elastic · tomsonpl · Sep 26, 2025 · Aug 29, 2025 · Aug 29, 2025 · Aug 29, 2025
@@ -27,9 +27,25 @@ xpack.features.overrides:
   siem.description: null
   siemV2.description: null
   siemV3.description: null
+  siemV4.description: null
   securitySolutionSiemMigrations.hidden: true
 
   ## Fine-tune the security solution essentials feature privileges. These feature privilege overrides are set individually for each project type. Also, refer to `serverless.yml` for the project-agnostic overrides.
+  siemV4:
+    privileges:
+      all.composedOf:
+        ## Limited values so the fields from serverless.yml or serverless.security.yml are overwritten
+        ## We do not need to compose siemV4 from maps and visualizations because these functionalities are disabled in this tier
+        - feature: "discover_v2"
+          privileges: [ "all" ]
+          ## We need limited access to fleet (v1) in order to use integrations
+        - feature: "fleet"
+          privileges: [ "all" ]
+      read.composedOf:
+        - feature: "discover_v2"
+          privileges: [ "read" ]
+        - feature: "fleet"
+          privileges: [ "read" ]
   siemV3:
     privileges:
       all.composedOf:

@@ -29,6 +29,33 @@ xpack.features.overrides:
     category: "security"
     order: 1102
   ### Security's feature privileges are fine-tuned to grant access to Discover, Dashboard, Maps, and Visualize apps.
+  siemV4:
+    privileges:
+      ### Security's `All` feature privilege should implicitly grant `All` access to Discover, Dashboard, Maps, and
+      ### Visualize features.
+      all.composedOf:
+        - feature: "discover_v2"
+          privileges: [ "all" ]
+        - feature: "dashboard_v2"
+          privileges: [ "all" ]
+        - feature: "visualize_v2"
+          privileges: [ "all" ]
+        - feature: "maps_v2"
+          privileges: [ "all" ]
+      # Security's `Read` feature privilege should implicitly grant `Read` access to Discover, Dashboard, Maps, and
+      # Visualize features. Additionally, it should implicitly grant privilege to create short URLs in Discover,
+      ### Dashboard, and Visualize apps.
+      read.composedOf:
+        - feature: "discover_v2"
+          privileges: [ "read" ]
+        - feature: "dashboard_v2"
+          privileges: [ "read" ]
+        - feature: "visualize_v2"
+          privileges: [ "read" ]
+        - feature: "maps_v2"
+          privileges: [ "read" ]
+
+  ### Security's feature privileges are fine-tuned to grant access to Discover, Dashboard, Maps, and Visualize apps.
   siemV3:
     privileges:
       ### Security's `All` feature privilege should implicitly grant `All` access to Discover, Dashboard, Maps, and

@@ -8,7 +8,7 @@
 import { deepFreeze } from '@kbn/std';
 import { DEFAULT_APP_CATEGORIES } from '@kbn/core-application-common';
 
-export const SECURITY_SOLUTION_APP_ID = 'siemV3';
+export const SECURITY_SOLUTION_APP_ID = 'siemV4';
 
 export interface PrivilegeMapObject {
   appId: string;

@@ -134,7 +134,7 @@ export default function ({ getService }: FtrProviderContext) {
             'searchSynonyms',
             'searchQueryRules',
             'searchPlayground',
-            'siemV3',
+            'siemV4',
             'slo',
             'streams',
             'securitySolutionAssistant',

@@ -120,6 +120,8 @@ export default function ({ getService }: FtrProviderContext) {
         'blocklist_read',
         'event_filters_all',
         'event_filters_read',
+        'endpoint_exceptions_all',
+        'endpoint_exceptions_read',
         'policy_management_all',
         'policy_management_read',
         'actions_log_management_all',
@@ -148,6 +150,8 @@ export default function ({ getService }: FtrProviderContext) {
         'blocklist_read',
         'event_filters_all',
         'event_filters_read',
+        'endpoint_exceptions_all',
+        'endpoint_exceptions_read',
         'policy_management_all',
         'policy_management_read',
         'actions_log_management_all',
@@ -176,6 +180,38 @@ export default function ({ getService }: FtrProviderContext) {
         'blocklist_read',
         'event_filters_all',
         'event_filters_read',
+        'endpoint_exceptions_all',
+        'endpoint_exceptions_read',
+        'policy_management_all',
+        'policy_management_read',
+        'actions_log_management_all',
+        'actions_log_management_read',
+        'host_isolation_all',
+        'process_operations_all',
+        'file_operations_all',
+        'execute_operations_all',
+        'scan_operations_all',
+      ],
+      siemV4: [
+        'all',
+        'read',
+        'minimal_all',
+        'minimal_read',
+        'endpoint_list_all',
+        'endpoint_list_read',
+        'workflow_insights_all',
+        'workflow_insights_read',
+        'global_artifact_management_all',
+        'trusted_applications_all',
+        'trusted_applications_read',
+        'host_isolation_exceptions_all',
+        'host_isolation_exceptions_read',
+        'blocklist_all',
+        'blocklist_read',
+        'event_filters_all',
+        'event_filters_read',
+        'endpoint_exceptions_all',
+        'endpoint_exceptions_read',
         'policy_management_all',
         'policy_management_read',
         'actions_log_management_all',

