[Security Solution] [Detection Engine] Conditionally hides checkbox to add endpoint exceptions to rule execution#242480
…on' into endpoint-exceptions-rule-ui-option
denar50
left a comment
Tested it locally. LGTM!
Starting backport for target branches: 9.2 https://github.com/elastic/kibana/actions/runs/19642877770
💚 Build Succeeded
cc @dhurley14
…o add endpoint exceptions to rule execution (elastic#242480)

## Summary

Conditionally render endpoint exceptions UI checkbox under "About Rule" advanced settings.

UI change related to: elastic#233289

(cherry picked from commit 98685d9)
💚 All backports created successfully
Note: Successful backport PRs will be merged automatically after passing CI.
Questions ? Please refer to the Backport tool documentation
…kbox to add endpoint exceptions to rule execution (#242480) (#244039)

# Backport

This will backport the following commits from `main` to `9.2`:
- [[Security Solution] [Detection Engine] Conditionally hides checkbox to add endpoint exceptions to rule execution (#242480)](#242480)

<!--- Backport version: 9.6.6 -->

### Questions ?
Please refer to the [Backport tool documentation](https://github.com/sorenlouv/backport)

Co-authored-by: Devin W. Hurley <devin.hurley@elastic.co>
…o add endpoint exceptions to rule execution (elastic#242480)

## Summary

Conditionally render endpoint exceptions UI checkbox under "About Rule" advanced settings.

UI change related to: elastic#233289
@dhurley14 reposting the release notes guidance for PRs with the Hi! This PR has a
If the change should not be listed in the release notes, please use the If this helps, we have a page describing release notes best practices for PRs (Elastic access only)
Hi @nastasha-solomon Sorry for the oversight I genuinely don't think I intended to select the
…icy Endpoint Exceptions (#259598)

## Summary

This PR adds an opt-in mechanism that allows using the so far global-only Endpoint Exceptions on a per-policy basis.

> [!note]
> Hidden behind feature flag (as part of the Endpoint exception move effort):
> ```
> xpack.securitySolution.enableExperimental:
>   - endpointExceptionsMovedUnderManagement
> ```

### Behavior in short
- new deployments are automatically opted in. they also won't see the 'Endpoint exceptions moved' and 'Endpoint exceptions not evaluated on rules anymore' callouts (from #258556).
- upgraded environments will see a new callout on the Endpoint exceptions page that suggests to enable per-policy behavior
  - superuser role (ESS) or admin role (serverless) users are able to perform the opt-in
  - other users will see a message to contact their administrators
- after manually opting in
  - Endpoint exceptions can be assigned to package policies, like other endpoint artifacts
  - but, they won't be evaluated during rule execution anymore (see #233289)
  - and they cannot be added to detection rules anymore (see #242480)

### Data
Opt-in status is stored in the `ReferenceDataClient`, and it's defaulted during plugin start phase either to:
- `{ status: false }`, in case endpoint exception list exists (i.e. upgrade, it's created every time),
- `{ status: true, reason: 'newDeployment' }`, in case the list does not exist.

### API
2 new API endpoints are added:
- `GET /internal/api/endpoint/endpoint_exceptions_per_policy_opt_in` to receive the opt-in status on the UI,
- `POST /internal/api/endpoint/endpoint_exceptions_per_policy_opt_in` to perform the opt-in, that sets the status to `{ status: true, reason: 'userOptedIn' }`

### UI

#### empty page is... empty
<img width="400" height="793" alt="image" src="https://github.com/user-attachments/assets/e7b72ab9-2a42-49ca-b2e9-2447e3ff9dd3" />

#### callout for non-superusers
<img width="1280" height="516" alt="image" src="https://github.com/user-attachments/assets/f88a04a6-b8bb-46be-8f5f-ece5f1d89cf2" />

#### callout for superusers / admins
<img width="1215" height="554" alt="image" src="https://github.com/user-attachments/assets/e2552d27-ac9d-4dfe-84da-48012fdf57fc" />

#### menu action for superusers / admins
in case the callout is dismissed. although, it will come up again as it's only dismissed for the session.
<img width="335" height="204" alt="image" src="https://github.com/user-attachments/assets/5d7a23e6-2428-4f8f-b941-0f97e8bd7750" />

#### modal
<img width="925" height="564" alt="image" src="https://github.com/user-attachments/assets/0cbc4573-b052-4e1f-82c5-13298532f7fe" />

### recording

#### opt-in process and endpoint exceptions pages
https://github.com/user-attachments/assets/de8204bd-72d2-4a99-b51c-b86771c577c3

### hiding stuff behind opt-in status
- endpoint exception related per-policy activities are available only after opt-in, like
  - per-policy assignment in the form,
  - assigning exceptions to policies in the Policy details page Endpoint exceptions tab,
  - `ManifestManager` also uses per-policy EE after opt-in only.
- 'endpoint exceptions moved' informative callouts are shown without opting in (due to the FF enabled), or after _manual_ opt-in (i.e. are hidden on new deployments)
  - see the details in the previous PR: #258556
- 'endpoint exceptions are not evaluated on rules' informative callouts are shown only after _manually_ opting in (i.e. it needs opt-in, but isn't shown on new deployments)
  - see the details in the previous PR: #258556

## Testing
To test this,
- either add some data (endpoint exceptions), and then turn on the feature flag `xpack.securitySolution.enableExperimental.endpointExceptionsMovedUnderManagement`, to simulate an 'upgrade' scenario,
- or start with the feature flag turned on, to simulate a 'new deployment' scenario.

### Reading opt-in status
dev console:
```
GET .kibana_security_solution/_doc/security:reference-data:ENDPOINT-EXCEPTIONS-PER-POLICY-OPT-IN-STATUS
```

### Deleting opt-in status
you can also delete the opt-in status, so you're back to the 'upgrade' scenario. for this, you need a `system_indices_superuser`, here's a quick console command to create one:
```
POST kbn://internal/security/users/testuser
{
  "password": "changeme",
  "username": "testuser",
  "full_name": "",
  "email": "",
  "roles": [
    "system_indices_superuser",
    "superuser"
  ]
}
```
and then delete like this:
```
DELETE .kibana_security_solution/_doc/security:reference-data:ENDPOINT-EXCEPTIONS-PER-POLICY-OPT-IN-STATUS
```

## todo
docs

### Checklist
Check the PR satisfies following conditions.
Reviewers should verify this PR satisfies this list as well.
- [x] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)
- [ ] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials
- [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
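Added example (not part of the commit message above, and not Kibana code): because the commit message says endpoint exceptions stop being evaluated during rule execution after opt-in, this script lists which exported detection rules still reference them and which enabled ones need review. The NDJSON export shape, the `exceptions_list` fields and the `endpoint_list` id are assumptions; the sample rules are constructed.

```javascript
// Added example, not Kibana code. Assumed (not from the page): rules exported as
// NDJSON, each with an `exceptions_list` array of { list_id, type } entries, and
// the global endpoint exception list identified by list_id "endpoint_list".
const ENDPOINT_LIST_ID = 'endpoint_list';

// Parse NDJSON; lines without a rule_id (e.g. an export summary) are skipped.
function parseRuleExport(text) {
  const rules = [];
  text.split('\n').forEach((raw, i) => {
    const line = raw.trim();
    if (!line) return;
    let doc;
    try {
      doc = JSON.parse(line);
    } catch (err) {
      throw new Error(`line ${i + 1}: not valid JSON`);
    }
    if (doc && typeof doc.rule_id === 'string') rules.push(doc);
  });
  return rules;
}

function referencesEndpointExceptions(rule) {
  const lists = Array.isArray(rule.exceptions_list) ? rule.exceptions_list : [];
  return lists.some((l) => l && (l.list_id === ENDPOINT_LIST_ID || l.type === 'endpoint'));
}

// optIn has the shape the commit message gives: { status, reason? }.
function auditRules(exportText, optIn) {
  const affected = parseRuleExport(exportText).filter(referencesEndpointExceptions);
  const optedIn = Boolean(optIn && optIn.status === true);
  return {
    optedIn,
    reason: optedIn ? optIn.reason || null : null,
    affected: affected.map((r) => r.rule_id),
    // Enabled rules that relied on endpoint exceptions which are no longer
    // evaluated at rule execution once the deployment is opted in.
    needsReview: optedIn ? affected.filter((r) => r.enabled === true).map((r) => r.rule_id) : [],
  };
}

// Constructed sample export: three rules plus a summary line.
const SAMPLE_EXPORT = [
  { rule_id: 'constructed-rule-1', enabled: true,
    exceptions_list: [{ list_id: 'endpoint_list', type: 'endpoint' }] },
  { rule_id: 'constructed-rule-2', enabled: true,
    exceptions_list: [{ list_id: 'constructed-detection-list', type: 'detection' }] },
  { rule_id: 'constructed-rule-3', enabled: false,
    exceptions_list: [{ list_id: 'endpoint_list', type: 'endpoint' }] },
  { exported_count: 3 },
].map((doc) => JSON.stringify(doc)).join('\n');

console.log(auditRules(SAMPLE_EXPORT, { status: true, reason: 'userOptedIn' }));
```

Running the audit before opting in (`{ status: false }`) gives the list of rules to check in advance, while `needsReview` stays empty until the opt-in is recorded.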
Summary
Conditionally render endpoint exceptions UI checkbox under "About Rule" advanced settings.
UI change related to: #233289
Before:
After:
Checklist
Check the PR satisfies following conditions.
Reviewers should verify this PR satisfies this list as well.