[EDR Workflows] Prevent Event Filter list recreation with every new Cloud Workloads Defend integration (#221358)

szwarckonrad · web-flow · commit 539409d082f5 · 2025-06-03T13:35:12.000+03:00
This PR fixes a missing check for the existence of the event filter list before attempting to create it in the `packagePolicy` creation callback. This callback is triggered when adding the Cloud Workloads Defend integration. The fix follows the same pattern used in similar list-creation logic: https://github.com/elastic/kibana/blob/main/x-pack/solutions/security/plugins/lists/server/handlers/create_exception_list_handler.ts#L39 https://github.com/user-attachments/assets/81495092-e682-4f2d-ba9c-c149d3c8936c
diff --git a/x-pack/solutions/security/plugins/security_solution/server/fleet_integration/fleet_integration.test.ts b/x-pack/solutions/security/plugins/security_solution/server/fleet_integration/fleet_integration.test.ts
@@ -395,9 +395,14 @@ describe('Fleet integrations', () => {
       soClient = savedObjectsClientMock.create();
       esClient = elasticsearchServiceMock.createClusterClient().asInternalUser;
       endpointAppContextServiceMock = createMockEndpointAppContextService();
+      jest.clearAllMocks();
       endpointAppContextServiceMock.getExceptionListsClient.mockReturnValue(exceptionListClient);
       callback = getPackagePolicyPostCreateCallback(endpointAppContextServiceMock);
       policyConfig = generator.generatePolicyPackagePolicy() as PackagePolicy;
+      // By default, simulate that the event filter list does not exist
+      (exceptionListClient.getExceptionList as jest.Mock).mockResolvedValue(null);
+      (exceptionListClient.createExceptionList as jest.Mock).mockResolvedValue({});
+      (exceptionListClient.createExceptionListItem as jest.Mock).mockResolvedValue({});
     });
 
     it('should create the Endpoint Event Filters List and add the correct Event Filters List Item attached to the policy given nonInteractiveSession parameter on integration config eventFilters', async () => {
@@ -419,6 +424,9 @@ describe('Fleet integrations', () => {
         req
       );
 
+      // Wait for all async code in createEventFilters to complete
+      await new Promise(process.nextTick);
+
       expect(exceptionListClient.createExceptionList).toHaveBeenCalledWith(
         expect.objectContaining({
           listId: ENDPOINT_ARTIFACT_LISTS.eventFilters.id,
@@ -446,6 +454,55 @@ describe('Fleet integrations', () => {
       );
     });
 
+    it('should NOT create the Event Filters List if it already exists, but should add the Event Filters List Item', async () => {
+      const integrationConfig = {
+        type: 'cloud',
+        eventFilters: {
+          nonInteractiveSession: true,
+        },
+      };
+
+      policyConfig.inputs[0]!.config!.integration_config = {
+        value: integrationConfig,
+      };
+
+      // Mock getExceptionList to return a non-null value (list already exists)
+      (exceptionListClient.getExceptionList as jest.Mock).mockResolvedValue({
+        id: 'existing-list-id',
+        listId: ENDPOINT_ARTIFACT_LISTS.eventFilters.id,
+      });
+
+      const postCreatedPolicyConfig = await callback(
+        policyConfig,
+        soClient,
+        esClient,
+        requestContextMock.convertContext(ctx),
+        req
+      );
+
+      // Should NOT attempt to create the list
+      expect(exceptionListClient.createExceptionList).not.toHaveBeenCalled();
+      // Should still create the event filter item
+      expect(exceptionListClient.createExceptionListItem).toHaveBeenCalledWith(
+        expect.objectContaining({
+          listId: ENDPOINT_ARTIFACT_LISTS.eventFilters.id,
+          tags: [`policy:${postCreatedPolicyConfig.id}`],
+          osTypes: ['linux'],
+          entries: [
+            {
+              field: 'process.entry_leader.interactive',
+              operator: 'included',
+              type: 'match',
+              value: 'false',
+            },
+          ],
+          itemId: 'NEW_UUID',
+          namespaceType: 'agnostic',
+          meta: undefined,
+        })
+      );
+    });
+
     it('should not call Event Filters List and Event Filters List Item if nonInteractiveSession parameter is not present on integration config eventFilters', async () => {
       const integrationConfig = {
         type: 'cloud',
diff --git a/x-pack/solutions/security/plugins/security_solution/server/fleet_integration/handlers/create_event_filters.ts b/x-pack/solutions/security/plugins/security_solution/server/fleet_integration/handlers/create_event_filters.ts
@@ -29,24 +29,45 @@ export const createEventFilters = async (
   if (!eventFilters?.nonInteractiveSession) {
     return;
   }
+
   try {
-    // Attempt to Create the Event Filter List. It won't create the list if it already exists.
-    // So we can skip the validation and ignore the conflict error
-    await exceptionsClient.createExceptionList({
-      name: ENDPOINT_ARTIFACT_LISTS.eventFilters.name,
-      namespaceType: 'agnostic',
-      description: ENDPOINT_ARTIFACT_LISTS.eventFilters.description,
+    const existingList = await exceptionsClient.getExceptionList({
       listId: ENDPOINT_ARTIFACT_LISTS.eventFilters.id,
-      type: ExceptionListTypeEnum.ENDPOINT_EVENTS,
-      immutable: false,
-      meta: undefined,
-      tags: [],
-      version: 1,
+      namespaceType: 'agnostic',
+      id: undefined,
     });
+
+    if (existingList) {
+      logger.debug(
+        `Event Filter List with id "${ENDPOINT_ARTIFACT_LISTS.eventFilters.id}" already exists. Skipping creation.`
+      );
+    } else {
+      logger.debug(
+        `Event Filter List with id "${ENDPOINT_ARTIFACT_LISTS.eventFilters.id}" not found. Attempting creation.`
+      );
+      await exceptionsClient.createExceptionList({
+        name: ENDPOINT_ARTIFACT_LISTS.eventFilters.name,
+        namespaceType: 'agnostic',
+        description: ENDPOINT_ARTIFACT_LISTS.eventFilters.description,
+        listId: ENDPOINT_ARTIFACT_LISTS.eventFilters.id,
+        type: ExceptionListTypeEnum.ENDPOINT_EVENTS,
+        immutable: false,
+        meta: undefined,
+        tags: [],
+        version: 1,
+      });
+      logger.debug(
+        `Successfully created Event Filter List with id "${ENDPOINT_ARTIFACT_LISTS.eventFilters.id}".`
+      );
+    }
   } catch (err) {
-    // Ignoring error 409 (Conflict)
-    if (!SavedObjectsErrorHelpers.isConflictError(err)) {
-      logger.error(`Error creating Event Filter List: ${wrapErrorIfNeeded(err)}`);
+    if (SavedObjectsErrorHelpers.isConflictError(err)) {
+      logger.debug(
+        `Event Filter List with id "${ENDPOINT_ARTIFACT_LISTS.eventFilters.id}" already exists. Skipping creation.`
+      );
+    } else {
+      logger.error(`Error during Event Filter List handling: ${wrapErrorIfNeeded(err)}`);
+
       return;
     }
   }
