elastic · szwarckonrad · Aug 8, 2025 · Jul 22, 2025 · Jul 22, 2025 · Jul 22, 2025
@@ -61345,6 +61345,7 @@ components:
         - rule_default
         - endpoint
         - endpoint_trusted_apps
+        - endpoint_trusted_devices
         - endpoint_events
         - endpoint_host_isolation_exceptions
         - endpoint_blocklists
@@ -63277,7 +63278,6 @@ components:
         - `query` (object, optional): Object containing a query filter which gets applied to an action and determines whether the action should run.
             - `kql` (string, required): A KQL string.
             - `filters` (array of objects, required): Array of filter objects, as defined in the `kbn-es-query` package.
-
       type: object
     Security_Detections_API_RuleActionFrequency:
       description: The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).

@@ -73641,6 +73641,7 @@ components:
         - rule_default
         - endpoint
         - endpoint_trusted_apps
+        - endpoint_trusted_devices
         - endpoint_events
         - endpoint_host_isolation_exceptions
         - endpoint_blocklists
@@ -75694,7 +75695,6 @@ components:
         - `query` (object, optional): Object containing a query filter which gets applied to an action and determines whether the action should run.
             - `kql` (string, required): A KQL string.
             - `filters` (array of objects, required): Array of filter objects, as defined in the `kbn-es-query` package.
-
       type: object
     Security_Detections_API_RuleActionFrequency:
       description: The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).

@@ -73,6 +73,7 @@ export enum SecurityPageName {
   timelines = 'timelines',
   timelinesTemplates = 'timelines-templates',
   trustedApps = 'trusted_apps',
+  trustedDevices = 'trusted_devices',
   users = 'users',
   usersAll = 'users-all',
   usersAnomalies = 'users-anomalies',

@@ -446,6 +446,7 @@ export const getDocLinks = ({ kibanaBranch, buildFlavor }: GetDocLinkOptions): D
       avcResults: `https://www.elastic.co/blog/elastic-security-av-comparatives-business-test`,
       bidirectionalIntegrations: `${ELASTIC_DOCS}solutions/security/endpoint-response-actions/third-party-response-actions`,
       trustedApps: `${ELASTIC_DOCS}solutions/security/manage-elastic-defend/trusted-applications`,
+      trustedDevices: `${ELASTIC_DOCS}solutions/security/manage-elastic-defend/trusted-applications`, // TODO: Update this link when trusted devices is available
       elasticAiFeatures: `${ELASTIC_DOCS}solutions/security/ai`,
       eventFilters: `${ELASTIC_DOCS}solutions/security/manage-elastic-defend/event-filters`,
       blocklist: `${ELASTIC_DOCS}solutions/security/manage-elastic-defend/blocklist`,

@@ -308,6 +308,7 @@ export interface DocLinks {
     readonly bidirectionalIntegrations: string;
     readonly thirdPartyLlmProviders: string;
     readonly trustedApps: string;
+    readonly trustedDevices: string;
     readonly elasticAiFeatures: string;
     readonly eventFilters: string;
     readonly eventMerging: string;

@@ -873,7 +873,7 @@ export const getSecurityV3SubFeaturesMap = ({
       SecuritySubFeatureId.trustedApplications,
       enableSpaceAwarenessIfNeeded(trustedApplicationsSubFeature()),
     ],
-    ...((experimentalFeatures.trustedDevicesEnabled
+    ...((experimentalFeatures.trustedDevices
       ? [
           [
             SecuritySubFeatureId.trustedDevices,

