[SIEM][Detections Engine] - Update rule.lists to be rule.exceptions_list (#63717)

### Summary [63717]

This PR updates the rules lists param to be `exceptions_list`. This is done in an attempt to make the terminology less confusing as lists will generally be referring to the big lists values. It should also make it more clear that the `exceptions_list` logic is being applied as a double not.

Author: yctercero

x-pack/plugins/siem/server/lib/detection_engine/routes/__mocks__/request_responses.ts

@@ -448,7 +448,7 @@ export const getResult = (): RuleAlertType => ({
     references: ['http://www.example.com', 'https://ww.example.com'],
     note: '# Investigative notes',
     version: 1,
-    lists: [
+    exceptions_list: [
       {
         field: 'source.ip',
         values_operator: 'included',

x-pack/plugins/siem/server/lib/detection_engine/routes/__mocks__/utils.ts

@@ -138,7 +138,7 @@ export const getOutputRuleAlertForRest = (): Omit<
       ],
     },
   ],
-  lists: [
+  exceptions_list: [
     {
       field: 'source.ip',
       values_operator: 'included',

x-pack/plugins/siem/server/lib/detection_engine/routes/rules/create_rules_bulk_route.ts

@@ -86,7 +86,7 @@ export const createRulesBulkRoute = (router: IRouter) => {
               timeline_id: timelineId,
               timeline_title: timelineTitle,
               version,
-              lists,
+              exceptions_list,
             } = payloadRule;
             const ruleIdOrUuid = ruleId ?? uuid.v4();
             try {
@@ -143,7 +143,7 @@ export const createRulesBulkRoute = (router: IRouter) => {
                 references,
                 note,
                 version,
-                lists,
+                exceptions_list,
                 actions: throttle === 'rule' ? actions : [], // Only enable actions if throttle is set to rule, otherwise we are a notification and should not enable it,
               });
 

x-pack/plugins/siem/server/lib/detection_engine/routes/rules/create_rules_route.ts

@@ -66,7 +66,7 @@ export const createRulesRoute = (router: IRouter): void => {
         type,
         references,
         note,
-        lists,
+        exceptions_list,
       } = request.body;
       const siemResponse = buildSiemResponse(response);
 
@@ -131,7 +131,7 @@ export const createRulesRoute = (router: IRouter): void => {
           references,
           note,
           version: 1,
-          lists,
+          exceptions_list,
           actions: throttle === 'rule' ? actions : [], // Only enable actions if throttle is rule, otherwise we are a notification and should not enable it,
         });
 

x-pack/plugins/siem/server/lib/detection_engine/routes/rules/import_rules_route.ts

@@ -138,7 +138,7 @@ export const importRulesRoute = (router: IRouter, config: ConfigType) => {
                     timeline_id: timelineId,
                     timeline_title: timelineTitle,
                     version,
-                    lists,
+                    exceptions_list,
                   } = parsedRule;
 
                   try {
@@ -195,7 +195,7 @@ export const importRulesRoute = (router: IRouter, config: ConfigType) => {
                         references,
                         note,
                         version,
-                        lists,
+                        exceptions_list,
                         actions: [], // Actions are not imported nor exported at this time
                       });
                       resolve({ rule_id: ruleId, status_code: 200 });
@@ -232,7 +232,7 @@ export const importRulesRoute = (router: IRouter, config: ConfigType) => {
                         references,
                         note,
                         version,
-                        lists,
+                        exceptions_list,
                         anomalyThreshold,
                         machineLearningJobId,
                       });

x-pack/plugins/siem/server/lib/detection_engine/routes/rules/update_rules_bulk_route.ts

@@ -81,7 +81,7 @@ export const updateRulesBulkRoute = (router: IRouter) => {
             references,
             note,
             version,
-            lists,
+            exceptions_list,
           } = payloadRule;
           const finalIndex = outputIndex ?? siemClient.signalsIndex;
           const idOrRuleIdOrUnknown = id ?? ruleId ?? '(unknown id)';
@@ -121,7 +121,7 @@ export const updateRulesBulkRoute = (router: IRouter) => {
               references,
               note,
               version,
-              lists,
+              exceptions_list,
               actions,
             });
             if (rule != null) {

x-pack/plugins/siem/server/lib/detection_engine/routes/rules/update_rules_route.ts

@@ -67,7 +67,7 @@ export const updateRulesRoute = (router: IRouter) => {
         references,
         note,
         version,
-        lists,
+        exceptions_list,
       } = request.body;
       const siemResponse = buildSiemResponse(response);
 