@@ -59,6 +59,7 @@ export default function ({ getService }: FtrProviderContext) {
             siem: ['all', 'read', 'minimal_all', 'minimal_read'],
             siemV2: ['all', 'read', 'minimal_all', 'minimal_read'],
             siemV3: ['all', 'read', 'minimal_all', 'minimal_read'],
+            siemV4: ['all', 'read', 'minimal_all', 'minimal_read'],
             securitySolutionAssistant: ['all', 'read', 'minimal_all', 'minimal_read'],
             securitySolutionAttackDiscovery: ['all', 'read', 'minimal_all', 'minimal_read'],
             securitySolutionCases: ['all', 'read', 'minimal_all', 'minimal_read'],
@@ -222,6 +223,8 @@ export default function ({ getService }: FtrProviderContext) {
               'all',
               'blocklist_all',
               'blocklist_read',
+              'endpoint_exceptions_all',
+              'endpoint_exceptions_read',
               'endpoint_list_all',
               'endpoint_list_read',
               'event_filters_all',
@@ -248,6 +251,8 @@ export default function ({ getService }: FtrProviderContext) {
               'global_artifact_management_all',
               'blocklist_all',
               'blocklist_read',
+              'endpoint_exceptions_all',
+              'endpoint_exceptions_read',
               'endpoint_list_all',
               'endpoint_list_read',
               'event_filters_all',
@@ -276,6 +281,38 @@ export default function ({ getService }: FtrProviderContext) {
               'global_artifact_management_all',
               'blocklist_all',
               'blocklist_read',
+              'endpoint_exceptions_all',
+              'endpoint_exceptions_read',
+              'endpoint_list_all',
+              'endpoint_list_read',
+              'event_filters_all',
+              'event_filters_read',
+              'host_isolation_all',
+              'host_isolation_exceptions_all',
+              'host_isolation_exceptions_read',
+              'minimal_all',
+              'minimal_read',
+              'policy_management_all',
+              'policy_management_read',
+              'process_operations_all',
+              'read',
+              'trusted_applications_all',
+              'trusted_applications_read',
+              'file_operations_all',
+              'execute_operations_all',
+              'scan_operations_all',
+              'workflow_insights_all',
+              'workflow_insights_read',
+            ],
+            siemV4: [
+              'actions_log_management_all',
+              'actions_log_management_read',
+              'all',
+              'global_artifact_management_all',
+              'blocklist_all',
+              'blocklist_read',
+              'endpoint_exceptions_all',
+              'endpoint_exceptions_read',
               'endpoint_list_all',
               'endpoint_list_read',
               'event_filters_all',

@@ -191,6 +191,7 @@ export default function ({ getService }: FtrProviderContext) {
           "securitySolutionCasesV2",
           "siem",
           "siemV2",
+          "siemV3",
           "visualize",
         ]
       `);

@@ -94,7 +94,7 @@ export function createTestSuiteFactory({ getService }: DeploymentAgnosticFtrProv
         'securitySolutionNotes',
         'securitySolutionSiemMigrations',
         'securitySolutionTimeline',
-        'siemV3',
+        'siemV4',
         'slo',
         'streams',
         'uptime',

@@ -98,7 +98,7 @@ export function getTestSuiteFactory(context: DeploymentAgnosticFtrProviderContex
             'securitySolutionNotes',
             'securitySolutionSiemMigrations',
             'securitySolutionTimeline',
-            'siemV3',
+            'siemV4',
             'slo',
             'streams',
             'uptime',

@@ -86,7 +86,7 @@ const ALL_SPACE_RESULTS: Space[] = [
       'securitySolutionNotes',
       'securitySolutionSiemMigrations',
       'securitySolutionTimeline',
-      'siemV3',
+      'siemV4',
       'slo',
       'streams',
       'uptime',

@@ -96,6 +96,7 @@ export default function ({ getService }: FtrProviderContext) {
         siem: 0,
         siemV2: 0,
         siemV3: 0,
+        siemV4: 0,
         securitySolutionCases: 0,
         securitySolutionCasesV2: 0,
         securitySolutionCasesV3: 0,

