From 03e75c9f25dd666871333c50b88751a217cc4e13 Mon Sep 17 00:00:00 2001
From: Madison Caldwell <madison.caldwell@elastic.co>
Date: Tue, 7 Jul 2020 00:09:11 -0400
Subject: [PATCH 1/8] Fix base64 download bug

---
 .../manifest_manager/manifest_manager.ts      |  2 +-
 .../apis/endpoint/artifacts/index.ts          | 35 ++++++++++++++++++-
 2 files changed, 35 insertions(+), 2 deletions(-)

diff --git a/x-pack/plugins/security_solution/server/endpoint/services/artifacts/manifest_manager/manifest_manager.ts b/x-pack/plugins/security_solution/server/endpoint/services/artifacts/manifest_manager/manifest_manager.ts
index e47a23b893b71..52887a38b3419 100644
--- a/x-pack/plugins/security_solution/server/endpoint/services/artifacts/manifest_manager/manifest_manager.ts
+++ b/x-pack/plugins/security_solution/server/endpoint/services/artifacts/manifest_manager/manifest_manager.ts
@@ -140,7 +140,7 @@ export class ManifestManager {
         try {
           await this.artifactClient.createArtifact(artifact);
           // Cache the body of the artifact
-          this.cache.set(diff.id, artifact.body);
+          this.cache.set(diff.id, Buffer.from(artifact.body, 'base64').toString());
         } catch (err) {
           if (err.status === 409) {
             // This artifact already existed...
diff --git a/x-pack/test/api_integration/apis/endpoint/artifacts/index.ts b/x-pack/test/api_integration/apis/endpoint/artifacts/index.ts
index 2721592ba3350..a52521b424d49 100644
--- a/x-pack/test/api_integration/apis/endpoint/artifacts/index.ts
+++ b/x-pack/test/api_integration/apis/endpoint/artifacts/index.ts
@@ -6,6 +6,7 @@
 
 import expect from '@kbn/expect';
 
+import { WrappedTranslatedExceptionList } from '../../../../../plugins/security_solution/server/endpoint/schemas';
 import { FtrProviderContext } from '../../../ftr_provider_context';
 import { getSupertestWithoutAuth, setupIngest } from '../../fleet/agents/services';
 
@@ -69,7 +70,7 @@ export default function (providerContext: FtrProviderContext) {
     });
 
     it('should download an artifact with correct hash', async () => {
-      await supertestWithoutAuth
+      const { body } = await supertestWithoutAuth
         .get(
           '/api/endpoint/artifacts/download/endpoint-exceptionlist-linux-1.0.0/a4e4586e895fcb46dd25a25358b446f9a425279452afa3ef9a98bca39c39122d'
         )
@@ -77,6 +78,38 @@ export default function (providerContext: FtrProviderContext) {
         .set('authorization', `ApiKey ${agentAccessAPIKey}`)
         .send()
         .expect(200);
+
+      // console.log(body);
+
+      // const artifactObj: WrappedTranslatedExceptionList = JSON.parse(body);
+      expect(body).to.eql({
+        exceptions_list: [
+          {
+            field: 'actingProcess.file.signer',
+            operator: 'included',
+            type: 'exact_cased',
+            value: 'Elastic, N.V.',
+          },
+          {
+            entries: [
+              {
+                field: 'signer',
+                operator: 'included',
+                type: 'exact_cased',
+                value: 'Evil',
+              },
+              {
+                field: 'trusted',
+                operator: 'included',
+                type: 'exact_cased',
+                value: 'true',
+              },
+            ],
+            field: 'file.signature',
+            type: 'nested',
+          },
+        ],
+      } as WrappedTranslatedExceptionList);
     });
 
     it('should fail on invalid api key', async () => {

From 86205107a534b0ee300eeea137eba63e97a97cfa Mon Sep 17 00:00:00 2001
From: Madison Caldwell <madison.caldwell@elastic.co>
Date: Tue, 7 Jul 2020 12:37:03 -0400
Subject: [PATCH 2/8] Add test for artifact download

---
 .../apis/endpoint/artifacts/index.ts          | 56 +++++++++----------
 .../endpoint/artifacts/api_feature/data.json  | 12 ++--
 2 files changed, 33 insertions(+), 35 deletions(-)

diff --git a/x-pack/test/api_integration/apis/endpoint/artifacts/index.ts b/x-pack/test/api_integration/apis/endpoint/artifacts/index.ts
index a52521b424d49..a63c2c19dc96c 100644
--- a/x-pack/test/api_integration/apis/endpoint/artifacts/index.ts
+++ b/x-pack/test/api_integration/apis/endpoint/artifacts/index.ts
@@ -6,7 +6,6 @@
 
 import expect from '@kbn/expect';
 
-import { WrappedTranslatedExceptionList } from '../../../../../plugins/security_solution/server/endpoint/schemas';
 import { FtrProviderContext } from '../../../ftr_provider_context';
 import { getSupertestWithoutAuth, setupIngest } from '../../fleet/agents/services';
 
@@ -70,46 +69,45 @@ export default function (providerContext: FtrProviderContext) {
     });
 
     it('should download an artifact with correct hash', async () => {
-      const { body } = await supertestWithoutAuth
+      await supertestWithoutAuth
         .get(
-          '/api/endpoint/artifacts/download/endpoint-exceptionlist-linux-1.0.0/a4e4586e895fcb46dd25a25358b446f9a425279452afa3ef9a98bca39c39122d'
+          '/api/endpoint/artifacts/download/endpoint-exceptionlist-linux-1.0.0/d162f0302cbf419038ade7ea978e0a7ade7aad317fedefe455ff38dfa28b7cff'
         )
         .set('kbn-xsrf', 'xxx')
         .set('authorization', `ApiKey ${agentAccessAPIKey}`)
         .send()
-        .expect(200);
-
-      // console.log(body);
-
-      // const artifactObj: WrappedTranslatedExceptionList = JSON.parse(body);
-      expect(body).to.eql({
-        exceptions_list: [
-          {
-            field: 'actingProcess.file.signer',
-            operator: 'included',
-            type: 'exact_cased',
-            value: 'Elastic, N.V.',
-          },
-          {
-            entries: [
+        .expect(200)
+        .expect((response) => {
+          const artifactJson = JSON.parse(response.text);
+          expect(artifactJson).to.eql({
+            exceptions_list: [
               {
-                field: 'signer',
+                field: 'actingProcess.file.signer',
                 operator: 'included',
                 type: 'exact_cased',
-                value: 'Evil',
+                value: 'Elastic, N.V.',
               },
               {
-                field: 'trusted',
-                operator: 'included',
-                type: 'exact_cased',
-                value: 'true',
+                entries: [
+                  {
+                    field: 'signer',
+                    operator: 'included',
+                    type: 'exact_cased',
+                    value: 'Evil',
+                  },
+                  {
+                    field: 'trusted',
+                    operator: 'included',
+                    type: 'exact_cased',
+                    value: 'true',
+                  },
+                ],
+                field: 'file.signature',
+                type: 'nested',
               },
             ],
-            field: 'file.signature',
-            type: 'nested',
-          },
-        ],
-      } as WrappedTranslatedExceptionList);
+          });
+        });
     });
 
     it('should fail on invalid api key', async () => {
diff --git a/x-pack/test/functional/es_archives/endpoint/artifacts/api_feature/data.json b/x-pack/test/functional/es_archives/endpoint/artifacts/api_feature/data.json
index b156f2f6cc7bf..abc7c463ec96d 100644
--- a/x-pack/test/functional/es_archives/endpoint/artifacts/api_feature/data.json
+++ b/x-pack/test/functional/es_archives/endpoint/artifacts/api_feature/data.json
@@ -1,21 +1,21 @@
 {
   "type": "doc",
   "value": {
-    "id": "endpoint:user-artifact:endpoint-exceptionlist-linux-1.0.0-a4e4586e895fcb46dd25a25358b446f9a425279452afa3ef9a98bca39c39122d",
+    "id": "endpoint:user-artifact:endpoint-exceptionlist-linux-1.0.0-d162f0302cbf419038ade7ea978e0a7ade7aad317fedefe455ff38dfa28b7cff",
     "index": ".kibana",
     "source": {
       "references": [
       ],
       "endpoint:user-artifact": {
-        "body": "eyJleGNlcHRpb25zX2xpc3QiOltdfQ==",
+        "body": "eyJleGNlcHRpb25zX2xpc3QiOlt7ImZpZWxkIjoiYWN0aW5nUHJvY2Vzcy5maWxlLnNpZ25lciIsIm9wZXJhdG9yIjoiaW5jbHVkZWQiLCJ0eXBlIjoiZXhhY3RfY2FzZWQiLCJ2YWx1ZSI6IkVsYXN0aWMsIE4uVi4ifSx7ImVudHJpZXMiOlt7ImZpZWxkIjoic2lnbmVyIiwib3BlcmF0b3IiOiJpbmNsdWRlZCIsInR5cGUiOiJleGFjdF9jYXNlZCIsInZhbHVlIjoiRXZpbCJ9LHsiZmllbGQiOiJ0cnVzdGVkIiwib3BlcmF0b3IiOiJpbmNsdWRlZCIsInR5cGUiOiJleGFjdF9jYXNlZCIsInZhbHVlIjoidHJ1ZSJ9XSwiZmllbGQiOiJmaWxlLnNpZ25hdHVyZSIsInR5cGUiOiJuZXN0ZWQifV19",
         "created": 1593016187465,
         "compressionAlgorithm": "none",
         "encryptionAlgorithm": "none",
         "identifier": "endpoint-exceptionlist-linux-1.0.0",
-        "compressedSha256": "a4e4586e895fcb46dd25a25358b446f9a425279452afa3ef9a98bca39c39122d",
-        "compressedSize": 22,
-        "decompressedSha256": "a4e4586e895fcb46dd25a25358b446f9a425279452afa3ef9a98bca39c39122d",
-        "decompressedSize": 22
+        "compressedSha256": "d162f0302cbf419038ade7ea978e0a7ade7aad317fedefe455ff38dfa28b7cff",
+        "compressedSize": 336,
+        "decompressedSha256": "d162f0302cbf419038ade7ea978e0a7ade7aad317fedefe455ff38dfa28b7cff",
+        "decompressedSize": 336
       },
       "type": "endpoint:user-artifact",
       "updated_at": "2020-06-24T16:29:47.584Z"

From 1456697298c6fdbb4c9f4205379f1b9a6a429e29 Mon Sep 17 00:00:00 2001
From: Madison Caldwell <madison.caldwell@elastic.co>
Date: Tue, 7 Jul 2020 13:19:46 -0400
Subject: [PATCH 3/8] Add more tests to ensure cached versions of artifacts are
 correct

---
 .../manifest_manager/manifest_manager.mock.ts |  8 ++-
 .../manifest_manager/manifest_manager.test.ts | 44 ++++++++++++++-
 .../manifest_manager/manifest_manager.ts      |  1 +
 .../apis/endpoint/artifacts/index.ts          | 55 +++++++++++++++++++
 4 files changed, 106 insertions(+), 2 deletions(-)

diff --git a/x-pack/plugins/security_solution/server/endpoint/services/artifacts/manifest_manager/manifest_manager.mock.ts b/x-pack/plugins/security_solution/server/endpoint/services/artifacts/manifest_manager/manifest_manager.mock.ts
index cd70b11aef305..483b3434d63f2 100644
--- a/x-pack/plugins/security_solution/server/endpoint/services/artifacts/manifest_manager/manifest_manager.mock.ts
+++ b/x-pack/plugins/security_solution/server/endpoint/services/artifacts/manifest_manager/manifest_manager.mock.ts
@@ -84,9 +84,15 @@ export class ManifestManagerMock extends ManifestManager {
 }
 
 export const getManifestManagerMock = (opts?: {
+  cache?: ExceptionsCache;
   packageConfigService?: PackageConfigServiceMock;
   savedObjectsClient?: ReturnType<typeof savedObjectsClientMock.create>;
 }): ManifestManagerMock => {
+  let cache = new ExceptionsCache(5);
+  if (opts?.cache !== undefined) {
+    cache = opts.cache;
+  }
+
   let packageConfigService = getPackageConfigServiceMock();
   if (opts?.packageConfigService !== undefined) {
     packageConfigService = opts.packageConfigService;
@@ -99,7 +105,7 @@ export const getManifestManagerMock = (opts?: {
 
   const manifestManager = new ManifestManagerMock({
     artifactClient: getArtifactClientMock(savedObjectsClient),
-    cache: new ExceptionsCache(5),
+    cache,
     // @ts-ignore
     packageConfigService,
     exceptionListClient: listMock.getExceptionListClient(),
diff --git a/x-pack/plugins/security_solution/server/endpoint/services/artifacts/manifest_manager/manifest_manager.test.ts b/x-pack/plugins/security_solution/server/endpoint/services/artifacts/manifest_manager/manifest_manager.test.ts
index ef4f921cb537e..900ad2c026956 100644
--- a/x-pack/plugins/security_solution/server/endpoint/services/artifacts/manifest_manager/manifest_manager.test.ts
+++ b/x-pack/plugins/security_solution/server/endpoint/services/artifacts/manifest_manager/manifest_manager.test.ts
@@ -5,7 +5,12 @@
  */
 
 import { savedObjectsClientMock } from 'src/core/server/mocks';
-import { ArtifactConstants, ManifestConstants, Manifest } from '../../../lib/artifacts';
+import {
+  ArtifactConstants,
+  ManifestConstants,
+  Manifest,
+  ExceptionsCache,
+} from '../../../lib/artifacts';
 import { getPackageConfigServiceMock, getManifestManagerMock } from './manifest_manager.mock';
 
 describe('manifest_manager', () => {
@@ -23,6 +28,43 @@ describe('manifest_manager', () => {
       expect(manifestWrapper!.manifest).toBeInstanceOf(Manifest);
     });
 
