[EDR Workflows][Artifact transfer 2] Import UI #247976
gergoabraham merged 13 commits into elastic:main from
follow-up:
- #247976
- #248046

## Summary

This PR adds:
- Export and Import buttons for all Endpoint artifacts,
- activates Export functionality, while Import doesn't do anything so far.

> [!note]
> Hidden behind feature flag (as part of the Endpoint exception move effort):
> ```
> xpack.securitySolution.enableExperimental:
>   - endpointExceptionsMovedUnderManagement
> ```

<img width="950" height="176" alt="image" src="https://github.com/user-attachments/assets/1187d274-5872-4bf6-9b7c-9778daaa15f7" />
<img width="950" height="177" alt="image" src="https://github.com/user-attachments/assets/a91417c9-20dd-4278-ae57-53ddae033730" />

etc...

https://github.com/user-attachments/assets/1e98a9a0-8952-45ff-a687-31a7d21cea60

### Checklist

Check the PR satisfies following conditions.

Reviewers should verify this PR satisfies this list as well.

- [x] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)
- [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
Pinging @elastic/security-defend-workflows (Team:Defend Workflows)
tomsonpl left a comment
Looked only at the code, it looks great 👍 I left a few minor comments - apply/disregard on your discretion :) I love the fact that you added tests for everything ❤️
Thanks!
| toasts.addError(error, { title: labels.pageImportErrorToastTitle }); | ||
| }, | ||
| onSuccess: (response) => { | ||
| // todo: response contains lot of useful information, show somewhere? |
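Review bot: the visible part of `onSuccess` is only a `todo` comment, so `response` is received and then dropped and the user gets no feedback on what the import did. Either surface the result here (at least the number of imported items and any failures the response reports) or replace the `todo` with a reference to the issue that tracks it before this merges.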
Make sure to clear this up before merging 👍
Maybe something like this? :

```ts
toasts.addSuccess({
  title: labels.pageImportSuccessToastTitle,
  text: `Imported ${response.success_count} items successfully`,
});
```
|
|
||
| const { isLoading, mutate } = useImportArtifactList(apiClient); | ||
|
|
||
| const handleOnCancel = useCallback(() => { |
I think this wrapper is redundant. Just use:

```tsx
<EuiFlyout
  onClose={onCancel}
  ...
/>
```
| { file }, | ||
| { | ||
| onError: (error) => { | ||
| toasts.addError(error, { title: labels.pageImportErrorToastTitle }); |
Is there a chance we can show more specific error from API?
toasts.addError() actually shows the message property of the passed error, so this should be okay. and also generic, as @ashokaditya noted in his review
ashokaditya left a comment
Did code review and tested it out. I have a few suggestions:
- that the import info. should be pluralised for artifact type and we should drop the `list` from these messages. So `Import Trusted applications`, `Import Blocklist`, `Import Host isolation exceptions` etc.
- The failure toasts should be generic. Something like `Import failed. <API error reason here>`.
- Maybe this is better for success toast messages with the adverb at the start of the sentence. `Successfully imported trusted applications`, `Successfully imported blocklist` etc.
- Lastly, I feel a narrow vertical flyout is mostly empty for the purpose of imports. The upload area is up top and action buttons are way at the bottom. This might look even more empty on a tall screen or one with high resolution. I suggest that we use a modal or a popover menu with a file picker instead. (We do a popover file picker for upload response action)
thanks for the review, @ashokaditya
i kept the
the error reason is displayed. do you mean that having e.g.
let me revisit this later when we have a working import API : )
💚 Build Succeeded
| 'xpack.securitySolution.artifactListPage.importFlyoutDetails', | ||
| { | ||
| defaultMessage: | ||
| 'Attention: importing your artifacts will overwrite the existing list, which results in losing all existing artifacts that can be edited by the current user.', |
Suggestion for next PR
Attention: Importing artifacts will overwrite your existing list. Any artifacts currently editable by you, will be lost.
prerequisite:
- elastic#247967

follow-up:
- elastic#248046

## Summary

This PR adds UI changes for being able to import artifacts:
- Import flyout on artifact pages,
- flyout stored in URL as well like other flyouts,
- import button for empty state on artifact pages,
- import button for empty state on policy detail tabs.

> [!note]
> Hidden behind feature flag (as part of the Endpoint exception move effort):
> ```
> xpack.securitySolution.enableExperimental:
>   - endpointExceptionsMovedUnderManagement
> ```

> [!important]
> This PR contains only UI changes! API changes are implemented in a follow-up PR.
>
> No checks are changed/applied - on any artifact page you will be able to import JSON files of shared exception lists or endpoint exceptions, but an API error is returned if you try to import endpoint artifacts.

### Looks

<img width="898" height="948" alt="image" src="https://github.com/user-attachments/assets/4a9fd1b4-7c36-47bd-b963-c9e5ace85f1b" />

### Artifact pages - Import flyout from overflow menu

https://github.com/user-attachments/assets/53d9a05d-66bf-49bb-9cea-15e95d353cf8

### Artifact pages - empty state

https://github.com/user-attachments/assets/40f4b0f4-2e24-47dd-b3cc-6c4482c3205b

### Policy details tabs - empty state

https://github.com/user-attachments/assets/13266549-8cd0-4690-85bb-c0e4fa0d03ba

### Checklist

Check the PR satisfies following conditions.

Reviewers should verify this PR satisfies this list as well.

- [x] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)
- [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
prerequisites:
- #247967
- #247976

follow-up:
- #257983

closes #250470

## Summary

> [!note]
> Hidden behind feature flag (as part of the Endpoint exception move effort):
> ```
> xpack.securitySolution.enableExperimental:
>   - endpointExceptionsMovedUnderManagement
> ```

This PR allows importing all Endpoint artifacts!

Lots of changes, here's a summary written by Claude, plus some additional information:

This PR updates the Endpoint artifact import validator registered for the `POST /api/exception_lists/_import` API. The changes are gated behind the `endpointExceptionsMovedUnderManagement` feature flag.

### What's changed

**Import validation overhaul (`getExceptionsPreImportHandler`):**
- Replaces the old simple "block all non-endpoint-exception artifacts" logic with full per-artifact-type validation support
- When the feature flag is enabled, dispatches validation to the appropriate artifact-specific validator (`TrustedAppValidator`, `BlocklistValidator`, `EventFilterValidator`, `HostIsolationExceptionsValidator`, `TrustedDeviceValidator`, `EndpointExceptionsValidator`)
- Supports importing only **one** artifact list type per import call (returns 400 if multiple types are mixed)
- Handles `overwrite` semantics by deleting visible items before import (respecting user permissions), then disabling the Lists API's own overwrite to avoid full-list deletion

**Space-aware validation:**
- Each imported item is validated against the user's space permissions: non-global artifact management users can only import items owned by the current space; users with global artifact management privilege can import items from other spaces, provided those items are visible in the current space
- Invalid owner space IDs are rejected _(this means error);_ invalid policy IDs are stripped and noted in a comment on the item

**On error handling:**
- if there's a general problem (like no user access), the request is rejected.
- if there's a per-item problem, the request succeeds, but it'll contain the errors per item, which errors we can later show to the user

**Data enrichment on import:**
- Adds the `imported_artifact` tag to all imported items
- Adds an audit comment to each item with the original author and creation date
- Adds the `ownerSpaceId` tag to items that lack one (backward compatibility for pre-space-awareness exports)

**`ExceptionsListPreImportServerExtension` type change:**
- The extension point's data type changed from `PromiseFromStreams` → `{ data: PromiseFromStreams; overwrite: boolean }`, allowing the extension to inspect and override the `overwrite` flag

**`ExceptionListClient.bulkDeleteExceptionListItems`:**
- New public method for bulk-deleting exception list items (replaces the previous slow per-item sequential deletion via `asyncForEach`)

**`ExceptionItemImportError` class:**
- New error class implementing `BulkErrorErrorSchema`, used to surface per-item validation errors in the import response (instead of aborting the entire import)

**Tests:**
- Comprehensive new FTR integration test suite (`artifact_import.ts`) covering privilege checks, space-awareness scenarios, invalid data handling, overwrite behavior, comment/tag enrichment, and backward compatibility

## Testing

To ease testing, I added some ugly details (58fcfb3) to the success toast, but this is not something that will stay.

## Follow-up PR possibilities

There are some things we probably also need to add, but I'd like to keep them out of this PR. I can think of these:
- improve UI feedback to user on errors (the toast doesn't look ideal)
- do not allow any artifact type be imported on any artifact pages and rule exceptions page. this is now allowed, since the API endpoint is the same. (we could fix this e.g. by adding a new query parameter to the import API, or by adding a new endpoint artifact import API that calls the lists import service)

Follow-up PR is already in-progress:
- #257983

## Screenshots

<img width="965" height="497" alt="image" src="https://github.com/user-attachments/assets/9a552242-48b0-45f2-979b-eadacf73ffcc" />
<img width="975" height="497" alt="image" src="https://github.com/user-attachments/assets/73d77a99-c2c6-421b-a22d-2c2aeb595b90" />
<img width="1227" height="747" alt="image" src="https://github.com/user-attachments/assets/3d3b77f2-0077-441d-b4eb-5519fcda25a5" />

### Some error messages

<img width="973" height="500" alt="image" src="https://github.com/user-attachments/assets/b751a6cb-e84a-44df-8d47-c676a20253ce" />

Response:
```json
{
  "message": "EndpointArtifactError: Importing multiple Endpoint artifact exception list types at the same time is not supported",
  "status_code": 400
}
```

<img width="1231" height="745" alt="image" src="https://github.com/user-attachments/assets/ef4d9032-ecef-4f32-9c80-241ecdc1a978" />

☝️ probably won't be like this, it's just to visualize the response for this PR. will be improved in a follow-up pr

Response:
```json
{
  "errors": [
    {
      "error": {
        "status_code": 403,
        "message": "EndpointArtifactError: Importing artifacts with invalid owner space IDs is not allowed. The following space ID is invalid or unaccessible by current user: nope"
      },
      "list_id": "endpoint_host_isolation_exceptions",
      "item_id": "5cc4585e-edbb-445f-a0d6-a6a67bb29d04"
    },
    {
      "error": {
        "status_code": 403,
        "message": "EndpointArtifactError: Endpoint authorization failure. Importing artifacts that are not visible in the current space is not allowed"
      },
      "list_id": "endpoint_host_isolation_exceptions",
      "item_id": "4c791b4a-5e87-4eb3-9713-1c80f6c98b80"
    }
  ],
  "success": false,
  "success_count": 1,
  "success_exception_lists": true,
  "success_count_exception_lists": 0,
  "success_exception_list_items": false,
  "success_count_exception_list_items": 1
}
```

### Checklist

Check the PR satisfies following conditions.

Reviewers should verify this PR satisfies this list as well.

- [ ] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)
- [ ] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials
- [ ] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
- [ ] If a plugin configuration key changed, check if it needs to be allowlisted in the cloud and added to the [docker list](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker)
- [ ] This was checked for breaking HTTP API changes, and any breaking changes have been approved by the breaking-change committee. The `release_note:breaking` label should be applied in these situations.
- [ ] [Flaky Test Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was used on any tests changed
- [ ] The PR description includes the appropriate Release Notes section, and the correct `release_note:*` label is applied per the [guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
- [ ] Review the [backport guidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing) and apply applicable `backport:*` labels.

### Identify risks

Does this PR introduce any risks? For example, consider risks like hard to test bugs, performance regression, potential of data loss.

Describe the risk, its severity, and mitigation for each identified risk. Invite stakeholders and evaluate how to proceed before merging.

- [ ] [See some risk examples](https://github.com/elastic/kibana/blob/main/RISK_MATRIX.mdx)
- [ ] ...

---------

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
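Added example (not code from this PR or from Kibana): the two responses quoted in the description above have different shapes, and the second reports failed items in a body that also counts a successfully imported item. The sketch below, in plain JavaScript with the hypothetical helpers `triageImportResponse` and `summarize`, normalises both shapes so a caller can tell a rejected request from a partial import and pull out the authorization failures; the sample bodies are copied from the description.

```javascript
// Sample bodies copied from the PR description above.
const REJECTED_SAMPLE = {
  message:
    'EndpointArtifactError: Importing multiple Endpoint artifact exception list types at the same time is not supported',
  status_code: 400,
};

const PER_ITEM_ERRORS_SAMPLE = {
  errors: [
    {
      error: {
        status_code: 403,
        message:
          'EndpointArtifactError: Importing artifacts with invalid owner space IDs is not allowed. The following space ID is invalid or unaccessible by current user: nope',
      },
      list_id: 'endpoint_host_isolation_exceptions',
      item_id: '5cc4585e-edbb-445f-a0d6-a6a67bb29d04',
    },
    {
      error: {
        status_code: 403,
        message:
          'EndpointArtifactError: Endpoint authorization failure. Importing artifacts that are not visible in the current space is not allowed',
      },
      list_id: 'endpoint_host_isolation_exceptions',
      item_id: '4c791b4a-5e87-4eb3-9713-1c80f6c98b80',
    },
  ],
  success: false,
  success_count: 1,
  success_exception_lists: true,
  success_count_exception_lists: 0,
  success_exception_list_items: false,
  success_count_exception_list_items: 1,
};

// Hypothetical helper: reduce either response shape to one result object.
function triageImportResponse(body) {
  if (body === null || typeof body !== 'object') {
    throw new TypeError('import response must be a JSON object');
  }

  // General problem: the whole request is rejected and nothing is imported.
  if (!Array.isArray(body.errors)) {
    if (typeof body.status_code !== 'number' || typeof body.message !== 'string') {
      throw new TypeError('unrecognised import response shape');
    }
    return {
      outcome: 'rejected',
      statusCode: body.status_code,
      reason: body.message,
      importedItems: 0,
      failures: [],
      authzFailures: [],
    };
  }

  // Per-item problems: the request went through, each failed item is listed.
  const failures = body.errors.map((entry) => ({
    listId: entry.list_id ?? null,
    itemId: entry.item_id ?? null,
    statusCode: entry.error?.status_code ?? null,
    message: entry.error?.message ?? '',
  }));
  const authzFailures = failures.filter(
    (f) => f.statusCode === 401 || f.statusCode === 403
  );
  const importedItems = Number.isInteger(body.success_count_exception_list_items)
    ? body.success_count_exception_list_items
    : 0;

  let outcome = 'failed';
  if (failures.length === 0 && body.success === true) {
    outcome = 'imported';
  } else if (importedItems > 0) {
    outcome = 'partial'; // some items landed, others were refused
  }
  return { outcome, statusCode: null, reason: null, importedItems, failures, authzFailures };
}

// Hypothetical helper: one line of user- or audit-facing text per result.
function summarize(result) {
  if (result.outcome === 'rejected') {
    return `Import rejected (${result.statusCode}): ${result.reason}`;
  }
  return (
    `Imported ${result.importedItems} item(s), ` +
    `${result.failures.length} rejected (${result.authzFailures.length} authorization)`
  );
}

console.log(summarize(triageImportResponse(REJECTED_SAMPLE)));
console.log(summarize(triageImportResponse(PER_ITEM_ERRORS_SAMPLE)));
```
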
- [ ] [Flaky Test Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was used on any tests changed - [ ] The PR description includes the appropriate Release Notes section, and the correct `release_note:*` label is applied per the [guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process) - [ ] Review the [backport guidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing) and apply applicable `backport:*` labels. ### Identify risks Does this PR introduce any risks? For example, consider risks like hard to test bugs, performance regression, potential of data loss. Describe the risk, its severity, and mitigation for each identified risk. Invite stakeholders and evaluate how to proceed before merging. - [ ] [See some risk examples](https://github.com/elastic/kibana/blob/main/RISK_MATRIX.mdx) - [ ] ... --------- Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
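
The split between request-level rejection and per-item errors, together with the space checks described in the commit message above, sketched in TypeScript as an added example; it is not code from this PR or from Kibana. The `ownerSpaceId:` and `policy:` tag prefixes, the `Ctx` shape, the visibility rule and the per-item message texts are assumptions of this sketch.

```typescript
// Added illustration: a simplified model of the import checks, not Kibana code.
type Item = { item_id: string; list_id: string; tags: string[]; comments: string[] };
type ItemError = { error: { status_code: number; message: string }; list_id: string; item_id: string };
type Ctx = { spaceId: string; spaces: string[]; policies: string[]; globalPrivilege: boolean };
type Result = { status_code: number; message?: string; accepted: Item[]; errors: ItemError[] };

const OWNER = 'ownerSpaceId:'; // tag prefixes assumed for this sketch
const POLICY = 'policy:';

function validateImport(items: Item[], ctx: Ctx): Result {
  // General problem: mixed list types reject the whole request.
  if (new Set(items.map((i) => i.list_id)).size > 1) {
    return { status_code: 400, message: 'Importing multiple Endpoint artifact exception list types at the same time is not supported', accepted: [], errors: [] };
  }
  const result: Result = { status_code: 200, accepted: [], errors: [] };
  for (const item of items) {
    const fail = (message: string) =>
      result.errors.push({ error: { status_code: 403, message }, list_id: item.list_id, item_id: item.item_id });
    let tags = [...item.tags];
    const comments = [...item.comments];
    // Pre-space-awareness exports carry no owner tag: default to the current space.
    if (!tags.some((t) => t.startsWith(OWNER))) tags.push(OWNER + ctx.spaceId);
    const owner = tags.find((t) => t.startsWith(OWNER))!.slice(OWNER.length);
    if (!ctx.spaces.includes(owner)) { fail(`Invalid owner space ID: ${owner}`); continue; }
    // Unknown policy IDs are stripped and noted, not treated as an error.
    const stale = tags.filter((t) => t.startsWith(POLICY) && t !== POLICY + 'all' && !ctx.policies.includes(t.slice(POLICY.length)));
    if (stale.length > 0) {
      tags = tags.filter((t) => !stale.includes(t));
      comments.push(`Removed invalid policy IDs: ${stale.join(', ')}`);
    }
    if (owner !== ctx.spaceId) {
      if (!ctx.globalPrivilege) { fail('No permission to manage artifacts in other spaces'); continue; }
      // Assumed visibility rule: global, or assigned to a policy of this space.
      if (!tags.some((t) => t.startsWith(POLICY))) { fail('Artifact is not visible in the current space'); continue; }
    }
    result.accepted.push({ ...item, tags: [...tags, 'imported_artifact'], comments });
  }
  return result;
}

// Constructed sample input: one list type, three items owned by different spaces.
const sample: Item[] = [
  { item_id: 'a', list_id: 'endpoint_host_isolation_exceptions', tags: ['policy:gone'], comments: [] },
  { item_id: 'b', list_id: 'endpoint_host_isolation_exceptions', tags: ['ownerSpaceId:nope'], comments: [] },
  { item_id: 'c', list_id: 'endpoint_host_isolation_exceptions', tags: ['ownerSpaceId:other'], comments: [] },
];
const ctx: Ctx = { spaceId: 'default', spaces: ['default', 'other'], policies: ['p1'], globalPrivilege: true };
console.log(JSON.stringify(validateImport(sample, ctx), null, 2));
```

With the constructed sample, one item is accepted and two come back as per-item 403 errors, the same outcome shape as the second response shown in the commit message.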
prerequisites:
- #247967
- #247976
- #248046

## Summary

> [!note]
> Hidden behind feature flag (as part of the Endpoint exception move effort):
> ```
> xpack.securitySolution.enableExperimental:
>   - endpointExceptionsMovedUnderManagement
> ```

### Limit which lists can be imported on which page

- Shared exceptions page doesn't allow importing Endpoint artifacts (including Endpoint exceptions, that was allowed before)
  - 📔 text: `You can only import shared exception lists here, but at least one of the imported files contains endpoint artifacts. Import endpoint artifacts from their dedicated pages instead.`
- Endpoint artifact pages allow only their corresponding artifact types to be imported
  - 📔 texts:
    - `You can only import blocklist entries here.`
    - `You can only import Endpoint exceptions here.`
    - `You can only import event filters here.`
    - etc.
- Check is moved to the UI side (without more refined validation), to avoid introducing (breaking) changes to import API

### Keep existing artifacts on import

Artifact import now APPENDS imported artifacts to existing ones, instead of OVERWRITING the whole list
- Due to this change, all texts are updated to not use the 'list' word, e.g. _'Import trusted application list'_ => _'Import trusted applications'_

### Positive friction for importing Endpoint artifacts

- A confirmation modal is added to the import process (based on design)
  - 📔 texts:
    - flyout: `Import artifacts to your artifact list.`
    - confirm modal: `This will add new artifacts to your list. If an artifact you're importing already exists, the existing version will be kept, and the import of that artifact will be skipped.`

### Display import errors in a better way, following new design

- Different toasts are shown to the user when the import API call fails, the API call succeeds but none of the artifacts are imported, some of the artifacts are imported or all of the artifacts are imported
  - 📔 texts:
    - `Artifacts imported` / `All artifacts were imported successfully`
    - `Import completed with errors` / `{importedCount} imported, {failedCount} failed. Review the errors for details.`
    - `Artifacts weren't imported` / `The artifacts couldn't be imported. Review the errors and try again.`
- A new modal can be opened from the fail toast to show the list of all errors
  - 📔 texts:
    - title: `Import errors`
    - info: `Some items couldn't be imported. Review the errors below for details.`

### Server error responses are updated with new texts

- 📔 texts:
  - `This artifact can't be imported because you don't have permission to manage artifacts in other spaces. Contact your administrator for access.`
  - `This artifact can't be imported because you don't have permission to manage global artifacts. Contact your administrator for access.`
  - `This artifact can't be imported because it isn't visible in the current space. Try importing it from a matching space or a space with access to the related policy.`
  - `This artifact can't be imported because it belongs to a space you don't have access to. Update the artifact in its original space and try again.`

## Screenshots

### Import limitation

#### Shared lists page

<img width="1135" height="642" alt="image" src="https://github.com/user-attachments/assets/86c2bd48-8678-4662-80fd-87d4f9aa6ed2" />

#### An endpoint artifact page

<img width="1113" height="755" alt="image" src="https://github.com/user-attachments/assets/d0452196-bc92-4fc0-a035-07ac069522df" />

### New texts

<img width="348" height="158" alt="image" src="https://github.com/user-attachments/assets/fcd64168-4908-423b-8bbb-3671b6763c94" />
<img width="288" height="153" alt="image" src="https://github.com/user-attachments/assets/172378b7-2956-4f34-8b0d-d6891fea5084" />
<img width="423" height="275" alt="image" src="https://github.com/user-attachments/assets/9c1b0f44-9cc5-4dad-9306-2219a1e35052" />

etc.

### Confirm modal

<img width="1380" height="925" alt="image" src="https://github.com/user-attachments/assets/b023f965-ccad-4398-b8c9-da7f33bede68" />
<img width="812" height="249" alt="image" src="https://github.com/user-attachments/assets/d5269ea4-0584-43b9-9983-b5cbbb8485b6" />

### Displaying the results on toasts

#### Success

<img width="356" height="120" alt="image" src="https://github.com/user-attachments/assets/327aaad0-ecdb-4e3a-b6d7-08cf7ac2506c" />

#### Some items have errors

<img width="342" height="147" alt="image" src="https://github.com/user-attachments/assets/da703d02-ef0e-42d6-8456-9766243122d0" />

#### All items have errors

<img width="348" height="170" alt="image" src="https://github.com/user-attachments/assets/37942e8f-12b2-4916-b5b7-c383623855fd" />

#### Results modal

<img width="1332" height="689" alt="image" src="https://github.com/user-attachments/assets/4352c9a4-6b78-4e08-8f9a-a8ab05610cf7" />
<img width="1371" height="974" alt="image" src="https://github.com/user-attachments/assets/4eb1dd78-65b1-4131-a29d-758de247b1ed" />

### Checklist

Check the PR satisfies following conditions. Reviewers should verify this PR satisfies this list as well.

- [x] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)
- [x] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials
- [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios

prerequisite:
follow-up:
Summary
This PR adds UI changes for being able to import artifacts:
Note
Hidden behind feature flag (as part of the Endpoint exception move effort):
Important
This PR contains only UI changes! API changes are implemented in a follow-up PR.
No checks are changed/applied - on any artifact page you will be able to import JSON files of shared exception lists or endpoint exceptions, but an API error is returned if you try to import endpoint artifacts.
Looks
Artifact pages - Import flyout from overflow menu
Screen.Recording.2026-01-06.at.18.12.27.mov
Artifact pages - empty state
Screen.Recording.2026-01-06.at.18.14.36.mov
Policy details tabs - empty state
Screen.Recording.2026-01-06.at.18.15.25.mov
Checklist
Check the PR satisfies following conditions.
Reviewers should verify this PR satisfies this list as well.