Filter endpoint list exceptions in DE logic#233289
Merged
nkhristinin merged 15 commits intoelastic:mainfrom Oct 8, 2025
Merged
Filter endpoint list exceptions in DE logic#233289nkhristinin merged 15 commits intoelastic:mainfrom
nkhristinin merged 15 commits intoelastic:mainfrom
Conversation
Contributor
Author
|
/ci |
Contributor
Author
|
/ci |
Contributor
Author
|
/ci |
nkhristinin
changed the title
Contributor
Author
|
@elasticmachine merge upstream |
nkhristinin
added
release_note:deprecation
release_note:skip
Contributor
Author
|
@elasticmachine merge upstream |
Contributor
Author
|
@elasticmachine merge upstream |
denar50
approved these changes
Sep 16, 2025
Contributor
denar50
left a comment
denar50
left a comment
There was a problem hiding this comment.
I tested it locally and it works as expected. LGTM!
| ) | ||
| : lists; | ||
|
|
||
| if (filteredLists.length > 0) { |
Contributor
There was a problem hiding this comment.
nit: you can do an early return here so the try/catch block is not nested inside the if. It makes the code easier to read.
if (filteredLists.length === 0) {
return [];
}
try {
...
Contributor
Author
|
@elasticmachine merge upstream |
Contributor
Author
|
@elasticmachine merge upstream |
Contributor
|
Starting backport for target branches: 9.2 https://github.com/elastic/kibana/actions/runs/18352264525 |
Contributor
💛 Build succeeded, but was flaky
Failed CI StepsTest Failures
Metrics [docs]
History
|
kibanamachine
pushed a commit
to kibanamachine/kibana
that referenced
this pull request
Oct 8, 2025
## Summary Related: elastic/security-team#13777 We are filtering endpoint exceptions from DE execution logic. Update tests so that endpoint exceptions don't affect alerts generated right now (they should be excluded on the endpoint) ### How to test: Enable FF - `endpointExceptionsMovedUnderManagement` 1. Install elastic defender (you can click add elastic defend later at the end) - http://localhost:5601/app/security/administration/endpoints <img width="1325" height="650" alt="Screenshot 2025-09-09 at 10 38 13" src="https://github.com/user-attachments/assets/1b642cc8-ec4c-471a-bcd7-5b0086fc2f90" /> 2. Now you should have `Endpoint Security (Elastic Defend)` installed. 3. Let's create 2 events. You can manipulate user.name to check how exceptions works later. ``` POST logs-endpoint.alerts-1/_doc { "event.kind": "alert", "event.module": "endpoint", "event.ingested": "2025-09-09T08:39:55.101Z", "@timestamp": "2025-09-09T08:39:55.101Z", "user.name": "hello1", "host": { "os": { "name": "windows", "type": "windows" } } } POST logs-endpoint.alerts-1/_doc { "event.kind": "alert", "event.module": "endpoint", "event.ingested": "2025-09-09T08:39:55.101Z", "@timestamp": "2025-09-09T08:39:55.101Z", "user.name": "hello2", "host": { "os": { "name": "windows", "type": "windows" } } } ``` 4. For the rule, change the interval/schedule if you need to create alerts more easily. 5. Add endpoint exceptions (windows, and user.name - some value, for example hello1). <img width="1455" height="577" alt="Screenshot 2025-09-09 at 11 13 18" src="https://github.com/user-attachments/assets/ed7e83a2-25bf-4254-8362-5e863ee77e3f" /> -- With FF enabled, we should see 2 alerts generated for `user.name` `hello1` and `hello2`. With FF disabled, the exception should work on the DE side, so you only see 1 alert for `hello2`. --------- Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com> (cherry picked from commit b1713c3)
Contributor
💚 All backports created successfully
Note: Successful backport PRs will be merged automatically after passing CI. Questions ?Please refer to the Backport tool documentation |
kibanamachine
added a commit
that referenced
this pull request
Oct 8, 2025
# Backport This will backport the following commits from `main` to `9.2`: - [Filter endpoint list exceptions in DE logic (#233289)](#233289) <!--- Backport version: 9.6.6 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sorenlouv/backport) <!--BACKPORT [{"author":{"name":"Khristinin Nikita","email":"nikita.khristinin@elastic.co"},"sourceCommit":{"committedDate":"2025-10-08T17:01:57Z","message":"Filter endpoint list exceptions in DE logic (#233289)\n\n## Summary\n\nRelated: https://github.com/elastic/security-team/issues/13777\n\nWe are filtering endpoint exceptions from DE execution logic.\n\nUpdate tests so that endpoint exceptions don't affect alerts generated\nright now (they should be excluded on the endpoint)\n\n\n### How to test:\n\nEnable FF - `endpointExceptionsMovedUnderManagement`\n\n1. Install elastic defender (you can click add elastic defend later at\nthe end) - http://localhost:5601/app/security/administration/endpoints\n<img width=\"1325\" height=\"650\" alt=\"Screenshot 2025-09-09 at 10 38 13\"\nsrc=\"https://github.com/user-attachments/assets/1b642cc8-ec4c-471a-bcd7-5b0086fc2f90\"\n/>\n\n2. Now you should have `Endpoint Security (Elastic Defend)` installed.\n\n3. Let's create 2 events. You can manipulate user.name to check how\nexceptions works later.\n\n```\nPOST logs-endpoint.alerts-1/_doc\n{\n \"event.kind\": \"alert\",\n \"event.module\": \"endpoint\",\n \"event.ingested\": \"2025-09-09T08:39:55.101Z\",\n \"@timestamp\": \"2025-09-09T08:39:55.101Z\",\n \"user.name\": \"hello1\",\n \"host\": {\n \"os\": {\n \"name\": \"windows\", \n \"type\": \"windows\" \n }\n }\n}\n\nPOST logs-endpoint.alerts-1/_doc\n{\n \"event.kind\": \"alert\",\n \"event.module\": \"endpoint\",\n \"event.ingested\": \"2025-09-09T08:39:55.101Z\",\n \"@timestamp\": \"2025-09-09T08:39:55.101Z\",\n \"user.name\": \"hello2\",\n \"host\": {\n \"os\": {\n \"name\": \"windows\", \n \"type\": \"windows\" \n }\n }\n}\n```\n\n4. For the rule, change the interval/schedule if you need to create\nalerts more easily.