From db8d0ae80e69cbea891ff464332c0808982b1abd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gerg=C5=91=20=C3=81brah=C3=A1m?= Date: Thu, 2 Apr 2026 18:40:22 +0200 Subject: [PATCH 01/19] enable feature flag --- .../plugins/security_solution/common/experimental_features.ts | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/x-pack/solutions/security/plugins/security_solution/common/experimental_features.ts b/x-pack/solutions/security/plugins/security_solution/common/experimental_features.ts index fb0e2e6a0ad84..e67b24a05441d 100644 --- a/x-pack/solutions/security/plugins/security_solution/common/experimental_features.ts +++ b/x-pack/solutions/security/plugins/security_solution/common/experimental_features.ts @@ -154,8 +154,9 @@ export const allowedExperimentalValues = Object.freeze({ /** * Removes Endpoint Exceptions from Rules/Alerts pages, and shows it instead in Manage/Assets. + * Additionally: enables import/export for all Endpoint artifacts. */ - endpointExceptionsMovedUnderManagement: false, + endpointExceptionsMovedUnderManagement: true, /** * Enables CrowdStrike's RunScript RTR command From 62443e1bd0e05f1e103f1b1bba1149544c7d8ff7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gerg=C5=91=20=C3=81brah=C3=A1m?= Date: Mon, 16 Mar 2026 18:30:52 +0100 Subject: [PATCH 02/19] add cypress test coverage --- .../test/security_solution_cypress/config.ts | 2 ++ .../import_lists.cy.ts | 33 ++++++++++--------- .../fixtures/endpoint_exception_list.ndjson | 2 -- .../cypress/tasks/exceptions_table.ts | 13 ++++++-- 4 files changed, 30 insertions(+), 20 deletions(-) delete mode 100644 x-pack/solutions/security/test/security_solution_cypress/cypress/fixtures/endpoint_exception_list.ndjson diff --git a/x-pack/solutions/security/test/security_solution_cypress/config.ts b/x-pack/solutions/security/test/security_solution_cypress/config.ts index 514d150ffb099..96373c95d641b 100644 --- a/x-pack/solutions/security/test/security_solution_cypress/config.ts +++ b/x-pack/solutions/security/test/security_solution_cypress/config.ts @@ -56,6 +56,8 @@ export default async function ({ readConfigFile }: FtrConfigProviderContext) { `--xpack.fleet.developer.bundledPackageLocation=./inexistentDir`, '--csp.strict=false', '--csp.warnLegacyBrowsers=false', + // For testing Import flyout with Endpoint artifacts + '--xpack.securitySolution.enableExperimental=["endpointExceptionsMovedUnderManagement"]', ], runOptions: { wait: FLEET_PLUGIN_READY_LOG_MESSAGE_REGEXP, diff --git a/x-pack/solutions/security/test/security_solution_cypress/cypress/e2e/detection_response/detection_engine/exceptions/shared_exception_lists_management/shared_exception_list_page/import_lists.cy.ts b/x-pack/solutions/security/test/security_solution_cypress/cypress/e2e/detection_response/detection_engine/exceptions/shared_exception_lists_management/shared_exception_list_page/import_lists.cy.ts index 4ebba57b9a279..bc945878aaabf 100644 --- a/x-pack/solutions/security/test/security_solution_cypress/cypress/e2e/detection_response/detection_engine/exceptions/shared_exception_lists_management/shared_exception_list_page/import_lists.cy.ts +++ b/x-pack/solutions/security/test/security_solution_cypress/cypress/e2e/detection_response/detection_engine/exceptions/shared_exception_lists_management/shared_exception_list_page/import_lists.cy.ts @@ -5,6 +5,7 @@ * 2.0. */ +import { ENDPOINT_ARTIFACT_LIST_IDS } from '@kbn/securitysolution-list-constants'; import { IMPORT_SHARED_EXCEPTION_LISTS_CLOSE_BTN, EXCEPTIONS_TABLE_SHOWING_LISTS, @@ -16,7 +17,7 @@ import { importExceptionListWithSelectingCreateNewOption, validateImportExceptionListWentSuccessfully, validateImportExceptionListFailedBecauseExistingListFound, - validateImportExceptionListCreateNewOptionDisabled, + validateImportExceptionListFailedOnArtifactTypePrecheck, } from '../../../../../../tasks/exceptions_table'; import { login } from '../../../../../../tasks/login'; import { visit } from '../../../../../../tasks/navigation'; @@ -24,7 +25,6 @@ import { EXCEPTIONS_URL } from '../../../../../../urls/navigation'; describe('Import Lists', { tags: ['@ess', '@serverless', '@skipInServerless'] }, () => { const LIST_TO_IMPORT_FILENAME = 'cypress/fixtures/7_16_exception_list.ndjson'; - const ENDPOINT_LIST_TO_IMPORT_FILENAME = 'cypress/fixtures/endpoint_exception_list.ndjson'; beforeEach(() => { login(); visit(EXCEPTIONS_URL); @@ -85,27 +85,30 @@ describe('Import Lists', { tags: ['@ess', '@serverless', '@skipInServerless'] }, }); }); - describe('Endpoint Security Exception List', () => { + describe('When importing Endpoint artifacts', () => { + const prepareFile = (listId: string) => + Cypress.Buffer + .from(`{"_version":"WzUxOTM4LDE1XQ==","created_at":"2024-03-18T14:11:18.125Z","created_by":"kibana","description":"Endpoint Security Exception List","id":"endpoint_list","immutable":false,"list_id":"${listId}","name":"Endpoint Security Exception List","namespace_type":"agnostic","os_types":[],"tags":[],"tie_breaker_id":"04deda68-7162-4349-8e34-c315bb9f896f","type":"endpoint","updated_at":"2024-03-19T12:57:31.911Z","updated_by":"elastic","version":1} +{"randomFields":"randomValues","list_id":"${listId}"} +{"exported_exception_list_count":1,"exported_exception_list_item_count":0,"missing_exception_list_item_count":0,"missing_exception_list_items":[],"missing_exception_lists":[],"missing_exception_lists_count":0} +`); + before(() => { login(); visit(EXCEPTIONS_URL); waitForExceptionsTableToBeLoaded(); - cy.intercept(/(\/api\/exception_lists\/_import)/).as('import'); - - // Make sure we have Endpoint Security Exception List - importExceptionLists(ENDPOINT_LIST_TO_IMPORT_FILENAME); - validateImportExceptionListWentSuccessfully(); - cy.get(IMPORT_SHARED_EXCEPTION_LISTS_CLOSE_BTN).click(); }); - it('Should not allow to import or create a second Endpoint Security Exception List', () => { - // Try to import