+    test('ManifestManager populates cache properly', async () => {
+      const cache = new ExceptionsCache(5);
+      const manifestManager = getManifestManagerMock({ cache });
+      const manifestWrapper = await manifestManager.refresh();
+      expect(manifestWrapper!.diffs).toEqual([
+        {
+          id:
+            'endpoint-exceptionlist-linux-1.0.0-d34a1f6659bd86fc2023d7477aa2e5d2055c9c0fb0a0f10fae76bf8b94bebe49',
+          type: 'add',
+        },
+      ]);
+      const diff = manifestWrapper!.diffs[0];
+      const entry = JSON.parse(cache.get(diff!.id)!);
+      expect(entry).toEqual({
+        exceptions_list: [
+          {
+            entries: [
+              {
+                field: 'nested.field',
+                operator: 'included',
+                type: 'exact_cased',
+                value: 'some value',
+              },
+            ],
+            field: 'some.parentField',
+            type: 'nested',
+          },
+          {
+            field: 'some.not.nested.field',
+            operator: 'included',
+            type: 'exact_cased',
+            value: 'some value',
+          },
+        ],
+      });
+    });
+
     test('ManifestManager can dispatch manifest', async () => {
       const packageConfigService = getPackageConfigServiceMock();
       const manifestManager = getManifestManagerMock({ packageConfigService });
diff --git a/x-pack/plugins/security_solution/server/endpoint/services/artifacts/manifest_manager/manifest_manager.ts b/x-pack/plugins/security_solution/server/endpoint/services/artifacts/manifest_manager/manifest_manager.ts
index 52887a38b3419..f7bc711d4bd05 100644
--- a/x-pack/plugins/security_solution/server/endpoint/services/artifacts/manifest_manager/manifest_manager.ts
+++ b/x-pack/plugins/security_solution/server/endpoint/services/artifacts/manifest_manager/manifest_manager.ts
@@ -139,6 +139,7 @@ export class ManifestManager {
         const artifact = newManifest.getArtifact(diff.id);
         try {
           await this.artifactClient.createArtifact(artifact);
+
           // Cache the body of the artifact
           this.cache.set(diff.id, Buffer.from(artifact.body, 'base64').toString());
         } catch (err) {
diff --git a/x-pack/test/api_integration/apis/endpoint/artifacts/index.ts b/x-pack/test/api_integration/apis/endpoint/artifacts/index.ts
index a63c2c19dc96c..3193a4456ba37 100644
--- a/x-pack/test/api_integration/apis/endpoint/artifacts/index.ts
+++ b/x-pack/test/api_integration/apis/endpoint/artifacts/index.ts
@@ -110,6 +110,61 @@ export default function (providerContext: FtrProviderContext) {
         });
     });
 
+    it('should download an artifact with correct hash from cache', async () => {
+      await supertestWithoutAuth
+        .get(
+          '/api/endpoint/artifacts/download/endpoint-exceptionlist-linux-1.0.0/d162f0302cbf419038ade7ea978e0a7ade7aad317fedefe455ff38dfa28b7cff'
+        )
+        .set('kbn-xsrf', 'xxx')
+        .set('authorization', `ApiKey ${agentAccessAPIKey}`)
+        .send()
+        .expect(200)
+        .expect((response) => {
+          JSON.parse(response.text);
+        })
+        .then(async () => {
+          await supertestWithoutAuth
+            .get(
+              '/api/endpoint/artifacts/download/endpoint-exceptionlist-linux-1.0.0/d162f0302cbf419038ade7ea978e0a7ade7aad317fedefe455ff38dfa28b7cff'
+            )
+            .set('kbn-xsrf', 'xxx')
+            .set('authorization', `ApiKey ${agentAccessAPIKey}`)
+            .send()
+            .expect(200)
+            .expect((response) => {
+              const artifactJson = JSON.parse(response.text);
+              expect(artifactJson).to.eql({
+                exceptions_list: [
+                  {
+                    field: 'actingProcess.file.signer',
+                    operator: 'included',
+                    type: 'exact_cased',
+                    value: 'Elastic, N.V.',
+                  },
+                  {
+                    entries: [
+                      {
+                        field: 'signer',
+                        operator: 'included',
+                        type: 'exact_cased',
+                        value: 'Evil',
+                      },
+                      {
+                        field: 'trusted',
+                        operator: 'included',
+                        type: 'exact_cased',
+                        value: 'true',
+                      },
+                    ],
+                    field: 'file.signature',
+                    type: 'nested',
+                  },
+                ],
+              });
+            });
+        });
+    });
+
     it('should fail on invalid api key', async () => {
       await supertestWithoutAuth
         .get(

From eae1b8925b70d3fb279fe8a1c2c2b11c0f5d45e0 Mon Sep 17 00:00:00 2001
From: Madison Caldwell <madison.caldwell@elastic.co>
Date: Tue, 7 Jul 2020 14:17:05 -0400
Subject: [PATCH 4/8] Convert to new format

---
 .../common/endpoint/schema/manifest.ts        |  8 +++---
 .../server/endpoint/lib/artifacts/common.ts   |  4 +--
 .../endpoint/lib/artifacts/lists.test.ts      | 12 ++++----
 .../server/endpoint/lib/artifacts/lists.ts    | 16 +++++------
 .../endpoint/lib/artifacts/manifest.test.ts   | 26 ++++++++---------
 .../lib/artifacts/manifest_entry.test.ts      | 16 +++++------
 .../endpoint/lib/artifacts/manifest_entry.ts  | 28 +++++++++----------
 .../lib/artifacts/saved_object_mappings.ts    |  8 +++---
 .../endpoint/schemas/artifacts/lists.ts       |  6 ++--
 .../schemas/artifacts/saved_objects.ts        |  8 +++---
 .../services/artifacts/artifact_client.ts     |  2 +-
 .../manifest_manager/manifest_manager.test.ts | 16 +++++------
 .../apis/endpoint/artifacts/index.ts          | 10 +++----
 .../endpoint/artifacts/api_feature/data.json  | 28 +++++++++----------
 14 files changed, 94 insertions(+), 94 deletions(-)

diff --git a/x-pack/plugins/security_solution/common/endpoint/schema/manifest.ts b/x-pack/plugins/security_solution/common/endpoint/schema/manifest.ts
index 2f03895d91c74..1c8916dfdd5bb 100644
--- a/x-pack/plugins/security_solution/common/endpoint/schema/manifest.ts
+++ b/x-pack/plugins/security_solution/common/endpoint/schema/manifest.ts
@@ -19,10 +19,10 @@ import {
 export const manifestEntrySchema = t.exact(
   t.type({
     relative_url: relativeUrl,
-    precompress_sha256: sha256,
-    precompress_size: size,
-    postcompress_sha256: sha256,
-    postcompress_size: size,
+    decoded_sha256: sha256,
+    decoded_size: size,
+    encoded_sha256: sha256,
+    encoded_size: size,
     compression_algorithm: compressionAlgorithm,
     encryption_algorithm: encryptionAlgorithm,
   })
diff --git a/x-pack/plugins/security_solution/server/endpoint/lib/artifacts/common.ts b/x-pack/plugins/security_solution/server/endpoint/lib/artifacts/common.ts
index b6a5bed9078ab..cf38147522083 100644
--- a/x-pack/plugins/security_solution/server/endpoint/lib/artifacts/common.ts
+++ b/x-pack/plugins/security_solution/server/endpoint/lib/artifacts/common.ts
@@ -6,12 +6,12 @@
 
 export const ArtifactConstants = {
   GLOBAL_ALLOWLIST_NAME: 'endpoint-exceptionlist',
-  SAVED_OBJECT_TYPE: 'endpoint:user-artifact',
+  SAVED_OBJECT_TYPE: 'endpoint:user-artifact:v2',
   SUPPORTED_OPERATING_SYSTEMS: ['linux', 'macos', 'windows'],
   SCHEMA_VERSION: '1.0.0',
 };
 
 export const ManifestConstants = {
-  SAVED_OBJECT_TYPE: 'endpoint:user-artifact-manifest',
+  SAVED_OBJECT_TYPE: 'endpoint:user-artifact-manifest:v2',
   SCHEMA_VERSION: '1.0.0',
 };
diff --git a/x-pack/plugins/security_solution/server/endpoint/lib/artifacts/lists.test.ts b/x-pack/plugins/security_solution/server/endpoint/lib/artifacts/lists.test.ts
index 738890fb4038f..80d7bd5658363 100644
--- a/x-pack/plugins/security_solution/server/endpoint/lib/artifacts/lists.test.ts
+++ b/x-pack/plugins/security_solution/server/endpoint/lib/artifacts/lists.test.ts
@@ -21,7 +21,7 @@ describe('buildEventTypeSignal', () => {
 
   test('it should convert the exception lists response to the proper endpoint format', async () => {
     const expectedEndpointExceptions = {
-      exceptions_list: [
+      entries: [
         {
           entries: [
             {
@@ -57,7 +57,7 @@ describe('buildEventTypeSignal', () => {
     ];
 
     const expectedEndpointExceptions = {
-      exceptions_list: [
+      entries: [
         {
           field: 'server.domain',
           operator: 'included',
@@ -100,7 +100,7 @@ describe('buildEventTypeSignal', () => {
     ];
 
     const expectedEndpointExceptions = {
-      exceptions_list: [
+      entries: [
         {
           field: 'server.domain',
           operator: 'included',
@@ -147,7 +147,7 @@ describe('buildEventTypeSignal', () => {
     ];
 
     const expectedEndpointExceptions = {
-      exceptions_list: [
+      entries: [
         {
           field: 'server.domain',
           operator: 'included',
@@ -182,7 +182,7 @@ describe('buildEventTypeSignal', () => {
       .mockReturnValueOnce(second)
       .mockReturnValueOnce(third);
     const resp = await getFullEndpointExceptionList(mockExceptionClient, 'linux', '1.0.0');
-    expect(resp.exceptions_list.length).toEqual(6);
+    expect(resp.entries.length).toEqual(6);
   });
 
   test('it should handle no exceptions', async () => {
@@ -191,6 +191,6 @@ describe('buildEventTypeSignal', () => {
     exceptionsResponse.total = 0;
     mockExceptionClient.findExceptionListItem = jest.fn().mockReturnValueOnce(exceptionsResponse);
     const resp = await getFullEndpointExceptionList(mockExceptionClient, 'linux', '1.0.0');
-    expect(resp.exceptions_list.length).toEqual(0);
+    expect(resp.entries.length).toEqual(0);
   });
 });
diff --git a/x-pack/plugins/security_solution/server/endpoint/lib/artifacts/lists.ts b/x-pack/plugins/security_solution/server/endpoint/lib/artifacts/lists.ts
index 2abb72234fecd..53cda8f2d2299 100644
--- a/x-pack/plugins/security_solution/server/endpoint/lib/artifacts/lists.ts
+++ b/x-pack/plugins/security_solution/server/endpoint/lib/artifacts/lists.ts
@@ -14,7 +14,7 @@ import {
   InternalArtifactSchema,
   TranslatedEntry,
   WrappedTranslatedExceptionList,
-  wrappedExceptionList,
+  wrappedTranslatedExceptionList,
   TranslatedEntryNestedEntry,
   translatedEntryNestedEntry,
   translatedEntry as translatedEntryType,
@@ -36,10 +36,10 @@ export async function buildArtifact(
     identifier: `${ArtifactConstants.GLOBAL_ALLOWLIST_NAME}-${os}-${schemaVersion}`,
     compressionAlgorithm: 'none',
     encryptionAlgorithm: 'none',
-    decompressedSha256: sha256,
-    compressedSha256: sha256,
-    decompressedSize: exceptionsBuffer.byteLength,
-    compressedSize: exceptionsBuffer.byteLength,
+    decodedSha256: sha256,
+    encodedSha256: sha256,
+    decodedSize: exceptionsBuffer.byteLength,
+    encodedSize: exceptionsBuffer.byteLength,
     created: Date.now(),
     body: exceptionsBuffer.toString('base64'),
   };
@@ -50,7 +50,7 @@ export async function getFullEndpointExceptionList(
   os: string,
   schemaVersion: string
 ): Promise<WrappedTranslatedExceptionList> {
-  const exceptions: WrappedTranslatedExceptionList = { exceptions_list: [] };
+  const exceptions: WrappedTranslatedExceptionList = { entries: [] };
   let numResponses = 0;
   let page = 1;
 
@@ -68,7 +68,7 @@ export async function getFullEndpointExceptionList(
     if (response?.data !== undefined) {
       numResponses = response.data.length;
 
-      exceptions.exceptions_list = exceptions.exceptions_list.concat(
+      exceptions.entries = exceptions.entries.concat(
         translateToEndpointExceptions(response, schemaVersion)
       );
 
@@ -78,7 +78,7 @@ export async function getFullEndpointExceptionList(
     }
   } while (numResponses > 0);
 
