[Security Solution][Detection Engine] Adding validations for escaped wildcards on the match operator on rules exceptions (elastic#268397)

## Summary

Closes
[security-team#17120](elastic/security-team#17120).

When a user creates a rule exception with the `matches` operator and
types a value containing escaped wildcard metacharacters (`\*`, `\?`),
the UI saves silently. Under the hood, the Detection Engine passes the
value verbatim to an Elasticsearch `wildcard` query where `\` is the
escape character, so `\*` matches a literal asterisk, killing the
wildcard semantics the user expected from `matches`. The exception then
doesn't behave as intended.

This PR extends the existing wildcard-warning machinery (originally
added in elastic#182903 for the wrong-operator case) with a second signal that
fires when a `matches` entry contains a lone escaped metacharacter.

## Examples
### Valid usage of matches + `*` wildcard
<img width="1089" height="894" alt="Screenshot 2026-05-19 at 11 44 01"
src="https://github.com/user-attachments/assets/ec9e449b-333e-4bc7-868e-236571abfcc4"
/>

### Invalid usage of matches + `\*` escaped wildcard
<img width="1475" height="1009" alt="Screenshot 2026-05-19 at 10 55 55"
src="https://github.com/user-attachments/assets/926babf9-f393-4b0b-ae24-391088e1107f"
/>

### Invalid usage of matches + `\?` escaped wildcard
<img width="1476" height="1011" alt="Screenshot 2026-05-19 at 10 56 33"
src="https://github.com/user-attachments/assets/39a62fef-1b6e-4058-b9d2-82009c444a95"
/>

### Alert dialog before saving rule exception
<img width="1474" height="1014" alt="Screenshot 2026-05-19 at 10 56 54"
src="https://github.com/user-attachments/assets/a293383a-6441-4c90-b698-f1349fcfd0c8"
/>

### Supports multiple validation warnings
<img width="1475" height="1011" alt="Screenshot 2026-05-19 at 10 56 43"
src="https://github.com/user-attachments/assets/b8c5b4f6-9a73-4378-89b5-85e9d908b941"
/>

### Validation on Edti
<img width="1476" height="1008" alt="Screenshot 2026-05-19 at 11 44 38"
src="https://github.com/user-attachments/assets/976697ef-178f-4614-a0e1-69412d964cf3"
/>

### Backslashes handling are ignored
<img width="1068" height="468" alt="Screenshot 2026-05-18 at 17 12 10"
src="https://github.com/user-attachments/assets/c063fd00-089d-4ea2-8af8-2c2804d28fce"
/>

### Changes
  **`@kbn/securitysolution-list-utils`**
- `hasMalformedMatchesValue(items): boolean` — validator using
negative-lookbehind regex `/(?<!\\)\\[*?]/`. Fires on lone `\*` / `\?`;
deliberately does NOT fire on `\\*` (documented Windows-path pattern,
e.g. `C:\\Windows\\*.dll`).
- `getMalformedMatchesFields(items): string[]` — companion function
returning the field name of each affected entry, used to generate
per-entry modal warnings.

  **`@kbn/securitysolution-exception-list-components`**
- `<MalformedMatchesValueCallout />` — aggregate callout explaining that
escape sequences match literal characters and suggesting `is` for exact
matching.

**Both add and edit flyouts (`add_exception_flyout`,
`edit_exception_flyout`)**
- `malformedMatchesValueExists: boolean` reducer flag — submit gate: `if
(wildcardWarningExists || malformedMatchesValueExists)` shows the
confirm modal.
- `malformedMatchesFields: string[]` reducer field — list of affected
entry field names, passed to the modal to produce one warning item per
affected entry.
- Non-blocking: the modal lets the user confirm and save proceeds
unchanged.
  - Applies to both create and edit flows.

**`ArtifactConfirmModal` / `CONFIRM_WARNING_MODAL_LABELS`** (shared with
endpoint track, elastic#268477)
- Added `hasMalformedMatchesValue?: string[]` to the warnings object.
When multiple AND/OR conditions each contain an escape issue, the modal
shows one warning item per affected field, leveraging the
`listOfWarnings: Array<React.ReactNode>` array introduced by elastic#268477.