another Endpoint Security Exception List - importExceptionLists(ENDPOINT_LIST_TO_IMPORT_FILENAME); + ENDPOINT_ARTIFACT_LIST_IDS.forEach((listId) => { + it(`Should not allow to import Endpoint artifacts to "${listId}" list`, () => { + cy.intercept(/(\/api\/exception_lists\/_import)/, () => { + throw new Error('Import API should not be called when importing ${listId} list'); + }); - validateImportExceptionListFailedBecauseExistingListFound(); + importExceptionLists(prepareFile(listId)); - // Validate that "Create new list" option is disabled - validateImportExceptionListCreateNewOptionDisabled(); + validateImportExceptionListFailedOnArtifactTypePrecheck(); + }); }); }); }); diff --git a/x-pack/solutions/security/test/security_solution_cypress/cypress/fixtures/endpoint_exception_list.ndjson b/x-pack/solutions/security/test/security_solution_cypress/cypress/fixtures/endpoint_exception_list.ndjson deleted file mode 100644 index ebd1cbc34d25e..0000000000000 --- a/x-pack/solutions/security/test/security_solution_cypress/cypress/fixtures/endpoint_exception_list.ndjson +++ /dev/null @@ -1,2 +0,0 @@ -{"_version":"WzUxOTM4LDE1XQ==","created_at":"2024-03-18T14:11:18.125Z","created_by":"kibana","description":"Endpoint Security Exception List","id":"endpoint_list","immutable":false,"list_id":"endpoint_list","name":"Endpoint Security Exception List","namespace_type":"agnostic","os_types":[],"tags":[],"tie_breaker_id":"04deda68-7162-4349-8e34-c315bb9f896f","type":"endpoint","updated_at":"2024-03-19T12:57:31.911Z","updated_by":"elastic","version":1} -{"exported_exception_list_count":1,"exported_exception_list_item_count":0,"missing_exception_list_item_count":0,"missing_exception_list_items":[],"missing_exception_lists":[],"missing_exception_lists_count":0} diff --git a/x-pack/solutions/security/test/security_solution_cypress/cypress/tasks/exceptions_table.ts b/x-pack/solutions/security/test/security_solution_cypress/cypress/tasks/exceptions_table.ts index 0312c7bc859f3..7247cd7753f31 100644 --- a/x-pack/solutions/security/test/security_solution_cypress/cypress/tasks/exceptions_table.ts +++ b/x-pack/solutions/security/test/security_solution_cypress/cypress/tasks/exceptions_table.ts @@ -56,7 +56,7 @@ export const clearSearchSelection = () => { cy.get(EXCEPTIONS_TABLE_SEARCH_CLEAR).first().click(); }; -export const importExceptionLists = (listsFile: string) => { +export const importExceptionLists = (listsFile: Cypress.FileReference) => { cy.get(IMPORT_SHARED_EXCEPTION_LISTS_BTN).click(); cy.get(INPUT_FILE).should('exist'); cy.get(INPUT_FILE).trigger('click'); @@ -301,6 +301,13 @@ export const validateImportExceptionListFailedBecauseExistingListFound = () => { }); }; -export const validateImportExceptionListCreateNewOptionDisabled = () => { - cy.get(IMPORT_SHARED_EXCEPTION_LISTS_OVERWRITE_CREATE_NEW_CHECKBOX).should('be.disabled'); +export const validateImportExceptionListFailedOnArtifactTypePrecheck = () => { + cy.get(TOASTER).should('have.text', 'There was an error uploading the exception list.'); + cy.get(TOASTER_BODY) + .invoke('text') + .should((bodyText) => { + expect(bodyText).to.match( + /On this page only shared exception lists can be imported, but at least one file contains Endpoint artifacts. Endpoint artifacts can be imported on their respective pages/i + ); + }); }; From ae2db08be42eaef90e819da5848e12ef2fa8e710 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gerg=C5=91=20=C3=81brah=C3=A1m?= Date: Fri, 20 Mar 2026 18:36:55 +0100 Subject: [PATCH 03/19] fix existing cy test to run with FF enabled --- .../components/endpoint_exceptions_flyout.tsx | 2 +- .../endpoint_exceptions.cy.ts | 13 +- .../cypress/screens/exceptions.ts | 6 + .../tasks/exceptions/flyout_options.ts | 38 +- .../es_archives/endpoint/data.json | 17 +- .../es_archives/endpoint/mappings.json | 698 +++++++++--------- 6 files changed, 398 insertions(+), 376 deletions(-) diff --git a/x-pack/solutions/security/plugins/security_solution/public/management/pages/endpoint_exceptions/view/components/endpoint_exceptions_flyout.tsx b/x-pack/solutions/security/plugins/security_solution/public/management/pages/endpoint_exceptions/view/components/endpoint_exceptions_flyout.tsx index a9438edf06a5e..0ab9ffde085dc 100644 --- a/x-pack/solutions/security/plugins/security_solution/public/management/pages/endpoint_exceptions/view/components/endpoint_exceptions_flyout.tsx +++ b/x-pack/solutions/security/plugins/security_solution/public/management/pages/endpoint_exceptions/view/components/endpoint_exceptions_flyout.tsx @@ -164,7 +164,7 @@ export const EndpointExceptionsFlyout: React.FC = > -

+

{ENDPOINT_EXCEPTIONS_PAGE_LABELS.flyoutCreateTitle}

diff --git a/x-pack/solutions/security/test/security_solution_cypress/cypress/e2e/detection_response/detection_engine/exceptions/alerts_table_flow/endpoint_exceptions.cy.ts b/x-pack/solutions/security/test/security_solution_cypress/cypress/e2e/detection_response/detection_engine/exceptions/alerts_table_flow/endpoint_exceptions.cy.ts index e14b0261b80cc..4615cd9795667 100644 --- a/x-pack/solutions/security/test/security_solution_cypress/cypress/e2e/detection_response/detection_engine/exceptions/alerts_table_flow/endpoint_exceptions.cy.ts +++ b/x-pack/solutions/security/test/security_solution_cypress/cypress/e2e/detection_response/detection_engine/exceptions/alerts_table_flow/endpoint_exceptions.cy.ts @@ -33,6 +33,8 @@ import { import { ALERTS_COUNT } from '../../../../../screens/alerts'; import { ADD_NESTED_BTN, + ENDPOINT_EXCEPTION_ITEM_CONFIRM_BTN, + ENDPOINT_EXCEPTION_ITEM_NAME_INPUT, EXCEPTION_CARD_ITEM_CONDITIONS, EXCEPTION_CARD_ITEM_NAME, EXCEPTION_ITEM_VIEWER_CONTAINER, @@ -53,7 +55,6 @@ describe( const ADDITIONAL_ENTRY = 'host.hostname'; beforeEach(() => { - cy.task('esArchiverUnload', { archiveName: 'endpoint' }); login(); deleteAlertsAndRules(); deleteEndpointExceptionList(); @@ -82,8 +83,8 @@ describe( validateExceptionConditionField('file.Ext.code_signature'); selectCloseSingleAlerts(); - addExceptionFlyoutItemName(ITEM_NAME); - submitNewExceptionItem(); + addExceptionFlyoutItemName(ITEM_NAME, ENDPOINT_EXCEPTION_ITEM_NAME_INPUT); + submitNewExceptionItem(ENDPOINT_EXCEPTION_ITEM_CONFIRM_BTN); // Instead of immediately checking if the Opened Alert has moved to the closed tab, // use the waitForAlerts method to create a buffer, allowing the alerts some time to @@ -105,7 +106,7 @@ describe( // As the endpoint.alerts-* is used to trigger the alert the // file.Ext.code_signature will be auto-populated validateExceptionConditionField('file.Ext.code_signature'); - addExceptionFlyoutItemName(ITEM_NAME); + addExceptionFlyoutItemName(ITEM_NAME, ENDPOINT_EXCEPTION_ITEM_NAME_INPUT); // Add non-nested condition cy.get(ADD_NESTED_BTN).click(); @@ -114,13 +115,13 @@ describe( addExceptionEntryFieldValueValue('foo', 4); // Change the name again - editExceptionFlyoutItemName(ITEM_NAME_EDIT); + editExceptionFlyoutItemName(ITEM_NAME_EDIT, ENDPOINT_EXCEPTION_ITEM_NAME_INPUT); // validate the condition is still "agent.name" or got rest after the name is changed validateExceptionConditionField(ADDITIONAL_ENTRY); selectCloseSingleAlerts(); - submitNewExceptionItem(); + submitNewExceptionItem(ENDPOINT_EXCEPTION_ITEM_CONFIRM_BTN); // Endpoint Exception will move to Endpoint List under Exception tab of rule goToEndpointExceptionsTab(); diff --git a/x-pack/solutions/security/test/security_solution_cypress/cypress/screens/exceptions.ts b/x-pack/solutions/security/test/security_solution_cypress/cypress/screens/exceptions.ts index 847b2175426b9..4d66b1d2c31eb 100644 --- a/x-pack/solutions/security/test/security_solution_cypress/cypress/screens/exceptions.ts +++ b/x-pack/solutions/security/test/security_solution_cypress/cypress/screens/exceptions.ts @@ -11,6 +11,9 @@ export const CLOSE_SINGLE_ALERT_CHECKBOX = '[data-test-subj="closeAlertOnAddExce export const CONFIRM_BTN = '[data-test-subj="addExceptionConfirmButton"]'; +export const ENDPOINT_EXCEPTION_ITEM_CONFIRM_BTN = + '[data-test-subj="add-endpoint-exception-confirm-button"]'; + export const FIELD_INPUT = '[data-test-subj="fieldAutocompleteComboBox"] [data-test-subj="comboBoxSearchInput"]'; @@ -128,6 +131,9 @@ export const EXCEPTION_CARD_ITEM_CONDITIONS = // Exception flyout components export const EXCEPTION_ITEM_NAME_INPUT = 'input[data-test-subj="exceptionFlyoutNameInput"]'; +export const ENDPOINT_EXCEPTION_ITEM_NAME_INPUT = + 'input[data-test-subj="endpointExceptions-form-name-input"]'; + export const ADD_TO_SHARED_LIST_RADIO_LABEL = '[data-test-subj="addToListsRadioOption"] label'; export const ADD_TO_SHARED_LIST_RADIO_INPUT = 'input[id="add_to_lists"]'; diff --git a/x-pack/solutions/security/test/security_solution_cypress/cypress/tasks/exceptions/flyout_options.ts b/x-pack/solutions/security/test/security_solution_cypress/cypress/tasks/exceptions/flyout_options.ts index 36d98573e370b..e49b0d5fcb394 100644 --- a/x-pack/solutions/security/test/security_solution_cypress/cypress/tasks/exceptions/flyout_options.ts +++ b/x-pack/solutions/security/test/security_solution_cypress/cypress/tasks/exceptions/flyout_options.ts @@ -33,24 +33,30 @@ export const showMappingConflictsWarningMessage = (message: string, index = 0) = cy.get(EXCEPTION_FIELD_MAPPING_CONFLICTS_DESCRIPTION).eq(index).should('have.text', message); }; -export const addExceptionFlyoutItemName = (name: string) => { +export const addExceptionFlyoutItemName = ( + name: string, + selector: string = EXCEPTION_ITEM_NAME_INPUT +) => { // waitUntil reduces the flakiness of this task because sometimes // there are background process/events happening which prevents cypress // to completely write the name of the exception before it page re-renders // thereby cypress losing the focus on the input element. - cy.waitUntil(() => cy.get(EXCEPTION_ITEM_NAME_INPUT).then(($el) => Cypress.dom.isAttached($el))); - cy.get(EXCEPTION_ITEM_NAME_INPUT).should('exist'); - cy.get(EXCEPTION_ITEM_NAME_INPUT).scrollIntoView(); - cy.get(EXCEPTION_ITEM_NAME_INPUT).should('be.visible'); - cy.get(EXCEPTION_ITEM_NAME_INPUT).first().focus(); - cy.get(EXCEPTION_ITEM_NAME_INPUT).type(`{selectall}${name}{enter}`, { force: true }); - cy.get(EXCEPTION_ITEM_NAME_INPUT).should('have.value', name); + cy.waitUntil(() => cy.get(selector).then(($el) => Cypress.dom.isAttached($el))); + cy.get(selector).should('exist'); + cy.get(selector).scrollIntoView(); + cy.get(selector).should('be.visible'); + cy.get(selector).first().focus(); + cy.get(selector).type(`{selectall}${name}{enter}`, { force: true }); + cy.get(selector).should('have.value', name); }; -export const editExceptionFlyoutItemName = (name: string) => { - cy.get(EXCEPTION_ITEM_NAME_INPUT).clear(); - cy.get(EXCEPTION_ITEM_NAME_INPUT).type(`{selectall}${name}{enter}`); - cy.get(EXCEPTION_ITEM_NAME_INPUT).should('have.value', name); +export const editExceptionFlyoutItemName = ( + name: string, + selector: string = EXCEPTION_ITEM_NAME_INPUT +) => { + cy.get(selector).clear(); + cy.get(selector).type(`{selectall}${name}{enter}`); + cy.get(selector).should('have.value', name); }; export const selectBulkCloseAlerts = () => { @@ -71,8 +77,8 @@ export const selectOs = (os: string) => { cy.get(OS_INPUT).type(`${os}{downArrow}{enter}`); }; -export const submitNewExceptionItem = () => { - cy.get(CONFIRM_BTN).should('exist'); +export const submitNewExceptionItem = (selector: string = CONFIRM_BTN) => { + cy.get(selector).should('exist'); /* Sometimes a toaster error message unrelated with the test performed is displayed. The toaster is blocking the confirm button we have to click. Using force true would solve the issue, but should not be used. There are some tests that use the closeErrorToast() method to close error toasters before continuing with the interactions with