-  const [validated, errors] = validate(exceptions, wrappedExceptionList);
+  const [validated, errors] = validate(exceptions, wrappedTranslatedExceptionList);
   if (errors != null) {
     throw new Error(errors);
   }
diff --git a/x-pack/plugins/security_solution/server/endpoint/lib/artifacts/manifest.test.ts b/x-pack/plugins/security_solution/server/endpoint/lib/artifacts/manifest.test.ts
index da8a449e1b026..00a651c0b60fe 100644
--- a/x-pack/plugins/security_solution/server/endpoint/lib/artifacts/manifest.test.ts
+++ b/x-pack/plugins/security_solution/server/endpoint/lib/artifacts/manifest.test.ts
@@ -57,30 +57,30 @@ describe('manifest', () => {
           'endpoint-exceptionlist-linux-1.0.0': {
             compression_algorithm: 'none',
             encryption_algorithm: 'none',
-            precompress_sha256: '70d2e0ee5db0073b242df9af32e64447b932b73c3e66de3a922c61a4077b1a9c',
-            postcompress_sha256: '70d2e0ee5db0073b242df9af32e64447b932b73c3e66de3a922c61a4077b1a9c',
-            precompress_size: 268,
-            postcompress_size: 268,
+            decoded_sha256: '70d2e0ee5db0073b242df9af32e64447b932b73c3e66de3a922c61a4077b1a9c',
+            encoded_sha256: '70d2e0ee5db0073b242df9af32e64447b932b73c3e66de3a922c61a4077b1a9c',
+            decoded_size: 268,
+            encoded_size: 268,
             relative_url:
               '/api/endpoint/artifacts/download/endpoint-exceptionlist-linux-1.0.0/70d2e0ee5db0073b242df9af32e64447b932b73c3e66de3a922c61a4077b1a9c',
           },
           'endpoint-exceptionlist-macos-1.0.0': {
             compression_algorithm: 'none',
             encryption_algorithm: 'none',
-            precompress_sha256: '70d2e0ee5db0073b242df9af32e64447b932b73c3e66de3a922c61a4077b1a9c',
-            postcompress_sha256: '70d2e0ee5db0073b242df9af32e64447b932b73c3e66de3a922c61a4077b1a9c',
-            precompress_size: 268,
-            postcompress_size: 268,
+            decoded_sha256: '70d2e0ee5db0073b242df9af32e64447b932b73c3e66de3a922c61a4077b1a9c',
+            encoded_sha256: '70d2e0ee5db0073b242df9af32e64447b932b73c3e66de3a922c61a4077b1a9c',
+            decoded_size: 268,
+            encoded_size: 268,
             relative_url:
               '/api/endpoint/artifacts/download/endpoint-exceptionlist-macos-1.0.0/70d2e0ee5db0073b242df9af32e64447b932b73c3e66de3a922c61a4077b1a9c',
           },
           'endpoint-exceptionlist-windows-1.0.0': {
             compression_algorithm: 'none',
             encryption_algorithm: 'none',
-            precompress_sha256: '70d2e0ee5db0073b242df9af32e64447b932b73c3e66de3a922c61a4077b1a9c',
-            postcompress_sha256: '70d2e0ee5db0073b242df9af32e64447b932b73c3e66de3a922c61a4077b1a9c',
-            precompress_size: 268,
-            postcompress_size: 268,
+            decoded_sha256: '70d2e0ee5db0073b242df9af32e64447b932b73c3e66de3a922c61a4077b1a9c',
+            encoded_sha256: '70d2e0ee5db0073b242df9af32e64447b932b73c3e66de3a922c61a4077b1a9c',
+            decoded_size: 268,
+            encoded_size: 268,
             relative_url:
               '/api/endpoint/artifacts/download/endpoint-exceptionlist-windows-1.0.0/70d2e0ee5db0073b242df9af32e64447b932b73c3e66de3a922c61a4077b1a9c',
           },
@@ -119,7 +119,7 @@ describe('manifest', () => {
 
     test('Manifest returns data for given artifact', async () => {
       const artifact = artifacts[0];
-      const returned = manifest1.getArtifact(`${artifact.identifier}-${artifact.compressedSha256}`);
+      const returned = manifest1.getArtifact(`${artifact.identifier}-${artifact.encodedSha256}`);
       expect(returned).toEqual(artifact);
     });
 
diff --git a/x-pack/plugins/security_solution/server/endpoint/lib/artifacts/manifest_entry.test.ts b/x-pack/plugins/security_solution/server/endpoint/lib/artifacts/manifest_entry.test.ts
index c8cbdfc2fc5f4..41afd72efd366 100644
--- a/x-pack/plugins/security_solution/server/endpoint/lib/artifacts/manifest_entry.test.ts
+++ b/x-pack/plugins/security_solution/server/endpoint/lib/artifacts/manifest_entry.test.ts
@@ -33,17 +33,17 @@ describe('manifest_entry', () => {
     });
 
     test('Correct sha256 is returned', () => {
-      expect(manifestEntry.getCompressedSha256()).toEqual(
+      expect(manifestEntry.getEncodedSha256()).toEqual(
         '70d2e0ee5db0073b242df9af32e64447b932b73c3e66de3a922c61a4077b1a9c'
       );
-      expect(manifestEntry.getDecompressedSha256()).toEqual(
+      expect(manifestEntry.getDecodedSha256()).toEqual(
         '70d2e0ee5db0073b242df9af32e64447b932b73c3e66de3a922c61a4077b1a9c'
       );
     });
 
     test('Correct size is returned', () => {
-      expect(manifestEntry.getCompressedSize()).toEqual(268);
-      expect(manifestEntry.getDecompressedSize()).toEqual(268);
+      expect(manifestEntry.getEncodedSize()).toEqual(268);
+      expect(manifestEntry.getDecodedSize()).toEqual(268);
     });
 
     test('Correct url is returned', () => {
@@ -60,10 +60,10 @@ describe('manifest_entry', () => {
       expect(manifestEntry.getRecord()).toEqual({
         compression_algorithm: 'none',
         encryption_algorithm: 'none',
-        precompress_sha256: '70d2e0ee5db0073b242df9af32e64447b932b73c3e66de3a922c61a4077b1a9c',
-        postcompress_sha256: '70d2e0ee5db0073b242df9af32e64447b932b73c3e66de3a922c61a4077b1a9c',
-        precompress_size: 268,
-        postcompress_size: 268,
+        decoded_sha256: '70d2e0ee5db0073b242df9af32e64447b932b73c3e66de3a922c61a4077b1a9c',
+        encoded_sha256: '70d2e0ee5db0073b242df9af32e64447b932b73c3e66de3a922c61a4077b1a9c',
+        decoded_size: 268,
+        encoded_size: 268,
         relative_url:
           '/api/endpoint/artifacts/download/endpoint-exceptionlist-windows-1.0.0/70d2e0ee5db0073b242df9af32e64447b932b73c3e66de3a922c61a4077b1a9c',
       });
diff --git a/x-pack/plugins/security_solution/server/endpoint/lib/artifacts/manifest_entry.ts b/x-pack/plugins/security_solution/server/endpoint/lib/artifacts/manifest_entry.ts
index 860c2d7d704b2..c23258c4c3ba4 100644
--- a/x-pack/plugins/security_solution/server/endpoint/lib/artifacts/manifest_entry.ts
+++ b/x-pack/plugins/security_solution/server/endpoint/lib/artifacts/manifest_entry.ts
@@ -15,31 +15,31 @@ export class ManifestEntry {
   }
 
   public getDocId(): string {
-    return `${this.getIdentifier()}-${this.getCompressedSha256()}`;
+    return `${this.getIdentifier()}-${this.getEncodedSha256()}`;
   }
 
   public getIdentifier(): string {
     return this.artifact.identifier;
   }
 
-  public getCompressedSha256(): string {
-    return this.artifact.compressedSha256;
+  public getEncodedSha256(): string {
+    return this.artifact.encodedSha256;
   }
 
-  public getDecompressedSha256(): string {
-    return this.artifact.decompressedSha256;
+  public getDecodedSha256(): string {
+    return this.artifact.decodedSha256;
   }
 
-  public getCompressedSize(): number {
-    return this.artifact.compressedSize;
+  public getEncodedSize(): number {
+    return this.artifact.encodedSize;
   }
 
-  public getDecompressedSize(): number {
-    return this.artifact.decompressedSize;
+  public getDecodedSize(): number {
+    return this.artifact.decodedSize;
   }
 
   public getUrl(): string {
-    return `/api/endpoint/artifacts/download/${this.getIdentifier()}/${this.getCompressedSha256()}`;
+    return `/api/endpoint/artifacts/download/${this.getIdentifier()}/${this.getEncodedSha256()}`;
   }
 
   public getArtifact(): InternalArtifactSchema {
@@ -50,10 +50,10 @@ export class ManifestEntry {
     return {
       compression_algorithm: 'none',
       encryption_algorithm: 'none',
-      precompress_sha256: this.getDecompressedSha256(),
-      precompress_size: this.getDecompressedSize(),
-      postcompress_sha256: this.getCompressedSha256(),
-      postcompress_size: this.getCompressedSize(),
+      decoded_sha256: this.getDecodedSha256(),
+      decoded_size: this.getDecodedSize(),
+      encoded_sha256: this.getEncodedSha256(),
+      encoded_size: this.getEncodedSize(),
       relative_url: this.getUrl(),
     };
   }
diff --git a/x-pack/plugins/security_solution/server/endpoint/lib/artifacts/saved_object_mappings.ts b/x-pack/plugins/security_solution/server/endpoint/lib/artifacts/saved_object_mappings.ts
index 5e61b278e87e4..89e974a3d5fd3 100644
--- a/x-pack/plugins/security_solution/server/endpoint/lib/artifacts/saved_object_mappings.ts
+++ b/x-pack/plugins/security_solution/server/endpoint/lib/artifacts/saved_object_mappings.ts
@@ -24,18 +24,18 @@ export const exceptionsArtifactSavedObjectMappings: SavedObjectsType['mappings']
       type: 'keyword',
       index: false,
     },
-    compressedSha256: {
+    encodedSha256: {
       type: 'keyword',
     },
-    compressedSize: {
+    encodedSize: {
       type: 'long',
       index: false,
     },
-    decompressedSha256: {
+    decodedSha256: {
       type: 'keyword',
       index: false,
     },
-    decompressedSize: {
+    decodedSize: {
       type: 'long',
       index: false,
     },
diff --git a/x-pack/plugins/security_solution/server/endpoint/schemas/artifacts/lists.ts b/x-pack/plugins/security_solution/server/endpoint/schemas/artifacts/lists.ts
index d071896c537bf..cdb841a8d4c82 100644
--- a/x-pack/plugins/security_solution/server/endpoint/schemas/artifacts/lists.ts
+++ b/x-pack/plugins/security_solution/server/endpoint/schemas/artifacts/lists.ts
@@ -72,9 +72,9 @@ export const translatedExceptionList = t.exact(
 );
 export type TranslatedExceptionList = t.TypeOf<typeof translatedExceptionList>;
 
-export const wrappedExceptionList = t.exact(
+export const wrappedTranslatedExceptionList = t.exact(
   t.type({
-    exceptions_list: t.array(translatedEntry),
+    entries: t.array(translatedEntry),
   })
 );
-export type WrappedTranslatedExceptionList = t.TypeOf<typeof wrappedExceptionList>;
+export type WrappedTranslatedExceptionList = t.TypeOf<typeof wrappedTranslatedExceptionList>;
diff --git a/x-pack/plugins/security_solution/server/endpoint/schemas/artifacts/saved_objects.ts b/x-pack/plugins/security_solution/server/endpoint/schemas/artifacts/saved_objects.ts
index fe032586dda56..e4cd7f48a2901 100644
--- a/x-pack/plugins/security_solution/server/endpoint/schemas/artifacts/saved_objects.ts
+++ b/x-pack/plugins/security_solution/server/endpoint/schemas/artifacts/saved_objects.ts
@@ -19,10 +19,10 @@ export const internalArtifactSchema = t.exact(
     identifier,
     compressionAlgorithm,
     encryptionAlgorithm,
-    decompressedSha256: sha256,
-    decompressedSize: size,
-    compressedSha256: sha256,
-    compressedSize: size,
+    decodedSha256: sha256,
+    decodedSize: size,
+    encodedSha256: sha256,
+    encodedSize: size,
     created,
     body,
   })
diff --git a/x-pack/plugins/security_solution/server/endpoint/services/artifacts/artifact_client.ts b/x-pack/plugins/security_solution/server/endpoint/services/artifacts/artifact_client.ts
index 00ae802ba6f32..e899905602c8d 100644
--- a/x-pack/plugins/security_solution/server/endpoint/services/artifacts/artifact_client.ts
+++ b/x-pack/plugins/security_solution/server/endpoint/services/artifacts/artifact_client.ts
@@ -16,7 +16,7 @@ export class ArtifactClient {
   }
 
   public getArtifactId(artifact: InternalArtifactSchema) {
-    return `${artifact.identifier}-${artifact.compressedSha256}`;
+    return `${artifact.identifier}-${artifact.encodedSha256}`;
   }
 