  **Tests**
- Unit tests in
`kbn-securitysolution-list-utils/src/helpers/index.test.ts` covering:
escaped `\*` / `\?`, documented Windows paths (negative — must not
trigger), single-backslash paths (positive), `match` entries (negative —
only `wildcard` type checked), empty entries, OR conditions, and
multiple AND entries producing per-field results.

### Exception filter behavior across rule types

Traced the full backend execution path to confirm that wildcard
exception entries (`matches` operator, `type: "wildcard"`) behave
identically across all rule types.

**Central path:**
`create_security_rule_type_wrapper.ts` builds the exception filter once
via `buildExceptionFilter()` (from `@kbn/lists-plugin`) and passes it to
every rule executor through `sharedParams.exceptionFilter`. The
resulting ES clause is:
  ```json
  { "wildcard": { "<field>": "<value>" } }
```
> ES|QL note:
> ES|QL uses esClient.esql.asyncQuery() instead of _search, which accepts a separate filter parameter (standard ES DSL). The exception filter is passed there unchanged; Elasticsearch applies it at the shard level before the ES|QL query runs. No translation to a WHERE clause is performed or needed.

So, the Elasticsearch wildcard semantics apply uniformly across all rule types (query, EQL, ES|QL, threshold, new terms, ML, indicator match, saved query):
 - \* matches a literal asterisk, not a wildcard
 - \? matches a literal question mark, not a wildcard
 - \\ matches a literal backslash

 ### Out of scope (and maybe for a follow-up)
  - For bare `*` / `?` values in `matches` (e.g., a value of just `*` matching everything) we could handle it by a separate validator with its own callout copy. The AC mentions this as a separate signal.
  - Lone `\` (single backslash) and unpaired `\\` cases, could also be on a separate validator.

 ### Checklist

  - [x] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n
  support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)
  - [ ] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials -- Already in place, under: https://www.elastic.co/docs/solutions/security/detect-and-alert/add-manage-exceptions#detection-rule-exceptions
  - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
  - [ ] If a plugin configuration key changed, check if it needs to be allowlisted in the cloud and added to the [docker
  list](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker)
  - [ ] This was checked for breaking HTTP API changes, and any breaking changes have been approved by the breaking-change committee. The `release_note:breaking` label should be applied in these
  situations.
  - [ ] [Flaky Test Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was used on any tests changed
  - [x] The PR description includes the appropriate Release Notes section, and the correct `release_note:*` label is applied per the
  [guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
  - [x] Review the [backport guidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing) and apply applicable `backport:*` labels.

  ### Identify risks

  - [x] [See some risk examples](https://github.com/elastic/kibana/blob/main/RISK_MATRIX.mdx)

  | Risk | Severity | Mitigation |
  |---|---|---|
  | **False positives on documented Windows paths** (e.g. `C:\\Windows\\*.dll`) | Medium → Low | Negative-lookbehind regex `(?<!\\)\\[*?]` only flags `\` immediately before `*`/`?` when not itself preceded by `\`. Test coverage explicitly asserts the documented Windows-path pattern does not trigger. |
  | **Per-entry modal warnings on large exception items** | Low | `malformedMatchesFields` is bounded by the number of entries the user has added in the flyout — not a pagination or unbounded list concern. |
  | **Co-firing with existing `wildcardWarningExists` callout** | Low | Both are non-blocking, use the same modal gate, and render as separate list items in the modal's `listOfWarnings`. UX copy sign-off with @approksiu recommended before marking ready for review. |
  | **Behavioral change to save flow** | None | Validator only adds a confirmation step; on confirm, save proceeds via the unchanged `submitException()` path. No data  shape changes. |

## Release note
Adds a warning callout and confirmation modal to the rule exceptions form when a user enters escaped characters (e.g. `\*` or `\?`) with the matches operator, indicating they may have intended wildcards instead. The warning is non-blocking, users can acknowledge and save.