\n\n5. Add endpoint exceptions (windows, and user.name - some value, for\nexample hello1).\n\n<img width=\"1455\" height=\"577\" alt=\"Screenshot 2025-09-09 at 11 13 18\"\nsrc=\"https://github.com/user-attachments/assets/ed7e83a2-25bf-4254-8362-5e863ee77e3f\"\n/>\n\n\n--\n\nWith FF enabled, we should see 2 alerts generated for `user.name`\n`hello1` and `hello2`.\n\nWith FF disabled, the exception should work on the DE side, so you only\nsee 1 alert for `hello2`.\n\n---------\n\nCo-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>","sha":"b1713c38ba3e4a7b6e99e6c867868ae39045cae1","branchLabelMapping":{"^v9.3.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:deprecation","backport:version","v9.2.0","v9.3.0"],"title":"Filter endpoint list exceptions in DE logic","number":233289,"url":"https://github.com/elastic/kibana/pull/233289","mergeCommit":{"message":"Filter endpoint list exceptions in DE logic (#233289)\n\n## Summary\n\nRelated: https://github.com/elastic/security-team/issues/13777\n\nWe are filtering endpoint exceptions from DE execution logic.\n\nUpdate tests so that endpoint exceptions don't affect alerts generated\nright now (they should be excluded on the endpoint)\n\n\n### How to test:\n\nEnable FF - `endpointExceptionsMovedUnderManagement`\n\n1. Install elastic defender (you can click add elastic defend later at\nthe end) - http://localhost:5601/app/security/administration/endpoints\n<img width=\"1325\" height=\"650\" alt=\"Screenshot 2025-09-09 at 10 38 13\"\nsrc=\"https://github.com/user-attachments/assets/1b642cc8-ec4c-471a-bcd7-5b0086fc2f90\"\n/>\n\n2. Now you should have `Endpoint Security (Elastic Defend)` installed.\n\n3. Let's create 2 events. You can manipulate user.name to check how\nexceptions works later.\n\n```\nPOST logs-endpoint.alerts-1/_doc\n{\n \"event.kind\": \"alert\",\n \"event.module\": \"endpoint\",\n \"event.ingested\": \"2025-09-09T08:39:55.101Z\",\n \"@timestamp\": \"2025-09-09T08:39:55.101Z\",\n \"user.name\": \"hello1\",\n \"host\": {\n \"os\": {\n \"name\": \"windows\", \n \"type\": \"windows\" \n }\n }\n}\n\nPOST logs-endpoint.alerts-1/_doc\n{\n \"event.kind\": \"alert\",\n \"event.module\": \"endpoint\",\n \"event.ingested\": \"2025-09-09T08:39:55.101Z\",\n \"@timestamp\": \"2025-09-09T08:39:55.101Z\",\n \"user.name\": \"hello2\",\n \"host\": {\n \"os\": {\n \"name\": \"windows\", \n \"type\": \"windows\" \n }\n }\n}\n```\n\n4. For the rule, change the interval/schedule if you need to create\nalerts more easily.\n\n5. Add endpoint exceptions (windows, and user.name - some value, for\nexample hello1).\n\n<img width=\"1455\" height=\"577\" alt=\"Screenshot 2025-09-09 at 11 13 18\"\nsrc=\"https://github.com/user-attachments/assets/ed7e83a2-25bf-4254-8362-5e863ee77e3f\"\n/>\n\n\n--\n\nWith FF enabled, we should see 2 alerts generated for `user.name`\n`hello1` and `hello2`.\n\nWith FF disabled, the exception should work on the DE side, so you only\nsee 1 alert for `hello2`.\n\n---------\n\nCo-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>","sha":"b1713c38ba3e4a7b6e99e6c867868ae39045cae1"}},"sourceBranch":"main","suggestedTargetBranches":["9.2"],"targetPullRequestStates":[{"branch":"9.2","label":"v9.2.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"main","label":"v9.3.0","branchLabelMappingKey":"^v9.3.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/233289","number":233289,"mergeCommit":{"message":"Filter endpoint list exceptions in DE logic (#233289)\n\n## Summary\n\nRelated: https://github.com/elastic/security-team/issues/13777\n\nWe are filtering endpoint exceptions from DE execution logic.\n\nUpdate tests so that endpoint exceptions don't affect alerts generated\nright now (they should be excluded on the endpoint)\n\n\n### How to test:\n\nEnable FF - `endpointExceptionsMovedUnderManagement`\n\n1. Install elastic defender (you can click add elastic defend later at\nthe end) - http://localhost:5601/app/security/administration/endpoints\n<img width=\"1325\" height=\"650\" alt=\"Screenshot 2025-09-09 at 10 38 13\"\nsrc=\"https://github.com/user-attachments/assets/1b642cc8-ec4c-471a-bcd7-5b0086fc2f90\"\n/>\n\n2. Now you should have `Endpoint Security (Elastic Defend)` installed.\n\n3. Let's create 2 events. You can manipulate user.name to check how\nexceptions works later.\n\n```\nPOST logs-endpoint.alerts-1/_doc\n{\n \"event.kind\": \"alert\",\n \"event.module\": \"endpoint\",\n \"event.ingested\": \"2025-09-09T08:39:55.101Z\",\n \"@timestamp\": \"2025-09-09T08:39:55.101Z\",\n \"user.name\": \"hello1\",\n \"host\": {\n \"os\": {\n \"name\": \"windows\", \n \"type\": \"windows\" \n }\n }\n}\n\nPOST logs-endpoint.alerts-1/_doc\n{\n \"event.kind\": \"alert\",\n \"event.module\": \"endpoint\",\n \"event.ingested\": \"2025-09-09T08:39:55.101Z\",\n \"@timestamp\": \"2025-09-09T08:39:55.101Z\",\n \"user.name\": \"hello2\",\n \"host\": {\n \"os\": {\n \"name\": \"windows\", \n \"type\": \"windows\" \n }\n }\n}\n```\n\n4. For the rule, change the interval/schedule if you need to create\nalerts more easily.\n\n5. Add endpoint exceptions (windows, and user.name - some value, for\nexample hello1).\n\n<img width=\"1455\" height=\"577\" alt=\"Screenshot 2025-09-09 at 11 13 18\"\nsrc=\"https://github.com/user-attachments/assets/ed7e83a2-25bf-4254-8362-5e863ee77e3f\"\n/>\n\n\n--\n\nWith FF enabled, we should see 2 alerts generated for `user.name`\n`hello1` and `hello2`.\n\nWith FF disabled, the exception should work on the DE side, so you only\nsee 1 alert for `hello2`.\n\n---------\n\nCo-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>","sha":"b1713c38ba3e4a7b6e99e6c867868ae39045cae1"}}]}] BACKPORT--> Co-authored-by: Khristinin Nikita <nikita.khristinin@elastic.co> Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
Member