@@ -11,6 +11,7 @@ export const exceptionListType = t.keyof({
   detection: null,
   rule_default: null,
   endpoint: null,
+  endpoint_trusted_devices: null,
   endpoint_trusted_apps: null,
   endpoint_events: null,
   endpoint_host_isolation_exceptions: null,
@@ -24,6 +25,7 @@ export enum ExceptionListTypeEnum {
   RULE_DEFAULT = 'rule_default', // rule default, cannot be shared
   ENDPOINT = 'endpoint',
   ENDPOINT_TRUSTED_APPS = 'endpoint',
+  ENDPOINT_TRUSTED_DEVICES = 'endpoint_trusted_devices',
   ENDPOINT_EVENTS = 'endpoint_events',
   ENDPOINT_HOST_ISOLATION_EXCEPTIONS = 'endpoint_host_isolation_exceptions',
   ENDPOINT_BLOCKLISTS = 'endpoint_blocklists',

@@ -85,7 +85,7 @@ describe('Lists', () => {
       const message = pipe(decoded, foldLeftRight);
 
       expect(getPaths(left(message.errors))).toEqual([
-        'Invalid value "1" supplied to "Array<{| id: NonEmptyString, list_id: NonEmptyString, type: "detection" | "rule_default" | "endpoint" | "endpoint_trusted_apps" | "endpoint_events" | "endpoint_host_isolation_exceptions" | "endpoint_blocklists", namespace_type: "agnostic" | "single" |}>"',
+        'Invalid value "1" supplied to "Array<{| id: NonEmptyString, list_id: NonEmptyString, type: "detection" | "rule_default" | "endpoint" | "endpoint_trusted_devices" | "endpoint_trusted_apps" | "endpoint_events" | "endpoint_host_isolation_exceptions" | "endpoint_blocklists", namespace_type: "agnostic" | "single" |}>"',
       ]);
       expect(message.schema).toEqual({});
     });
@@ -116,8 +116,8 @@ describe('Lists', () => {
       const message = pipe(decoded, foldLeftRight);
 
       expect(getPaths(left(message.errors))).toEqual([
-        'Invalid value "1" supplied to "(Array<{| id: NonEmptyString, list_id: NonEmptyString, type: "detection" | "rule_default" | "endpoint" | "endpoint_trusted_apps" | "endpoint_events" | "endpoint_host_isolation_exceptions" | "endpoint_blocklists", namespace_type: "agnostic" | "single" |}> | undefined)"',
-        'Invalid value "[1]" supplied to "(Array<{| id: NonEmptyString, list_id: NonEmptyString, type: "detection" | "rule_default" | "endpoint" | "endpoint_trusted_apps" | "endpoint_events" | "endpoint_host_isolation_exceptions" | "endpoint_blocklists", namespace_type: "agnostic" | "single" |}> | undefined)"',
+        'Invalid value "1" supplied to "(Array<{| id: NonEmptyString, list_id: NonEmptyString, type: "detection" | "rule_default" | "endpoint" | "endpoint_trusted_devices" | "endpoint_trusted_apps" | "endpoint_events" | "endpoint_host_isolation_exceptions" | "endpoint_blocklists", namespace_type: "agnostic" | "single" |}> | undefined)"',
+        'Invalid value "[1]" supplied to "(Array<{| id: NonEmptyString, list_id: NonEmptyString, type: "detection" | "rule_default" | "endpoint" | "endpoint_trusted_devices" | "endpoint_trusted_apps" | "endpoint_events" | "endpoint_host_isolation_exceptions" | "endpoint_blocklists", namespace_type: "agnostic" | "single" |}> | undefined)"',
       ]);
       expect(message.schema).toEqual({});
     });

@@ -21,6 +21,7 @@ export const internalCreateExceptionListSchema = t.intersection([
         endpoint_events: null,
         endpoint_host_isolation_exceptions: null,
         endpoint_blocklists: null,
+        endpoint_trusted_devices: null,
       }),
     })
   ),

@@ -80,6 +80,11 @@ export const ENDPOINT_ARTIFACT_LISTS = deepFreeze({
     name: 'Endpoint Security Trusted Apps List',
     description: 'Endpoint Security Trusted Apps List',
   },
+  trustedDevices: {
+    id: 'endpoint_trusted_devices',
+    name: 'Endpoint Security Trusted Devices List',
+    description: 'Endpoint Security Trusted Devices List',
+  },
   eventFilters: {
     id: 'endpoint_event_filters',
     name: 'Endpoint Security Event Filters List',