---------

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>

Author: 3 people

x-pack/solutions/security/packages/kbn-securitysolution-exception-list-components/index.ts

@@ -17,4 +17,5 @@ export * from './src/header_menu';
 export * from './src/generate_linked_rules_menu_item';
 export * from './src/unnecessary_escaping_callout';
 export * from './src/wildcard_with_wrong_operator_callout';
+export * from './src/malformed_matches_value_callout';
 export * from './src/partial_code_signature_callout';

x-pack/solutions/security/packages/kbn-securitysolution-exception-list-components/moon.yml

@@ -22,6 +22,7 @@ dependsOn:
   - '@kbn/i18n'
   - '@kbn/i18n-react'
   - '@kbn/kibana-react-plugin'
+  - '@kbn/securitysolution-list-utils'
 tags:
   - shared-browser
   - package

x-pack/solutions/security/packages/kbn-securitysolution-exception-list-components/src/malformed_matches_value_callout/index.tsx

@@ -0,0 +1,56 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import React from 'react';
+import { FormattedMessage } from '@kbn/i18n-react';
+import { i18n } from '@kbn/i18n';
+import { EuiCallOut } from '@elastic/eui';
+import { isOperator, matchesOperator } from '@kbn/securitysolution-list-utils';
+
+export const MalformedMatchesValueCallout = () => {
+  return (
+    <EuiCallOut
+      title={i18n.translate('exceptionList-components.malformedMatchesValueCallout.title', {
+        defaultMessage: 'Please review your entries',
+      })}
+      iconType="warning"
+      color="warning"
+      size="s"
+      data-test-subj="malformedMatchesValueCallout"
+    >
+      <p>
+        <FormattedMessage
+          id="exceptionList-components.malformedMatchesValueCallout.body"
+          defaultMessage="An entry uses {matches} with a value containing escape sequences (e.g. {escapedStar}, {escapedQuestion}). These will {literalCharacters}, not wildcard patterns (for example {escapedStar2} matches a literal asterisk). If you intended an exact match, {changeOperator} to {is}."
+          values={{
+            matches: <strong>{matchesOperator.message}</strong>,
+            is: <strong>{isOperator.message}</strong>,
+            escapedStar: <code>{'\\*'}</code>,
+            escapedStar2: <code>{'\\*'}</code>,
+            escapedQuestion: <code>{'\\?'}</code>,
+            literalCharacters: (
+              <strong>
+                {i18n.translate(
+                  'exceptionList-components.malformedMatchesValueCallout.literalCharacters',
+                  { defaultMessage: 'match literal characters' }
+                )}
+              </strong>
+            ),
+            changeOperator: (
+              <strong>
+                {i18n.translate(
+                  'exceptionList-components.malformedMatchesValueCallout.changeOperator',
+                  { defaultMessage: 'change the operator' }
+                )}
+              </strong>
+            ),
+          }}
+        />
+      </p>
+    </EuiCallOut>
+  );
+};

x-pack/solutions/security/packages/kbn-securitysolution-exception-list-components/tsconfig.json

@@ -20,6 +20,7 @@
     "@kbn/i18n",
     "@kbn/i18n-react",
     "@kbn/kibana-react-plugin",
+    "@kbn/securitysolution-list-utils",
   ],
   "exclude": [
     "target/**/*",

x-pack/solutions/security/packages/kbn-securitysolution-list-utils/src/helpers/index.test.ts

@@ -11,6 +11,7 @@ import {
   hasWrongOperatorWithWildcard,
   hasEscaping,
   hasPartialCodeSignatureEntry,
+  getMalformedMatchesFields,
   getOperatorOptions,
   hasEntryEscaping,
 } from '.';
@@ -643,6 +644,188 @@ describe('Helpers', () => {
     });
   });
 
