[SIEM][Detection Engine][Lists] Adds specific endpoint_list REST API and API for abilities to auto-create the endpoint_list if it gets deleted

[FrankHassanabad]

Summary

Adds specific endpoint list REST API and API for abilities to auto-create the endpoint_list if it gets deleted or to auto-provision it when a rule is first created.

When auto-creating the endpoint_list it does so using these values for the saved object:

id: 'endpoint_list'
_tags: [],
comments: undefined,
description: 'Elastic Endpoint Exception List',
list_id: 'endpoint_list',
list_type: 'list',
name: 'Elastic Endpoint Exception List',
tags: [],
type: 'endpoint',

The new API endpoints are as follows below. These endpoints are like the normal exception list item endpoints except you should not pass down any list_id or namespace_type since these are focused specific endpoints against the space agnostic endpoint_list

# This creates the endpoint_list if it does not exist. If it does exist this will return an empty body of {}
POST /api/endpoint_list

# This will create an endpoint_list item. However, if the endpoint_list does not exist then this will auto-create it first.
POST /api/endpoint_list/items

# This will read an endpoint_list item. This will _not_ auto-create the list if it does not exist.
GET /api/endpoint_list/items

# This will update an endpoint_list item. However, if the endpoint_list does not exist then this will auto-create it first.
PUT /api/endpoint_list/items

# This will delete an endpoint_list item. This will _not_ auto-create the list if it does not exist.
DELETE /api/endpoint_list/items

# This will find an endpoint_list item. However, if the endpoint_list does not exist then this will auto-create it first.
GET /api/endpoint_list/items/_find

New API within the exception_list_client plugin are:

// # This creates the endpoint_list if it does not exist. If it does exist this will return an empty body of {}
createEndpointList()
createEndpointListItem()
updateEndpointListItem()
getEndpointListItem()
deleteEndpointListItem()

Scripts for testing are:

delete_endpoint_list_item.sh 
delete_endpoint_list_item_by_id.sh
find_endpoint_list_items.sh
get_endpoint_list_item.sh
get_endpoint_list_item_by_id.sh
post_endpoint_list.sh
post_endpoint_list_item.sh
update_endpoint_item.sh

Checklist

Delete any items that are not applicable to this PR.

• Unit or functional tests were updated or added to match the most common scenarios

[spong]

Thaaaank you! 🙏

[elasticmachine]

Pinging @elastic/siem (Team:SIEM)

[rylnd]

Tested the "create endpoint list during rule creation" flow, along with the "associate endpoint list to rule" flow, and both look great! 👍 👍 👍

Up to you if you wanna merge this now and add tests afterwards. Either way I'm gonna have to circle back on #71794, mainly to use the ENDPOINT_LIST_ID constant.

[spong]

@elasticmachine merge upstream

[peluja1012]

@elasticmachine merge upstream

[kibanamachine]

💚 Build Succeeded

• continuous-integration/kibana-ci/pull-request
• Commit: 0287e8a

Build metrics

@kbn/optimizer bundle module count

id	value	diff	baseline
lists	93	+5	88

miscellaneous assets size

id	value	diff	baseline
lists	55.1KB	+744.0B	54.4KB
upgradeAssistant	22.6KB	-9.0B	22.6KB
total	-	+735.0B	-

page load bundle size

id	value	diff	baseline
lists	273.2KB	+10.6KB	262.5KB

History

• 💔 Build #61780 failed 6966e92
• 💔 Build #61765 failed fb40648
• 💔 Build #61751 failed cbb2abe
• 💔 Build #61732 failed 653f20b

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

[elasticmachine]

Pinging @elastic/security-solution (Team: SecuritySolution)