@@ -60,6 +60,10 @@ export const createAssetsNavigationTree = (core: CoreStart): NodeDefinition => (
           id: SecurityPageName.trustedApps,
           link: securityLink(SecurityPageName.trustedApps),
         },
+        {
+          id: SecurityPageName.trustedDevices,
+          link: securityLink(SecurityPageName.trustedDevices),
+        },
         {
           id: SecurityPageName.eventFilters,
           link: securityLink(SecurityPageName.eventFilters),

@@ -271,6 +271,7 @@ type DetectionAlertSchema = {
           | 'rule_default'
           | 'endpoint'
           | 'endpoint_trusted_apps'
+          | 'endpoint_trusted_devices'
           | 'endpoint_events'
           | 'endpoint_host_isolation_exceptions'
           | 'endpoint_blocklists';

@@ -576,7 +576,6 @@ export const RuleActionFrequency = z.object({
 - `query` (object, optional): Object containing a query filter which gets applied to an action and determines whether the action should run.
     - `kql` (string, required): A KQL string.
     - `filters` (array of objects, required): Array of filter objects, as defined in the `kbn-es-query` package.
-
 
   */
 export type RuleActionAlertsFilter = z.infer<typeof RuleActionAlertsFilter>;
@@ -669,6 +668,7 @@ export const ExceptionListType = z.enum([
   'rule_default',
   'endpoint',
   'endpoint_trusted_apps',
+  'endpoint_trusted_devices',
   'endpoint_events',
   'endpoint_host_isolation_exceptions',
   'endpoint_blocklists',

@@ -475,23 +475,23 @@ components:
     RelatedIntegration:
       type: object
       description: |
-            Related integration is a potential dependency of a rule. It's assumed that if the user installs
-            one of the related integrations of a rule, the rule might start to work properly because it will
-            have source events (generated by this integration) potentially matching the rule's query.
+        Related integration is a potential dependency of a rule. It's assumed that if the user installs
+        one of the related integrations of a rule, the rule might start to work properly because it will
+        have source events (generated by this integration) potentially matching the rule's query.
 
-            NOTE: Proper work is not guaranteed, because a related integration, if installed, can be
-            configured differently or generate data that is not necessarily relevant for this rule.
+        NOTE: Proper work is not guaranteed, because a related integration, if installed, can be
+        configured differently or generate data that is not necessarily relevant for this rule.
 
-            Related integration is a combination of a Fleet package and (optionally) one of the
-            package's "integrations" that this package contains. It is represented by 3 properties:
+        Related integration is a combination of a Fleet package and (optionally) one of the
+        package's "integrations" that this package contains. It is represented by 3 properties:
 
-            - `package`: name of the package (required, unique id)
-            - `version`: version of the package (required, semver-compatible)
-            - `integration`: name of the integration of this package (optional, id within the package)
+        - `package`: name of the package (required, unique id)
+        - `version`: version of the package (required, semver-compatible)
+        - `integration`: name of the integration of this package (optional, id within the package)
 
-            There are Fleet packages like `windows` that contain only one integration; in this case,
-            `integration` should be unspecified. There are also packages like `aws` and `azure` that contain
-            several integrations; in this case, `integration` should be specified.
+        There are Fleet packages like `windows` that contain only one integration; in this case,
+        `integration` should be unspecified. There are also packages like `aws` and `azure` that contain
+        several integrations; in this case, `integration` should be specified.
       properties:
         package:
           $ref: '../../../model/primitives.schema.yaml#/components/schemas/NonEmptyString'
@@ -578,7 +578,7 @@ components:
         - `query` (object, optional): Object containing a query filter which gets applied to an action and determines whether the action should run.
             - `kql` (string, required): A KQL string.
             - `filters` (array of objects, required): Array of filter objects, as defined in the `kbn-es-query` package.
-              
+
     RuleActionParams:
       type: object
       description: |
@@ -669,6 +669,7 @@ components:
         - rule_default
         - endpoint
         - endpoint_trusted_apps
+        - endpoint_trusted_devices
         - endpoint_events
         - endpoint_host_isolation_exceptions
         - endpoint_blocklists