+  describe('getMalformedMatchesFields', () => {
+    test('it returns the field name for a wildcard entry with an escaped asterisk', () => {
+      expect(
+        getMalformedMatchesFields([
+          {
+            description: '',
+            name: '',
+            type: 'simple',
+            entries: [
+              {
+                type: 'wildcard',
+                value: 'app\\*.exe',
+                field: 'process.name',
+                operator: 'included',
+              },
+            ],
+          },
+        ])
+      ).toEqual(['process.name']);
+    });
+
+    test('it returns the field name for a wildcard entry with an escaped question mark', () => {
+      expect(
+        getMalformedMatchesFields([
+          {
+            description: '',
+            name: '',
+            type: 'simple',
+            entries: [
+              { type: 'wildcard', value: 'file\\?.txt', field: 'file.name', operator: 'included' },
+            ],
+          },
+        ])
+      ).toEqual(['file.name']);
+    });
+
+    test('it returns multiple field names when multiple entries have escaped wildcards', () => {
+      expect(
+        getMalformedMatchesFields([
+          {
+            description: '',
+            name: '',
+            type: 'simple',
+            entries: [
+              {
+                type: 'wildcard',
+                value: 'app\\*.exe',
+                field: 'process.name',
+                operator: 'included',
+              },
+              {
+                type: 'wildcard',
+                value: 'file\\?.txt',
+                field: 'file.name',
+                operator: 'included',
+              },
+            ],
+          },
+        ])
+      ).toEqual(['process.name', 'file.name']);
+    });
+
+    test('it collects fields across OR conditions (multiple items)', () => {
+      expect(
+        getMalformedMatchesFields([
+          {
+            description: '',
+            name: '',
+            type: 'simple',
+            entries: [
+              {
+                type: 'wildcard',
+                value: 'app\\*.exe',
+                field: 'process.name',
+                operator: 'included',
+              },
+            ],
+          },
+          {
+            description: '',
+            name: '',
+            type: 'simple',
+            entries: [
+              {
+                type: 'wildcard',
+                value: 'file\\?.txt',
+                field: 'file.name',
+                operator: 'included',
+              },
+            ],
+          },
+        ])
+      ).toEqual(['process.name', 'file.name']);
+    });
+
+    test('it returns empty array when no entries have escaped wildcards', () => {
+      expect(
+        getMalformedMatchesFields([
+          {
+            description: '',
+            name: '',
+            type: 'simple',
+            entries: [
+              {
+                type: 'wildcard',
+                value: 'chrome*.exe',
+                field: 'process.name',
+                operator: 'included',
+              },
+            ],
+          },
+        ])
+      ).toEqual([]);
+    });
+
+    test('it returns empty array for an empty entries list', () => {
+      expect(
+        getMalformedMatchesFields([
+          {
+            description: '',
+            name: '',
+            type: 'simple',
+            entries: [],
+          },
+        ])
+      ).toEqual([]);
+    });
+
+    test('it excludes entries with an empty field name', () => {
+      expect(
+        getMalformedMatchesFields([
+          {
+            description: '',
+            name: '',
+            type: 'simple',
+            entries: [{ type: 'wildcard', value: 'app\\*.exe', field: '', operator: 'included' }],
+          },
+        ])
+      ).toEqual([]);
+    });
+
+    test('it does not include match entries even if value contains escape sequences', () => {
+      expect(
+        getMalformedMatchesFields([
+          {
+            description: '',
+            name: '',
+            type: 'simple',
+            entries: [
+              {
+                type: 'match',
+                value: 'app\\*.exe',
+                field: 'process.name',
+                operator: 'included',
+              },
+            ],
+          },
+        ])
+      ).toEqual([]);
+    });
+
+    test('it does not flag a double-backslash before a wildcard (Windows path separator)', () => {
+      expect(
+        getMalformedMatchesFields([
+          {
+            description: '',
+            name: '',
+            type: 'simple',
+            entries: [
+              {
+                type: 'wildcard',
+                value: 'C:\\\\Windows\\\\*.dll',
+                field: 'file.path',
+                operator: 'included',
+              },
+            ],
+          },
+        ])
+      ).toEqual([]);
+    });
+  });
+
   describe('getOperatorOptions', () => {
     const getItem = (overrides?: {
       nested?: FormattedBuilderEntry['nested'];

x-pack/solutions/security/packages/kbn-securitysolution-list-utils/src/helpers/index.ts