|
Hi! This PR has a
If the change should not be listed in the release notes, please use the If this helps, we have a page describing release notes best practices for PRs (Elastic access only) |
rylnd
pushed a commit
to rylnd/kibana
that referenced
this pull request
Oct 17, 2025
## Summary Related: elastic/security-team#13777 We are filtering endpoint exceptions from DE execution logic. Update tests so that endpoint exceptions don't affect alerts generated right now (they should be excluded on the endpoint) ### How to test: Enable FF - `endpointExceptionsMovedUnderManagement` 1. Install elastic defender (you can click add elastic defend later at the end) - http://localhost:5601/app/security/administration/endpoints <img width="1325" height="650" alt="Screenshot 2025-09-09 at 10 38 13" src="https://github.com/user-attachments/assets/1b642cc8-ec4c-471a-bcd7-5b0086fc2f90" /> 2. Now you should have `Endpoint Security (Elastic Defend)` installed. 3. Let's create 2 events. You can manipulate user.name to check how exceptions works later. ``` POST logs-endpoint.alerts-1/_doc { "event.kind": "alert", "event.module": "endpoint", "event.ingested": "2025-09-09T08:39:55.101Z", "@timestamp": "2025-09-09T08:39:55.101Z", "user.name": "hello1", "host": { "os": { "name": "windows", "type": "windows" } } } POST logs-endpoint.alerts-1/_doc { "event.kind": "alert", "event.module": "endpoint", "event.ingested": "2025-09-09T08:39:55.101Z", "@timestamp": "2025-09-09T08:39:55.101Z", "user.name": "hello2", "host": { "os": { "name": "windows", "type": "windows" } } } ``` 4. For the rule, change the interval/schedule if you need to create alerts more easily. 5. Add endpoint exceptions (windows, and user.name - some value, for example hello1). <img width="1455" height="577" alt="Screenshot 2025-09-09 at 11 13 18" src="https://github.com/user-attachments/assets/ed7e83a2-25bf-4254-8362-5e863ee77e3f" /> -- With FF enabled, we should see 2 alerts generated for `user.name` `hello1` and `hello2`. With FF disabled, the exception should work on the DE side, so you only see 1 alert for `hello2`. --------- Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
NicholasPeretti
pushed a commit
to NicholasPeretti/kibana
that referenced
this pull request
Oct 27, 2025
## Summary Related: elastic/security-team#13777 We are filtering endpoint exceptions from DE execution logic. Update tests so that endpoint exceptions don't affect alerts generated right now (they should be excluded on the endpoint) ### How to test: Enable FF - `endpointExceptionsMovedUnderManagement` 1. Install elastic defender (you can click add elastic defend later at the end) - http://localhost:5601/app/security/administration/endpoints <img width="1325" height="650" alt="Screenshot 2025-09-09 at 10 38 13" src="https://github.com/user-attachments/assets/1b642cc8-ec4c-471a-bcd7-5b0086fc2f90" /> 2. Now you should have `Endpoint Security (Elastic Defend)` installed. 3. Let's create 2 events. You can manipulate user.name to check how exceptions works later. ``` POST logs-endpoint.alerts-1/_doc { "event.kind": "alert", "event.module": "endpoint", "event.ingested": "2025-09-09T08:39:55.101Z", "@timestamp": "2025-09-09T08:39:55.101Z", "user.name": "hello1", "host": { "os": { "name": "windows", "type": "windows" } } } POST logs-endpoint.alerts-1/_doc { "event.kind": "alert", "event.module": "endpoint", "event.ingested": "2025-09-09T08:39:55.101Z", "@timestamp": "2025-09-09T08:39:55.101Z", "user.name": "hello2", "host": { "os": { "name": "windows", "type": "windows" } } } ``` 4. For the rule, change the interval/schedule if you need to create alerts more easily. 5. Add endpoint exceptions (windows, and user.name - some value, for example hello1). <img width="1455" height="577" alt="Screenshot 2025-09-09 at 11 13 18" src="https://github.com/user-attachments/assets/ed7e83a2-25bf-4254-8362-5e863ee77e3f" /> -- With FF enabled, we should see 2 alerts generated for `user.name` `hello1` and `hello2`. With FF disabled, the exception should work on the DE side, so you only see 1 alert for `hello2`. --------- Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
1 task
kibanamachine
pushed a commit
to kibanamachine/kibana
that referenced
this pull request
Nov 24, 2025
…o add endpoint exceptions to rule execution (elastic#242480) ## Summary Conditionally render endpoint exceptions UI checkbox under "About Rule" advanced settings. UI change related to: elastic#233289 (cherry picked from commit 98685d9)
eokoneyo
pushed a commit
to eokoneyo/kibana
that referenced
this pull request
Dec 2, 2025
…o add endpoint exceptions to rule execution (elastic#242480) ## Summary Conditionally render endpoint exceptions UI checkbox under "About Rule" advanced settings. UI change related to: elastic#233289
florent-leborgne
added
the
Team: SecuritySolution
Contributor
|
Pinging @elastic/security-solution (Team: SecuritySolution) |
yctercero
added
release_note:skip
rylnd
added a commit
to rylnd/kibana
that referenced
this pull request
Mar 18, 2026
Previously, rule exception logic allowed for Endpoint Exceptions to be applied to rules, and thus the associated list needed to be present in order for our exception retrieval to succeed. However, with the effort of elastic/security-team#14573, and particularly elastic#233289, we no longer apply endpoint exceptions, and so these calls are no longer necessary. (In fact, these calls are now preventing Rules-only users from e.g. previewing rules, as that call requires privileges they do not have, causing errors and a short-circuiting). The one exception to the above may be if a rule references an endpoint list, and the FF is not yet removed (meaning we still search for endpoint exceptions). However, I will add a regression test for that case.
