[EDR Workflows][Process descendants filter] Transform event filter entry for filtering process descendant

x-pack/plugins/security_solution/common/endpoint/service/artifacts/constants.ts

@@ -5,14 +5,31 @@
  * 2.0.
  */
 
+import type { EntryMatch } from '@kbn/securitysolution-io-ts-list-types';
 import { ENDPOINT_ARTIFACT_LIST_IDS } from '@kbn/securitysolution-list-constants';
+import { EVENT_FILTERS_OPERATORS } from '@kbn/securitysolution-list-utils';
 
 export const BY_POLICY_ARTIFACT_TAG_PREFIX = 'policy:';
 
 export const GLOBAL_ARTIFACT_TAG = `${BY_POLICY_ARTIFACT_TAG_PREFIX}all`;
 
 export const FILTER_PROCESS_DESCENDANTS_TAG = 'filter_process_descendants';
 
+export const PROCESS_DESCENDANT_EVENT_FILTER_EXTRA_ENTRY: EntryMatch = Object.freeze({
+  field: 'event.category',
+  operator: 'included',
+  type: 'match',
+  value: 'process',
+});
+
+export const PROCESS_DESCENDANT_EVENT_FILTER_EXTRA_ENTRY_TEXT: string = `${
+  PROCESS_DESCENDANT_EVENT_FILTER_EXTRA_ENTRY.field
+} ${
+  EVENT_FILTERS_OPERATORS.find(
+    ({ type }) => type === PROCESS_DESCENDANT_EVENT_FILTER_EXTRA_ENTRY.type
+  )?.message
+} ${PROCESS_DESCENDANT_EVENT_FILTER_EXTRA_ENTRY.value}`;
+
 // TODO: refact all uses of `ALL_ENDPOINT_ARTIFACTS_LIST_IDS to sue new const from shared package
 export const ALL_ENDPOINT_ARTIFACT_LIST_IDS = ENDPOINT_ARTIFACT_LIST_IDS;
 

x-pack/plugins/security_solution/common/endpoint/service/artifacts/utils.ts

@@ -23,7 +23,7 @@ export type TagFilter = (tag: string) => boolean;
 const POLICY_ID_START_POSITION = BY_POLICY_ARTIFACT_TAG_PREFIX.length;
 
 export const isArtifactGlobal = (item: Partial<Pick<ExceptionListItemSchema, 'tags'>>): boolean => {
-  return (item.tags ?? []).find((tag) => tag === GLOBAL_ARTIFACT_TAG) !== undefined;
+  return (item.tags ?? []).includes(GLOBAL_ARTIFACT_TAG);
 };
 
 export const isArtifactByPolicy = (item: Pick<ExceptionListItemSchema, 'tags'>): boolean => {
@@ -96,7 +96,7 @@ export const getEffectedPolicySelectionByTags = (
 
 export const isFilterProcessDescendantsEnabled = (
   item: Partial<Pick<ExceptionListItemSchema, 'tags'>>
-): boolean => (item.tags ?? []).find((tag) => tag === FILTER_PROCESS_DESCENDANTS_TAG) !== undefined;
+): boolean => (item.tags ?? []).includes(FILTER_PROCESS_DESCENDANTS_TAG);
 
 export const isFilterProcessDescendantsTag: TagFilter = (tag) =>
   tag === FILTER_PROCESS_DESCENDANTS_TAG;

x-pack/plugins/security_solution/public/management/pages/event_filters/view/components/form.tsx

@@ -41,7 +41,10 @@ import type { OnChangeProps } from '@kbn/lists-plugin/public';
 import type { ValueSuggestionsGetFn } from '@kbn/unified-search-plugin/public/autocomplete/providers/value_suggestion_provider';
 import { useIsExperimentalFeatureEnabled } from '../../../../../common/hooks/use_experimental_features';
 import { useGetUpdatedTags } from '../../../../hooks/artifacts';
-import { FILTER_PROCESS_DESCENDANTS_TAG } from '../../../../../../common/endpoint/service/artifacts/constants';
+import {
+  FILTER_PROCESS_DESCENDANTS_TAG,
+  PROCESS_DESCENDANT_EVENT_FILTER_EXTRA_ENTRY_TEXT,
+} from '../../../../../../common/endpoint/service/artifacts/constants';
 import {
   isFilterProcessDescendantsEnabled,
   isFilterProcessDescendantsTag,
@@ -547,12 +550,7 @@ export const EventFiltersForm: React.FC<ArtifactFormComponentProps & { allowSele
                   defaultMessage="Additional condition added:"
                 />
               </EuiText>
-              <code>
-                <FormattedMessage
-                  id="xpack.securitySolution.eventFilters.filterProcessDescendants.additionalCondition"
-                  defaultMessage="event.category is process"
-                />
-              </code>
+              <code>{PROCESS_DESCENDANT_EVENT_FILTER_EXTRA_ENTRY_TEXT}</code>
               <EuiSpacer size="m" />
             </>
           )}