
[EDR Workflows][‼️ v9.4 ‼️] Enable Endpoint exceptions move feature flag #260983

Merged: szwarckonrad merged 25 commits into elastic:9.4 from gergoabraham:enable-endpoint-exceptions-move-feature-flag on Apr 10, 2026

Conversation

@gergoabraham (Contributor) commented Apr 2, 2026

Caution

Must be retargeted to 9.4 branch as soon as it's cut. Serverless release will follow later.

Summary

This PR enables the Security Solution feature flag endpointExceptionsMovedUnderManagement to:

  • hide Endpoint exceptions from Detections and Shared exception list pages,
  • instead, show Endpoint exceptions under Endpoint / Artifacts,
  • add an opt-in mechanism to allow users to opt-in to per-policy usage for Endpoint exceptions,
  • and add export/import functionality to all Endpoint artifacts

And in order to do this, it:

  • adapts some of the tests,
  • deletes some obsolete ones, including fixtures,
  • removes Endpoint exception privilege condition for showing Shared exception list page (see this comment)
  • enables API documentation (see this comment)

Checklist

Check the PR satisfies the following conditions.

Reviewers should verify this PR satisfies this list as well.

  • Documentation was added for features that require explanation or tutorials
  • Unit or functional tests were updated or added to match the most common scenarios
  • The PR description includes the appropriate Release Notes section, and the correct release_note:* label is applied per the guidelines

Release Notes

  • Moves Endpoint exceptions from the Shared exception lists and Rules pages to the Endpoint Artifacts page, in order to separate them from Rule exceptions, and emphasize their connection to other Endpoint artifacts.
  • Adds the possibility for users to opt-in to a per-policy usage for Endpoint exceptions, allowing them to assign Endpoint exceptions to Defend package policies, with the additional result of not evaluating Endpoint exceptions on rule execution anymore.
  • Adds export/import functionality to all Endpoint artifacts, like Trusted applications, Trusted devices, Event filters, Blocklists, Host isolation exceptions.

(Note: this is the same as in #263687. If one is updated, update the other one as well.)

@gergoabraham gergoabraham added release_note:skip Skip the PR/issue when compiling release notes backport:skip This PR does not require backporting Team:Defend Workflows “EDR Workflows” sub-team of Security Solution ci:cloud-deploy Create or update a Cloud deployment ci:project-deploy-security Create a Security Serverless Project labels Apr 2, 2026
@gergoabraham gergoabraham force-pushed the enable-endpoint-exceptions-move-feature-flag branch from 65a7f1f to e8931d6 on April 2, 2026 17:08
@kibanamachine (Contributor) commented:

Cloud deployment initiated, see credentials at: https://buildkite.com/elastic/kibana-deploy-cloud-from-pr/builds/904

@kibanamachine (Contributor) commented:

Project deployed, see credentials at: https://buildkite.com/elastic/kibana-deploy-project-from-pr/builds/1138

@gergoabraham gergoabraham added ci:build-cloud-image ci:build-serverless-image and removed ci:cloud-deploy Create or update a Cloud deployment ci:project-deploy-security Create a Security Serverless Project labels Apr 7, 2026
@gergoabraham gergoabraham force-pushed the enable-endpoint-exceptions-move-feature-flag branch from e8931d6 to 59b5385 on April 7, 2026 12:08
@elastic elastic deleted a comment from macroscopeapp bot Apr 8, 2026
@gergoabraham (Contributor, Author) commented:

Files by Code Owner

elastic/security-defend-workflows, elastic/security-detection-engine, elastic/security-solution

  • x-pack/solutions/security/test/security_solution_api_integration/test_suites/edr_workflows/artifacts/trial_license_complete_tier/configs/ess.config.ts
  • x-pack/solutions/security/test/security_solution_api_integration/test_suites/edr_workflows/artifacts/trial_license_complete_tier/configs/serverless.config.ts
  • x-pack/solutions/security/test/security_solution_api_integration/test_suites/edr_workflows/artifacts/trial_license_complete_tier/event_filters.ts
  • x-pack/solutions/security/test/security_solution_api_integration/test_suites/edr_workflows/artifacts/trial_license_complete_tier/host_isolation_exceptions.ts

elastic/security-defend-workflows, elastic/security-solution

  • x-pack/solutions/security/plugins/security_solution/common/api/endpoint/endpoint_exceptions_per_policy_opt_in/endpoint_exceptions_per_policy_opt_in.schema.yaml
  • x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/artifacts/endpoint_exceptions.no_ff.cy.ts
  • x-pack/solutions/security/plugins/security_solution/public/management/hooks/artifacts/use_endpoint_per_policy_opt_in.test.ts
  • x-pack/solutions/security/plugins/security_solution/public/management/links.ts
  • x-pack/solutions/security/plugins/security_solution/public/management/pages/endpoint_exceptions/view/components/endpoint_exceptions_flyout.tsx

elastic/security-detection-engine, elastic/security-detection-rule-management, elastic/security-engineering-productivity, elastic/security-threat-hunting

  • x-pack/solutions/security/test/security_solution_cypress/cypress/fixtures/endpoint_exception_list.ndjson
  • x-pack/solutions/security/test/security_solution_cypress/cypress/objects/rule.ts

elastic/security-detection-engine, elastic/security-engineering-productivity

  • x-pack/solutions/security/test/security_solution_cypress/cypress/e2e/detection_response/detection_engine/exceptions/alerts_table_flow/endpoint_exceptions.cy.ts
  • x-pack/solutions/security/test/security_solution_cypress/cypress/e2e/detection_response/detection_engine/exceptions/alerts_table_flow/rule_exceptions/auto_populate_with_alert_data.cy.ts
  • x-pack/solutions/security/test/security_solution_cypress/cypress/e2e/detection_response/detection_engine/exceptions/rule_details_flow/add_edit_endpoint_exception.cy.ts
  • x-pack/solutions/security/test/security_solution_cypress/cypress/e2e/detection_response/detection_engine/exceptions/shared_exception_lists_management/shared_exception_list_page/filter_table.cy.ts
  • x-pack/solutions/security/test/security_solution_cypress/cypress/e2e/detection_response/detection_engine/exceptions/shared_exception_lists_management/shared_exception_list_page/import_lists.cy.ts
  • x-pack/solutions/security/test/security_solution_cypress/cypress/e2e/detection_response/detection_engine/exceptions/shared_exception_lists_management/shared_exception_list_page/manage_lists.cy.ts

elastic/security-detection-engine, elastic/security-engineering-productivity, elastic/security-threat-hunting-investigations

  • x-pack/solutions/security/test/security_solution_cypress/cypress/urls/navigation.ts

elastic/security-detection-rule-management, elastic/security-solution

  • x-pack/solutions/security/plugins/security_solution/public/rules/links.ts

elastic/security-engineering-productivity

  • x-pack/solutions/security/test/security_solution_cypress/config.ts
  • x-pack/solutions/security/test/security_solution_cypress/cypress/screens/exceptions.ts
  • x-pack/solutions/security/test/security_solution_cypress/cypress/screens/rule_details.ts
  • x-pack/solutions/security/test/security_solution_cypress/cypress/tasks/exceptions/flyout_options.ts
  • x-pack/solutions/security/test/security_solution_cypress/cypress/tasks/exceptions_table.ts
  • x-pack/solutions/security/test/security_solution_cypress/cypress/tasks/rule_details.ts
  • x-pack/solutions/security/test/security_solution_cypress/es_archives/endpoint/data.json
  • x-pack/solutions/security/test/security_solution_cypress/es_archives/endpoint/mappings.json
  • x-pack/solutions/security/test/security_solution_cypress/es_archives/endpoint_2/data.json
  • x-pack/solutions/security/test/security_solution_cypress/es_archives/endpoint_2/mappings.json

elastic/security-engineering-productivity, elastic/security-threat-hunting-investigations

  • x-pack/solutions/security/test/security_solution_cypress/cypress/e2e/explore/navigation/navigation.cy.ts

elastic/security-solution

  • x-pack/solutions/security/plugins/security_solution/common/experimental_features.ts

Owners to ping

  • elastic/security-defend-workflows
  • elastic/security-detection-engine
  • elastic/security-detection-rule-management
  • elastic/security-engineering-productivity
  • elastic/security-solution
  • elastic/security-threat-hunting
  • elastic/security-threat-hunting-investigations

```yaml
x-labels: []
# TODO: When the feature flag `endpointExceptionsMovedUnderManagement` is enabled, remove empty `x-labels` and un-comment the line below.
# x-labels: [ ess, serverless ]
x-labels: [ ess, serverless ]
```
@tomsonpl (Contributor) commented Apr 9, 2026:

Q: shouldn't these be added when released in serverless, and not in 9.4?

@gergoabraham (Author) replied:

Actually, adding these labels and running the generate and bundle scripts from the readme did not cause any change:

### Making changes
1. Update the OpenAPI schema YML file and/or the Kibana schema file (see References below for help with OpenAPI YAML format)
2. Generate/re-generate the Zod schema validation modules:
```shell
yarn --cwd x-pack/solutions/security/plugins/security_solution openapi:generate
```
3. Create a new bundle with the updated APIs:
```shell
yarn --cwd x-pack/solutions/security/plugins/security_solution openapi:bundle:endpoint-management
```
4. Ensure that the newly generated files are committed to source

It seems these docs only make their way into the bundles if they have neither an `x-internal: true` attribute nor `/internal/` in their paths:

```ts
export const DEFAULT_BUNDLING_PROCESSORS: Readonly<DocumentNodeProcessor[]> = [
  createSkipNodeWithInternalPropProcessor(X_INTERNAL),
  createSkipInternalPathProcessor('/internal'),
  createModifyPartialProcessor(),
```

So I think we're good, and we didn't even need to hide this in the first place 👍
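As an added illustration (not code from Kibana's `@kbn/openapi-bundler`), the filter below applies the two skip rules quoted above to a constructed OpenAPI document: operations flagged `x-internal: true` and paths under `/internal/` are dropped before bundling, whatever `x-labels` says. The function names, the prefix-match reading of `'/internal'`, and the sample paths are assumptions.

```typescript
// Added illustration, not Kibana's bundler: a minimal version of the two
// skip rules quoted above. Operations flagged `x-internal: true` and paths
// under `/internal/` never reach the public bundle, whatever `x-labels` says.
type HttpMethod = 'get' | 'put' | 'post' | 'delete' | 'patch';
type Operation = { summary?: string; 'x-internal'?: boolean; 'x-labels'?: string[] };
type PathItem = Partial<Record<HttpMethod, Operation>>;
type OpenApiDoc = { openapi: string; paths: Record<string, PathItem> };

const HTTP_METHODS: HttpMethod[] = ['get', 'put', 'post', 'delete', 'patch'];
const X_INTERNAL = 'x-internal';
// Assumption: the '/internal' argument in the quoted call acts as a path
// prefix; Kibana's internal HTTP routes live under /internal/.
const INTERNAL_PATH_PREFIX = '/internal/';

function isInternalPath(path: string): boolean {
  return path.startsWith(INTERNAL_PATH_PREFIX);
}

// Returns a new document holding only the operations a public bundle would keep.
function bundlePublicPaths(doc: OpenApiDoc): OpenApiDoc {
  const paths: Record<string, PathItem> = {};
  for (const [path, item] of Object.entries(doc.paths)) {
    if (isInternalPath(path)) continue; // createSkipInternalPathProcessor('/internal')
    const kept: PathItem = {};
    for (const method of HTTP_METHODS) {
      const op = item[method];
      if (op === undefined) continue;
      if (op[X_INTERNAL] === true) continue; // createSkipNodeWithInternalPropProcessor(X_INTERNAL)
      kept[method] = op;
    }
    // A path whose every operation was internal disappears entirely.
    if (Object.keys(kept).length > 0) paths[path] = kept;
  }
  return { openapi: doc.openapi, paths };
}

function publicPathsOf(doc: OpenApiDoc): string[] {
  return Object.keys(doc.paths).sort();
}

// Constructed sample: hypothetical paths, not endpoints of the real API.
const SAMPLE_DOC: OpenApiDoc = {
  openapi: '3.0.3',
  paths: {
    '/api/example/public': { get: { summary: 'Public, labelled', 'x-labels': ['ess', 'serverless'] } },
    '/api/example/mixed': {
      get: { summary: 'Public read' },
      post: { summary: 'Internal write', 'x-internal': true },
    },
    '/api/example/hidden': {
      get: { summary: 'x-labels do not override x-internal', 'x-internal': true, 'x-labels': ['ess'] },
    },
    '/internal/example/private': { get: { summary: 'Skipped by path prefix' } },
  },
};
console.log(publicPathsOf(bundlePublicPaths(SAMPLE_DOC))); // [ '/api/example/mixed', '/api/example/public' ]
```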

```ts
cy.get(EXCEPTION_ITEM_VIEWER_CONTAINER).should('have.length', 1);
cy.get(EXCEPTION_CARD_ITEM_NAME).should('have.text', ITEM_NAME_EDIT);
cy.get(EXCEPTION_CARD_ITEM_CONDITIONS).contains('span', ADDITIONAL_ENTRY);
cy.get('[data-test-subj="endpointExceptionsListPage-card"]').should('have.length', 1);
```
Reviewer (Contributor) commented:

NIT: Following best practices, please extract the locators to the screens folder :)

@gergoabraham (Author) replied:

that's a good point, done 🫡 (f75f048)

@agusruidiazgd (Contributor) left a comment:

LGTM from @elastic/security-threat-hunting-investigations. Code review only

```ts
beforeEach(() => {
  cy.task('esArchiverUnload', { archiveName: 'endpoint_2' });
  cy.task('esArchiverLoad', { archiveName: 'endpoint_2' });
  cy.task('esArchiverLoad', { archiveName: 'endpoint' });
```
Reviewer (Contributor) commented:

Is there any reason why we are not unloading the loaded archive in the after hook?

@gergoabraham (Author) replied:

It is unloaded in the afterEach hook. After I changed the index name and the type from index to data stream, the tests failed with the following message:

```text
CypressError: `cy.task('esArchiverUnload')` failed with the following error:

> index_not_found_exception
	Root causes:
		index_not_found_exception: no such index [logs-endpoint.alerts-default]
```

So it seems that while unloading indices is done on a best-effort basis, unloading data streams fails when the stream is not found. To avoid this, I just added exactly as many unload ops as load ops we have.

Is this expected, by the way?

Reviewer (Contributor) replied:

TBH I don't know; this is something we can probably ask the appex-qa team.

@ashokaditya (Member) left a comment:

Did code review only and looks good to ship. Cypress best practices comments should be addressed.

@banderror (Contributor) left a comment:

LGTM, no rule management functionality affected

@MadameSheema (Contributor) left a comment:

Security Engineering Productivity changes LGTM!

Thanks for tackling the comments :D

@dhurley14 (Contributor) left a comment:

DE code changes lgtm

@gergoabraham gergoabraham changed the title [EDR Workflows][9.4] Enable Endpoint exceptions move feature flag [EDR Workflows][‼️ v9.4 ‼️] Enable Endpoint exceptions move feature flag Apr 10, 2026
@gergoabraham gergoabraham added the ci:skip-cypress-osquery Skips osquery cypress checks label Apr 10, 2026
@szwarckonrad szwarckonrad changed the base branch from main to 9.4 April 10, 2026 22:12
@szwarckonrad szwarckonrad enabled auto-merge (squash) April 10, 2026 22:12
@elasticmachine (Contributor) commented Apr 10, 2026:

💛 Build succeeded, but was flaky

  • Buildkite Build
  • Commit: a8e64f9
  • Kibana Serverless Image: docker.elastic.co/kibana-ci/kibana-serverless:pr-260983-a8e64f9279e0

Failed CI Steps

Test Failures

  • [job] [logs] FTR Configs #107 / discover/cascade layout grouping data fetching does not refetch when returning to a previously expanded group
  • [job] [logs] FTR Configs #101 / discover/tabs2 tab filters should carry over filters as WHERE clauses when switching to ES|QL

Metrics

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id                before    after     diff
securitySolution  11.7MB    11.7MB    +6.0B

Page load bundle

Size of the bundles that are downloaded on every page load. Target size is below 100kb

id                before    after     diff
securitySolution  146.6KB   146.6KB   +42.0B


cc @gergoabraham

@szwarckonrad szwarckonrad merged commit e7290d4 into elastic:9.4 Apr 10, 2026
14 checks passed
gergoabraham added a commit to gergoabraham/kibana that referenced this pull request Apr 16, 2026
…ature flag (elastic#260983)

> [!CAUTION]
> Must be retargeted to 9.4 branch as soon as it's cut. Serverless
release will follow later.

This PR enables the Security Solution feature flag
`endpointExceptionsMovedUnderManagement` to:
- hide Endpoint exceptions from Detections and Shared exception list
pages,
- instead, show Endpoint exceptions under Endpoint / Artifacts,
- add an opt-in mechanism to allow users to opt-in to per-policy usage
for Endpoint exceptions,
- and add export/import functionality to all Endpoint artifacts

And in order to do this, it:
- adapts some of the tests,
- deletes some obsolete ones, including fixtures,
- removes Endpoint exception privilege condition for showing Shared
exception list page (see [this
comment](elastic#239634 (comment)))
- enables API documentation (see [this
comment](elastic#259598 (comment)))

Check the PR satisfies following conditions.

Reviewers should verify this PR satisfies this list as well.

- [ ]
[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)
was added for features that require explanation or tutorials
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
-

---------

Co-authored-by: Konrad Szwarc <konrad.szwarc@elastic.co>
@gergoabraham gergoabraham added release_note:feature Makes this part of the condensed release notes and removed release_note:skip Skip the PR/issue when compiling release notes labels Apr 16, 2026

Labels

backport:skip This PR does not require backporting ci:build-cloud-image ci:build-serverless-image ci:skip-cypress-osquery Skips osquery cypress checks release_note:feature Makes this part of the condensed release notes Team:Defend Workflows “EDR Workflows” sub-team of Security Solution v9.4.0