@@ -117,7 +117,7 @@ export const updateRulesRoute = (router: IRouter) => {
           references,
           note,
           version,
-          lists,
+          exceptions_list,
           actions: throttle === 'rule' ? actions : [], // Only enable actions if throttle is rule, otherwise we are a notification and should not enable it
         });
 

x-pack/plugins/siem/server/lib/detection_engine/routes/rules/utils.ts

@@ -148,7 +148,7 @@ export const transformAlertToRule = (
     last_failure_message: ruleStatus?.attributes.lastFailureMessage,
     last_success_message: ruleStatus?.attributes.lastSuccessMessage,
     // TODO: (LIST-FEATURE) Remove hasListsFeature() check once we have lists available for a release
-    lists: hasListsFeature() ? alert.params.lists : null,
+    exceptions_list: hasListsFeature() ? alert.params.exceptions_list : null,
   });
 };
 

x-pack/plugins/siem/server/lib/detection_engine/routes/rules/validate.test.ts

@@ -71,7 +71,7 @@ export const ruleOutput: RulesSchema = {
       },
     },
   ],
-  lists: [
+  exceptions_list: [
     {
       field: 'source.ip',
       values_operator: 'included',

x-pack/plugins/siem/server/lib/detection_engine/routes/schemas/add_prepackaged_rules_schema.test.ts

@@ -1542,8 +1542,8 @@ describe('add prepackaged rules schema', () => {
   // on demand. Since they are per module, we have a an issue where the ENV variables do not take effect. It is better we change all the
   // schema's to be function calls to avoid global side effects or just wait until the feature is available. If you want to test this early,
   // you can remove the .skip and set your env variable of export ELASTIC_XPACK_SIEM_LISTS_FEATURE=true locally
-  describe.skip('lists', () => {
-    test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and lists] does validate', () => {
+  describe.skip('exceptions_list', () => {
+    test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and exceptions_list] does validate', () => {
       expect(
         addPrepackagedRulesSchema.validate<Partial<PrepackagedRules>>({
           rule_id: 'rule-1',
@@ -1558,7 +1558,7 @@ describe('add prepackaged rules schema', () => {
           risk_score: 50,
           note: '# some markdown',
           version: 1,
-          lists: [
+          exceptions_list: [
             {
               field: 'source.ip',
               values_operator: 'included',
@@ -1594,7 +1594,7 @@ describe('add prepackaged rules schema', () => {
       ).toBeFalsy();
     });
 
-    test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and empty lists] does validate', () => {
+    test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and empty exceptions_list] does validate', () => {
       expect(
         addPrepackagedRulesSchema.validate<Partial<PrepackagedRules>>({
           rule_id: 'rule-1',
@@ -1608,15 +1608,15 @@ describe('add prepackaged rules schema', () => {
           type: 'query',
           risk_score: 50,
           note: '# some markdown',
-          lists: [],
+          exceptions_list: [],
           version: 1,
         }).error
       ).toBeFalsy();
     });
 
-    test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and invalid lists] does NOT validate', () => {
+    test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and invalid exceptions_list] does NOT validate', () => {
       expect(
-        addPrepackagedRulesSchema.validate<Partial<Omit<PrepackagedRules, 'lists'>>>({
+        addPrepackagedRulesSchema.validate<Partial<Omit<PrepackagedRules, 'exceptions_list'>>>({
           rule_id: 'rule-1',
           description: 'some description',
           from: 'now-5m',
@@ -1628,17 +1628,17 @@ describe('add prepackaged rules schema', () => {
           type: 'query',
           risk_score: 50,
           note: '# some markdown',
-          lists: [{ invalid_value: 'invalid value' }],
+          exceptions_list: [{ invalid_value: 'invalid value' }],
           version: 1,
         }).error.message
       ).toEqual(
-        'child "lists" fails because ["lists" at position 0 fails because [child "field" fails because ["field" is required]]]'
+        'child "exceptions_list" fails because ["exceptions_list" at position 0 fails because [child "field" fails because ["field" is required]]]'
       );
     });
 
-    test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and non-existent lists] does validate with empty lists', () => {
+    test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and non-existent exceptions_list] does validate with empty exceptions_list', () => {
       expect(
-        addPrepackagedRulesSchema.validate<Partial<Omit<PrepackagedRules, 'lists'>>>({
+        addPrepackagedRulesSchema.validate<Partial<Omit<PrepackagedRules, 'exceptions_list'>>>({
           rule_id: 'rule-1',
           description: 'some description',
           from: 'now-5m',
@@ -1651,7 +1651,7 @@ describe('add prepackaged rules schema', () => {
           risk_score: 50,
           note: '# some markdown',
           version: 1,
-        }).value.lists
+        }).value.exceptions_list
       ).toEqual([]);
     });
   });