4 tasks
gergoabraham
added a commit
that referenced
this pull request
Mar 31, 2026
…icy Endpoint Exceptions (#259598) ## Summary This PR adds an opt-in mechanism that allows using the so far global-only Endpoint Exceptions on a per-policy basis. > [!note] > Hidden behind feature flag (as part of the Endpoint exception move effort): > ``` > xpack.securitySolution.enableExperimental: > - endpointExceptionsMovedUnderManagement > ``` ### Behavior in short - new deployments are automatically opted in. they also won't see the 'Endpoint exceptions moved' and 'Endpoint exceptions not evaluated on rules anymore' callouts (from #258556). - upgraded environments will see a new callout on the Endpoint exceptions page that suggests to enable per-policy behavior - superuser role (ESS) or admin role (serverless) users are able to perform the opt-in - other users will see a message to contact their administrators - after manually opting in - Endpoint exceptions can be assigned to package policies, like other endpoint artifacts - but, they won't be evaluated during rule execution anymore (see #233289) - and they cannot be added to detection rules anymore (see #242480) ### Data Opt-in status is stored in the `ReferenceDataClient`, and it's defaulted during plugin start phase either to: - `{ status: false }`, in case endpoint exception list exists (i.e. upgrade, it's created every time), - `{ status: true, reason: 'newDeployment' }`, in case the list does not exist. ### API 2 new API endpoints are added: - `GET /internal/api/endpoint/endpoint_exceptions_per_policy_opt_in` to receive the opt-in status on the UI, - `POST /internal/api/endpoint/endpoint_exceptions_per_policy_opt_in` to perform the opt-in, that sets the status to `{ status: true, reason: 'userOptedIn' }` ### UI #### empty page is... empty <img width="400" height="793" alt="image" src="https://github.com/user-attachments/assets/e7b72ab9-2a42-49ca-b2e9-2447e3ff9dd3" /> #### callout for non-superusers <img width="1280" height="516" alt="image" src="https://github.com/user-attachments/assets/f88a04a6-b8bb-46be-8f5f-ece5f1d89cf2" /> #### callout for superusers / admins <img width="1215" height="554" alt="image" src="https://github.com/user-attachments/assets/e2552d27-ac9d-4dfe-84da-48012fdf57fc" /> #### menu action for superusers / admins in case the callout is dismissed. although, it will come up again as it's only dismissed for the session. <img width="335" height="204" alt="image" src="https://github.com/user-attachments/assets/5d7a23e6-2428-4f8f-b941-0f97e8bd7750" /> #### modal <img width="925" height="564" alt="image" src="https://github.com/user-attachments/assets/0cbc4573-b052-4e1f-82c5-13298532f7fe" /> ### recording #### opt-in process and endpoint exceptions pages https://github.com/user-attachments/assets/de8204bd-72d2-4a99-b51c-b86771c577c3 ### hiding stuff behind opt-in status - endpoint exception related per-policy activities are available only after opt-in, like - per-policy assignment in the form, - assigning exceptions to policies in the Policy details page Endpoint exceptions tab, - `ManifestManager` also uses per-policy EE after opt-in only. - 'endpoint exceptions moved' informative callouts are shown without opting in (due to the FF enabled), or after _manual_ opt-in (i.e. are hidden on new deployments) - see the details in the previous PR: #258556 - 'endpoint exceptions are not evaluated on rules' informative callouts are shown only after _manually_ opting in (i.e. it needs opt-in, but isn't shown on new deployments) - see the details in the previous PR: #258556 ## Testing To test this, - either add some data (endpoint exceptions), and then turn on the feature flag `xpack.securitySolution.enableExperimental.endpointExceptionsMovedUnderManagement`, to simulate an 'upgrade' scenario, - or start with the feature flag turned on, to simulate a 'new deployment' scenario. ### Reading opt-in status dev console: ``` GET .kibana_security_solution/_doc/security:reference-data:ENDPOINT-EXCEPTIONS-PER-POLICY-OPT-IN-STATUS ``` ### Deleting opt-in status you can also delete the opt-in status, so you're back to the 'upgrade' scenario. for this, you need a `system_indices_superuser`, here's a quick console command to create one: ``` POST kbn://internal/security/users/testuser { "password": "changeme", "username": "testuser", "full_name": "", "email": "", "roles": [ "system_indices_superuser", "superuser" ] } ``` and then delete like this: ``` DELETE .kibana_security_solution/_doc/security:reference-data:ENDPOINT-EXCEPTIONS-PER-POLICY-OPT-IN-STATUS ``` ## todo docs ### Checklist Check the PR satisfies following conditions. Reviewers should verify this PR satisfies this list as well. - [x] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md) - [ ] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
jeramysoucy
pushed a commit
to jeramysoucy/kibana
that referenced
this pull request
Apr 1, 2026
…icy Endpoint Exceptions (elastic#259598) ## Summary This PR adds an opt-in mechanism that allows using the so far global-only Endpoint Exceptions on a per-policy basis. > [!note] > Hidden behind feature flag (as part of the Endpoint exception move effort): > ``` > xpack.securitySolution.enableExperimental: > - endpointExceptionsMovedUnderManagement > ``` ### Behavior in short - new deployments are automatically opted in. they also won't see the 'Endpoint exceptions moved' and 'Endpoint exceptions not evaluated on rules anymore' callouts (from elastic#258556). - upgraded environments will see a new callout on the Endpoint exceptions page that suggests to enable per-policy behavior - superuser role (ESS) or admin role (serverless) users are able to perform the opt-in - other users will see a message to contact their administrators - after manually opting in - Endpoint exceptions can be assigned to package policies, like other endpoint artifacts - but, they won't be evaluated during rule execution anymore (see elastic#233289) - and they cannot be added to detection rules anymore (see elastic#242480) ### Data Opt-in status is stored in the `ReferenceDataClient`, and it's defaulted during plugin start phase either to: - `{ status: false }`, in case endpoint exception list exists (i.e. upgrade, it's created every time), - `{ status: true, reason: 'newDeployment' }`, in case the list does not exist. ### API 2 new API endpoints are added: - `GET /internal/api/endpoint/endpoint_exceptions_per_policy_opt_in` to receive the opt-in status on the UI, - `POST /internal/api/endpoint/endpoint_exceptions_per_policy_opt_in` to perform the opt-in, that sets the status to `{ status: true, reason: 'userOptedIn' }` ### UI #### empty page is... empty <img width="400" height="793" alt="image" src="https://github.com/user-attachments/assets/e7b72ab9-2a42-49ca-b2e9-2447e3ff9dd3" /> #### callout for non-superusers <img width="1280" height="516" alt="image" src="https://github.com/user-attachments/assets/f88a04a6-b8bb-46be-8f5f-ece5f1d89cf2" /> #### callout for superusers / admins <img width="1215" height="554" alt="image" src="https://github.com/user-attachments/assets/e2552d27-ac9d-4dfe-84da-48012fdf57fc" /> #### menu action for superusers / admins in case the callout is dismissed. although, it will come up again as it's only dismissed for the session. <img width="335" height="204" alt="image" src="https://github.com/user-attachments/assets/5d7a23e6-2428-4f8f-b941-0f97e8bd7750" /> #### modal <img width="925" height="564" alt="image" src="https://github.com/user-attachments/assets/0cbc4573-b052-4e1f-82c5-13298532f7fe" /> ### recording #### opt-in process and endpoint exceptions pages https://github.com/user-attachments/assets/de8204bd-72d2-4a99-b51c-b86771c577c3 ### hiding stuff behind opt-in status - endpoint exception related per-policy activities are available only after opt-in, like - per-policy assignment in the form, - assigning exceptions to policies in the Policy details page Endpoint exceptions tab, - `ManifestManager` also uses per-policy EE after opt-in only. - 'endpoint exceptions moved' informative callouts are shown without opting in (due to the FF enabled), or after _manual_ opt-in (i.e. are hidden on new deployments) - see the details in the previous PR: elastic#258556 - 'endpoint exceptions are not evaluated on rules' informative callouts are shown only after _manually_ opting in (i.e. it needs opt-in, but isn't shown on new deployments) - see the details in the previous PR: elastic#258556 ## Testing To test this, - either add some data (endpoint exceptions), and then turn on the feature flag `xpack.securitySolution.enableExperimental.endpointExceptionsMovedUnderManagement`, to simulate an 'upgrade' scenario, - or start with the feature flag turned on, to simulate a 'new deployment' scenario. ### Reading opt-in status dev console: ``` GET .kibana_security_solution/_doc/security:reference-data:ENDPOINT-EXCEPTIONS-PER-POLICY-OPT-IN-STATUS ``` ### Deleting opt-in status you can also delete the opt-in status, so you're back to the 'upgrade' scenario. for this, you need a `system_indices_superuser`, here's a quick console command to create one: ``` POST kbn://internal/security/users/testuser { "password": "changeme", "username": "testuser", "full_name": "", "email": "", "roles": [ "system_indices_superuser", "superuser" ] } ``` and then delete like this: ``` DELETE .kibana_security_solution/_doc/security:reference-data:ENDPOINT-EXCEPTIONS-PER-POLICY-OPT-IN-STATUS ``` ## todo docs ### Checklist Check the PR satisfies following conditions. Reviewers should verify this PR satisfies this list as well. - [x] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md) - [ ] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
paulinashakirova
pushed a commit
to paulinashakirova/kibana
that referenced
this pull request
Apr 2, 2026
…icy Endpoint Exceptions (elastic#259598) ## Summary This PR adds an opt-in mechanism that allows using the so far global-only Endpoint Exceptions on a per-policy basis. > [!note] > Hidden behind feature flag (as part of the Endpoint exception move effort): > ``` > xpack.securitySolution.enableExperimental: > - endpointExceptionsMovedUnderManagement > ``` ### Behavior in short - new deployments are automatically opted in. they also won't see the 'Endpoint exceptions moved' and 'Endpoint exceptions not evaluated on rules anymore' callouts (from elastic#258556). - upgraded environments will see a new callout on the Endpoint exceptions page that suggests to enable per-policy behavior - superuser role (ESS) or admin role (serverless) users are able to perform the opt-in - other users will see a message to contact their administrators - after manually opting in - Endpoint exceptions can be assigned to package policies, like other endpoint artifacts - but, they won't be evaluated during rule execution anymore (see elastic#233289) - and they cannot be added to detection rules anymore (see elastic#242480) ### Data Opt-in status is stored in the `ReferenceDataClient`, and it's defaulted during plugin start phase either to: - `{ status: false }`, in case endpoint exception list exists (i.e. upgrade, it's created every time), - `{ status: true, reason: 'newDeployment' }`, in case the list does not exist. ### API 2 new API endpoints are added: - `GET /internal/api/endpoint/endpoint_exceptions_per_policy_opt_in` to receive the opt-in status on the UI, - `POST /internal/api/endpoint/endpoint_exceptions_per_policy_opt_in` to perform the opt-in, that sets the status to `{ status: true, reason: 'userOptedIn' }` ### UI #### empty page is... empty <img width="400" height="793" alt="image" src="https://github.com/user-attachments/assets/e7b72ab9-2a42-49ca-b2e9-2447e3ff9dd3" /> #### callout for non-superusers <img width="1280" height="516" alt="image" src="https://github.com/user-attachments/assets/f88a04a6-b8bb-46be-8f5f-ece5f1d89cf2" /> #### callout for superusers / admins <img width="1215" height="554" alt="image" src="https://github.com/user-attachments/assets/e2552d27-ac9d-4dfe-84da-48012fdf57fc" /> #### menu action for superusers / admins in case the callout is dismissed. although, it will come up again as it's only dismissed for the session. <img width="335" height="204" alt="image" src="https://github.com/user-attachments/assets/5d7a23e6-2428-4f8f-b941-0f97e8bd7750" /> #### modal <img width="925" height="564" alt="image" src="https://github.com/user-attachments/assets/0cbc4573-b052-4e1f-82c5-13298532f7fe" /> ### recording #### opt-in process and endpoint exceptions pages https://github.com/user-attachments/assets/de8204bd-72d2-4a99-b51c-b86771c577c3 ### hiding stuff behind opt-in status - endpoint exception related per-policy activities are available only after opt-in, like - per-policy assignment in the form, - assigning exceptions to policies in the Policy details page Endpoint exceptions tab, - `ManifestManager` also uses per-policy EE after opt-in only. - 'endpoint exceptions moved' informative callouts are shown without opting in (due to the FF enabled), or