[EDR Workflows][Endpoint Exception move] Remove endpoint exceptions from detections pages#258556
Pinging @elastic/security-defend-workflows (Team:Defend Workflows)
denar50 left a comment:
Tested it locally, left a couple of comments, but overall LGTM!
@gergoabraham The changes overall look good 👍
However, I've noticed you added callouts to the rule create and edit pages. Users don't have options to add or edit endpoint exceptions on the rule create and edit pages. In this case it's better to refrain from showing the callout on those pages.
```tsx
{isEndpointExceptionsMovedFFEnabled && (
  <EndpointExceptionsMovedCallout
    id="ruleCreation"
    dismissable
    title="cannotBeAddedToRules"
  />
)}
```
Endpoint exceptions can't be added upon rule creation. There are 3 pages where it could be done, and it's reflected in the docs:
- Rule details page
- Alerts table
- Shared Exception Lists page
It makes sense to omit the callout here.
the callout is about adding the endpoint exception list to the rule:

the docs mention it under a 'Note':
> The Endpoint Security Exception List is automatically created. By default, it's associated with endpoint protection rules and any rules with the Elastic Endpoint exceptions option selected.
additional info: the checkbox is already hidden when the FF is enabled, by this PR:
Got it. This explains why I didn't see the checkbox.
Did you discuss with @approksiu that the callout will be shown for any rule creation? My concern is that only some rules require Endpoint exceptions. Adding existing Endpoint exceptions to the rule is under the advanced expandable panel. However, the callout telling about moved-out endpoint exceptions will appear for workflows not related to endpoint exceptions.
the callout for rule creation is in the design (you can find it in the linked issue's description), and I think @approksiu was part of defining the design. @approksiu could you please confirm if we're good with this callout?
@gergoabraham @maximpn the behaviour is implemented as expected.
The banner is dismissable for all rules.
New users should not get the banners if they never used rule-attached endpoint exceptions.
thanks a lot @maximpn for the thorough review! 🙌 updated the code based on your findings, will update the text based on @natasha-moore-elastic's feedback
maximpn left a comment:
@gergoabraham Thanks for addressing my comments 🙏
The only concern I have is described in #258556 (comment). Besides that the changes LGTM.
natasha-moore-elastic left a comment:
Thanks for the copy updates, LGTM!
…rom detections pages (elastic#258556)

## Summary

This PR removes Endpoint exceptions from the Detections/Rules pages, and shows callouts to the user.

> [!note]
> Hidden behind feature flag (as part of the Endpoint exception move effort):
> ```
> xpack.securitySolution.enableExperimental:
>   - endpointExceptionsMovedUnderManagement
> ```

### Shared lists page

- Endpoint Exceptions list removed
- direct url cannot be accessed
- a banner is shown

<img width="1282" height="503" alt="image" src="https://github.com/user-attachments/assets/d4201863-efcf-47e5-9a2f-4f1fbe842272" />

### Rule details pages

- Endpoint Exceptions tab removed
- Endpoint Exceptions tab cannot be accessed by url
- Rule exceptions tab shows a persistent banner for Endpoint security rules
- The same banner is also used for Rules that used Endpoint exceptions, but the user hasn't opted in to use per-policy Endpoint exceptions

<img width="1288" height="832" alt="image" src="https://github.com/user-attachments/assets/9a4a192d-5e82-48b9-be85-7448c69edf7b" />

- When the user has opted in for per-policy Endpoint Exceptions, a different (dismissible) message is shown for rules that used Endpoint exceptions

<img width="1162" height="649" alt="image" src="https://github.com/user-attachments/assets/f2b1fde4-387b-4998-be33-47d15b682704" />

### Rule create page

<img width="1161" height="517" alt="image" src="https://github.com/user-attachments/assets/237a068d-cb79-4365-a507-df2d8e74de2b" />

### Rule edit page

- If the user has opted in for per-policy Endpoint exceptions, and the rule used Endpoint exceptions, this banner is shown:

<img width="1153" height="538" alt="image" src="https://github.com/user-attachments/assets/0dc6cf8c-4115-45af-a160-c0ed5cba06c2" />

- If not opted in, or it's a rule without endpoint exceptions, the general 'moved' banner is shown:

<img width="1164" height="520" alt="image" src="https://github.com/user-attachments/assets/90bb29b5-d390-4ab0-8903-58ef276255e9" />

> [!note]
> The per-policy opt-in feature is coming up in a follow-up PR. In that PR, all code related to per-policy opt-in (including these banners, and the removal of the 'Add Endpoint exceptions to this rule' toggle) will be updated.
> Until then, this PR handles the banners as if the user has already opted in, in case the FF is enabled of course.

### Checklist

Check the PR satisfies following conditions. Reviewers should verify this PR satisfies this list as well.

- [x] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)
- [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
…icy Endpoint Exceptions (#259598)

## Summary

This PR adds an opt-in mechanism that allows using the so far global-only Endpoint Exceptions on a per-policy basis.

> [!note]
> Hidden behind feature flag (as part of the Endpoint exception move effort):
> ```
> xpack.securitySolution.enableExperimental:
>   - endpointExceptionsMovedUnderManagement
> ```

### Behavior in short

- new deployments are automatically opted in. they also won't see the 'Endpoint exceptions moved' and 'Endpoint exceptions not evaluated on rules anymore' callouts (from #258556).
- upgraded environments will see a new callout on the Endpoint exceptions page that suggests to enable per-policy behavior
  - superuser role (ESS) or admin role (serverless) users are able to perform the opt-in
  - other users will see a message to contact their administrators
- after manually opting in
  - Endpoint exceptions can be assigned to package policies, like other endpoint artifacts
  - but, they won't be evaluated during rule execution anymore (see #233289)
  - and they cannot be added to detection rules anymore (see #242480)

### Data

Opt-in status is stored in the `ReferenceDataClient`, and it's defaulted during plugin start phase either to:

- `{ status: false }`, in case the endpoint exception list exists (i.e. upgrade, it's created every time),
- `{ status: true, reason: 'newDeployment' }`, in case the list does not exist.

### API

2 new API endpoints are added:

- `GET /internal/api/endpoint/endpoint_exceptions_per_policy_opt_in` to receive the opt-in status on the UI,
- `POST /internal/api/endpoint/endpoint_exceptions_per_policy_opt_in` to perform the opt-in, that sets the status to `{ status: true, reason: 'userOptedIn' }`

### UI

#### empty page is... empty

<img width="400" height="793" alt="image" src="https://github.com/user-attachments/assets/e7b72ab9-2a42-49ca-b2e9-2447e3ff9dd3" />

#### callout for non-superusers

<img width="1280" height="516" alt="image" src="https://github.com/user-attachments/assets/f88a04a6-b8bb-46be-8f5f-ece5f1d89cf2" />

#### callout for superusers / admins

<img width="1215" height="554" alt="image" src="https://github.com/user-attachments/assets/e2552d27-ac9d-4dfe-84da-48012fdf57fc" />

#### menu action for superusers / admins

in case the callout is dismissed. although, it will come up again as it's only dismissed for the session.

<img width="335" height="204" alt="image" src="https://github.com/user-attachments/assets/5d7a23e6-2428-4f8f-b941-0f97e8bd7750" />

#### modal

<img width="925" height="564" alt="image" src="https://github.com/user-attachments/assets/0cbc4573-b052-4e1f-82c5-13298532f7fe" />

### recording

#### opt-in process and endpoint exceptions pages

https://github.com/user-attachments/assets/de8204bd-72d2-4a99-b51c-b86771c577c3

### hiding stuff behind opt-in status

- endpoint exception related per-policy activities are available only after opt-in, like
  - per-policy assignment in the form,
  - assigning exceptions to policies in the Policy details page Endpoint exceptions tab,
  - `ManifestManager` also uses per-policy EE after opt-in only.
- 'endpoint exceptions moved' informative callouts are shown without opting in (due to the FF enabled), or after _manual_ opt-in (i.e. are hidden on new deployments) - see the details in the previous PR: #258556
- 'endpoint exceptions are not evaluated on rules' informative callouts are shown only after _manually_ opting in (i.e. it needs opt-in, but isn't shown on new deployments) - see the details in the previous PR: #258556

## Testing

To test this,

- either add some data (endpoint exceptions), and then turn on the feature flag `xpack.securitySolution.enableExperimental.endpointExceptionsMovedUnderManagement`, to simulate an 'upgrade' scenario,
- or start with the feature flag turned on, to simulate a 'new deployment' scenario.

### Reading opt-in status

dev console:

```
GET .kibana_security_solution/_doc/security:reference-data:ENDPOINT-EXCEPTIONS-PER-POLICY-OPT-IN-STATUS
```

### Deleting opt-in status

you can also delete the opt-in status, so you're back to the 'upgrade' scenario. for this, you need a `system_indices_superuser`, here's a quick console command to create one:

```
POST kbn://internal/security/users/testuser
{
  "password": "changeme",
  "username": "testuser",
  "full_name": "",
  "email": "",
  "roles": [ "system_indices_superuser", "superuser" ]
}
```

and then delete like this:

```
DELETE .kibana_security_solution/_doc/security:reference-data:ENDPOINT-EXCEPTIONS-PER-POLICY-OPT-IN-STATUS
```

## todo

docs

### Checklist

Check the PR satisfies following conditions. Reviewers should verify this PR satisfies this list as well.

- [x] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)
- [ ] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials
- [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
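The commit message above describes three pieces of behaviour that interact: how the opt-in status is defaulted at plugin start, who is allowed to perform the opt-in, and which callouts and per-policy features are gated on the resulting status. The following TypeScript is an added example written for this page, not Kibana's own implementation of the `ReferenceDataClient` record or the `/internal/api/endpoint/endpoint_exceptions_per_policy_opt_in` handlers. The stored shapes (`{ status: false }`, `{ status: true, reason: 'newDeployment' | 'userOptedIn' }`), the role rules (superuser on ESS, admin on serverless) and the callout rules follow the PR text; the type, function and field names, and the minimal `Principal` shape, are assumptions made for illustration.

```typescript
// Added example for this page, not Kibana's own implementation: a small model
// of the per-policy opt-in status from the commit message above. The stored
// shapes, the role rules and the callout rules follow the PR text; the type,
// function and field names are assumptions made for illustration.

export type OptInReason = 'newDeployment' | 'userOptedIn';

export type OptInStatus =
  | { status: false }
  | { status: true; reason: OptInReason };

// Resolved once at plugin start: an existing Endpoint Security Exception List
// means an upgraded environment (opted out until an admin acts); a missing
// list means a new deployment, which is opted in automatically.
export function defaultOptInStatus(endpointExceptionListExists: boolean): OptInStatus {
  return endpointExceptionListExists
    ? { status: false }
    : { status: true, reason: 'newDeployment' };
}

export type Offering = 'ess' | 'serverless';

// Hypothetical principal shape; Kibana's real user object is richer.
export interface Principal {
  username: string;
  roles: string[];
}

// The opt-in action is limited to the superuser role on ESS and the admin
// role on serverless; everyone else is told to contact an administrator.
export function canOptIn(principal: Principal, offering: Offering): boolean {
  const requiredRole = offering === 'ess' ? 'superuser' : 'admin';
  return principal.roles.includes(requiredRole);
}

export class OptInError extends Error {}

// Models the POST handler: the role check runs before the stored status is
// touched, an authorised caller sets { status: true, reason: 'userOptedIn' },
// and a repeat call on an already opted-in deployment leaves the record alone
// (so a new deployment keeps its 'newDeployment' reason).
export function performOptIn(
  current: OptInStatus,
  principal: Principal,
  offering: Offering
): OptInStatus {
  if (!canOptIn(principal, offering)) {
    throw new OptInError(`${principal.username} may not opt in on ${offering}`);
  }
  if (current.status) {
    return current;
  }
  return { status: true, reason: 'userOptedIn' };
}

export interface Visibility {
  // 'Endpoint exceptions moved' callouts from #258556
  endpointExceptionsMoved: boolean;
  // 'Endpoint exceptions are not evaluated on rules anymore' callouts
  notEvaluatedOnRules: boolean;
  // per-policy assignment in the form, Policy details tab, ManifestManager
  perPolicyFeatures: boolean;
}

// Encodes the 'hiding stuff behind opt-in status' rules: nothing without the
// feature flag; new deployments see no callouts; upgraded environments see the
// 'moved' callout both before and after a manual opt-in, and the 'not
// evaluated' callout only after one; per-policy features need an opted-in
// status of either kind.
export function visibilityFor(ffEnabled: boolean, status: OptInStatus): Visibility {
  if (!ffEnabled) {
    return { endpointExceptionsMoved: false, notEvaluatedOnRules: false, perPolicyFeatures: false };
  }
  const newDeployment = status.status && status.reason === 'newDeployment';
  const manuallyOptedIn = status.status && status.reason === 'userOptedIn';
  return {
    endpointExceptionsMoved: !newDeployment,
    notEvaluatedOnRules: manuallyOptedIn,
    perPolicyFeatures: status.status,
  };
}
```

The authorisation check sits inside `performOptIn` rather than only in the UI, because the commit message describes the POST route as the thing that flips the status; the callout for non-superusers is a courtesy, not the control. Keeping `reason` as a discriminant on the stored record is what lets the 'moved' and 'not evaluated' callouts be suppressed on new deployments while still appearing after a manual opt-in on an upgraded one.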