@@ -118,6 +118,7 @@ export const THREAT_INTELLIGENCE_PATH = '/threat_intelligence' as const;
 export const ENDPOINTS_PATH = `${MANAGEMENT_PATH}/endpoints` as const;
 export const POLICIES_PATH = `${MANAGEMENT_PATH}/policy` as const;
 export const TRUSTED_APPS_PATH = `${MANAGEMENT_PATH}/trusted_apps` as const;
+export const TRUSTED_DEVICES_PATH = `${MANAGEMENT_PATH}/trusted_devices` as const;
 export const EVENT_FILTERS_PATH = `${MANAGEMENT_PATH}/event_filters` as const;
 export const HOST_ISOLATION_EXCEPTIONS_PATH =
   `${MANAGEMENT_PATH}/host_isolation_exceptions` as const;

@@ -292,6 +292,7 @@ export const allowedExperimentalValues = Object.freeze({
    * Allows users to manage trusted USB and external devices
    */
   trustedDevices: false,
+
   /**
    * Enables the ability to import and migration dashboards through automatic migration service
    */

@@ -6273,6 +6273,7 @@ components:
         - rule_default
         - endpoint
         - endpoint_trusted_apps
+        - endpoint_trusted_devices
         - endpoint_events
         - endpoint_host_isolation_exceptions
         - endpoint_blocklists
@@ -8527,7 +8528,6 @@ components:
         gets applied to an action and determines whether the action should run.
             - `kql` (string, required): A KQL string.
             - `filters` (array of objects, required): Array of filter objects, as defined in the `kbn-es-query` package.
-
       type: object
     RuleActionFrequency:
       description: >-

@@ -5603,6 +5603,7 @@ components:
         - rule_default
         - endpoint
         - endpoint_trusted_apps
+        - endpoint_trusted_devices
         - endpoint_events
         - endpoint_host_isolation_exceptions
         - endpoint_blocklists
@@ -7736,7 +7737,6 @@ components:
         gets applied to an action and determines whether the action should run.
             - `kql` (string, required): A KQL string.
             - `filters` (array of objects, required): Array of filter objects, as defined in the `kbn-es-query` package.
-
       type: object
     RuleActionFrequency:
       description: >-

@@ -168,6 +168,12 @@ export const TRUSTED_APPLICATIONS = i18n.translate(
     defaultMessage: 'Trusted applications',
   }
 );
+export const TRUSTED_DEVICES = i18n.translate(
+  'xpack.securitySolution.search.administration.trustedDevices',
+  {
+    defaultMessage: 'Trusted devices',
+  }
+);
 export const EVENT_FILTERS = i18n.translate(
   'xpack.securitySolution.search.administration.eventFilters',
   {

@@ -7,7 +7,13 @@
 
 import type { ChromeBreadcrumb } from '@kbn/core/public';
 import { AdministrationSubTab } from '../types';
-import { ENDPOINTS_TAB, EVENT_FILTERS_TAB, POLICIES_TAB, TRUSTED_APPS_TAB } from './translations';
+import {
+  ENDPOINTS_TAB,
+  EVENT_FILTERS_TAB,
+  POLICIES_TAB,
+  TRUSTED_APPS_TAB,
+  TRUSTED_DEVICES_TAB,
+} from './translations';
 import type { AdministrationRouteSpyState } from '../../common/utils/route/types';
 import {
   HOST_ISOLATION_EXCEPTIONS,
@@ -21,6 +27,7 @@ const TabNameMappedToI18nKey: Record<AdministrationSubTab, string> = {
   [AdministrationSubTab.endpoints]: ENDPOINTS_TAB,
   [AdministrationSubTab.policies]: POLICIES_TAB,
   [AdministrationSubTab.trustedApps]: TRUSTED_APPS_TAB,
+  [AdministrationSubTab.trustedDevices]: TRUSTED_DEVICES_TAB,
   [AdministrationSubTab.eventFilters]: EVENT_FILTERS_TAB,
   [AdministrationSubTab.hostIsolationExceptions]: HOST_ISOLATION_EXCEPTIONS,
   [AdministrationSubTab.blocklist]: BLOCKLIST,