after _manual_ opt-in (i.e. are hidden on new deployments) - see the details in the previous PR: elastic#258556 - 'endpoint exceptions are not evaluated on rules' informative callouts are shown only after _manually_ opting in (i.e. it needs opt-in, but isn't shown on new deployments) - see the details in the previous PR: elastic#258556 ## Testing To test this, - either add some data (endpoint exceptions), and then turn on the feature flag `xpack.securitySolution.enableExperimental.endpointExceptionsMovedUnderManagement`, to simulate an 'upgrade' scenario, - or start with the feature flag turned on, to simulate a 'new deployment' scenario. ### Reading opt-in status dev console: ``` GET .kibana_security_solution/_doc/security:reference-data:ENDPOINT-EXCEPTIONS-PER-POLICY-OPT-IN-STATUS ``` ### Deleting opt-in status you can also delete the opt-in status, so you're back to the 'upgrade' scenario. for this, you need a `system_indices_superuser`, here's a quick console command to create one: ``` POST kbn://internal/security/users/testuser { "password": "changeme", "username": "testuser", "full_name": "", "email": "", "roles": [ "system_indices_superuser", "superuser" ] } ``` and then delete like this: ``` DELETE .kibana_security_solution/_doc/security:reference-data:ENDPOINT-EXCEPTIONS-PER-POLICY-OPT-IN-STATUS ``` ## todo docs ### Checklist Check the PR satisfies following conditions. Reviewers should verify this PR satisfies this list as well. - [x] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md) - [ ] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
rylnd
added a commit
that referenced
this pull request
Apr 3, 2026
…ated routes (#258266) ## Summary This PR removes two calls to `createEndpointList()` from rule-related code paths. [PR #233289](#233289) removed the use of endpoint exceptions in rules, so ensuring the endpoint list exists in these rule routes is no longer required. Dropping these calls fixes a 9.3 issue where users with **only** the Rules Kibana feature could not preview rules, because the routes were invoking `createEndpointList()`, which depended on list/exception permissions those users do not have. The problem was first seen on the Alerts RBAC branch but affects current 9.3 behavior. ### Expected behavior for rules that reference an endpoint exception list - **Until the feature flag is enabled/removed:** Rules keep using any associated endpoint exception list when the `endpointExceptionsMovedUnderManagement` feature flag is off. No change to that behavior. - **When the user cannot read the endpoint exception list:** Endpoint exceptions are ignored (no error). Rule creation and preview succeed; only endpoint exception list items are skipped for that execution. A new integration test under `create_rules` covers this: a user with only the Rules feature can create and preview a rule that references the endpoint exception list, and the preview completes successfully with no errors while endpoint exceptions are ignored. --- ## How to Review 1. **Feature flag and execution:** Ensure rule execution and `getExceptions` still respect `endpointExceptionsMovedUnderManagement` (endpoint lists filtered out when the flag is on) and that missing read permission for the endpoint list results in endpoint exceptions being ignored, not in failures. 1. **New integration test:** Run the new test that uses a role with only the Rules feature (e.g. `rulesAllPreviewIndexRole`), creates a rule that references the endpoint exception list, and runs a rule preview. It should pass and assert that the preview returns no errors (validating that endpoint exceptions are ignored when the user cannot read the endpoint list). 1. **Regression:** Run the existing detections/rule creation and prebuilt-rule installation tests to confirm no regressions from removing `createEndpointList()`. ### Checklist Check the PR satisfies following conditions. Reviewers should verify this PR satisfies this list as well. - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios - [ ] [Flaky Test Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was used on any tests changed - [ ] The PR description includes the appropriate Release Notes section, and the correct `release_note:*` label is applied per the [guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process) - [x] Review the [backport guidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing) and apply applicable `backport:*` labels. --------- Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
rylnd
added a commit
to rylnd/kibana
that referenced
this pull request
Apr 3, 2026
…ated routes (elastic#258266) ## Summary This PR removes two calls to `createEndpointList()` from rule-related code paths. [PR elastic#233289](elastic#233289) removed the use of endpoint exceptions in rules, so ensuring the endpoint list exists in these rule routes is no longer required. Dropping these calls fixes a 9.3 issue where users with **only** the Rules Kibana feature could not preview rules, because the routes were invoking `createEndpointList()`, which depended on list/exception permissions those users do not have. The problem was first seen on the Alerts RBAC branch but affects current 9.3 behavior. ### Expected behavior for rules that reference an endpoint exception list - **Until the feature flag is enabled/removed:** Rules keep using any associated endpoint exception list when the `endpointExceptionsMovedUnderManagement` feature flag is off. No change to that behavior. - **When the user cannot read the endpoint exception list:** Endpoint exceptions are ignored (no error). Rule creation and preview succeed; only endpoint exception list items are skipped for that execution. A new integration test under `create_rules` covers this: a user with only the Rules feature can create and preview a rule that references the endpoint exception list, and the preview completes successfully with no errors while endpoint exceptions are ignored. --- ## How to Review 1. **Feature flag and execution:** Ensure rule execution and `getExceptions` still respect `endpointExceptionsMovedUnderManagement` (endpoint lists filtered out when the flag is on) and that missing read permission for the endpoint list results in endpoint exceptions being ignored, not in failures. 1. **New integration test:** Run the new test that uses a role with only the Rules feature (e.g. `rulesAllPreviewIndexRole`), creates a rule that references the endpoint exception list, and runs a rule preview. It should pass and assert that the preview returns no errors (validating that endpoint exceptions are ignored when the user cannot read the endpoint list). 