[9.2] [EDR Workflows] Fix event filter OS selector visibility and prepopulation from host events (#240791) (#241335)

# Backport

This will backport the following commits from `main` to `9.2`:
- [[EDR Workflows] Fix event filter OS selector visibility and
prepopulation from host events
(#240791)](#240791)

<!--- Backport version: 9.6.6 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sorenlouv/backport)

<!--BACKPORT [{"author":{"name":"Konrad
Szwarc","email":"[email protected]"},"sourceCommit":{"committedDate":"2025-10-30T17:02:39Z","message":"[EDR
Workflows] Fix event filter OS selector visibility and prepopulation
from host events (#240791)\n\nFixes a bug where the OS selector was
hidden when creating an event\nfilter from the Host Events tab, and the
OS defaulted to Windows\nregardless of the actual host OS. The OS
selector is now always visible\nand correctly pre-populated with the OS
value extracted from the event\ndocument's `host.os.type`
field.\n\n\n\nhttps://github.com/user-attachments/assets/e682a864-c2f4-49fa-9460-a6a2e9f2573f","sha":"319e53de7ed98d820a2874642b2a27ea305c0629","branchLabelMapping":{"^v9.3.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:skip","Team:Defend
Workflows","backport:version","v9.1.0","v8.19.0","v9.2.0","v9.3.0"],"title":"[EDR
Workflows] Fix event filter OS selector visibility and prepopulation
from host
events","number":240791,"url":"https://github.com/elastic/kibana/pull/240791","mergeCommit":{"message":"[EDR
Workflows] Fix event filter OS selector visibility and prepopulation
from host events (#240791)\n\nFixes a bug where the OS selector was
hidden when creating an event\nfilter from the Host Events tab, and the
OS defaulted to Windows\nregardless of the actual host OS. The OS
selector is now always visible\nand correctly pre-populated with the OS
value extracted from the event\ndocument's `host.os.type`
field.\n\n\n\nhttps://github.com/user-attachments/assets/e682a864-c2f4-49fa-9460-a6a2e9f2573f","sha":"319e53de7ed98d820a2874642b2a27ea305c0629"}},"sourceBranch":"main","suggestedTargetBranches":["9.1","8.19","9.2"],"targetPullRequestStates":[{"branch":"9.1","label":"v9.1.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"8.19","label":"v8.19.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"9.2","label":"v9.2.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"main","label":"v9.3.0","branchLabelMappingKey":"^v9.3.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/240791","number":240791,"mergeCommit":{"message":"[EDR
Workflows] Fix event filter OS selector visibility and prepopulation
from host events (#240791)\n\nFixes a bug where the OS selector was
hidden when creating an event\nfilter from the Host Events tab, and the
OS defaulted to Windows\nregardless of the actual host OS. The OS
selector is now always visible\nand correctly pre-populated with the OS
value extracted from the event\ndocument's `host.os.type`
field.\n\n\n\nhttps://github.com/user-attachments/assets/e682a864-c2f4-49fa-9460-a6a2e9f2573f","sha":"319e53de7ed98d820a2874642b2a27ea305c0629"}}]}]
BACKPORT-->

Co-authored-by: Konrad Szwarc <[email protected]>

Author: kibanamachine

x-pack/solutions/security/plugins/security_solution/public/management/pages/event_filters/test_utils/index.ts

@@ -133,6 +133,7 @@ export const esResponseData = () => ({
                 Ext: {
                   variant: 'Windows Pro',
                 },
+                type: 'linux',
                 name: 'Linux',
                 family: 'Debian OS',
                 version: '10.0',

x-pack/solutions/security/plugins/security_solution/public/management/pages/event_filters/view/components/event_filters_flyout.test.tsx

@@ -254,6 +254,34 @@ describe('Event filter flyout', () => {
       expect(renderResult.getByText('Cancel')).not.toBeNull();
     });
 