the page. @@ -84,8 +90,8 @@ export const submitNewExceptionItem = () => { closeErrorToast(); } }); - cy.get(CONFIRM_BTN).click(); - cy.get(CONFIRM_BTN).should('not.exist'); + cy.get(selector).click(); + cy.get(selector).should('not.exist'); }; export const submitEditedExceptionItem = () => { diff --git a/x-pack/solutions/security/test/security_solution_cypress/es_archives/endpoint/data.json b/x-pack/solutions/security/test/security_solution_cypress/es_archives/endpoint/data.json index a7f577105c4d9..b7ba950a9f565 100644 --- a/x-pack/solutions/security/test/security_solution_cypress/es_archives/endpoint/data.json +++ b/x-pack/solutions/security/test/security_solution_cypress/es_archives/endpoint/data.json @@ -2,7 +2,8 @@ "type": "doc", "value": { "id": "_aZE5nwBOpWiDwiSth_F", - "index": "endpoint.alerts-cypress", + "data_stream": "logs-endpoint.alerts-default", + "index": ".ds-logs-endpoint.alerts-default-2023.02.15-000001", "source": { "@timestamp": "2023-02-15T16:37:12.225Z", "file": { @@ -69,8 +70,12 @@ "module": "endpoint", "dataset": "process", "kind": "alert", - "category": ["process"], - "type": ["start"], + "category": [ + "process" + ], + "type": [ + "start" + ], "action": "process_started", "code": "test" }, @@ -89,7 +94,9 @@ }, "executable": "/bin/zsh", "name": "zsh", - "args": ["-zsh"], + "args": [ + "-zsh" + ], "entity_id": "q6pltOhTWlQx3BCD", "entry_leader": { "entity_id": "q6pltOhTWlQx3BCD", @@ -126,4 +133,4 @@ } } } -} +} \ No newline at end of file diff --git a/x-pack/solutions/security/test/security_solution_cypress/es_archives/endpoint/mappings.json b/x-pack/solutions/security/test/security_solution_cypress/es_archives/endpoint/mappings.json index da54afa121a80..c494125913bda 100644 --- a/x-pack/solutions/security/test/security_solution_cypress/es_archives/endpoint/mappings.json +++ b/x-pack/solutions/security/test/security_solution_cypress/es_archives/endpoint/mappings.json @@ -1,251 +1,137 @@ { - "type": "index", + "type": "data_stream", "value": { - "aliases": { - "endgame": { - "is_write_index": false - } - }, - "settings": { - "index": { - "refresh_interval": "5s" + "data_stream": "logs-endpoint.alerts-default", + "template": { + "name": "logs-endpoint.alerts-test-archiver", + "_meta": { + "managed": true, + "namespace": "default" }, - "index.mapping.total_fields.limit": 2000 - }, - "index": "endpoint.alerts-cypress", - "mappings": { - "properties": { - "@timestamp": { - "type": "date" - }, - "file": { + "index_patterns": [ + "logs-endpoint.alerts-*" + ], + "data_stream": {}, + "template": { + "mappings": { "properties": { - "Ext": { + "@timestamp": { + "type": "date" + }, + "file": { "properties": { - "code_signature": { - "type": "nested", + "Ext": { + "properties": { + "code_signature": { + "type": "nested", + "properties": { + "subject_name": { + "type": "keyword", + "ignore_above": 1024 + }, + "trusted": { + "type": "boolean" + } + } + } + } + }, + "hash": { "properties": { - "subject_name": { + "sha256": { "type": "keyword", "ignore_above": 1024 + } + } + }, + "path": { + "type": "keyword", + "ignore_above": 1024, + "fields": { + "caseless": { + "type": "keyword", + "ignore_above": 1024, + "normalizer": "lowercase" }, - "trusted": { - "type": "boolean" + "text": { + "type": "text" } } } } }, - "hash": { + "agent": { "properties": { - "sha256": { - "type": "keyword", - "ignore_above": 1024 - } - } - }, - "path": { - "type": "keyword", - "ignore_above": 1024, - "fields": { - "caseless": { - "type": "keyword", - "ignore_above": 1024, - "normalizer": "lowercase" + "ephemeral_id": { + "type": "text", + "fields": { + "keyword": { + "type": "keyword", + "ignore_above": 256 + } + } }, - "text": { - "type": "text" - } - } - } - } - }, - "agent": { - "properties": { - "ephemeral_id": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword", - "ignore_above": 256 - } - } - }, - "id": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword", - "ignore_above": 256 - } - } - }, - "name": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword", - "ignore_above": 256 - } - } - }, - "type": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword", - "ignore_above": 256 - } - } - }, - "version": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword", - "ignore_above": 256 - } - } - } - } - }, - "destination": { - "properties": { - "port": { - "type": "long" - } - } - }, - "ecs": { - "properties": { - "version": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword", - "ignore_above": 256 - } - } - } - } - }, - "event": { - "properties": { - "action": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword", - "ignore_above": 256 - } - } - }, - "category": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword", - "ignore_above": 256 - } - } - }, - "dataset": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword", - "ignore_above": 256 - } - } - }, - "kind": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword", - "ignore_above": 256 - } - } - }, - "module": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword", - "ignore_above": 256 - } - } - }, - "type": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword", - "ignore_above": 256 - } - } - } - } - }, - "host": { - "properties": { - "architecture": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword", - "ignore_above": 256 - } - } - }, - "hostname": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword", - "ignore_above": 256 - } - } - }, - "id": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword", - "ignore_above": 256 - } - } - }, - "ip": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword", - "ignore_above": 256 + "id": { + "type": "text", + "fields": { + "keyword": { + "type": "keyword", + "ignore_above": 256 + } + } + }, + "name": { + "type": "text", + "fields": { + "keyword": { + "type": "keyword", + "ignore_above": 256 + } + } + }, + "type": { + "type": "text", + "fields": { + "keyword": { + "type": "keyword", + "ignore_above": 256 + } + } + }, + "version": { + "type": "text", + "fields": { + "keyword": { + "type": "keyword", + "ignore_above": 256 + } + } } } }, - "mac": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword", - "ignore_above": 256 + "destination": { + "properties": { + "port": { + "type": "long" } } }, - "name": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword", - "ignore_above": 256 + "ecs": { + "properties": { + "version": { + "type": "text", + "fields": { + "keyword": { + "type": "keyword", + "ignore_above": 256 + } + } } } }, - "os": { + "event": { "properties": { - "build": { + "action": { "type": "text", "fields": { "keyword": { @@ -254,7 +140,7 @@ } } }, - "family": { + "category": { "type": "text", "fields": { "keyword": { @@ -263,7 +149,7 @@ } } }, - "kernel": { + "dataset": { "type": "text", "fields": { "keyword": { @@ -272,7 +158,7 @@ } } }, - "name": { + "kind": { "type": "text", "fields": { "keyword": { @@ -281,7 +167,7 @@ } } }, - "platform": { + "module": { "type": "text", "fields": { "keyword": { @@ -298,8 +184,21 @@ "ignore_above": 256 } } + } + } + }, + "host": { + "properties": { + "architecture": { + "type": "text", + "fields": { + "keyword": { + "type": "keyword", + "ignore_above": 256 + } + } }, - "version": { + "hostname": { "type": "text", "fields": { "keyword": { @@ -307,43 +206,26 @@ "ignore_above": 256 } } - } - } - } - } - }, - "message": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword", - "ignore_above": 256 - } - } - }, - "process": { - "properties": { - "args": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword", - "ignore_above": 256 - } - } - }, - "entity_id": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword", - "ignore_above": 256 - } - } - }, - "entry_leader": { - "properties": { - "entity_id": { + }, + "id": { + "type": "text", + "fields": { + "keyword": { + "type": "keyword", + "ignore_above": 256 + } + } + }, + "ip": { + "type": "text", + "fields": { + "keyword": { + "type": "keyword", + "ignore_above": 256 + } + } + }, + "mac": { "type": "text", "fields": { "keyword": { @@ -361,12 +243,76 @@ } } }, - "pid": { - "type": "long" + "os": { + "properties": { + "build": { + "type": "text", + "fields": { + "keyword": { + "type": "keyword", + "ignore_above": 256 + } + } + }, + "family": { + "type": "text", + "fields": { + "keyword": { + "type": "keyword", + "ignore_above": 256 + } + } + }, + "kernel": { + "type": "text", + "fields": { + "keyword": { + "type": "keyword", + "ignore_above": 256 + } + } + }, + "name": { + "type": "text", + "fields": { + "keyword": { + "type": "keyword", + "ignore_above": 256 + } + } + }, + "platform": { + "type": "text", + "fields": { + "keyword": { + "type": "keyword", + "ignore_above": 256 + } + } + }, + "type": { + "type": "text", + "fields": { + "keyword": { + "type": "keyword", + "ignore_above": 256 + } + } + }, + "version": { + "type": "text", + "fields": { + "keyword": { + "type": "keyword", + "ignore_above": 256 + } + } + } + } } } }, - "executable": { + "message": { "type": "text", "fields": { "keyword": { @@ -375,9 +321,9 @@ } } }, - "hash": { + "process": { "properties": { - "sha1": { + "args": { "type": "text", "fields": { "keyword": { @@ -385,62 +331,28 @@ "ignore_above": 256 } } - } - } - }, - "name": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword", - "ignore_above": 256 - } - } - }, - "parent": { - "properties": { - "pid": { - "type": "long" - } - } - }, - "pid": { - "type": "long" - }, - "start": { - "type": "date" - }, - "working_directory": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword", - "ignore_above": 256 - } - } - } - } - }, - "service": { - "properties": { - "type": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword", - "ignore_above": 256 - } - } - } - } - }, - "user": { - "properties": { - "effective": { - "properties": { - "group": { + }, + "entity_id": { + "type": "text", + "fields": { + "keyword": { + "type": "keyword", + "ignore_above": 256 + } + } + }, + "entry_leader": { "properties": { - "id": { + "entity_id": { + "type": "text", + "fields": { + "keyword": { + "type": "keyword", + "ignore_above": 256 + } + } + }, + "name": { "type": "text", "fields": { "keyword": { @@ -448,10 +360,13 @@ "ignore_above": 256 } } + }, + "pid": { + "type": "long" } } }, - "id": { + "executable": { "type": "text", "fields": { "keyword": { @@ -459,12 +374,21 @@ "ignore_above": 256 } } - } - } - }, - "group": { - "properties": { - "id": { + }, + "hash": { + "properties": { + "sha1": { + "type": "text", + "fields": { + "keyword": { + "type": "keyword", + "ignore_above": 256 + } + } + } + } + }, + "name": { "type": "text", "fields": { "keyword": { @@ -473,7 +397,20 @@ } } }, - "name": { + "parent": { + "properties": { + "pid": { + "type": "long" + } + } + }, + "pid": { + "type": "long" + }, + "start": { + "type": "date" + }, + "working_directory": { "type": "text", "fields": { "keyword": { @@ -484,26 +421,47 @@ } } }, - "id": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword", - "ignore_above": 256 - } - } - }, - "name": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword", - "ignore_above": 256 + "service": { + "properties": { + "type": { + "type": "text", + "fields": { + "keyword": { + "type": "keyword", + "ignore_above": 256 + } + } } } }, - "saved": { + "user": { "properties": { + "effective": { + "properties": { + "group": { + "properties": { + "id": { + "type": "text", + "fields": { + "keyword": { + "type": "keyword", + "ignore_above": 256 + } + } + } + } + }, + "id": { + "type": "text", + "fields": { + "keyword": { + "type": "keyword", + "ignore_above": 256 + } + } + } + } + }, "group": { "properties": { "id": { @@ -514,6 +472,15 @@ "ignore_above": 256 } } + }, + "name": { + "type": "text", + "fields": { + "keyword": { + "type": "keyword", + "ignore_above": 256 + } + } } } }, @@ -525,6 +492,41 @@ "ignore_above": 256 } } + }, + "name": { + "type": "text", + "fields": { + "keyword": { + "type": "keyword", + "ignore_above": 256 + } + } + }, + "saved": { + "properties": { + "group": { + "properties": { + "id": { + "type": "text", + "fields": { + "keyword": { + "type": "keyword", + "ignore_above": 256 + } + } + } + } + }, + "id": { + "type": "text", + "fields": { + "keyword": { + "type": "keyword", + "ignore_above": 256 + } + } + } + } } } } From a5643914323b7ccc5e4557d622684b2098c7b3b4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gerg=C5=91=20=C3=81brah=C3=A1m?