1. **Regression:** Run the existing detections/rule creation and prebuilt-rule installation tests to confirm no regressions from removing `createEndpointList()`. ### Checklist Check the PR satisfies following conditions. Reviewers should verify this PR satisfies this list as well. - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios - [ ] [Flaky Test Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was used on any tests changed - [ ] The PR description includes the appropriate Release Notes section, and the correct `release_note:*` label is applied per the [guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process) - [x] Review the [backport guidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing) and apply applicable `backport:*` labels. --------- Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com> (cherry picked from commit f912fdc) # Conflicts: # x-pack/solutions/security/plugins/security_solution/server/lib/detection_engine/rule_management/api/rules/create_rule/route.ts # x-pack/solutions/security/test/security_solution_api_integration/test_suites/detections_response/utils/auth/roles.ts
rylnd
added a commit
that referenced
this pull request
Apr 4, 2026
…le-related routes (#258266) (#261176) # Backport This will backport the following commits from `main` to `9.3`: - [[Detection Engine] Remove Endpoint List bootstrap calls from Rule-related routes (#258266)](#258266) <!--- Backport version: 11.0.1 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sorenlouv/backport) <!--BACKPORT [{"author":{"name":"Ryland Herrick","email":"ryalnd@gmail.com"},"sourceCommit":{"committedDate":"2026-04-03T15:59:55Z","message":"[Detection Engine] Remove Endpoint List bootstrap calls from Rule-related routes (#258266)\n\n## Summary\n\nThis PR removes two calls to `createEndpointList()` from rule-related\ncode paths. [PR #233289](https://github.com/elastic/kibana/pull/233289)\nremoved the use of endpoint exceptions in rules, so ensuring the\nendpoint list exists in these rule routes is no longer required.\nDropping these calls fixes a 9.3 issue where users with **only** the\nRules Kibana feature could not preview rules, because the routes were\ninvoking `createEndpointList()`, which depended on list/exception\npermissions those users do not have. The problem was first seen on the\nAlerts RBAC branch but affects current 9.3 behavior.\n\n### Expected behavior for rules that reference an endpoint exception\nlist\n\n- **Until the feature flag is enabled/removed:** Rules keep using any\nassociated endpoint exception list when the\n`endpointExceptionsMovedUnderManagement` feature flag is off. No change\nto that behavior.\n- **When the user cannot read the endpoint exception list:** Endpoint\nexceptions are ignored (no error). Rule creation and preview succeed;\nonly endpoint exception list items are skipped for that execution. A new\nintegration test under `create_rules` covers this: a user with only the\nRules feature can create and preview a rule that references the endpoint\nexception list, and the preview completes successfully with no errors\nwhile endpoint exceptions are ignored.\n\n---\n\n## How to Review\n\n1. **Feature flag and execution:** Ensure rule execution and\n`getExceptions` still respect `endpointExceptionsMovedUnderManagement`\n(endpoint lists filtered out when the flag is on) and that missing read\npermission for the endpoint list results in endpoint exceptions being\nignored, not in failures.\n1. **New integration test:** Run the new test that uses a role with only\nthe Rules feature (e.g. `rulesAllPreviewIndexRole`), creates a rule that\nreferences the endpoint exception list, and runs a rule preview. It\nshould pass and assert that the preview returns no errors (validating\nthat endpoint exceptions are ignored when the user cannot read the\nendpoint list).\n1. **Regression:** Run the existing detections/rule creation and\nprebuilt-rule installation tests to confirm no regressions from removing\n`createEndpointList()`.\n\n### Checklist\n\nCheck the PR satisfies following conditions. \n\nReviewers should verify this PR satisfies this list as well.\n\n\n- [x] [Unit or functional\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\nwere updated or added to match the most common scenarios\n- [ ] [Flaky Test\nRunner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was\nused on any tests changed\n- [ ] The PR description includes the appropriate Release Notes section,\nand the correct `release_note:*` label is applied per the\n[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)\n- [x] Review the [backport\nguidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing)\nand apply applicable `backport:*` labels.\n\n---------\n\nCo-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>","sha":"f912fdcf915e2c7ec20c0aa4ce81127767d9941b","branchLabelMapping":{"^v9.4.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:fix","Feature:Detection Alerts/Rules RBAC","Team:Detection Engine","backport:version","v9.3.0","v9.4.0"],"title":"[Detection Engine] Remove Endpoint List bootstrap calls from Rule-related routes","number":258266,"url":"https://github.com/elastic/kibana/pull/258266","mergeCommit":{"message":"[Detection Engine] Remove Endpoint List bootstrap calls from Rule-related routes (#258266)\n\n## Summary\n\nThis PR removes two calls to `createEndpointList()` from rule-related\ncode paths. [PR #233289](https://github.com/elastic/kibana/pull/233289)\nremoved the use of endpoint exceptions in rules, so ensuring the\nendpoint list exists in these rule routes is no longer required.\nDropping these calls fixes a 9.3 issue where users with **only** the\nRules Kibana feature could not preview rules, because the routes were\ninvoking `createEndpointList()`, which depended on list/exception\npermissions those users do not have. The problem was first seen on the\nAlerts RBAC branch but affects current 9.3 behavior.\n\n### Expected behavior for rules that reference an endpoint exception\nlist\n\n- **Until the feature flag is enabled/removed:** Rules keep using any\nassociated endpoint exception list when the\n`endpointExceptionsMovedUnderManagement` feature flag is off. No change\nto that behavior.