diff --git a/x-pack/plugins/security_solution/common/detection_engine/build_exceptions_query.test.ts b/x-pack/plugins/security_solution/common/detection_engine/build_exceptions_query.test.ts index 2cebaacc67681a..2d37d4a345fa14 100644 --- a/x-pack/plugins/security_solution/common/detection_engine/build_exceptions_query.test.ts +++ b/x-pack/plugins/security_solution/common/detection_engine/build_exceptions_query.test.ts 
@@ -15,86 +15,13 @@ import { getLanguageBooleanOperator, buildNested, } from './build_exceptions_query'; -import { - EntryNested, - EntryExists, - EntryMatch, - EntryMatchAny, - EntriesArray, - Operator, -} from '../../../lists/common/schemas'; +import { EntryNested, EntryMatchAny, EntriesArray } from '../../../lists/common/schemas'; import { getExceptionListItemSchemaMock } from '../../../lists/common/schemas/response/exception_list_item_schema.mock'; import { getEntryMatchMock } from '../../../lists/common/schemas/types/entry_match.mock'; import { getEntryMatchAnyMock } from '../../../lists/common/schemas/types/entry_match_any.mock'; import { getEntryExistsMock } from '../../../lists/common/schemas/types/entry_exists.mock'; describe('build_exceptions_query', () => { - const makeMatchEntry = ({ - field, - value = 'value-1', - operator = 'included', - }: { - field: string; - value?: string; - operator?: Operator; - }): EntryMatch => { - return { - field, - operator, - type: 'match', - value, - }; - }; - const makeMatchAnyEntry = ({ - field, - operator = 'included', - value = ['value-1', 'value-2'], - }: { - field: string; - operator?: Operator; - value?: string[]; - }): EntryMatchAny => { - return { - field, - operator, - value, - type: 'match_any', - }; - }; - const makeExistsEntry = ({ - field, - operator = 'included', - }: { - field: string; - operator?: Operator; - }): EntryExists => { - return { - field, - operator, - type: 'exists', - }; - }; - const matchEntryWithIncluded: EntryMatch = makeMatchEntry({ - field: 'host.name', - value: 'suricata', - }); - const matchEntryWithExcluded: EntryMatch = makeMatchEntry({ - field: 'host.name', - value: 'suricata', - operator: 'excluded', - }); - const matchAnyEntryWithIncludedAndTwoValues: EntryMatchAny = makeMatchAnyEntry({ - field: 'host.name', - value: ['suricata', 'auditd'], - }); - const existsEntryWithIncluded: EntryExists = makeExistsEntry({ - field: 'host.name', - }); - const existsEntryWithExcluded: 
EntryExists = makeExistsEntry({ - field: 'host.name', - operator: 'excluded', - }); - describe('getLanguageBooleanOperator', () => { test('it returns value as uppercase if language is "lucene"', () => { const result = getLanguageBooleanOperator({ language: 'lucene', value: 'not' }); @@ -137,14 +64,14 @@ describe('build_exceptions_query', () => { describe('kuery', () => { test('it returns formatted wildcard string when operator is "excluded"', () => { const query = buildExists({ - entry: existsEntryWithExcluded, + entry: { ...getEntryExistsMock(), operator: 'excluded' }, language: 'kuery', }); expect(query).toEqual('not host.name:*'); }); test('it returns formatted wildcard string when operator is "included"', () => { const query = buildExists({ - entry: existsEntryWithIncluded, + entry: { ...getEntryExistsMock(), operator: 'included' }, language: 'kuery', }); expect(query).toEqual('host.name:*'); @@ -154,14 +81,14 @@ describe('build_exceptions_query', () => { describe('lucene', () => { test('it returns formatted wildcard string when operator is "excluded"', () => { const query = buildExists({ - entry: existsEntryWithExcluded, + entry: { ...getEntryExistsMock(), operator: 'excluded' }, language: 'lucene', }); expect(query).toEqual('NOT _exists_host.name'); }); test('it returns formatted wildcard string when operator is "included"', () => { const query = buildExists({ - entry: existsEntryWithIncluded, + entry: { ...getEntryExistsMock(), operator: 'included' }, language: 'lucene', }); expect(query).toEqual('_exists_host.name'); 
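Review bot: The Lucene expectations `NOT _exists_host.name` and `_exists_host.name` have no colon between `_exists_` and the field name, while Elasticsearch's query_string syntax for an exists check is `_exists_:host.name`; without the colon the token reads as an ordinary term rather than a field-exists query. The refactor only swaps the fixture in these two tests, so the expectation is pre-existing, but re-pinning it is the moment to confirm it against what the builder is meant to emit — this diff does not show build_exceptions_query.ts, so I cannot tell whether the test or the builder is the one to change. In a detection-exception context a malformed exists clause silently changes which alerts get suppressed, so it is worth verifying rather than carrying forward. If the builder is corrected the assertions become `expect(query).toEqual('NOT _exists_:host.name');` and `expect(query).toEqual('_exists_:host.name');`. The describe blocks continue beyond the hunk.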
@@ -173,52 +100,55 @@ describe('build_exceptions_query', () => { describe('kuery', () => { test('it returns formatted string when operator is "included"', () => { const query = buildMatch({ - entry: matchEntryWithIncluded, + entry: { ...getEntryMatchMock(), operator: 'included' }, language: 'kuery', }); - expect(query).toEqual('host.name:"suricata"'); + expect(query).toEqual('host.name:"some host name"'); }); test('it returns formatted string when operator is "excluded"', () => { const query = buildMatch({ - entry: matchEntryWithExcluded, + entry: { ...getEntryMatchMock(), operator: 'excluded' }, language: 'kuery', }); - expect(query).toEqual('not host.name:"suricata"'); + expect(query).toEqual('not host.name:"some host name"'); }); }); describe('lucene', () => { test('it returns formatted string when operator is "included"', () => { const query = buildMatch({ - entry: matchEntryWithIncluded, + entry: { ...getEntryMatchMock(), operator: 'included' }, language: 'lucene', }); - expect(query).toEqual('host.name:"suricata"'); + expect(query).toEqual('host.name:"some host name"'); }); test('it returns formatted string when operator is "excluded"', () => { const query = buildMatch({ - entry: matchEntryWithExcluded, + entry: { ...getEntryMatchMock(), operator: 'excluded' }, language: 'lucene', }); - expect(query).toEqual('NOT host.name:"suricata"'); + expect(query).toEqual('NOT host.name:"some host name"'); }); }); }); describe('buildMatchAny', () => { - const entryWithIncludedAndNoValues: EntryMatchAny = makeMatchAnyEntry({ + const entryWithIncludedAndNoValues: EntryMatchAny = { + ...getEntryMatchAnyMock(), field: 'host.name', value: [], - }); - const entryWithIncludedAndOneValue: EntryMatchAny = makeMatchAnyEntry({ + }; + const entryWithIncludedAndOneValue: EntryMatchAny = { + ...getEntryMatchAnyMock(), field: 'host.name', - value: ['suricata'], - }); - const entryWithExcludedAndTwoValues: EntryMatchAny = makeMatchAnyEntry({ + value: ['some host name'], + }; + const 
entryWithExcludedAndTwoValues: EntryMatchAny = { + ...getEntryMatchAnyMock(), field: 'host.name', - value: ['suricata', 'auditd'], + value: ['some host name', 'auditd'], operator: 'excluded', - }); + }; describe('kuery', () => { test('it returns empty string if given an empty array for "values"', () => { @@ -235,16 +165,16 @@ describe('build_exceptions_query', () => { language: 'kuery', }); - expect(exceptionSegment).toEqual('host.name:("suricata")'); + expect(exceptionSegment).toEqual('host.name:("some host name")'); }); test('it returns formatted string when operator is "included"', () => { const exceptionSegment = buildMatchAny({ - entry: matchAnyEntryWithIncludedAndTwoValues, + entry: { ...getEntryMatchAnyMock(), value: ['some host name', 'auditd'] }, language: 'kuery', }); - expect(exceptionSegment).toEqual('host.name:("suricata" or "auditd")'); + expect(exceptionSegment).toEqual('host.name:("some host name" or "auditd")'); }); test('it returns formatted string when operator is "excluded"', () => { @@ -253,18 +183,18 @@ describe('build_exceptions_query', () => { language: 'kuery', }); - expect(exceptionSegment).toEqual('not host.name:("suricata" or "auditd")'); + expect(exceptionSegment).toEqual('not host.name:("some host name" or "auditd")'); }); }); describe('lucene', () => { test('it returns formatted string when operator is "included"', () => { const exceptionSegment = buildMatchAny({ - entry: matchAnyEntryWithIncludedAndTwoValues, + entry: { ...getEntryMatchAnyMock(), value: ['some host name', 'auditd'] }, language: 'lucene', }); - expect(exceptionSegment).toEqual('host.name:("suricata" OR "auditd")'); + expect(exceptionSegment).toEqual('host.name:("some host name" OR "auditd")'); }); test('it returns formatted string when operator is "excluded"', () => { const exceptionSegment = buildMatchAny({ 
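Review bot: None of the rewritten buildMatch cases exercise a value containing a double quote, backslash or a KQL/Lucene operator, yet every expectation shows the value dropped verbatim inside `"…"`. Exception entry values end up interpolated into the exception query text, so one case such as `{ ...getEntryMatchMock(), value: 'a"b' }` would pin whatever escaping buildMatch does today (the builder is not visible in this diff, so I am not asserting it is wrong — only that the behaviour is unpinned). Separately, the `host.name:` expectations now depend on the mock's default field; spreading with an explicit `field: 'host.name'` keeps the assertion self-describing if the mock changes. The describe blocks continue outside the hunk.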
@@ -272,7 +202,7 @@ describe('build_exceptions_query', () => { language: 'lucene', }); - expect(exceptionSegment).toEqual('NOT host.name:("suricata" OR "auditd")'); + expect(exceptionSegment).toEqual('NOT host.name:("some host name" OR "auditd")'); }); test('it returns formatted string when "values" includes only one item', () => { const exceptionSegment = buildMatchAny({ @@ -280,7 +210,7 @@ describe('build_exceptions_query', () => { language: 'lucene', }); - expect(exceptionSegment).toEqual('host.name:("suricata")'); + expect(exceptionSegment).toEqual('host.name:("some host name")'); }); }); }); @@ -394,7 +324,7 @@ describe('build_exceptions_query', () => { describe('kuery', () => { test('it returns formatted wildcard string when "type" is "exists"', () => { const result = buildEntry({ - entry: existsEntryWithIncluded, + entry: { ...getEntryExistsMock(), operator: 'included' }, language: 'kuery', }); expect(result).toEqual('host.name:*'); 
@@ -402,25 +332,25 @@ describe('build_exceptions_query', () => { test('it returns formatted string when "type" is "match"', () => { const result = buildEntry({ - entry: matchEntryWithIncluded, + entry: { ...getEntryMatchMock(), operator: 'included' }, language: 'kuery', }); - expect(result).toEqual('host.name:"suricata"'); + expect(result).toEqual('host.name:"some host name"'); }); test('it returns formatted string when "type" is "match_any"', () => { const result = buildEntry({ - entry: matchAnyEntryWithIncludedAndTwoValues, + entry: { ...getEntryMatchAnyMock(), value: ['some host name', 'auditd'] }, language: 'kuery', }); - expect(result).toEqual('host.name:("suricata" or "auditd")'); + expect(result).toEqual('host.name:("some host name" or "auditd")'); }); }); describe('lucene', () => { test('it returns formatted wildcard string when "type" is "exists"', () => { const result = buildEntry({ - entry: existsEntryWithIncluded, + entry: { ...getEntryExistsMock(), operator: 'included' }, language: 'lucene', }); expect(result).toEqual('_exists_host.name'); @@ -428,18 +358,18 @@ describe('build_exceptions_query', () => { test('it returns formatted string when "type" is "match"', () => { const result = buildEntry({ - entry: matchEntryWithIncluded, + entry: { ...getEntryMatchMock(), operator: 'included' }, language: 'lucene', }); - expect(result).toEqual('host.name:"suricata"'); + expect(result).toEqual('host.name:"some host name"'); }); test('it returns formatted string when "type" is "match_any"', () => { const result = buildEntry({ - entry: matchAnyEntryWithIncludedAndTwoValues, + entry: { ...getEntryMatchAnyMock(), value: ['some host name', 'auditd'] }, language: 'lucene', }); - expect(result).toEqual('host.name:("suricata" OR "auditd")'); + expect(result).toEqual('host.name:("some host name" OR "auditd")'); }); }); }); 
@@ -456,26 +386,31 @@ describe('build_exceptions_query', () => { test('it returns expected query when more than one item in exception item', () => { const payload: EntriesArray = [ - makeMatchAnyEntry({ field: 'b' }), - makeMatchEntry({ field: 'c', operator: 'excluded', value: 'value-3' }), + { ...getEntryMatchAnyMock(), field: 'b' }, + { ...getEntryMatchMock(), field: 'c', operator: 'excluded', value: 'value-3' }, ]; const query = buildExceptionItem({ language: 'kuery', entries: payload, }); - const expectedQuery = 'b:("value-1" or "value-2") and not c:"value-3"'; + const expectedQuery = 'b:("some host name") and not c:"value-3"'; expect(query).toEqual(expectedQuery); }); test('it returns expected query when exception item includes nested value', () => { const entries: EntriesArray = [ - makeMatchAnyEntry({ field: 'b' }), + { ...getEntryMatchAnyMock(), field: 'b' }, { field: 'parent', type: 'nested', entries: [ - makeMatchEntry({ field: 'nestedField', operator: 'included', value: 'value-3' }), + { + ...getEntryMatchMock(), + field: 'nestedField', + operator: 'included', + value: 'value-3', + }, ], }, ]; 
@@ -483,56 +418,65 @@ describe('build_exceptions_query', () => { language: 'kuery', entries, }); - const expectedQuery = 'b:("value-1" or "value-2") and parent:{ nestedField:"value-3" }'; + const expectedQuery = 'b:("some host name") and parent:{ nestedField:"value-3" }'; expect(query).toEqual(expectedQuery); }); test('it returns expected query when exception item includes multiple items and nested "and" values', () => { const entries: EntriesArray = [ - makeMatchAnyEntry({ field: 'b' }), + { ...getEntryMatchAnyMock(), field: 'b' }, { field: 'parent', type: 'nested', entries: [ - makeMatchEntry({ field: 'nestedField', operator: 'included', value: 'value-3' }), + { + ...getEntryMatchMock(), + field: 'nestedField', + operator: 'included', + value: 'value-3', + }, ], }, - makeExistsEntry({ field: 'd' }), + { ...getEntryExistsMock(), field: 'd' }, ]; const query = buildExceptionItem({ language: 'kuery', entries, }); - const expectedQuery = - 'b:("value-1" or "value-2") and parent:{ nestedField:"value-3" } and d:*'; + const expectedQuery = 'b:("some host name") and parent:{ nestedField:"value-3" } and d:*'; expect(query).toEqual(expectedQuery); }); test('it returns expected query when language is "lucene"', () => { const entries: EntriesArray = [ - makeMatchAnyEntry({ field: 'b' }), + { ...getEntryMatchAnyMock(), field: 'b' }, { field: 'parent', type: 'nested', entries: [ - makeMatchEntry({ field: 'nestedField', operator: 'excluded', value: 'value-3' }), + { + ...getEntryMatchMock(), + field: 'nestedField', + operator: 'excluded', + value: 'value-3', + }, ], }, - makeExistsEntry({ field: 'e', operator: 'excluded' }), + { ...getEntryExistsMock(), field: 'e', operator: 'excluded' }, ]; const query = buildExceptionItem({ language: 'lucene', entries, }); const expectedQuery = - 'b:("value-1" OR "value-2") AND parent:{ NOT nestedField:"value-3" } AND NOT _exists_e'; + 'b:("some host name") AND parent:{ NOT nestedField:"value-3" } AND NOT _exists_e'; 
expect(query).toEqual(expectedQuery); }); describe('exists', () => { test('it returns expected query when list includes single list item with operator of "included"', () => { - const entries: EntriesArray = [makeExistsEntry({ field: 'b' })]; + const entries: EntriesArray = [{ ...getEntryExistsMock(), field: 'b' }]; const query = buildExceptionItem({ language: 'kuery', entries, @@ -543,7 +487,9 @@ describe('build_exceptions_query', () => { }); test('it returns expected query when list includes single list item with operator of "excluded"', () => { - const entries: EntriesArray = [makeExistsEntry({ field: 'b', operator: 'excluded' })]; + const entries: EntriesArray = [ + { ...getEntryExistsMock(), field: 'b', operator: 'excluded' }, + ]; const query = buildExceptionItem({ language: 'kuery', entries, @@ -555,11 +501,13 @@ describe('build_exceptions_query', () => { test('it returns expected query when exception item includes entry item with "and" values', () => { const entries: EntriesArray = [ - makeExistsEntry({ field: 'b', operator: 'excluded' }), + { ...getEntryExistsMock(), field: 'b', operator: 'excluded' }, { field: 'parent', type: 'nested', - entries: [makeMatchEntry({ field: 'c', operator: 'included', value: 'value-1' })], + entries: [ + { ...getEntryMatchMock(), field: 'c', operator: 'included', value: 'value-1' }, + ], }, ]; const query = buildExceptionItem({ 
@@ -573,16 +521,16 @@ describe('build_exceptions_query', () => { test('it returns expected query when list includes multiple items', () => { const entries: EntriesArray = [ - makeExistsEntry({ field: 'b' }), + { ...getEntryExistsMock(), field: 'b' }, { field: 'parent', type: 'nested', entries: [ - makeMatchEntry({ field: 'c', operator: 'excluded', value: 'value-1' }), - makeMatchEntry({ field: 'd', value: 'value-2' }), + { ...getEntryMatchMock(), field: 'c', operator: 'excluded', value: 'value-1' }, + { ...getEntryMatchMock(), field: 'd', value: 'value-2' }, ], }, - makeExistsEntry({ field: 'e' }), + { ...getEntryExistsMock(), field: 'e' }, ]; const query = buildExceptionItem({ language: 'kuery', @@ -596,7 +544,7 @@ describe('build_exceptions_query', () => { describe('match', () => { test('it returns expected query when list includes single list item with operator of "included"', () => { - const entries: EntriesArray = [makeMatchEntry({ field: 'b', value: 'value' })]; + const entries: EntriesArray = [{ ...getEntryMatchMock(), field: 'b', value: 'value' }]; const query = buildExceptionItem({ language: 'kuery', entries, @@ -608,7 +556,7 @@ describe('build_exceptions_query', () => { test('it returns expected query when list includes single list item with operator of "excluded"', () => { const entries: EntriesArray = [ - makeMatchEntry({ field: 'b', operator: 'excluded', value: 'value' }), + { ...getEntryMatchMock(), field: 'b', operator: 'excluded', value: 'value' }, ]; const query = buildExceptionItem({ language: 'kuery', 
@@ -621,11 +569,13 @@ describe('build_exceptions_query', () => { test('it returns expected query when list includes list item with "and" values', () => { const entries: EntriesArray = [ - makeMatchEntry({ field: 'b', operator: 'excluded', value: 'value' }), + { ...getEntryMatchMock(), field: 'b', operator: 'excluded', value: 'value' }, { field: 'parent', type: 'nested', - entries: [makeMatchEntry({ field: 'c', operator: 'included', value: 'valueC' })], + entries: [ + { ...getEntryMatchMock(), field: 'c', operator: 'included', value: 'valueC' }, + ], }, ]; const query = buildExceptionItem({ @@ -639,16 +589,16 @@ describe('build_exceptions_query', () => { test('it returns expected query when list includes multiple items', () => { const entries: EntriesArray = [ - makeMatchEntry({ field: 'b', value: 'value' }), + { ...getEntryMatchMock(), field: 'b', value: 'value' }, { field: 'parent', type: 'nested', entries: [ - makeMatchEntry({ field: 'c', operator: 'excluded', value: 'valueC' }), - makeMatchEntry({ field: 'd', operator: 'excluded', value: 'valueD' }), + { ...getEntryMatchMock(), field: 'c', operator: 'excluded', value: 'valueC' }, + { ...getEntryMatchMock(), field: 'd', operator: 'excluded', value: 'valueD' }, ], }, - makeMatchEntry({ field: 'e', value: 'valueE' }), + { ...getEntryMatchMock(), field: 'e', value: 'valueE' }, ]; const query = buildExceptionItem({ language: 'kuery', 
@@ -663,55 +613,59 @@ describe('build_exceptions_query', () => { describe('match_any', () => { test('it returns expected query when list includes single list item with operator of "included"', () => { - const entries: EntriesArray = [makeMatchAnyEntry({ field: 'b' })]; + const entries: EntriesArray = [{ ...getEntryMatchAnyMock(), field: 'b' }]; const query = buildExceptionItem({ language: 'kuery', entries, }); - const expectedQuery = 'b:("value-1" or "value-2")'; + const expectedQuery = 'b:("some host name")'; expect(query).toEqual(expectedQuery); }); test('it returns expected query when list includes single list item with operator of "excluded"', () => { - const entries: EntriesArray = [makeMatchAnyEntry({ field: 'b', operator: 'excluded' })]; + const entries: EntriesArray = [ + { ...getEntryMatchAnyMock(), field: 'b', operator: 'excluded' }, + ]; const query = buildExceptionItem({ language: 'kuery', entries, }); - const expectedQuery = 'not b:("value-1" or "value-2")'; + const expectedQuery = 'not b:("some host name")'; expect(query).toEqual(expectedQuery); }); test('it returns expected query when list includes list item with nested values', () => { const entries: EntriesArray = [ - makeMatchAnyEntry({ field: 'b', operator: 'excluded' }), + { ...getEntryMatchAnyMock(), field: 'b', operator: 'excluded' }, { field: 'parent', type: 'nested', - entries: [makeMatchEntry({ field: 'c', operator: 'excluded', value: 'valueC' })], + entries: [ + { ...getEntryMatchMock(), field: 'c', operator: 'excluded', value: 'valueC' }, + ], }, ]; const query = buildExceptionItem({ language: 'kuery', entries, }); - const expectedQuery = 'not b:("value-1" or "value-2") and parent:{ not c:"valueC" }'; + const expectedQuery = 'not b:("some host name") and parent:{ not c:"valueC" }'; expect(query).toEqual(expectedQuery); }); test('it returns expected query when list includes multiple items', () => { const entries: EntriesArray = [ - makeMatchAnyEntry({ field: 'b' }), - makeMatchAnyEntry({ 
field: 'c' }), + { ...getEntryMatchAnyMock(), field: 'b' }, + { ...getEntryMatchAnyMock(), field: 'c' }, ]; const query = buildExceptionItem({ language: 'kuery', entries, }); - const expectedQuery = 'b:("value-1" or "value-2") and c:("value-1" or "value-2")'; + const expectedQuery = 'b:("some host name") and c:("some host name")'; expect(query).toEqual(expectedQuery); }); @@ -735,16 +689,16 @@ describe('build_exceptions_query', () => { const payload = getExceptionListItemSchemaMock(); const payload2 = getExceptionListItemSchemaMock(); payload2.entries = [ - makeMatchAnyEntry({ field: 'b' }), + { ...getEntryMatchAnyMock(), field: 'b' }, { field: 'parent', type: 'nested', entries: [ - makeMatchEntry({ field: 'c', operator: 'included', value: 'valueC' }), - makeMatchEntry({ field: 'd', operator: 'included', value: 'valueD' }), + { ...getEntryMatchMock(), field: 'c', operator: 'included', value: 'valueC' }, + { ...getEntryMatchMock(), field: 'd', operator: 'included', value: 'valueD' }, ], }, - makeMatchAnyEntry({ field: 'e', operator: 'excluded' }), + { ...getEntryMatchAnyMock(), field: 'e', operator: 'excluded' }, ]; const queries = buildExceptionListQueries({ language: 'kuery', @@ -758,7 +712,7 @@ describe('build_exceptions_query', () => { }, { query: - 'b:("value-1" or "value-2") and parent:{ c:"valueC" and d:"valueD" } and not e:("value-1" or "value-2")', + 'b:("some host name") and parent:{ c:"valueC" and d:"valueD" } and not e:("some host name")', language: 'kuery', }, ]; 
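Review bot: Replacing `makeMatchAnyEntry` with the shared mock drops the multi-value case from these buildExceptionItem match_any tests: the expectations now read `b:("some host name")`, so the `or` join between several match_any values is no longer exercised end to end (only the buildMatchAny unit tests above still pass two values explicitly). Keeping one case with an explicit list, e.g. `{ ...getEntryMatchAnyMock(), field: 'b', value: ['value-1', 'value-2'] }` with `const expectedQuery = 'b:("value-1" or "value-2") and c:("some host name")';`, preserves that coverage at no cost. The same applies to the Lucene `OR` join in the buildExceptionListQueries cases further down, which now also assert single-value lists. The enclosing describe continues beyond the hunk.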
@@ -768,20 +722,26 @@ describe('build_exceptions_query', () => { test('it returns expected query when lists exist and language is "lucene"', () => { const payload = getExceptionListItemSchemaMock(); - payload.entries = [makeMatchAnyEntry({ field: 'a' }), makeMatchAnyEntry({ field: 'b' })]; + payload.entries = [ + { ...getEntryMatchAnyMock(), field: 'a' }, + { ...getEntryMatchAnyMock(), field: 'b' }, + ]; const payload2 = getExceptionListItemSchemaMock(); - payload2.entries = [makeMatchAnyEntry({ field: 'c' }), makeMatchAnyEntry({ field: 'd' })]; + payload2.entries = [ + { ...getEntryMatchAnyMock(), field: 'c' }, + { ...getEntryMatchAnyMock(), field: 'd' }, + ]; const queries = buildExceptionListQueries({ language: 'lucene', lists: [payload, payload2], }); const expectedQueries = [ { - query: 'a:("value-1" OR "value-2") AND b:("value-1" OR "value-2")', + query: 'a:("some host name") AND b:("some host name")', language: 'lucene', }, { - query: 'c:("value-1" OR "value-2") AND d:("value-1" OR "value-2")', + query: 'c:("some host name") AND d:("some host name")', language: 'lucene', }, ]; @@ -793,17 +753,17 @@ describe('build_exceptions_query', () => { const payload = getExceptionListItemSchemaMock(); const payload2 = getExceptionListItemSchemaMock(); payload2.entries = [ - makeMatchAnyEntry({ field: 'b' }), + { ...getEntryMatchAnyMock(), field: 'b' }, { field: 'parent', type: 'nested', entries: [ // TODO: these operators are not being respected. buildNested needs to be updated - makeMatchEntry({ field: 'c', operator: 'excluded', value: 'valueC' }), - makeMatchEntry({ field: 'd', operator: 'excluded', value: 'valueD' }), + { ...getEntryMatchMock(), field: 'c', operator: 'excluded', value: 'valueC' }, + { ...getEntryMatchMock(), field: 'd', operator: 'excluded', value: 'valueD' }, ], }, - makeMatchAnyEntry({ field: 'e' }), + { ...getEntryMatchAnyMock(), field: 'e' }, ]; const queries = buildExceptionListQueries({ language: 'kuery', 
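Review bot: The context comment `// TODO: these operators are not being respected. buildNested needs to be updated` looks stale: the expectation in the following hunk reads `parent:{ not c:"valueC" and not d:"valueD" }`, i.e. the `excluded` operator on the nested entries is reflected in the generated query. Since this hunk already rewrites the two entry lines directly beneath the comment, it is a good moment to delete it or replace it with a comment stating what the assertion checks, e.g. `// nested entries keep their own operator: 'excluded' becomes 'not' inside parent:{ … }`. If buildNested still has a known gap the TODO should say what it is, otherwise a reader will assume the assertion below is expected to be wrong. The test function runs past the end of the hunk.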
@@ -817,7 +777,7 @@ describe('build_exceptions_query', () => { }, { query: - 'b:("value-1" or "value-2") and parent:{ not c:"valueC" and not d:"valueD" } and e:("value-1" or "value-2")', + 'b:("some host name") and parent:{ not c:"valueC" and not d:"valueD" } and e:("some host name")', language: 'kuery', }, ];