+    it('should show OS selector and trigger enrichment when rendering with event data', async () => {
+      const searchMock = (useKibana as jest.Mock)().services.data.search.search;
+      const eventData = ecsEventMock();
+
+      act(() => {
+        render({ data: eventData });
+      });
+
+      // Verify enrichment was triggered with correct parameters
+      await waitFor(() => {
+        expect(searchMock).toHaveBeenCalledWith({
+          params: {
+            index: eventData._index,
+            body: {
+              query: {
+                match: {
+                  _id: eventData._id,
+                },
+              },
+            },
+          },
+        });
+      });
+
+      const osSelect = renderResult.getByTestId('eventFilters-form-os-select');
+      expect(osSelect).toBeVisible();
+    });
+
     it('should start with "add event filter" button disabled', () => {
       render();
       const confirmButton = renderResult.getByTestId('add-exception-confirm-button');

x-pack/solutions/security/plugins/security_solution/public/management/pages/event_filters/view/components/event_filters_flyout.tsx

@@ -34,7 +34,7 @@ import type {
 import { ArtifactConfirmModal } from '../../../../components/artifact_list_page/components/artifact_confirm_modal';
 import { EventFiltersForm } from './form';
 
-import { getInitialExceptionFromEvent } from '../utils';
+import { getInitialExceptionFromEvent, osTypeBasedOnAgentType } from '../utils';
 import { useHttp, useKibana, useToasts } from '../../../../../common/lib/kibana';
 
 import { EventFiltersApiClient } from '../../service/api_client';
@@ -74,6 +74,7 @@ export const EventFiltersFlyout: React.FC<EventFiltersFlyoutProps> = memo(
     useEffect(() => {
       const enrichEvent = async () => {
         if (!data || !data._index) return;
+
         const searchResponse = await lastValueFrom(
           search.search({
             params: {
@@ -88,16 +89,23 @@ export const EventFiltersFlyout: React.FC<EventFiltersFlyoutProps> = memo(
             },
           })
         );
-        setEnrichedData({
+        const enriched = {
           ...data,
           host: {
             ...data.host,
             os: {
               ...(data?.host?.os || {}),
-              name: [searchResponse.rawResponse.hits.hits[0]._source.host.os.name],
+              name: [searchResponse.rawResponse.hits.hits[0]._source.host.os.type],
             },
           },
-        });
+        };
+        setEnrichedData(enriched);
+
+        // Update the exception with the correct OS from enriched data
+        setException((prevException) => ({
+          ...prevException,
+          os_types: osTypeBasedOnAgentType(enriched) as Array<'windows' | 'linux' | 'macos'>,
+        }));
       };
 
       if (data) {
@@ -224,7 +232,7 @@ export const EventFiltersFlyout: React.FC<EventFiltersFlyoutProps> = memo(
 
         <EuiFlyoutBody>
           <EventFiltersForm
-            allowSelectOs={!data}
+            allowSelectOs
             error={undefined}
             disabled={false}
             item={exception}

x-pack/solutions/security/plugins/security_solution/public/management/pages/event_filters/view/components/form.tsx

@@ -320,10 +320,11 @@ export const EventFiltersForm: React.FC<ArtifactFormComponentProps & { allowSele
             fullWidth
             valueOfSelected={selectedOs}
             onChange={handleOnOsChange}
+            data-test-subj={getTestId('os-select')}
           />
         </EuiFormRow>
       ),
-      [handleOnOsChange, selectedOs]
+      [getTestId, handleOnOsChange, selectedOs]
     );
 
     // comments and handler

x-pack/solutions/security/plugins/security_solution/public/management/pages/event_filters/view/utils.ts

@@ -10,7 +10,7 @@ import type { CreateExceptionListItemSchema } from '@kbn/securitysolution-io-ts-
 import type { EcsSecurityExtension as Ecs } from '@kbn/securitysolution-ecs';
 import { ENDPOINT_EVENT_FILTERS_LIST_ID } from '../constants';
 
-const osTypeBasedOnAgentType = (data?: Ecs) => {
+export const osTypeBasedOnAgentType = (data?: Ecs) => {
   if (data?.agent?.type?.includes('endpoint')) {
     return (data?.host?.os?.name || ['windows']).map((name) => name.toLowerCase());
   } else {