   public async getArtifact(id: string): Promise<SavedObject<InternalArtifactSchema>> {
diff --git a/x-pack/plugins/security_solution/server/endpoint/services/artifacts/manifest_manager/manifest_manager.test.ts b/x-pack/plugins/security_solution/server/endpoint/services/artifacts/manifest_manager/manifest_manager.test.ts
index 900ad2c026956..e2f22a10c10e3 100644
--- a/x-pack/plugins/security_solution/server/endpoint/services/artifacts/manifest_manager/manifest_manager.test.ts
+++ b/x-pack/plugins/security_solution/server/endpoint/services/artifacts/manifest_manager/manifest_manager.test.ts
@@ -21,7 +21,7 @@ describe('manifest_manager', () => {
       expect(manifestWrapper!.diffs).toEqual([
         {
           id:
-            'endpoint-exceptionlist-linux-1.0.0-d34a1f6659bd86fc2023d7477aa2e5d2055c9c0fb0a0f10fae76bf8b94bebe49',
+            'endpoint-exceptionlist-linux-1.0.0-2a2ec06c957330deb42f41835d3029001432038106f823173fb9e7ea603decb5',
           type: 'add',
         },
       ]);
@@ -35,14 +35,14 @@ describe('manifest_manager', () => {
       expect(manifestWrapper!.diffs).toEqual([
         {
           id:
-            'endpoint-exceptionlist-linux-1.0.0-d34a1f6659bd86fc2023d7477aa2e5d2055c9c0fb0a0f10fae76bf8b94bebe49',
+            'endpoint-exceptionlist-linux-1.0.0-2a2ec06c957330deb42f41835d3029001432038106f823173fb9e7ea603decb5',
           type: 'add',
         },
       ]);
       const diff = manifestWrapper!.diffs[0];
       const entry = JSON.parse(cache.get(diff!.id)!);
       expect(entry).toEqual({
-        exceptions_list: [
+        entries: [
           {
             entries: [
               {
@@ -82,11 +82,11 @@ describe('manifest_manager', () => {
           [artifact.identifier]: {
             compression_algorithm: 'none',
             encryption_algorithm: 'none',
-            precompress_sha256: artifact.decompressedSha256,
-            postcompress_sha256: artifact.compressedSha256,
-            precompress_size: artifact.decompressedSize,
-            postcompress_size: artifact.compressedSize,
-            relative_url: `/api/endpoint/artifacts/download/${artifact.identifier}/${artifact.compressedSha256}`,
+            decoded_sha256: artifact.decodedSha256,
+            encoded_sha256: artifact.encodedSha256,
+            decoded_size: artifact.decodedSize,
+            encoded_size: artifact.encodedSize,
+            relative_url: `/api/endpoint/artifacts/download/${artifact.identifier}/${artifact.encodedSha256}`,
           },
         },
       });
diff --git a/x-pack/test/api_integration/apis/endpoint/artifacts/index.ts b/x-pack/test/api_integration/apis/endpoint/artifacts/index.ts
index 3193a4456ba37..0a801ed237885 100644
--- a/x-pack/test/api_integration/apis/endpoint/artifacts/index.ts
+++ b/x-pack/test/api_integration/apis/endpoint/artifacts/index.ts
@@ -71,7 +71,7 @@ export default function (providerContext: FtrProviderContext) {
     it('should download an artifact with correct hash', async () => {
       await supertestWithoutAuth
         .get(
-          '/api/endpoint/artifacts/download/endpoint-exceptionlist-linux-1.0.0/d162f0302cbf419038ade7ea978e0a7ade7aad317fedefe455ff38dfa28b7cff'
+          '/api/endpoint/artifacts/download/endpoint-exceptionlist-linux-1.0.0/f59266b06ffb1d7250edb9dbabd946e00e98afa950f955d8ea9d8ffef0eb142a'
         )
         .set('kbn-xsrf', 'xxx')
         .set('authorization', `ApiKey ${agentAccessAPIKey}`)
@@ -80,7 +80,7 @@ export default function (providerContext: FtrProviderContext) {
         .expect((response) => {
           const artifactJson = JSON.parse(response.text);
           expect(artifactJson).to.eql({
-            exceptions_list: [
+            entries: [
               {
                 field: 'actingProcess.file.signer',
                 operator: 'included',
@@ -113,7 +113,7 @@ export default function (providerContext: FtrProviderContext) {
     it('should download an artifact with correct hash from cache', async () => {
       await supertestWithoutAuth
         .get(
-          '/api/endpoint/artifacts/download/endpoint-exceptionlist-linux-1.0.0/d162f0302cbf419038ade7ea978e0a7ade7aad317fedefe455ff38dfa28b7cff'
+          '/api/endpoint/artifacts/download/endpoint-exceptionlist-linux-1.0.0/f59266b06ffb1d7250edb9dbabd946e00e98afa950f955d8ea9d8ffef0eb142a'
         )
         .set('kbn-xsrf', 'xxx')
         .set('authorization', `ApiKey ${agentAccessAPIKey}`)
@@ -125,7 +125,7 @@ export default function (providerContext: FtrProviderContext) {
         .then(async () => {
           await supertestWithoutAuth
             .get(
-              '/api/endpoint/artifacts/download/endpoint-exceptionlist-linux-1.0.0/d162f0302cbf419038ade7ea978e0a7ade7aad317fedefe455ff38dfa28b7cff'
+              '/api/endpoint/artifacts/download/endpoint-exceptionlist-linux-1.0.0/f59266b06ffb1d7250edb9dbabd946e00e98afa950f955d8ea9d8ffef0eb142a'
             )
             .set('kbn-xsrf', 'xxx')
             .set('authorization', `ApiKey ${agentAccessAPIKey}`)
@@ -134,7 +134,7 @@ export default function (providerContext: FtrProviderContext) {
             .expect((response) => {
               const artifactJson = JSON.parse(response.text);
               expect(artifactJson).to.eql({
-                exceptions_list: [
+                entries: [
                   {
                     field: 'actingProcess.file.signer',
                     operator: 'included',
diff --git a/x-pack/test/functional/es_archives/endpoint/artifacts/api_feature/data.json b/x-pack/test/functional/es_archives/endpoint/artifacts/api_feature/data.json
index abc7c463ec96d..565e1d619dda4 100644
--- a/x-pack/test/functional/es_archives/endpoint/artifacts/api_feature/data.json
+++ b/x-pack/test/functional/es_archives/endpoint/artifacts/api_feature/data.json
@@ -1,23 +1,23 @@
 {
   "type": "doc",
   "value": {
-    "id": "endpoint:user-artifact:endpoint-exceptionlist-linux-1.0.0-d162f0302cbf419038ade7ea978e0a7ade7aad317fedefe455ff38dfa28b7cff",
+    "id": "endpoint:user-artifact:v2:endpoint-exceptionlist-linux-1.0.0-f59266b06ffb1d7250edb9dbabd946e00e98afa950f955d8ea9d8ffef0eb142a",
     "index": ".kibana",
     "source": {
       "references": [
       ],
-      "endpoint:user-artifact": {
-        "body": "eyJleGNlcHRpb25zX2xpc3QiOlt7ImZpZWxkIjoiYWN0aW5nUHJvY2Vzcy5maWxlLnNpZ25lciIsIm9wZXJhdG9yIjoiaW5jbHVkZWQiLCJ0eXBlIjoiZXhhY3RfY2FzZWQiLCJ2YWx1ZSI6IkVsYXN0aWMsIE4uVi4ifSx7ImVudHJpZXMiOlt7ImZpZWxkIjoic2lnbmVyIiwib3BlcmF0b3IiOiJpbmNsdWRlZCIsInR5cGUiOiJleGFjdF9jYXNlZCIsInZhbHVlIjoiRXZpbCJ9LHsiZmllbGQiOiJ0cnVzdGVkIiwib3BlcmF0b3IiOiJpbmNsdWRlZCIsInR5cGUiOiJleGFjdF9jYXNlZCIsInZhbHVlIjoidHJ1ZSJ9XSwiZmllbGQiOiJmaWxlLnNpZ25hdHVyZSIsInR5cGUiOiJuZXN0ZWQifV19",
+      "endpoint:user-artifact:v2": {
+        "body": "eyJlbnRyaWVzIjpbeyJmaWVsZCI6ImFjdGluZ1Byb2Nlc3MuZmlsZS5zaWduZXIiLCJvcGVyYXRvciI6ImluY2x1ZGVkIiwidHlwZSI6ImV4YWN0X2Nhc2VkIiwidmFsdWUiOiJFbGFzdGljLCBOLlYuIn0seyJlbnRyaWVzIjpbeyJmaWVsZCI6InNpZ25lciIsIm9wZXJhdG9yIjoiaW5jbHVkZWQiLCJ0eXBlIjoiZXhhY3RfY2FzZWQiLCJ2YWx1ZSI6IkV2aWwifSx7ImZpZWxkIjoidHJ1c3RlZCIsIm9wZXJhdG9yIjoiaW5jbHVkZWQiLCJ0eXBlIjoiZXhhY3RfY2FzZWQiLCJ2YWx1ZSI6InRydWUifV0sImZpZWxkIjoiZmlsZS5zaWduYXR1cmUiLCJ0eXBlIjoibmVzdGVkIn1dfQ==",
         "created": 1593016187465,
         "compressionAlgorithm": "none",
         "encryptionAlgorithm": "none",
         "identifier": "endpoint-exceptionlist-linux-1.0.0",
-        "compressedSha256": "d162f0302cbf419038ade7ea978e0a7ade7aad317fedefe455ff38dfa28b7cff",
-        "compressedSize": 336,
-        "decompressedSha256": "d162f0302cbf419038ade7ea978e0a7ade7aad317fedefe455ff38dfa28b7cff",
-        "decompressedSize": 336
+        "encodedSha256": "f59266b06ffb1d7250edb9dbabd946e00e98afa950f955d8ea9d8ffef0eb142a",
+        "encodedSize": 328,
+        "decodedSha256": "f59266b06ffb1d7250edb9dbabd946e00e98afa950f955d8ea9d8ffef0eb142a",
+        "decodedSize": 328
       },
-      "type": "endpoint:user-artifact",
+      "type": "endpoint:user-artifact:v2",
       "updated_at": "2020-06-24T16:29:47.584Z"
     }
   }
@@ -26,20 +26,20 @@
 {
   "type": "doc",
   "value": {
-    "id": "endpoint:user-artifact-manifest:endpoint-manifest-1.0.0",
+    "id": "endpoint:user-artifact-manifest:v2:endpoint-manifest-1.0.0",
     "index": ".kibana",
     "source": {
       "references": [
       ],
-      "endpoint:user-artifact-manifest": {
+      "endpoint:user-artifact-manifest:v2": {
         "created": 1593183699663,
         "ids": [
-          "endpoint-exceptionlist-linux-1.0.0-a4e4586e895fcb46dd25a25358b446f9a425279452afa3ef9a98bca39c39122d",
-          "endpoint-exceptionlist-macos-1.0.0-a4e4586e895fcb46dd25a25358b446f9a425279452afa3ef9a98bca39c39122d",
-          "endpoint-exceptionlist-windows-1.0.0-a4e4586e895fcb46dd25a25358b446f9a425279452afa3ef9a98bca39c39122d"
+          "endpoint-exceptionlist-linux-1.0.0-f59266b06ffb1d7250edb9dbabd946e00e98afa950f955d8ea9d8ffef0eb142a",
+          "endpoint-exceptionlist-macos-1.0.0-d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
+          "endpoint-exceptionlist-windows-1.0.0-d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658"
         ]
       },
-      "type": "endpoint:user-artifact-manifest",
+      "type": "endpoint:user-artifact-manifest:v2",
       "updated_at": "2020-06-26T15:01:39.704Z"
     }
   }

From 339c887a0aadec3ba03c85fcaefbce036711779b Mon Sep 17 00:00:00 2001
From: Madison Caldwell <madison.caldwell@elastic.co>
Date: Tue, 7 Jul 2020 15:44:23 -0400
Subject: [PATCH 5/8] missed some refs