@@ -6,7 +6,12 @@
  */
 
 export { getCasesFeature, getCasesV2Feature, getCasesV3Feature } from './src/cases';
-export { getSecurityFeature, getSecurityV2Feature, getSecurityV3Feature } from './src/security';
+export {
+  getSecurityFeature,
+  getSecurityV2Feature,
+  getSecurityV3Feature,
+  getSecurityV4Feature,
+} from './src/security';
 export { getAssistantFeature } from './src/assistant';
 export { getAttackDiscoveryFeature } from './src/attack_discovery';
 export { getTimelineFeature } from './src/timeline';

@@ -13,6 +13,8 @@ export const SERVER_APP_ID = 'siem' as const;
 export const SECURITY_FEATURE_ID_V2 = 'siemV2' as const;
 // New version for 9.1.
 export const SECURITY_FEATURE_ID_V3 = 'siemV3' as const;
+// New version for 9.2.
+export const SECURITY_FEATURE_ID_V4 = 'siemV4' as const;
 
 /**
  * @deprecated deprecated in 8.17. Use CASE_FEATURE_ID_V2 instead

@@ -25,6 +25,11 @@ import {
 import { securityDefaultProductFeaturesConfig } from './product_feature_config';
 import { securityV1ProductFeaturesConfig } from './v1_features/product_feature_config';
 import { securityV2ProductFeaturesConfig } from './v2_features/product_feature_config';
+import { getSecurityV4BaseKibanaFeature } from './v4_features/kibana_features';
+import {
+  getSecurityV4BaseKibanaSubFeatureIds,
+  getSecurityV4SubFeaturesMap,
+} from './v4_features/kibana_sub_features';
 
 export const getSecurityFeature = (
   params: SecurityFeatureParams
@@ -52,3 +57,12 @@ export const getSecurityV3Feature = (
   subFeaturesMap: getSecurityV3SubFeaturesMap(params),
   productFeatureConfig: securityDefaultProductFeaturesConfig,
 });
+
+export const getSecurityV4Feature = (
+  params: SecurityFeatureParams
+): ProductFeatureParams<ProductFeatureSecurityKey, SecuritySubFeatureId> => ({
+  baseKibanaFeature: getSecurityV4BaseKibanaFeature(params),
+  baseKibanaSubFeatureIds: getSecurityV4BaseKibanaSubFeatureIds(params),
+  subFeaturesMap: getSecurityV4SubFeaturesMap(params),
+  productFeatureConfig: securityDefaultProductFeaturesConfig,
+});
@@ -663,33 +663,42 @@ export const endpointExceptionsSubFeature = (): SubFeatureConfig => ({
   ),
   description: i18n.translate(
     'securitySolutionPackages.features.featureRegistry.subFeatures.endpointExceptions.description',
-    { defaultMessage: 'Manage Endpoint Exceptions.' }
+    {
+      defaultMessage:
+        'Reduce false positive alerts, and keep Elastic Defend from blocking standard processes.',
+    }
   ),
   privilegeGroups: [
     {
       groupType: 'mutually_exclusive',
       privileges: [
         {
           id: 'endpoint_exceptions_all',
-          includeIn: 'all',
+          includeIn: 'none',
           name: TRANSLATIONS.all,
           savedObject: {
-            all: [],
+            all: [EXCEPTION_LIST_NAMESPACE_AGNOSTIC],
             read: [],
           },
           ui: ['showEndpointExceptions', 'crudEndpointExceptions'],
-          api: [`${APP_ID}-showEndpointExceptions`, `${APP_ID}-crudEndpointExceptions`],
+          api: [
+            'lists-all',
+            'lists-read',
+            'lists-summary',
+            `${APP_ID}-showEndpointExceptions`,
+            `${APP_ID}-crudEndpointExceptions`,
+          ],
         },
         {
           id: 'endpoint_exceptions_read',
-          includeIn: 'read',
+          includeIn: 'none',
           name: TRANSLATIONS.read,
           savedObject: {
             all: [],
             read: [],
           },
           ui: ['showEndpointExceptions'],
-          api: [`${APP_ID}-showEndpointExceptions`],
+          api: ['lists-read', 'lists-summary', `${APP_ID}-showEndpointExceptions`],
         },
       ],
     },

@@ -167,4 +167,8 @@ export const securityDefaultProductFeaturesConfig: SecurityProductFeaturesConfig
       SecuritySubFeatureId.globalArtifactManagement,
     ],
   },
+
+  [ProductFeatureSecurityKey.endpointExceptions]: {
+    subFeatureIds: [SecuritySubFeatureId.endpointExceptions],
+  },
 };