= Date: Fri, 20 Mar 2026 18:37:29 +0100 Subject: [PATCH 04/19] remove obsolete test (see #258556) --- .../add_edit_endpoint_exception.cy.ts | 237 ------------------ 1 file changed, 237 deletions(-) delete mode 100644 x-pack/solutions/security/test/security_solution_cypress/cypress/e2e/detection_response/detection_engine/exceptions/rule_details_flow/add_edit_endpoint_exception.cy.ts diff --git a/x-pack/solutions/security/test/security_solution_cypress/cypress/e2e/detection_response/detection_engine/exceptions/rule_details_flow/add_edit_endpoint_exception.cy.ts b/x-pack/solutions/security/test/security_solution_cypress/cypress/e2e/detection_response/detection_engine/exceptions/rule_details_flow/add_edit_endpoint_exception.cy.ts deleted file mode 100644 index 7924780c43624..0000000000000 --- a/x-pack/solutions/security/test/security_solution_cypress/cypress/e2e/detection_response/detection_engine/exceptions/rule_details_flow/add_edit_endpoint_exception.cy.ts +++ /dev/null @@ -1,237 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. - */ - -import { getNewRule } from '../../../../../objects/rule'; - -import { createRule } from '../../../../../tasks/api_calls/rules'; -import { login } from '../../../../../tasks/login'; -import { - openEditException, - openExceptionFlyoutFromEmptyViewerPrompt, - searchForExceptionItem, - visitRuleDetailsPage, - waitForPageToBeLoaded as waitForRuleDetailsPageToBeLoaded, -} from '../../../../../tasks/rule_details'; -import { - addExceptionConditions, - addExceptionFlyoutItemName, - editException, - editExceptionFlyoutItemName, - selectOs, - submitEditedExceptionItem, - submitNewExceptionItem, -} from '../../../../../tasks/exceptions'; - -import { deleteAlertsAndRules } from '../../../../../tasks/api_calls/common'; -import { - NO_EXCEPTIONS_EXIST_PROMPT, - EXCEPTION_ITEM_VIEWER_CONTAINER, - NO_EXCEPTIONS_SEARCH_RESULTS_PROMPT, - CLOSE_ALERTS_CHECKBOX, - CONFIRM_BTN, - ADD_TO_RULE_OR_LIST_SECTION, - CLOSE_SINGLE_ALERT_CHECKBOX, - EXCEPTION_ITEM_CONTAINER, - VALUES_INPUT, - EXCEPTION_CARD_ITEM_NAME, - EXCEPTION_CARD_ITEM_CONDITIONS, - FIELD_INPUT_PARENT, -} from '../../../../../screens/exceptions'; -import { - createEndpointExceptionList, - createEndpointExceptionListItem, - deleteEndpointExceptionList, - deleteExceptionLists, -} from '../../../../../tasks/api_calls/exceptions'; - -// https://github.com/elastic/kibana/issues/187279 -describe( - 'Add endpoint exception from rule details', - { tags: ['@ess', '@serverless', '@skipInServerlessMKI'] }, - () => { - const ITEM_NAME = 'Sample Exception List Item'; - const NEW_ITEM_NAME = 'Exception item-EDITED'; - const ITEM_FIELD = 'event.code'; - const FIELD_DIFFERENT_FROM_EXISTING_ITEM_FIELD = 'agent.type'; - - before(() => { - cy.task('esArchiverLoad', { archiveName: 'auditbeat_multiple' }); - }); - - after(() => { - cy.task('esArchiverUnload', { archiveName: 'auditbeat_multiple' }); - }); - - beforeEach(() => { - deleteExceptionLists(); - deleteEndpointExceptionList(); - - login(); - deleteAlertsAndRules(); - }); - - describe('without exception items', () => { - beforeEach(() => { - createEndpointExceptionList().then((response) => { - createRule( - getNewRule({ - query: 'event.code:*', - index: ['auditbeat*'], - exceptions_list: [ - { - id: response.body.id, - list_id: response.body.list_id, - type: response.body.type, - namespace_type: response.body.namespace_type, - }, - ], - rule_id: '2', - enabled: false, - }) - ).then((rule) => visitRuleDetailsPage(rule.body.id, { tab: 'endpoint_exceptions' })); - }); - }); - - it('creates an exception item', () => { - // when no exceptions exist, empty component shows with action to add exception - - cy.get(NO_EXCEPTIONS_EXIST_PROMPT).should('exist'); - - // open add exception modal - openExceptionFlyoutFromEmptyViewerPrompt(); - - // submit button is disabled if no paramerters were added - cy.get(CONFIRM_BTN).should('have.attr', 'disabled'); - - // for endpoint exceptions, must specify OS - selectOs('windows'); - - // add exception item conditions - addExceptionConditions({ - field: 'event.code', - operator: 'is', - values: ['foo'], - }); - - // Name is required so want to check that submit is still disabled - cy.get(CONFIRM_BTN).should('have.attr', 'disabled'); - - // add exception item name - addExceptionFlyoutItemName(ITEM_NAME); - - // Option to add to rule or add to list should NOT appear - cy.get(ADD_TO_RULE_OR_LIST_SECTION).should('not.exist'); - - // not testing close alert functionality here, just ensuring that the options appear as expected - cy.get(CLOSE_SINGLE_ALERT_CHECKBOX).should('not.exist'); - cy.get(CLOSE_ALERTS_CHECKBOX).should('exist'); - - // submit - submitNewExceptionItem(); - - // new exception item displays - cy.get(EXCEPTION_ITEM_VIEWER_CONTAINER).should('have.length', 1); - }); - }); - - // FLAKY: https://github.com/elastic/kibana/issues/179582 - describe.skip('with exception items', () => { - beforeEach(() => { - createEndpointExceptionList().then((response) => { - createEndpointExceptionListItem({ - comments: [], - description: 'Exception list item', - entries: [ - { - field: ITEM_FIELD, - operator: 'included', - type: 'match', - value: 'foo', - }, - ], - name: ITEM_NAME, - tags: [], - type: 'simple', - os_types: ['windows'], - }); - - createRule( - getNewRule({ - name: 'Rule with exceptions', - query: 'event.code:*', - index: ['auditbeat*'], - exceptions_list: [ - { - id: response.body.id, - list_id: response.body.list_id, - type: response.body.type, - namespace_type: response.body.namespace_type, - }, - ], - rule_id: '2', - enabled: false, - }) - ).then((rule) => { - visitRuleDetailsPage(rule.body.id, { tab: 'endpoint_exceptions' }); - waitForRuleDetailsPageToBeLoaded('Rule with exceptions'); - }); - }); - }); - - it('edits an endpoint exception item', () => { - // displays existing exception items - cy.get(EXCEPTION_ITEM_VIEWER_CONTAINER).should('have.length', 1); - cy.get(NO_EXCEPTIONS_EXIST_PROMPT).should('not.exist'); - cy.get(EXCEPTION_CARD_ITEM_NAME).should('have.text', ITEM_NAME); - cy.get(EXCEPTION_CARD_ITEM_CONDITIONS).should('have.text', ` ${ITEM_FIELD}IS foo`); - - // open edit exception modal - openEditException(); - - // edit exception item name - editExceptionFlyoutItemName(NEW_ITEM_NAME); - - // check that the existing item's field is being populated - cy.get(EXCEPTION_ITEM_CONTAINER) - .eq(0) - .find(FIELD_INPUT_PARENT) - .eq(0) - .should('have.value', ITEM_FIELD); - cy.get(VALUES_INPUT).should('have.value', 'foo'); - - // edit conditions - editException(FIELD_DIFFERENT_FROM_EXISTING_ITEM_FIELD, 0, 0); - - // submit - submitEditedExceptionItem(); - - // new exception item displays - cy.get(EXCEPTION_ITEM_VIEWER_CONTAINER).should('have.length', 1); - - // check that updates stuck - cy.get(EXCEPTION_CARD_ITEM_NAME).should('have.text', NEW_ITEM_NAME); - cy.get(EXCEPTION_CARD_ITEM_CONDITIONS).should('have.text', ' agent.typeIS foo'); - }); - - it('allows user to search for items', () => { - cy.get(EXCEPTION_ITEM_VIEWER_CONTAINER).should('have.length', 1); - - // can search for an exception value - searchForExceptionItem('foo'); - - // new exception item displays - cy.get(EXCEPTION_ITEM_VIEWER_CONTAINER).should('have.length', 1); - - // displays empty search result view if no matches found - searchForExceptionItem('abc'); - - // new exception item displays - cy.get(NO_EXCEPTIONS_SEARCH_RESULTS_PROMPT).should('exist'); - }); - }); - } -); From 55c5ada5ffacf904e9e291a11199a3d7d82e8873 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gerg=C5=91=20=C3=81brah=C3=A1m?= Date: Thu, 2 Apr 2026 18:56:56 +0200 Subject: [PATCH 05/19] update text in test --- .../security_solution_cypress/cypress/tasks/exceptions_table.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/x-pack/solutions/security/test/security_solution_cypress/cypress/tasks/exceptions_table.ts b/x-pack/solutions/security/test/security_solution_cypress/cypress/tasks/exceptions_table.ts index 7247cd7753f31..da7b4c809659a 100644 --- a/x-pack/solutions/security/test/security_solution_cypress/cypress/tasks/exceptions_table.ts +++ b/x-pack/solutions/security/test/security_solution_cypress/cypress/tasks/exceptions_table.ts @@ -307,7 +307,7 @@ export const validateImportExceptionListFailedOnArtifactTypePrecheck = () => { .invoke('text') .should((bodyText) => { expect(bodyText).to.match( - /On this page only shared exception lists can be imported, but at least one file contains Endpoint artifacts. Endpoint artifacts can be imported on their respective pages/i + /You can only import shared exception lists here, but at least one of the imported files contains endpoint artifacts. Import endpoint artifacts from their dedicated pages instead./i ); }); }; From 3c102119c7b9a7aa64faabe32b65415285b9e223 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gerg=C5=91=20=C3=81brah=C3=A1m?= Date: Wed, 8 Apr 2026 14:38:47 +0200 Subject: [PATCH 06/19] fix test typo --- .../shared_exception_list_page/import_lists.cy.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/x-pack/solutions/security/test/security_solution_cypress/cypress/e2e/detection_response/detection_engine/exceptions/shared_exception_lists_management/shared_exception_list_page/import_lists.cy.ts b/x-pack/solutions/security/test/security_solution_cypress/cypress/e2e/detection_response/detection_engine/exceptions/shared_exception_lists_management/shared_exception_list_page/import_lists.cy.ts index bc945878aaabf..680ad93e8aa70 100644 --- a/x-pack/solutions/security/test/security_solution_cypress/cypress/e2e/detection_response/detection_engine/exceptions/shared_exception_lists_management/shared_exception_list_page/import_lists.cy.ts +++ b/x-pack/solutions/security/test/security_solution_cypress/cypress/e2e/detection_response/detection_engine/exceptions/shared_exception_lists_management/shared_exception_list_page/import_lists.cy.ts @@ -102,7 +102,7 @@ describe('Import Lists', { tags: ['@ess', '@serverless', '@skipInServerless'] }, ENDPOINT_ARTIFACT_LIST_IDS.forEach((listId) => { it(`Should not allow to import Endpoint artifacts to "${listId}" list`, () => { cy.intercept(/(\/api\/exception_lists\/_import)/, () => { - throw new Error('Import API should not be called when importing ${listId} list'); + throw new Error(`Import API should not be called when importing ${listId} list`); }); importExceptionLists(prepareFile(listId)); From d34b9d56b467bfb4b2f22fa0a5c79d88cc63aba4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gerg=C5=91=20=C3=81brah=C3=A1m?