---
 .../endpoint/lib/artifacts/manifest.test.ts   | 54 +++++++++----------
 .../lib/artifacts/manifest_entry.test.ts      | 22 ++++----
 .../artifacts/download_exception_list.test.ts |  2 +-
 .../endpoint/schemas/artifacts/lists.mock.ts  |  2 +-
 .../schemas/artifacts/saved_objects.mock.ts   |  2 +-
 5 files changed, 41 insertions(+), 41 deletions(-)

diff --git a/x-pack/plugins/security_solution/server/endpoint/lib/artifacts/manifest.test.ts b/x-pack/plugins/security_solution/server/endpoint/lib/artifacts/manifest.test.ts
index 00a651c0b60fe..1a057b526edad 100644
--- a/x-pack/plugins/security_solution/server/endpoint/lib/artifacts/manifest.test.ts
+++ b/x-pack/plugins/security_solution/server/endpoint/lib/artifacts/manifest.test.ts
@@ -57,32 +57,32 @@ describe('manifest', () => {
           'endpoint-exceptionlist-linux-1.0.0': {
             compression_algorithm: 'none',
             encryption_algorithm: 'none',
-            decoded_sha256: '70d2e0ee5db0073b242df9af32e64447b932b73c3e66de3a922c61a4077b1a9c',
-            encoded_sha256: '70d2e0ee5db0073b242df9af32e64447b932b73c3e66de3a922c61a4077b1a9c',
-            decoded_size: 268,
-            encoded_size: 268,
+            decoded_sha256: '339af4b7d15db33dfb80268d3fa0b40f7fd1806becd691d8a757f425e782db7d',
+            encoded_sha256: '339af4b7d15db33dfb80268d3fa0b40f7fd1806becd691d8a757f425e782db7d',
+            decoded_size: 260,
+            encoded_size: 260,
             relative_url:
-              '/api/endpoint/artifacts/download/endpoint-exceptionlist-linux-1.0.0/70d2e0ee5db0073b242df9af32e64447b932b73c3e66de3a922c61a4077b1a9c',
+              '/api/endpoint/artifacts/download/endpoint-exceptionlist-linux-1.0.0/339af4b7d15db33dfb80268d3fa0b40f7fd1806becd691d8a757f425e782db7d',
           },
           'endpoint-exceptionlist-macos-1.0.0': {
             compression_algorithm: 'none',
             encryption_algorithm: 'none',
-            decoded_sha256: '70d2e0ee5db0073b242df9af32e64447b932b73c3e66de3a922c61a4077b1a9c',
-            encoded_sha256: '70d2e0ee5db0073b242df9af32e64447b932b73c3e66de3a922c61a4077b1a9c',
-            decoded_size: 268,
-            encoded_size: 268,
+            decoded_sha256: '339af4b7d15db33dfb80268d3fa0b40f7fd1806becd691d8a757f425e782db7d',
+            encoded_sha256: '339af4b7d15db33dfb80268d3fa0b40f7fd1806becd691d8a757f425e782db7d',
+            decoded_size: 260,
+            encoded_size: 260,
             relative_url:
-              '/api/endpoint/artifacts/download/endpoint-exceptionlist-macos-1.0.0/70d2e0ee5db0073b242df9af32e64447b932b73c3e66de3a922c61a4077b1a9c',
+              '/api/endpoint/artifacts/download/endpoint-exceptionlist-macos-1.0.0/339af4b7d15db33dfb80268d3fa0b40f7fd1806becd691d8a757f425e782db7d',
           },
           'endpoint-exceptionlist-windows-1.0.0': {
             compression_algorithm: 'none',
             encryption_algorithm: 'none',
-            decoded_sha256: '70d2e0ee5db0073b242df9af32e64447b932b73c3e66de3a922c61a4077b1a9c',
-            encoded_sha256: '70d2e0ee5db0073b242df9af32e64447b932b73c3e66de3a922c61a4077b1a9c',
-            decoded_size: 268,
-            encoded_size: 268,
+            decoded_sha256: '339af4b7d15db33dfb80268d3fa0b40f7fd1806becd691d8a757f425e782db7d',
+            encoded_sha256: '339af4b7d15db33dfb80268d3fa0b40f7fd1806becd691d8a757f425e782db7d',
+            decoded_size: 260,
+            encoded_size: 260,
             relative_url:
-              '/api/endpoint/artifacts/download/endpoint-exceptionlist-windows-1.0.0/70d2e0ee5db0073b242df9af32e64447b932b73c3e66de3a922c61a4077b1a9c',
+              '/api/endpoint/artifacts/download/endpoint-exceptionlist-windows-1.0.0/339af4b7d15db33dfb80268d3fa0b40f7fd1806becd691d8a757f425e782db7d',
           },
         },
         manifest_version: 'abcd',
@@ -94,9 +94,9 @@ describe('manifest', () => {
       expect(manifest1.toSavedObject()).toStrictEqual({
         created: now.getTime(),
         ids: [
-          'endpoint-exceptionlist-linux-1.0.0-70d2e0ee5db0073b242df9af32e64447b932b73c3e66de3a922c61a4077b1a9c',
-          'endpoint-exceptionlist-macos-1.0.0-70d2e0ee5db0073b242df9af32e64447b932b73c3e66de3a922c61a4077b1a9c',
-          'endpoint-exceptionlist-windows-1.0.0-70d2e0ee5db0073b242df9af32e64447b932b73c3e66de3a922c61a4077b1a9c',
+          'endpoint-exceptionlist-linux-1.0.0-339af4b7d15db33dfb80268d3fa0b40f7fd1806becd691d8a757f425e782db7d',
+          'endpoint-exceptionlist-macos-1.0.0-339af4b7d15db33dfb80268d3fa0b40f7fd1806becd691d8a757f425e782db7d',
+          'endpoint-exceptionlist-windows-1.0.0-339af4b7d15db33dfb80268d3fa0b40f7fd1806becd691d8a757f425e782db7d',
         ],
       });
     });
@@ -106,12 +106,12 @@ describe('manifest', () => {
       expect(diffs).toEqual([
         {
           id:
-            'endpoint-exceptionlist-linux-1.0.0-70d2e0ee5db0073b242df9af32e64447b932b73c3e66de3a922c61a4077b1a9c',
+            'endpoint-exceptionlist-linux-1.0.0-339af4b7d15db33dfb80268d3fa0b40f7fd1806becd691d8a757f425e782db7d',
           type: 'delete',
         },
         {
           id:
-            'endpoint-exceptionlist-linux-1.0.0-69328f83418f4957470640ed6cc605be6abb5fe80e0e388fd74f9764ad7ed5d1',
+            'endpoint-exceptionlist-linux-1.0.0-27cfe2fae5550d3e312ca430821a3fdd5228c486dddc4852baf694455f89fde1',
           type: 'add',
         },
       ]);
@@ -127,15 +127,15 @@ describe('manifest', () => {
       const entries = manifest1.getEntries();
       const keys = Object.keys(entries);
       expect(keys).toEqual([
-        'endpoint-exceptionlist-linux-1.0.0-70d2e0ee5db0073b242df9af32e64447b932b73c3e66de3a922c61a4077b1a9c',
-        'endpoint-exceptionlist-macos-1.0.0-70d2e0ee5db0073b242df9af32e64447b932b73c3e66de3a922c61a4077b1a9c',
-        'endpoint-exceptionlist-windows-1.0.0-70d2e0ee5db0073b242df9af32e64447b932b73c3e66de3a922c61a4077b1a9c',
+        'endpoint-exceptionlist-linux-1.0.0-339af4b7d15db33dfb80268d3fa0b40f7fd1806becd691d8a757f425e782db7d',
+        'endpoint-exceptionlist-macos-1.0.0-339af4b7d15db33dfb80268d3fa0b40f7fd1806becd691d8a757f425e782db7d',
+        'endpoint-exceptionlist-windows-1.0.0-339af4b7d15db33dfb80268d3fa0b40f7fd1806becd691d8a757f425e782db7d',
       ]);
     });
 
     test('Manifest returns true if contains artifact', async () => {
       const found = manifest1.contains(
-        'endpoint-exceptionlist-macos-1.0.0-70d2e0ee5db0073b242df9af32e64447b932b73c3e66de3a922c61a4077b1a9c'
+        'endpoint-exceptionlist-macos-1.0.0-339af4b7d15db33dfb80268d3fa0b40f7fd1806becd691d8a757f425e782db7d'
       );
       expect(found).toEqual(true);
     });
@@ -144,17 +144,17 @@ describe('manifest', () => {
       const manifest = Manifest.fromArtifacts(artifacts, '1.0.0', 'v0');
       expect(
         manifest.contains(
-          'endpoint-exceptionlist-linux-1.0.0-70d2e0ee5db0073b242df9af32e64447b932b73c3e66de3a922c61a4077b1a9c'
+          'endpoint-exceptionlist-linux-1.0.0-339af4b7d15db33dfb80268d3fa0b40f7fd1806becd691d8a757f425e782db7d'
         )
       ).toEqual(true);
       expect(
         manifest.contains(
-          'endpoint-exceptionlist-macos-1.0.0-70d2e0ee5db0073b242df9af32e64447b932b73c3e66de3a922c61a4077b1a9c'
+          'endpoint-exceptionlist-macos-1.0.0-339af4b7d15db33dfb80268d3fa0b40f7fd1806becd691d8a757f425e782db7d'
         )
       ).toEqual(true);
       expect(
         manifest.contains(
-          'endpoint-exceptionlist-windows-1.0.0-70d2e0ee5db0073b242df9af32e64447b932b73c3e66de3a922c61a4077b1a9c'
+          'endpoint-exceptionlist-windows-1.0.0-339af4b7d15db33dfb80268d3fa0b40f7fd1806becd691d8a757f425e782db7d'
         )
       ).toEqual(true);
     });
diff --git a/x-pack/plugins/security_solution/server/endpoint/lib/artifacts/manifest_entry.test.ts b/x-pack/plugins/security_solution/server/endpoint/lib/artifacts/manifest_entry.test.ts
index 41afd72efd366..881a384d4054d 100644
--- a/x-pack/plugins/security_solution/server/endpoint/lib/artifacts/manifest_entry.test.ts
+++ b/x-pack/plugins/security_solution/server/endpoint/lib/artifacts/manifest_entry.test.ts
@@ -24,7 +24,7 @@ describe('manifest_entry', () => {
 
     test('Correct doc_id is returned', () => {
       expect(manifestEntry.getDocId()).toEqual(
-        'endpoint-exceptionlist-windows-1.0.0-70d2e0ee5db0073b242df9af32e64447b932b73c3e66de3a922c61a4077b1a9c'
+        'endpoint-exceptionlist-windows-1.0.0-339af4b7d15db33dfb80268d3fa0b40f7fd1806becd691d8a757f425e782db7d'
       );
     });
 
@@ -34,21 +34,21 @@ describe('manifest_entry', () => {
 
     test('Correct sha256 is returned', () => {
       expect(manifestEntry.getEncodedSha256()).toEqual(
-        '70d2e0ee5db0073b242df9af32e64447b932b73c3e66de3a922c61a4077b1a9c'
+        '339af4b7d15db33dfb80268d3fa0b40f7fd1806becd691d8a757f425e782db7d'
       );
       expect(manifestEntry.getDecodedSha256()).toEqual(
-        '70d2e0ee5db0073b242df9af32e64447b932b73c3e66de3a922c61a4077b1a9c'
+        '339af4b7d15db33dfb80268d3fa0b40f7fd1806becd691d8a757f425e782db7d'
       );
     });
 
     test('Correct size is returned', () => {
-      expect(manifestEntry.getEncodedSize()).toEqual(268);
-      expect(manifestEntry.getDecodedSize()).toEqual(268);
+      expect(manifestEntry.getEncodedSize()).toEqual(260);
+      expect(manifestEntry.getDecodedSize()).toEqual(260);
     });
 
     test('Correct url is returned', () => {
       expect(manifestEntry.getUrl()).toEqual(
-        '/api/endpoint/artifacts/download/endpoint-exceptionlist-windows-1.0.0/70d2e0ee5db0073b242df9af32e64447b932b73c3e66de3a922c61a4077b1a9c'
+        '/api/endpoint/artifacts/download/endpoint-exceptionlist-windows-1.0.0/339af4b7d15db33dfb80268d3fa0b40f7fd1806becd691d8a757f425e782db7d'
       );
     });
 
@@ -60,12 +60,12 @@ describe('manifest_entry', () => {
       expect(manifestEntry.getRecord()).toEqual({
         compression_algorithm: 'none',
         encryption_algorithm: 'none',
-        decoded_sha256: '70d2e0ee5db0073b242df9af32e64447b932b73c3e66de3a922c61a4077b1a9c',
-        encoded_sha256: '70d2e0ee5db0073b242df9af32e64447b932b73c3e66de3a922c61a4077b1a9c',
-        decoded_size: 268,
-        encoded_size: 268,
+        decoded_sha256: '339af4b7d15db33dfb80268d3fa0b40f7fd1806becd691d8a757f425e782db7d',
+        encoded_sha256: '339af4b7d15db33dfb80268d3fa0b40f7fd1806becd691d8a757f425e782db7d',
+        decoded_size: 260,
+        encoded_size: 260,
         relative_url:
-          '/api/endpoint/artifacts/download/endpoint-exceptionlist-windows-1.0.0/70d2e0ee5db0073b242df9af32e64447b932b73c3e66de3a922c61a4077b1a9c',
+          '/api/endpoint/artifacts/download/endpoint-exceptionlist-windows-1.0.0/339af4b7d15db33dfb80268d3fa0b40f7fd1806becd691d8a757f425e782db7d',
       });
     });
   });
diff --git a/x-pack/plugins/security_solution/server/endpoint/routes/artifacts/download_exception_list.test.ts b/x-pack/plugins/security_solution/server/endpoint/routes/artifacts/download_exception_list.test.ts
index 863a1d5037756..4f87d25032804 100644
--- a/x-pack/plugins/security_solution/server/endpoint/routes/artifacts/download_exception_list.test.ts
+++ b/x-pack/plugins/security_solution/server/endpoint/routes/artifacts/download_exception_list.test.ts
@@ -31,7 +31,7 @@ import { WrappedTranslatedExceptionList } from '../../schemas/artifacts/lists';
 
 const mockArtifactName = `${ArtifactConstants.GLOBAL_ALLOWLIST_NAME}-windows-1.0.0`;
 const expectedEndpointExceptions: WrappedTranslatedExceptionList = {
-  exceptions_list: [
+  entries: [
     {
       entries: [
         {
diff --git a/x-pack/plugins/security_solution/server/endpoint/schemas/artifacts/lists.mock.ts b/x-pack/plugins/security_solution/server/endpoint/schemas/artifacts/lists.mock.ts
index 7354b5fd0ec4d..94a0b4b015572 100644
--- a/x-pack/plugins/security_solution/server/endpoint/schemas/artifacts/lists.mock.ts
+++ b/x-pack/plugins/security_solution/server/endpoint/schemas/artifacts/lists.mock.ts
@@ -8,7 +8,7 @@ import { WrappedTranslatedExceptionList } from './lists';
 
 export const getTranslatedExceptionListMock = (): WrappedTranslatedExceptionList => {
   return {
-    exceptions_list: [
+    entries: [
       {
         entries: [
           {
diff --git a/x-pack/plugins/security_solution/server/endpoint/schemas/artifacts/saved_objects.mock.ts b/x-pack/plugins/security_solution/server/endpoint/schemas/artifacts/saved_objects.mock.ts
index 1a9cc55ca5725..183a819807ed2 100644
--- a/x-pack/plugins/security_solution/server/endpoint/schemas/artifacts/saved_objects.mock.ts
+++ b/x-pack/plugins/security_solution/server/endpoint/schemas/artifacts/saved_objects.mock.ts
@@ -20,7 +20,7 @@ export const getInternalArtifactMockWithDiffs = async (
   schemaVersion: string
 ): Promise<InternalArtifactSchema> => {
   const mock = getTranslatedExceptionListMock();
-  mock.exceptions_list.pop();
+  mock.entries.pop();
   return buildArtifact(mock, os, schemaVersion);
 };
 