@@ -14,6 +14,7 @@ export const MANAGEMENT_ROUTING_ENDPOINTS_PATH = `${MANAGEMENT_PATH}/:tabName(${
 export const MANAGEMENT_ROUTING_POLICIES_PATH = `${MANAGEMENT_PATH}/:tabName(${AdministrationSubTab.policies})`;
 export const MANAGEMENT_ROUTING_POLICY_DETAILS_FORM_PATH = `${MANAGEMENT_PATH}/:tabName(${AdministrationSubTab.policies})/:policyId/settings`;
 export const MANAGEMENT_ROUTING_POLICY_DETAILS_TRUSTED_APPS_PATH = `${MANAGEMENT_PATH}/:tabName(${AdministrationSubTab.policies})/:policyId/trustedApps`;
+export const MANAGEMENT_ROUTING_POLICY_DETAILS_TRUSTED_DEVICES_PATH = `${MANAGEMENT_PATH}/:tabName(${AdministrationSubTab.policies})/:policyId/trustedDevices`;
 export const MANAGEMENT_ROUTING_POLICY_DETAILS_EVENT_FILTERS_PATH = `${MANAGEMENT_PATH}/:tabName(${AdministrationSubTab.policies})/:policyId/eventFilters`;
 export const MANAGEMENT_ROUTING_POLICY_DETAILS_HOST_ISOLATION_EXCEPTIONS_PATH = `${MANAGEMENT_PATH}/:tabName(${AdministrationSubTab.policies})/:policyId/hostIsolationExceptions`;
 export const MANAGEMENT_ROUTING_POLICY_DETAILS_BLOCKLISTS_PATH = `${MANAGEMENT_PATH}/:tabName(${AdministrationSubTab.policies})/:policyId/blocklists`;
@@ -22,6 +23,7 @@ export const MANAGEMENT_ROUTING_NOTES_PATH = `${MANAGEMENT_PATH}/:tabName(${Admi
 /** @deprecated use the paths defined above instead */
 export const MANAGEMENT_ROUTING_POLICY_DETAILS_PATH_OLD = `${MANAGEMENT_PATH}/:tabName(${AdministrationSubTab.policies})/:policyId`;
 export const MANAGEMENT_ROUTING_TRUSTED_APPS_PATH = `${MANAGEMENT_PATH}/:tabName(${AdministrationSubTab.trustedApps})`;
+export const MANAGEMENT_ROUTING_TRUSTED_DEVICES_PATH = `${MANAGEMENT_PATH}/:tabName(${AdministrationSubTab.trustedDevices})`;
 export const MANAGEMENT_ROUTING_EVENT_FILTERS_PATH = `${MANAGEMENT_PATH}/:tabName(${AdministrationSubTab.eventFilters})`;
 export const MANAGEMENT_ROUTING_HOST_ISOLATION_EXCEPTIONS_PATH = `${MANAGEMENT_PATH}/:tabName(${AdministrationSubTab.hostIsolationExceptions})`;
 export const MANAGEMENT_ROUTING_BLOCKLIST_PATH = `${MANAGEMENT_PATH}/:tabName(${AdministrationSubTab.blocklist})`;
-Original file line number
+Diff line change
@@ Expand Up / @@ -292,6 +292,7 @@ export const allowedExperimentalValues = Object.freeze({ @@
        * Allows users to manage trusted USB and external devices
        */
       trustedDevices: false,
       /**
        * Enables the ability to import and migration dashboards through automatic migration service
        */
@@ Expand Down @@