\n- **When the user cannot read the endpoint exception list:** Endpoint\nexceptions are ignored (no error). Rule creation and preview succeed;\nonly endpoint exception list items are skipped for that execution. A new\nintegration test under `create_rules` covers this: a user with only the\nRules feature can create and preview a rule that references the endpoint\nexception list, and the preview completes successfully with no errors\nwhile endpoint exceptions are ignored.\n\n---\n\n## How to Review\n\n1. **Feature flag and execution:** Ensure rule execution and\n`getExceptions` still respect `endpointExceptionsMovedUnderManagement`\n(endpoint lists filtered out when the flag is on) and that missing read\npermission for the endpoint list results in endpoint exceptions being\nignored, not in failures.\n1. **New integration test:** Run the new test that uses a role with only\nthe Rules feature (e.g. `rulesAllPreviewIndexRole`), creates a rule that\nreferences the endpoint exception list, and runs a rule preview. It\nshould pass and assert that the preview returns no errors (validating\nthat endpoint exceptions are ignored when the user cannot read the\nendpoint list).\n1. **Regression:** Run the existing detections/rule creation and\nprebuilt-rule installation tests to confirm no regressions from removing\n`createEndpointList()`.\n\n### Checklist\n\nCheck the PR satisfies following conditions. \n\nReviewers should verify this PR satisfies this list as well.\n\n\n- [x] [Unit or functional\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\nwere updated or added to match the most common scenarios\n- [ ] [Flaky Test\nRunner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was\nused on any tests changed\n- [ ] The PR description includes the appropriate Release Notes section,\nand the correct `release_note:*` label is applied per the\n[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)\n- [x] Review the [backport\nguidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing)\nand apply applicable `backport:*` labels.\n\n---------\n\nCo-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>","sha":"f912fdcf915e2c7ec20c0aa4ce81127767d9941b"}},"sourceBranch":"main","suggestedTargetBranches":["9.3"],"targetPullRequestStates":[{"branch":"9.3","label":"v9.3.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"main","label":"v9.4.0","branchLabelMappingKey":"^v9.4.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/258266","number":258266,"mergeCommit":{"message":"[Detection Engine] Remove Endpoint List bootstrap calls from Rule-related routes (#258266)\n\n## Summary\n\nThis PR removes two calls to `createEndpointList()` from rule-related\ncode paths. [PR #233289](https://github.com/elastic/kibana/pull/233289)\nremoved the use of endpoint exceptions in rules, so ensuring the\nendpoint list exists in these rule routes is no longer required.\nDropping these calls fixes a 9.3 issue where users with **only** the\nRules Kibana feature could not preview rules, because the routes were\ninvoking `createEndpointList()`, which depended on list/exception\npermissions those users do not have. The problem was first seen on the\nAlerts RBAC branch but affects current 9.3 behavior.\n\n### Expected behavior for rules that reference an endpoint exception\nlist\n\n- **Until the feature flag is enabled/removed:** Rules keep using any\nassociated endpoint exception list when the\n`endpointExceptionsMovedUnderManagement` feature flag is off. No change\nto that behavior.\n- **When the user cannot read the endpoint exception list:** Endpoint\nexceptions are ignored (no error). Rule creation and preview succeed;\nonly endpoint exception list items are skipped for that execution. A new\nintegration test under `create_rules` covers this: a user with only the\nRules feature can create and preview a rule that references the endpoint\nexception list, and the preview completes successfully with no errors\nwhile endpoint exceptions are ignored.\n\n---\n\n## How to Review\n\n1. **Feature flag and execution:** Ensure rule execution and\n`getExceptions` still respect `endpointExceptionsMovedUnderManagement`\n(endpoint lists filtered out when the flag is on) and that missing read\npermission for the endpoint list results in endpoint exceptions being\nignored, not in failures.\n1. **New integration test:** Run the new test that uses a role with only\nthe Rules feature (e.g. `rulesAllPreviewIndexRole`), creates a rule that\nreferences the endpoint exception list, and runs a rule preview. It\nshould pass and assert that the preview returns no errors (validating\nthat endpoint exceptions are ignored when the user cannot read the\nendpoint list).\n1. **Regression:** Run the existing detections/rule creation and\nprebuilt-rule installation tests to confirm no regressions from removing\n`createEndpointList()`.\n\n### Checklist\n\nCheck the PR satisfies following conditions. \n\nReviewers should verify this PR satisfies this list as well.\n\n\n- [x] [Unit or functional\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\nwere updated or added to match the most common scenarios\n- [ ] [Flaky Test\nRunner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was\nused on any tests changed\n- [ ] The PR description includes the appropriate Release Notes section,\nand the correct `release_note:*` label is applied per the\n[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)\n- [x] Review the [backport\nguidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing)\nand apply applicable `backport:*` labels.\n\n---------\n\nCo-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>","sha":"f912fdcf915e2c7ec20c0aa4ce81127767d9941b"}}]}] BACKPORT--> --------- Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
6 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Related: https://github.com/elastic/security-team/issues/13777
https://github.com/elastic/security-team/issues/14573
We are filtering endpoint exceptions from DE execution logic.
Update tests so that endpoint exceptions don't affect alerts generated right now (they should be excluded on the endpoint)
How to test:
Enable FF -
endpointExceptionsMovedUnderManagementNow you should have
Endpoint Security (Elastic Defend)installed.Let's create 2 events. You can manipulate user.name to check how exceptions works later.
For the rule, change the interval/schedule if you need to create alerts more easily.
Add endpoint exceptions (windows, and user.name - some value, for example hello1).
--
With FF enabled, we should see 2 alerts generated for
user.namehello1andhello2.With FF disabled, the exception should work on the DE side, so you only see 1 alert for
hello2.