From aca7b8c2c930dad1542122deb0a4a8ab1be9c097 Mon Sep 17 00:00:00 2001
From: Madison Caldwell <madison.caldwell@elastic.co>
Date: Tue, 7 Jul 2020 17:46:08 -0400
Subject: [PATCH 6/8] partial fix to wrapper format

---
 .../endpoint/lib/artifacts/lists.test.ts      | 20 ++++++++---
 .../server/endpoint/lib/artifacts/lists.ts    | 34 ++++++++++++-------
 .../artifacts/download_exception_list.test.ts | 28 +++++++++++----
 .../endpoint/schemas/artifacts/lists.mock.ts  | 28 +++++++++++----
 .../endpoint/schemas/artifacts/lists.ts       |  6 ++--
 5 files changed, 85 insertions(+), 31 deletions(-)

diff --git a/x-pack/plugins/security_solution/server/endpoint/lib/artifacts/lists.test.ts b/x-pack/plugins/security_solution/server/endpoint/lib/artifacts/lists.test.ts
index 80d7bd5658363..63021a87bbab0 100644
--- a/x-pack/plugins/security_solution/server/endpoint/lib/artifacts/lists.test.ts
+++ b/x-pack/plugins/security_solution/server/endpoint/lib/artifacts/lists.test.ts
@@ -21,6 +21,7 @@ describe('buildEventTypeSignal', () => {
 
   test('it should convert the exception lists response to the proper endpoint format', async () => {
     const expectedEndpointExceptions = {
+      type: 'simple',
       entries: [
         {
           entries: [
@@ -46,7 +47,9 @@ describe('buildEventTypeSignal', () => {
     const first = getFoundExceptionListItemSchemaMock();
     mockExceptionClient.findExceptionListItem = jest.fn().mockReturnValueOnce(first);
     const resp = await getFullEndpointExceptionList(mockExceptionClient, 'linux', '1.0.0');
-    expect(resp).toEqual(expectedEndpointExceptions);
+    expect(resp).toEqual({
+      entries: [expectedEndpointExceptions],
+    });
   });
 
   test('it should convert simple fields', async () => {
@@ -57,6 +60,7 @@ describe('buildEventTypeSignal', () => {
     ];
 
     const expectedEndpointExceptions = {
+      type: 'simple',
       entries: [
         {
           field: 'server.domain',
@@ -84,7 +88,9 @@ describe('buildEventTypeSignal', () => {
     mockExceptionClient.findExceptionListItem = jest.fn().mockReturnValueOnce(first);
 
     const resp = await getFullEndpointExceptionList(mockExceptionClient, 'linux', '1.0.0');
-    expect(resp).toEqual(expectedEndpointExceptions);
+    expect(resp).toEqual({
+      entries: [expectedEndpointExceptions],
+    });
   });
 
   test('it should convert fields case sensitive', async () => {
@@ -100,6 +106,7 @@ describe('buildEventTypeSignal', () => {
     ];
 
     const expectedEndpointExceptions = {
+      type: 'simple',
       entries: [
         {
           field: 'server.domain',
@@ -127,7 +134,9 @@ describe('buildEventTypeSignal', () => {
     mockExceptionClient.findExceptionListItem = jest.fn().mockReturnValueOnce(first);
 
     const resp = await getFullEndpointExceptionList(mockExceptionClient, 'linux', '1.0.0');
-    expect(resp).toEqual(expectedEndpointExceptions);
+    expect(resp).toEqual({
+      entries: [expectedEndpointExceptions],
+    });
   });
 
   test('it should ignore unsupported entries', async () => {
@@ -147,6 +156,7 @@ describe('buildEventTypeSignal', () => {
     ];
 
     const expectedEndpointExceptions = {
+      type: 'simple',
       entries: [
         {
           field: 'server.domain',
@@ -162,7 +172,9 @@ describe('buildEventTypeSignal', () => {
     mockExceptionClient.findExceptionListItem = jest.fn().mockReturnValueOnce(first);
 
     const resp = await getFullEndpointExceptionList(mockExceptionClient, 'linux', '1.0.0');
-    expect(resp).toEqual(expectedEndpointExceptions);
+    expect(resp).toEqual({
+      entries: [expectedEndpointExceptions],
+    });
   });
 
   test('it should convert the exception lists response to the proper endpoint format while paging', async () => {
diff --git a/x-pack/plugins/security_solution/server/endpoint/lib/artifacts/lists.ts b/x-pack/plugins/security_solution/server/endpoint/lib/artifacts/lists.ts
index 53cda8f2d2299..a13781519b508 100644
--- a/x-pack/plugins/security_solution/server/endpoint/lib/artifacts/lists.ts
+++ b/x-pack/plugins/security_solution/server/endpoint/lib/artifacts/lists.ts
@@ -5,6 +5,7 @@
  */
 
 import { createHash } from 'crypto';
+import { ExceptionListItemSchema } from '../../../../../lists/common/schemas';
 import { validate } from '../../../../common/validate';
 
 import { Entry, EntryNested } from '../../../../../lists/common/schemas/types/entries';
@@ -21,6 +22,7 @@ import {
   TranslatedEntryMatcher,
   translatedEntryMatchMatcher,
   translatedEntryMatchAnyMatcher,
+  TranslatedExceptionListItem,
 } from '../../schemas';
 import { ArtifactConstants } from './common';
 
@@ -92,19 +94,11 @@ export async function getFullEndpointExceptionList(
 export function translateToEndpointExceptions(
   exc: FoundExceptionListItemSchema,
   schemaVersion: string
-): TranslatedEntry[] {
+): TranslatedExceptionListItem[] {
   if (schemaVersion === '1.0.0') {
-    return exc.data
-      .flatMap((list) => {
-        return list.entries;
-      })
-      .reduce((entries: TranslatedEntry[], entry) => {
-        const translatedEntry = translateEntry(schemaVersion, entry);
-        if (translatedEntry !== undefined && translatedEntryType.is(translatedEntry)) {
-          entries.push(translatedEntry);
-        }
-        return entries;
-      }, []);
+    return exc.data.map((item) => {
+      return translateItem(schemaVersion, item);
+    });
   } else {
     throw new Error('unsupported schemaVersion');
   }
@@ -124,6 +118,22 @@ function normalizeFieldName(field: string): string {
   return field.endsWith('.text') ? field.substring(0, field.length - 5) : field;
 }
 
+function translateItem(
+  schemaVersion: string,
+  item: ExceptionListItemSchema
+): TranslatedExceptionListItem {
+  return {
+    type: item.type,
+    entries: item.entries.reduce((translatedEntries: TranslatedEntry[], entry) => {
+      const translatedEntry = translateEntry(schemaVersion, entry);
+      if (translatedEntry !== undefined && translatedEntryType.is(translatedEntry)) {
+        translatedEntries.push(translatedEntry);
+      }
+      return translatedEntries;
+    }, []),
+  };
+}
+
 function translateEntry(
   schemaVersion: string,
   entry: Entry | EntryNested
diff --git a/x-pack/plugins/security_solution/server/endpoint/routes/artifacts/download_exception_list.test.ts b/x-pack/plugins/security_solution/server/endpoint/routes/artifacts/download_exception_list.test.ts
index 4f87d25032804..fbcd3bd130dfd 100644
--- a/x-pack/plugins/security_solution/server/endpoint/routes/artifacts/download_exception_list.test.ts
+++ b/x-pack/plugins/security_solution/server/endpoint/routes/artifacts/download_exception_list.test.ts
@@ -33,7 +33,20 @@ const mockArtifactName = `${ArtifactConstants.GLOBAL_ALLOWLIST_NAME}-windows-1.0
 const expectedEndpointExceptions: WrappedTranslatedExceptionList = {
   entries: [
     {
+      type: 'simple',
       entries: [
+        {
+          entries: [
+            {
+              field: 'some.not.nested.field',
+              operator: 'included',
+              type: 'exact_cased',
+              value: 'some value',
+            },
+          ],
+          field: 'some.field',
+          type: 'nested',
+        },
         {
           field: 'some.not.nested.field',
           operator: 'included',
@@ -41,14 +54,17 @@ const expectedEndpointExceptions: WrappedTranslatedExceptionList = {
           value: 'some value',
         },
       ],
-      field: 'some.field',
-      type: 'nested',
     },
     {
-      field: 'some.not.nested.field',
-      operator: 'included',
-      type: 'exact_cased',
-      value: 'some value',
+      type: 'simple',
+      entries: [
+        {
+          field: 'some.other.not.nested.field',
+          operator: 'included',
+          type: 'exact_cased',
+          value: 'some other value',
+        },
+      ],
     },
   ],
 };
diff --git a/x-pack/plugins/security_solution/server/endpoint/schemas/artifacts/lists.mock.ts b/x-pack/plugins/security_solution/server/endpoint/schemas/artifacts/lists.mock.ts
index 94a0b4b015572..343b192163479 100644
--- a/x-pack/plugins/security_solution/server/endpoint/schemas/artifacts/lists.mock.ts
+++ b/x-pack/plugins/security_solution/server/endpoint/schemas/artifacts/lists.mock.ts
@@ -10,7 +10,20 @@ export const getTranslatedExceptionListMock = (): WrappedTranslatedExceptionList
   return {
     entries: [
       {
+        type: 'simple',
         entries: [
+          {
+            entries: [
+              {
+                field: 'some.not.nested.field',
+                operator: 'included',
+                type: 'exact_cased',
+                value: 'some value',
+              },
+            ],
+            field: 'some.field',
+            type: 'nested',
+          },
           {
             field: 'some.not.nested.field',
             operator: 'included',
@@ -18,14 +31,17 @@ export const getTranslatedExceptionListMock = (): WrappedTranslatedExceptionList
             value: 'some value',
           },
         ],
-        field: 'some.field',
-        type: 'nested',
       },
       {
-        field: 'some.not.nested.field',
-        operator: 'included',
-        type: 'exact_cased',
-        value: 'some value',
+        type: 'simple',
+        entries: [
+          {
+            field: 'some.other.not.nested.field',
+            operator: 'included',
+            type: 'exact_cased',
+            value: 'some other value',
+          },
+        ],
       },
     ],
   };
diff --git a/x-pack/plugins/security_solution/server/endpoint/schemas/artifacts/lists.ts b/x-pack/plugins/security_solution/server/endpoint/schemas/artifacts/lists.ts
index cdb841a8d4c82..b7f99fe6fe297 100644
--- a/x-pack/plugins/security_solution/server/endpoint/schemas/artifacts/lists.ts
+++ b/x-pack/plugins/security_solution/server/endpoint/schemas/artifacts/lists.ts
@@ -64,17 +64,17 @@ export const translatedEntry = t.union([
 ]);
 export type TranslatedEntry = t.TypeOf<typeof translatedEntry>;
 
-export const translatedExceptionList = t.exact(
+export const translatedExceptionListItem = t.exact(
   t.type({
     type: t.string,
     entries: t.array(translatedEntry),
   })
 );
-export type TranslatedExceptionList = t.TypeOf<typeof translatedExceptionList>;
+export type TranslatedExceptionListItem = t.TypeOf<typeof translatedExceptionListItem>;
 
 export const wrappedTranslatedExceptionList = t.exact(
   t.type({
-    entries: t.array(translatedEntry),
+    entries: t.array(translatedExceptionListItem),
   })
 );
 export type WrappedTranslatedExceptionList = t.TypeOf<typeof wrappedTranslatedExceptionList>;

From 04d57012779489da0726065c5fcbe4f3a2559cc0 Mon Sep 17 00:00:00 2001
From: Madison Caldwell <madison.caldwell@elastic.co>
Date: Tue, 7 Jul 2020 17:59:55 -0400
Subject: [PATCH 7/8] update fixtures and integration test

