempting to create
it in the `packagePolicy` creation callback.\nThis callback is triggered
when adding the Cloud Workloads Defend\nintegration.\n\nThe fix follows
the same pattern used in similar list-creation
logic:\n\nhttps://github.com/elastic/kibana/blob/main/x-pack/solutions/security/plugins/lists/server/handlers/create_exception_list_handler.ts#L39\n\n\n\nhttps://github.com/user-attachments/assets/81495092-e682-4f2d-ba9c-c149d3c8936c","sha":"539409d082f5c1416e650c452ac1474ba4d26fb8"}},{"branch":"8.19","label":"v8.19.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"}]}]
BACKPORT-->

Co-authored-by: Konrad Szwarc <[email protected]>

Author: kibanamachine

x-pack/solutions/security/plugins/security_solution/server/fleet_integration/fleet_integration.test.ts

@@ -395,9 +395,14 @@ describe('Fleet integrations', () => {
       soClient = savedObjectsClientMock.create();
       esClient = elasticsearchServiceMock.createClusterClient().asInternalUser;
       endpointAppContextServiceMock = createMockEndpointAppContextService();
+      jest.clearAllMocks();
       endpointAppContextServiceMock.getExceptionListsClient.mockReturnValue(exceptionListClient);
       callback = getPackagePolicyPostCreateCallback(endpointAppContextServiceMock);
       policyConfig = generator.generatePolicyPackagePolicy() as PackagePolicy;
+      // By default, simulate that the event filter list does not exist
+      (exceptionListClient.getExceptionList as jest.Mock).mockResolvedValue(null);
+      (exceptionListClient.createExceptionList as jest.Mock).mockResolvedValue({});
+      (exceptionListClient.createExceptionListItem as jest.Mock).mockResolvedValue({});
     });
 
     it('should create the Endpoint Event Filters List and add the correct Event Filters List Item attached to the policy given nonInteractiveSession parameter on integration config eventFilters', async () => {
@@ -419,6 +424,9 @@ describe('Fleet integrations', () => {
         req
       );
 
+      // Wait for all async code in createEventFilters to complete
+      await new Promise(process.nextTick);
+
       expect(exceptionListClient.createExceptionList).toHaveBeenCalledWith(
         expect.objectContaining({
           listId: ENDPOINT_ARTIFACT_LISTS.eventFilters.id,
@@ -446,6 +454,55 @@ describe('Fleet integrations', () => {
       );
     });
 
+    it('should NOT create the Event Filters List if it already exists, but should add the Event Filters List Item', async () => {
+      const integrationConfig = {
+        type: 'cloud',
+        eventFilters: {
+          nonInteractiveSession: true,
+        },
+      };
+
+      policyConfig.inputs[0]!.config!.integration_config = {
+        value: integrationConfig,
+      };
+
+      // Mock getExceptionList to return a non-null value (list already exists)
+      (exceptionListClient.getExceptionList as jest.Mock).mockResolvedValue({
+        id: 'existing-list-id',
+        listId: ENDPOINT_ARTIFACT_LISTS.eventFilters.id,
+      });
+
+      const postCreatedPolicyConfig = await callback(
+        policyConfig,
+        soClient,
+        esClient,
+        requestContextMock.convertContext(ctx),
+        req
+      );
+
+      // Should NOT attempt to create the list
+      expect(exceptionListClient.createExceptionList).not.toHaveBeenCalled();
+      // Should still create the event filter item
+      expect(exceptionListClient.createExceptionListItem).toHaveBeenCalledWith(
+        expect.objectContaining({
+          listId: ENDPOINT_ARTIFACT_LISTS.eventFilters.id,
+          tags: [`policy:${postCreatedPolicyConfig.id}`],
+          osTypes: ['linux'],
+          entries: [
+            {
+              field: 'process.entry_leader.interactive',
+              operator: 'included',
+              type: 'match',
+              value: 'false',
+            },
+          ],
+          itemId: 'NEW_UUID',
+          namespaceType: 'agnostic',
+          meta: undefined,
+        })
+      );
+    });
+
     it('should not call Event Filters List and Event Filters List Item if nonInteractiveSession parameter is not present on integration config eventFilters', async () => {
       const integrationConfig = {
         type: 'cloud',

x-pack/solutions/security/plugins/security_solution/server/fleet_integration/handlers/create_event_filters.ts

@@ -29,24 +29,45 @@ export const createEventFilters = async (
   if (!eventFilters?.nonInteractiveSession) {
     return;
   }
+
   try {
-    // Attempt to Create the Event Filter List. It won't create the list if it already exists.
-    // So we can skip the validation and ignore the conflict error
-    await exceptionsClient.createExceptionList({
-      name: ENDPOINT_ARTIFACT_LISTS.eventFilters.name,
-      namespaceType: 'agnostic',
-      description: ENDPOINT_ARTIFACT_LISTS.eventFilters.description,
+    const existingList = await exceptionsClient.getExceptionList({
       listId: ENDPOINT_ARTIFACT_LISTS.eventFilters.id,
-      type: ExceptionListTypeEnum.ENDPOINT_EVENTS,
-      immutable: false,
-      meta: undefined,
-      tags: [],
-      version: 1,
+      namespaceType: 'agnostic',
+      id: undefined,
     });
+
+    if (existingList) {
+      logger.debug(
+        `Event Filter List with id "${ENDPOINT_ARTIFACT_LISTS.eventFilters.id}" already exists. Skipping creation.`
+      );
+    } else {
+      logger.debug(
+        `Event Filter List with id "${ENDPOINT_ARTIFACT_LISTS.eventFilters.id}" not found. Attempting creation.`
+      );
+      await exceptionsClient.createExceptionList({
+        name: ENDPOINT_ARTIFACT_LISTS.eventFilters.name,
+        namespaceType: 'agnostic',
+        description: ENDPOINT_ARTIFACT_LISTS.eventFilters.description,
+        listId: ENDPOINT_ARTIFACT_LISTS.eventFilters.id,
+        type: ExceptionListTypeEnum.ENDPOINT_EVENTS,
+        immutable: false,
+        meta: undefined,
+        tags: [],
+        version: 1,
+      });
+      logger.debug(
+        `Successfully created Event Filter List with id "${ENDPOINT_ARTIFACT_LISTS.eventFilters.id}".`
+      );
+    }
   } catch (err) {
-    // Ignoring error 409 (Conflict)
-    if (!SavedObjectsErrorHelpers.isConflictError(err)) {
-      logger.error(`Error creating Event Filter List: ${wrapErrorIfNeeded(err)}`);
+    if (SavedObjectsErrorHelpers.isConflictError(err)) {
+      logger.debug(
+        `Event Filter List with id "${ENDPOINT_ARTIFACT_LISTS.eventFilters.id}" already exists. Skipping creation.`
+      );
+    } else {
+      logger.error(`Error during Event Filter List handling: ${wrapErrorIfNeeded(err)}`);
+
       return;
     }
   }