@@ -1027,49 +1027,43 @@ export const getMappingConflictsInfo = (field: DataViewField): FieldConflictsInf
   return conflicts;
 };
 
+/** Flattens exception items into a single list of leaf entries, expanding nested entry children. */
+const flattenExceptionEntries = (
+  items: Array<Pick<ExceptionsBuilderReturnExceptionItem, 'entries'>>
+): BuilderEntry[] =>
+  items
+    .flatMap((item) => item.entries)
+    .flatMap((item) => (item.type === 'nested' ? item.entries : item));
+
+/** Narrows a BuilderEntry to one that uses the wildcard operator with a string value. */
+const isWildcardStringEntry = (
+  builderEntry: BuilderEntry
+): builderEntry is BuilderEntry & { type: 'wildcard'; value: string } =>
+  builderEntry.type === 'wildcard' &&
+  'value' in builderEntry &&
+  typeof builderEntry.value === 'string';
+
 /**
  * Given an exceptions list, determine if any entries have an "IS" operator with a wildcard value
  */
 export const hasWrongOperatorWithWildcard = (
   items: ExceptionsBuilderReturnExceptionItem[]
-): boolean => {
-  // flattens array of multiple entries added with OR
-  const multipleEntries = items.flatMap((item) => item.entries);
-  // flattens nested entries
-  const allEntries = multipleEntries.flatMap((item) => {
-    if (item.type === 'nested') {
-      return item.entries;
-    }
-    return item;
-  });
-
-  // eslint-disable-next-line array-callback-return
-  return allEntries.some((e) => {
-    if (e.type !== 'list' && 'value' in e) {
+): boolean =>
+  flattenExceptionEntries(items).some((e) => {
+    if (e.type !== 'list' && 'value' in e && e.value != null) {
       return validateHasWildcardWithWrongOperator({
         operator: e.type,
         value: e.value,
       });
     }
+    return false;
   });
-};
 
 export const hasEscaping = (
   items: Array<Pick<ExceptionsBuilderReturnExceptionItem, 'entries'>>,
   osTypes: ExceptionsBuilderReturnExceptionItem['os_types'] = ['linux']
-): boolean => {
-  // flattens array of multiple entries added with OR
-  const multipleEntries = items.flatMap((item) => item.entries);
-  // flattens nested entries
-  const allEntries = multipleEntries.flatMap((item) => {
-    if (item.type === 'nested') {
-      return item.entries;
-    }
-    return item;
-  });
-
-  return allEntries.some((builderEntry) => hasEntryEscaping(builderEntry, osTypes));
-};
+): boolean =>
+  flattenExceptionEntries(items).some((builderEntry) => hasEntryEscaping(builderEntry, osTypes));
 
 export const hasEntryEscaping = (
   builderEntry: BuilderEntry,
@@ -1104,6 +1098,29 @@ export const hasEntryEscaping = (
   );
 };
 
+// Detect `matches` entries with escaped wildcard metacharacters (\* or \?). Uses a negative
+// lookbehind so that \\* (double-backslash path separator + wildcard) does not trigger — only
+// a lone \* or \? (escaped metacharacter) fires the warning.
+const ESCAPED_WILDCARD_REGEX = /(?<!\\)\\[*?]/;
+
+export const getMalformedMatchesFields = (
+  items: ExceptionsBuilderReturnExceptionItem[]
+): string[] => {
+  const flattenedEntries = flattenExceptionEntries(items);
+
+  return flattenedEntries.reduce<string[]>((result, builderEntry) => {
+    if (
+      isWildcardStringEntry(builderEntry) &&
+      builderEntry.field !== '' &&
+      ESCAPED_WILDCARD_REGEX.test(builderEntry.value)
+    ) {
+      return [...result, builderEntry.field];
+    }
+
+    return result;
+  }, []);
+};
+
 /**
  * Event filters helper where given an exceptions list,
  * determine if both 'subject_name' and 'trusted' are