---
 .../apis/endpoint/artifacts/index.ts          | 72 +++++++++++--------
 .../endpoint/artifacts/api_feature/data.json  | 14 ++--
 2 files changed, 48 insertions(+), 38 deletions(-)

diff --git a/x-pack/test/api_integration/apis/endpoint/artifacts/index.ts b/x-pack/test/api_integration/apis/endpoint/artifacts/index.ts
index 0a801ed237885..1f1c6f27b636a 100644
--- a/x-pack/test/api_integration/apis/endpoint/artifacts/index.ts
+++ b/x-pack/test/api_integration/apis/endpoint/artifacts/index.ts
@@ -71,7 +71,7 @@ export default function (providerContext: FtrProviderContext) {
     it('should download an artifact with correct hash', async () => {
       await supertestWithoutAuth
         .get(
-          '/api/endpoint/artifacts/download/endpoint-exceptionlist-linux-1.0.0/f59266b06ffb1d7250edb9dbabd946e00e98afa950f955d8ea9d8ffef0eb142a'
+          '/api/endpoint/artifacts/download/endpoint-exceptionlist-linux-1.0.0/d2a9c760005b08d43394e59a8701ae75c80881934ccf15a006944452b80f7f9f'
         )
         .set('kbn-xsrf', 'xxx')
         .set('authorization', `ApiKey ${agentAccessAPIKey}`)
@@ -82,28 +82,33 @@ export default function (providerContext: FtrProviderContext) {
           expect(artifactJson).to.eql({
             entries: [
               {
-                field: 'actingProcess.file.signer',
-                operator: 'included',
-                type: 'exact_cased',
-                value: 'Elastic, N.V.',
-              },
-              {
+                type: 'simple',
                 entries: [
                   {
-                    field: 'signer',
+                    field: 'actingProcess.file.signer',
                     operator: 'included',
                     type: 'exact_cased',
-                    value: 'Evil',
+                    value: 'Elastic, N.V.',
                   },
                   {
-                    field: 'trusted',
-                    operator: 'included',
-                    type: 'exact_cased',
-                    value: 'true',
+                    entries: [
+                      {
+                        field: 'signer',
+                        operator: 'included',
+                        type: 'exact_cased',
+                        value: 'Evil',
+                      },
+                      {
+                        field: 'trusted',
+                        operator: 'included',
+                        type: 'exact_cased',
+                        value: 'true',
+                      },
+                    ],
+                    field: 'file.signature',
+                    type: 'nested',
                   },
                 ],
-                field: 'file.signature',
-                type: 'nested',
               },
             ],
           });
@@ -113,7 +118,7 @@ export default function (providerContext: FtrProviderContext) {
     it('should download an artifact with correct hash from cache', async () => {
       await supertestWithoutAuth
         .get(
-          '/api/endpoint/artifacts/download/endpoint-exceptionlist-linux-1.0.0/f59266b06ffb1d7250edb9dbabd946e00e98afa950f955d8ea9d8ffef0eb142a'
+          '/api/endpoint/artifacts/download/endpoint-exceptionlist-linux-1.0.0/d2a9c760005b08d43394e59a8701ae75c80881934ccf15a006944452b80f7f9f'
         )
         .set('kbn-xsrf', 'xxx')
         .set('authorization', `ApiKey ${agentAccessAPIKey}`)
@@ -125,7 +130,7 @@ export default function (providerContext: FtrProviderContext) {
         .then(async () => {
           await supertestWithoutAuth
             .get(
-              '/api/endpoint/artifacts/download/endpoint-exceptionlist-linux-1.0.0/f59266b06ffb1d7250edb9dbabd946e00e98afa950f955d8ea9d8ffef0eb142a'
+              '/api/endpoint/artifacts/download/endpoint-exceptionlist-linux-1.0.0/d2a9c760005b08d43394e59a8701ae75c80881934ccf15a006944452b80f7f9f'
             )
             .set('kbn-xsrf', 'xxx')
             .set('authorization', `ApiKey ${agentAccessAPIKey}`)
@@ -136,28 +141,33 @@ export default function (providerContext: FtrProviderContext) {
               expect(artifactJson).to.eql({
                 entries: [
                   {
-                    field: 'actingProcess.file.signer',
-                    operator: 'included',
-                    type: 'exact_cased',
-                    value: 'Elastic, N.V.',
-                  },
-                  {
+                    type: 'simple',
                     entries: [
                       {
-                        field: 'signer',
+                        field: 'actingProcess.file.signer',
                         operator: 'included',
                         type: 'exact_cased',
-                        value: 'Evil',
+                        value: 'Elastic, N.V.',
                       },
                       {
-                        field: 'trusted',
-                        operator: 'included',
-                        type: 'exact_cased',
-                        value: 'true',
+                        entries: [
+                          {
+                            field: 'signer',
+                            operator: 'included',
+                            type: 'exact_cased',
+                            value: 'Evil',
+                          },
+                          {
+                            field: 'trusted',
+                            operator: 'included',
+                            type: 'exact_cased',
+                            value: 'true',
+                          },
+                        ],
+                        field: 'file.signature',
+                        type: 'nested',
                       },
                     ],
-                    field: 'file.signature',
-                    type: 'nested',
                   },
                 ],
               });
diff --git a/x-pack/test/functional/es_archives/endpoint/artifacts/api_feature/data.json b/x-pack/test/functional/es_archives/endpoint/artifacts/api_feature/data.json
index 565e1d619dda4..3433070c08009 100644
--- a/x-pack/test/functional/es_archives/endpoint/artifacts/api_feature/data.json
+++ b/x-pack/test/functional/es_archives/endpoint/artifacts/api_feature/data.json
@@ -1,21 +1,21 @@
 {
   "type": "doc",
   "value": {
-    "id": "endpoint:user-artifact:v2:endpoint-exceptionlist-linux-1.0.0-f59266b06ffb1d7250edb9dbabd946e00e98afa950f955d8ea9d8ffef0eb142a",
+    "id": "endpoint:user-artifact:v2:endpoint-exceptionlist-linux-1.0.0-d2a9c760005b08d43394e59a8701ae75c80881934ccf15a006944452b80f7f9f",
     "index": ".kibana",
     "source": {
       "references": [
       ],
       "endpoint:user-artifact:v2": {
-        "body": "eyJlbnRyaWVzIjpbeyJmaWVsZCI6ImFjdGluZ1Byb2Nlc3MuZmlsZS5zaWduZXIiLCJvcGVyYXRvciI6ImluY2x1ZGVkIiwidHlwZSI6ImV4YWN0X2Nhc2VkIiwidmFsdWUiOiJFbGFzdGljLCBOLlYuIn0seyJlbnRyaWVzIjpbeyJmaWVsZCI6InNpZ25lciIsIm9wZXJhdG9yIjoiaW5jbHVkZWQiLCJ0eXBlIjoiZXhhY3RfY2FzZWQiLCJ2YWx1ZSI6IkV2aWwifSx7ImZpZWxkIjoidHJ1c3RlZCIsIm9wZXJhdG9yIjoiaW5jbHVkZWQiLCJ0eXBlIjoiZXhhY3RfY2FzZWQiLCJ2YWx1ZSI6InRydWUifV0sImZpZWxkIjoiZmlsZS5zaWduYXR1cmUiLCJ0eXBlIjoibmVzdGVkIn1dfQ==",
+        "body": "eyJlbnRyaWVzIjpbeyJ0eXBlIjoic2ltcGxlIiwiZW50cmllcyI6W3siZmllbGQiOiJhY3RpbmdQcm9jZXNzLmZpbGUuc2lnbmVyIiwib3BlcmF0b3IiOiJpbmNsdWRlZCIsInR5cGUiOiJleGFjdF9jYXNlZCIsInZhbHVlIjoiRWxhc3RpYywgTi5WLiJ9LHsiZW50cmllcyI6W3siZmllbGQiOiJzaWduZXIiLCJvcGVyYXRvciI6ImluY2x1ZGVkIiwidHlwZSI6ImV4YWN0X2Nhc2VkIiwidmFsdWUiOiJFdmlsIn0seyJmaWVsZCI6InRydXN0ZWQiLCJvcGVyYXRvciI6ImluY2x1ZGVkIiwidHlwZSI6ImV4YWN0X2Nhc2VkIiwidmFsdWUiOiJ0cnVlIn1dLCJmaWVsZCI6ImZpbGUuc2lnbmF0dXJlIiwidHlwZSI6Im5lc3RlZCJ9XX1dfQ==",
         "created": 1593016187465,
         "compressionAlgorithm": "none",
         "encryptionAlgorithm": "none",
         "identifier": "endpoint-exceptionlist-linux-1.0.0",
-        "encodedSha256": "f59266b06ffb1d7250edb9dbabd946e00e98afa950f955d8ea9d8ffef0eb142a",
-        "encodedSize": 328,
-        "decodedSha256": "f59266b06ffb1d7250edb9dbabd946e00e98afa950f955d8ea9d8ffef0eb142a",
-        "decodedSize": 328
+        "encodedSha256": "d2a9c760005b08d43394e59a8701ae75c80881934ccf15a006944452b80f7f9f",
+        "encodedSize": 358,
+        "decodedSha256": "d2a9c760005b08d43394e59a8701ae75c80881934ccf15a006944452b80f7f9f",
+        "decodedSize": 358
       },
       "type": "endpoint:user-artifact:v2",
       "updated_at": "2020-06-24T16:29:47.584Z"
@@ -34,7 +34,7 @@
       "endpoint:user-artifact-manifest:v2": {
         "created": 1593183699663,
         "ids": [
-          "endpoint-exceptionlist-linux-1.0.0-f59266b06ffb1d7250edb9dbabd946e00e98afa950f955d8ea9d8ffef0eb142a",
+          "endpoint-exceptionlist-linux-1.0.0-d2a9c760005b08d43394e59a8701ae75c80881934ccf15a006944452b80f7f9f",
           "endpoint-exceptionlist-macos-1.0.0-d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
           "endpoint-exceptionlist-windows-1.0.0-d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658"
         ]

From ed87ad2d5ae4781b2d419d3d77792e2ece36bace Mon Sep 17 00:00:00 2001
From: Alex Kahan <alexander.kahan@elastic.co>
Date: Tue, 7 Jul 2020 18:05:13 -0400
Subject: [PATCH 8/8] Fixing unit tests

---
 .../endpoint/lib/artifacts/lists.test.ts      |  2 +-
 .../endpoint/lib/artifacts/manifest.test.ts   | 54 +++++++++----------
 .../lib/artifacts/manifest_entry.test.ts      | 22 ++++----
 .../manifest_manager/manifest_manager.test.ts | 27 ++++++----
 4 files changed, 55 insertions(+), 50 deletions(-)

diff --git a/x-pack/plugins/security_solution/server/endpoint/lib/artifacts/lists.test.ts b/x-pack/plugins/security_solution/server/endpoint/lib/artifacts/lists.test.ts
index 63021a87bbab0..0a1cd556e6e91 100644
--- a/x-pack/plugins/security_solution/server/endpoint/lib/artifacts/lists.test.ts
+++ b/x-pack/plugins/security_solution/server/endpoint/lib/artifacts/lists.test.ts
@@ -194,7 +194,7 @@ describe('buildEventTypeSignal', () => {
       .mockReturnValueOnce(second)
       .mockReturnValueOnce(third);
     const resp = await getFullEndpointExceptionList(mockExceptionClient, 'linux', '1.0.0');
-    expect(resp.entries.length).toEqual(6);
+    expect(resp.entries.length).toEqual(3);
   });
 
   test('it should handle no exceptions', async () => {
diff --git a/x-pack/plugins/security_solution/server/endpoint/lib/artifacts/manifest.test.ts b/x-pack/plugins/security_solution/server/endpoint/lib/artifacts/manifest.test.ts
index 1a057b526edad..3e5fdbf9484ca 100644
--- a/x-pack/plugins/security_solution/server/endpoint/lib/artifacts/manifest.test.ts
+++ b/x-pack/plugins/security_solution/server/endpoint/lib/artifacts/manifest.test.ts
@@ -57,32 +57,32 @@ describe('manifest', () => {
           'endpoint-exceptionlist-linux-1.0.0': {
             compression_algorithm: 'none',
             encryption_algorithm: 'none',
-            decoded_sha256: '339af4b7d15db33dfb80268d3fa0b40f7fd1806becd691d8a757f425e782db7d',
-            encoded_sha256: '339af4b7d15db33dfb80268d3fa0b40f7fd1806becd691d8a757f425e782db7d',
-            decoded_size: 260,
-            encoded_size: 260,
+            decoded_sha256: '5f16e5e338c53e77cfa945c17c11b175c3967bf109aa87131de41fb93b149735',
+            encoded_sha256: '5f16e5e338c53e77cfa945c17c11b175c3967bf109aa87131de41fb93b149735',
+            decoded_size: 430,
+            encoded_size: 430,
             relative_url:
-              '/api/endpoint/artifacts/download/endpoint-exceptionlist-linux-1.0.0/339af4b7d15db33dfb80268d3fa0b40f7fd1806becd691d8a757f425e782db7d',
+              '/api/endpoint/artifacts/download/endpoint-exceptionlist-linux-1.0.0/5f16e5e338c53e77cfa945c17c11b175c3967bf109aa87131de41fb93b149735',
           },
           'endpoint-exceptionlist-macos-1.0.0': {
             compression_algorithm: 'none',
             encryption_algorithm: 'none',
-            decoded_sha256: '339af4b7d15db33dfb80268d3fa0b40f7fd1806becd691d8a757f425e782db7d',
-            encoded_sha256: '339af4b7d15db33dfb80268d3fa0b40f7fd1806becd691d8a757f425e782db7d',
-            decoded_size: 260,
-            encoded_size: 260,
+            decoded_sha256: '5f16e5e338c53e77cfa945c17c11b175c3967bf109aa87131de41fb93b149735',
+            encoded_sha256: '5f16e5e338c53e77cfa945c17c11b175c3967bf109aa87131de41fb93b149735',
+            decoded_size: 430,
+            encoded_size: 430,
             relative_url:
-              '/api/endpoint/artifacts/download/endpoint-exceptionlist-macos-1.0.0/339af4b7d15db33dfb80268d3fa0b40f7fd1806becd691d8a757f425e782db7d',
+              '/api/endpoint/artifacts/download/endpoint-exceptionlist-macos-1.0.0/5f16e5e338c53e77cfa945c17c11b175c3967bf109aa87131de41fb93b149735',
           },
           'endpoint-exceptionlist-windows-1.0.0': {
             compression_algorithm: 'none',
             encryption_algorithm: 'none',
-            decoded_sha256: '339af4b7d15db33dfb80268d3fa0b40f7fd1806becd691d8a757f425e782db7d',
-            encoded_sha256: '339af4b7d15db33dfb80268d3fa0b40f7fd1806becd691d8a757f425e782db7d',
-            decoded_size: 260,
-            encoded_size: 260,
+            decoded_sha256: '5f16e5e338c53e77cfa945c17c11b175c3967bf109aa87131de41fb93b149735',
+            encoded_sha256: '5f16e5e338c53e77cfa945c17c11b175c3967bf109aa87131de41fb93b149735',
+            decoded_size: 430,
+            encoded_size: 430,
             relative_url:
-              '/api/endpoint/artifacts/download/endpoint-exceptionlist-windows-1.0.0/339af4b7d15db33dfb80268d3fa0b40f7fd1806becd691d8a757f425e782db7d',
+              '/api/endpoint/artifacts/download/endpoint-exceptionlist-windows-1.0.0/5f16e5e338c53e77cfa945c17c11b175c3967bf109aa87131de41fb93b149735',
           },
         },
         manifest_version: 'abcd',
@@ -94,9 +94,9 @@ describe('manifest', () => {
       expect(manifest1.toSavedObject()).toStrictEqual({
         created: now.getTime(),
         ids: [
-          'endpoint-exceptionlist-linux-1.0.0-339af4b7d15db33dfb80268d3fa0b40f7fd1806becd691d8a757f425e782db7d',
-          'endpoint-exceptionlist-macos-1.0.0-339af4b7d15db33dfb80268d3fa0b40f7fd1806becd691d8a757f425e782db7d',
-          'endpoint-exceptionlist-windows-1.0.0-339af4b7d15db33dfb80268d3fa0b40f7fd1806becd691d8a757f425e782db7d',
+          'endpoint-exceptionlist-linux-1.0.0-5f16e5e338c53e77cfa945c17c11b175c3967bf109aa87131de41fb93b149735',
+          'endpoint-exceptionlist-macos-1.0.0-5f16e5e338c53e77cfa945c17c11b175c3967bf109aa87131de41fb93b149735',
+          'endpoint-exceptionlist-windows-1.0.0-5f16e5e338c53e77cfa945c17c11b175c3967bf109aa87131de41fb93b149735',
         ],
       });
     });
@@ -106,12 +106,12 @@ describe('manifest', () => {
       expect(diffs).toEqual([
         {
           id:
-            'endpoint-exceptionlist-linux-1.0.0-339af4b7d15db33dfb80268d3fa0b40f7fd1806becd691d8a757f425e782db7d',
+            'endpoint-exceptionlist-linux-1.0.0-5f16e5e338c53e77cfa945c17c11b175c3967bf109aa87131de41fb93b149735',
           type: 'delete',
         },
         {
           id:
-            'endpoint-exceptionlist-linux-1.0.0-27cfe2fae5550d3e312ca430821a3fdd5228c486dddc4852baf694455f89fde1',
+            'endpoint-exceptionlist-linux-1.0.0-3d3546e94f70493021ee845be32c66e36ea7a720c64b4d608d8029fe949f7e51',
           type: 'add',
         },
       ]);
@@ -127,15 +127,15 @@ describe('manifest', () => {
       const entries = manifest1.getEntries();
       const keys = Object.keys(entries);
       expect(keys).toEqual([
-        'endpoint-exceptionlist-linux-1.0.0-339af4b7d15db33dfb80268d3fa0b40f7fd1806becd691d8a757f425e782db7d',
-        'endpoint-exceptionlist-macos-1.0.0-339af4b7d15db33dfb80268d3fa0b40f7fd1806becd691d8a757f425e782db7d',
-        'endpoint-exceptionlist-windows-1.0.0-339af4b7d15db33dfb80268d3fa0b40f7fd1806becd691d8a757f425e782db7d',
+        'endpoint-exceptionlist-linux-1.0.0-5f16e5e338c53e77cfa945c17c11b175c3967bf109aa87131de41fb93b149735',
+        'endpoint-exceptionlist-macos-1.0.0-5f16e5e338c53e77cfa945c17c11b175c3967bf109aa87131de41fb93b149735',
+        'endpoint-exceptionlist-windows-1.0.0-5f16e5e338c53e77cfa945c17c11b175c3967bf109aa87131de41fb93b149735',
       ]);
     });
 
     test('Manifest returns true if contains artifact', async () => {
       const found = manifest1.contains(
-        'endpoint-exceptionlist-macos-1.0.0-339af4b7d15db33dfb80268d3fa0b40f7fd1806becd691d8a757f425e782db7d'
+        'endpoint-exceptionlist-macos-1.0.0-5f16e5e338c53e77cfa945c17c11b175c3967bf109aa87131de41fb93b149735'
       );
       expect(found).toEqual(true);
     });
@@ -144,17 +144,17 @@ describe('manifest', () => {
       const manifest = Manifest.fromArtifacts(artifacts, '1.0.0', 'v0');
       expect(
         manifest.contains(
-          'endpoint-exceptionlist-linux-1.0.0-339af4b7d15db33dfb80268d3fa0b40f7fd1806becd691d8a757f425e782db7d'
+          'endpoint-exceptionlist-linux-1.0.0-5f16e5e338c53e77cfa945c17c11b175c3967bf109aa87131de41fb93b149735'
         )
       ).toEqual(true);
       expect(
         manifest.contains(
-          'endpoint-exceptionlist-macos-1.0.0-339af4b7d15db33dfb80268d3fa0b40f7fd1806becd691d8a757f425e782db7d'
+          'endpoint-exceptionlist-macos-1.0.0-5f16e5e338c53e77cfa945c17c11b175c3967bf109aa87131de41fb93b149735'
         )
       ).toEqual(true);
       expect(
         manifest.contains(
-          'endpoint-exceptionlist-windows-1.0.0-339af4b7d15db33dfb80268d3fa0b40f7fd1806becd691d8a757f425e782db7d'
+          'endpoint-exceptionlist-windows-1.0.0-5f16e5e338c53e77cfa945c17c11b175c3967bf109aa87131de41fb93b149735'
         )
       ).toEqual(true);
     });
diff --git a/x-pack/plugins/security_solution/server/endpoint/lib/artifacts/manifest_entry.test.ts b/x-pack/plugins/security_solution/server/endpoint/lib/artifacts/manifest_entry.test.ts
index 881a384d4054d..a52114ad90258 100644
--- a/x-pack/plugins/security_solution/server/endpoint/lib/artifacts/manifest_entry.test.ts
+++ b/x-pack/plugins/security_solution/server/endpoint/lib/artifacts/manifest_entry.test.ts
@@ -24,7 +24,7 @@ describe('manifest_entry', () => {
 
     test('Correct doc_id is returned', () => {
       expect(manifestEntry.getDocId()).toEqual(
-        'endpoint-exceptionlist-windows-1.0.0-339af4b7d15db33dfb80268d3fa0b40f7fd1806becd691d8a757f425e782db7d'
+        'endpoint-exceptionlist-windows-1.0.0-5f16e5e338c53e77cfa945c17c11b175c3967bf109aa87131de41fb93b149735'
       );
     });
 
@@ -34,21 +34,21 @@ describe('manifest_entry', () => {
 
     test('Correct sha256 is returned', () => {
       expect(manifestEntry.getEncodedSha256()).toEqual(
-        '339af4b7d15db33dfb80268d3fa0b40f7fd1806becd691d8a757f425e782db7d'
+        '5f16e5e338c53e77cfa945c17c11b175c3967bf109aa87131de41fb93b149735'
       );
       expect(manifestEntry.getDecodedSha256()).toEqual(
-        '339af4b7d15db33dfb80268d3fa0b40f7fd1806becd691d8a757f425e782db7d'
+        '5f16e5e338c53e77cfa945c17c11b175c3967bf109aa87131de41fb93b149735'
       );
     });
 
     test('Correct size is returned', () => {
-      expect(manifestEntry.getEncodedSize()).toEqual(260);
-      expect(manifestEntry.getDecodedSize()).toEqual(260);
+      expect(manifestEntry.getEncodedSize()).toEqual(430);
+      expect(manifestEntry.getDecodedSize()).toEqual(430);
     });
 
     test('Correct url is returned', () => {
       expect(manifestEntry.getUrl()).toEqual(
-        '/api/endpoint/artifacts/download/endpoint-exceptionlist-windows-1.0.0/339af4b7d15db33dfb80268d3fa0b40f7fd1806becd691d8a757f425e782db7d'
+        '/api/endpoint/artifacts/download/endpoint-exceptionlist-windows-1.0.0/5f16e5e338c53e77cfa945c17c11b175c3967bf109aa87131de41fb93b149735'
       );
     });
 
@@ -60,12 +60,12 @@ describe('manifest_entry', () => {
       expect(manifestEntry.getRecord()).toEqual({
         compression_algorithm: 'none',
         encryption_algorithm: 'none',
-        decoded_sha256: '339af4b7d15db33dfb80268d3fa0b40f7fd1806becd691d8a757f425e782db7d',
-        encoded_sha256: '339af4b7d15db33dfb80268d3fa0b40f7fd1806becd691d8a757f425e782db7d',
-        decoded_size: 260,
-        encoded_size: 260,
+        decoded_sha256: '5f16e5e338c53e77cfa945c17c11b175c3967bf109aa87131de41fb93b149735',
+        encoded_sha256: '5f16e5e338c53e77cfa945c17c11b175c3967bf109aa87131de41fb93b149735',
+        decoded_size: 430,
+        encoded_size: 430,
         relative_url:
-          '/api/endpoint/artifacts/download/endpoint-exceptionlist-windows-1.0.0/339af4b7d15db33dfb80268d3fa0b40f7fd1806becd691d8a757f425e782db7d',
+          '/api/endpoint/artifacts/download/endpoint-exceptionlist-windows-1.0.0/5f16e5e338c53e77cfa945c17c11b175c3967bf109aa87131de41fb93b149735',
       });
     });
   });
diff --git a/x-pack/plugins/security_solution/server/endpoint/services/artifacts/manifest_manager/manifest_manager.test.ts b/x-pack/plugins/security_solution/server/endpoint/services/artifacts/manifest_manager/manifest_manager.test.ts
index e2f22a10c10e3..1d6dffadde61a 100644
--- a/x-pack/plugins/security_solution/server/endpoint/services/artifacts/manifest_manager/manifest_manager.test.ts
+++ b/x-pack/plugins/security_solution/server/endpoint/services/artifacts/manifest_manager/manifest_manager.test.ts
@@ -21,7 +21,7 @@ describe('manifest_manager', () => {
       expect(manifestWrapper!.diffs).toEqual([
         {
           id:
-            'endpoint-exceptionlist-linux-1.0.0-2a2ec06c957330deb42f41835d3029001432038106f823173fb9e7ea603decb5',
+            'endpoint-exceptionlist-linux-1.0.0-1a8295e6ccb93022c6f5ceb8997b29f2912389b3b38f52a8f5a2ff7b0154b1bc',
           type: 'add',
         },
       ]);
@@ -35,7 +35,7 @@ describe('manifest_manager', () => {
       expect(manifestWrapper!.diffs).toEqual([
         {
           id:
-            'endpoint-exceptionlist-linux-1.0.0-2a2ec06c957330deb42f41835d3029001432038106f823173fb9e7ea603decb5',
+            'endpoint-exceptionlist-linux-1.0.0-1a8295e6ccb93022c6f5ceb8997b29f2912389b3b38f52a8f5a2ff7b0154b1bc',
           type: 'add',
         },
       ]);
@@ -44,22 +44,27 @@ describe('manifest_manager', () => {
       expect(entry).toEqual({
         entries: [
           {
+            type: 'simple',
             entries: [
               {
-                field: 'nested.field',
+                entries: [
+                  {
+                    field: 'nested.field',
+                    operator: 'included',
+                    type: 'exact_cased',
+                    value: 'some value',
+                  },
+                ],
+                field: 'some.parentField',
+                type: 'nested',
+              },
+              {
+                field: 'some.not.nested.field',
                 operator: 'included',
                 type: 'exact_cased',
                 value: 'some value',
               },
             ],
-            field: 'some.parentField',
-            type: 'nested',
-          },
-          {
-            field: 'some.not.nested.field',
-            operator: 'included',
-            type: 'exact_cased',
-            value: 'some value',
           },
         ],
       });