= Date: Wed, 8 Apr 2026 14:40:36 +0200 Subject: [PATCH 07/19] adapt tests to Endpoint exceptions removed from Shared exception list page --- .../shared_exception_list_page/filter_table.cy.ts | 12 ++++++------ .../shared_exception_list_page/manage_lists.cy.ts | 8 ++++---- 2 files changed, 10 insertions(+), 10 deletions(-) diff --git a/x-pack/solutions/security/test/security_solution_cypress/cypress/e2e/detection_response/detection_engine/exceptions/shared_exception_lists_management/shared_exception_list_page/filter_table.cy.ts b/x-pack/solutions/security/test/security_solution_cypress/cypress/e2e/detection_response/detection_engine/exceptions/shared_exception_lists_management/shared_exception_list_page/filter_table.cy.ts index 95f75c38a05be..ef9867331ef8a 100644 --- a/x-pack/solutions/security/test/security_solution_cypress/cypress/e2e/detection_response/detection_engine/exceptions/shared_exception_lists_management/shared_exception_list_page/filter_table.cy.ts +++ b/x-pack/solutions/security/test/security_solution_cypress/cypress/e2e/detection_response/detection_engine/exceptions/shared_exception_lists_management/shared_exception_list_page/filter_table.cy.ts @@ -74,15 +74,15 @@ describe('Filter Lists', { tags: ['@ess', '@serverless', '@skipInServerlessMKI'] // Using cy.contains because we do not care about the exact text, // just checking number of lists shown - cy.contains(EXCEPTIONS_TABLE_SHOWING_LISTS, '3'); + cy.contains(EXCEPTIONS_TABLE_SHOWING_LISTS, '2'); // Single word search - searchForExceptionList('Endpoint'); + searchForExceptionList('my'); // Using cy.contains because we do not care about the exact text, // just checking number of lists shown cy.contains(EXCEPTIONS_TABLE_SHOWING_LISTS, '1'); - cy.get(EXCEPTIONS_TABLE_LIST_NAME).should('have.text', 'Endpoint Security Exception List'); + cy.get(EXCEPTIONS_TABLE_LIST_NAME).should('have.text', EXCEPTION_LIST_NAME); // Multi word search clearSearchSelection(); @@ -105,17 +105,17 @@ describe('Filter Lists', { tags: ['@ess', '@serverless', '@skipInServerlessMKI'] // Field search clearSearchSelection(); - searchForExceptionList('list_id:endpoint_list'); + searchForExceptionList('list_id:exception_list_1'); // Using cy.contains because we do not care about the exact text, // just checking number of lists shown cy.contains(EXCEPTIONS_TABLE_SHOWING_LISTS, '1'); - cy.get(EXCEPTIONS_TABLE_LIST_NAME).should('have.text', 'Endpoint Security Exception List'); + cy.get(EXCEPTIONS_TABLE_LIST_NAME).should('have.text', EXCEPTION_LIST_NAME); clearSearchSelection(); // Using cy.contains because we do not care about the exact text, // just checking number of lists shown - cy.contains(EXCEPTIONS_TABLE_SHOWING_LISTS, '3'); + cy.contains(EXCEPTIONS_TABLE_SHOWING_LISTS, '2'); }); }); diff --git a/x-pack/solutions/security/test/security_solution_cypress/cypress/e2e/detection_response/detection_engine/exceptions/shared_exception_lists_management/shared_exception_list_page/manage_lists.cy.ts b/x-pack/solutions/security/test/security_solution_cypress/cypress/e2e/detection_response/detection_engine/exceptions/shared_exception_lists_management/shared_exception_list_page/manage_lists.cy.ts index 049a29bdd334f..71273d34b5702 100644 --- a/x-pack/solutions/security/test/security_solution_cypress/cypress/e2e/detection_response/detection_engine/exceptions/shared_exception_lists_management/shared_exception_list_page/manage_lists.cy.ts +++ b/x-pack/solutions/security/test/security_solution_cypress/cypress/e2e/detection_response/detection_engine/exceptions/shared_exception_lists_management/shared_exception_list_page/manage_lists.cy.ts @@ -132,13 +132,13 @@ describe( it('Delete exception list without rule reference', () => { // Using cy.contains because we do not care about the exact text, // just checking number of lists shown - cy.contains(EXCEPTIONS_TABLE_SHOWING_LISTS, '3'); + cy.contains(EXCEPTIONS_TABLE_SHOWING_LISTS, '2'); deleteExceptionListWithoutRuleReferenceByListId(getExceptionList1().list_id); // Using cy.contains because we do not care about the exact text, // just checking number of lists shown - cy.contains(EXCEPTIONS_TABLE_SHOWING_LISTS, '2'); + cy.contains(EXCEPTIONS_TABLE_SHOWING_LISTS, '1'); }); it('Deletes exception list with rule reference', () => { @@ -147,13 +147,13 @@ describe( // Using cy.contains because we do not care about the exact text, // just checking number of lists shown - cy.contains(EXCEPTIONS_TABLE_SHOWING_LISTS, '3'); + cy.contains(EXCEPTIONS_TABLE_SHOWING_LISTS, '2'); deleteExceptionListWithRuleReferenceByListId(getExceptionList2().list_id); // Using cy.contains because we do not care about the exact text, // just checking number of lists shown - cy.contains(EXCEPTIONS_TABLE_SHOWING_LISTS, '2'); + cy.contains(EXCEPTIONS_TABLE_SHOWING_LISTS, '1'); }); }); } From cb1ad34abfab0ce6b82befb4bc4d9ee196629b39 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gerg=C5=91=20=C3=81brah=C3=A1m?= Date: Wed, 8 Apr 2026 14:41:50 +0200 Subject: [PATCH 08/19] adapt test to Endpoint exceptions tab removed from Rule details page --- .../endpoint_exceptions.cy.ts | 19 ++++++++++--------- .../cypress/screens/rule_details.ts | 2 -- .../cypress/tasks/rule_details.ts | 6 +++--- .../cypress/urls/navigation.ts | 1 + 4 files changed, 14 insertions(+), 14 deletions(-) diff --git a/x-pack/solutions/security/test/security_solution_cypress/cypress/e2e/detection_response/detection_engine/exceptions/alerts_table_flow/endpoint_exceptions.cy.ts b/x-pack/solutions/security/test/security_solution_cypress/cypress/e2e/detection_response/detection_engine/exceptions/alerts_table_flow/endpoint_exceptions.cy.ts index 4615cd9795667..f245b8a1845f8 100644 --- a/x-pack/solutions/security/test/security_solution_cypress/cypress/e2e/detection_response/detection_engine/exceptions/alerts_table_flow/endpoint_exceptions.cy.ts +++ b/x-pack/solutions/security/test/security_solution_cypress/cypress/e2e/detection_response/detection_engine/exceptions/alerts_table_flow/endpoint_exceptions.cy.ts @@ -35,12 +35,9 @@ import { ADD_NESTED_BTN, ENDPOINT_EXCEPTION_ITEM_CONFIRM_BTN, ENDPOINT_EXCEPTION_ITEM_NAME_INPUT, - EXCEPTION_CARD_ITEM_CONDITIONS, - EXCEPTION_CARD_ITEM_NAME, - EXCEPTION_ITEM_VIEWER_CONTAINER, } from '../../../../../screens/exceptions'; import { - goToEndpointExceptionsTab, + goToEndpointExceptions, visitRuleDetailsPage, waitForTheRuleToBeExecuted, } from '../../../../../tasks/rule_details'; @@ -123,13 +120,17 @@ describe( selectCloseSingleAlerts(); submitNewExceptionItem(ENDPOINT_EXCEPTION_ITEM_CONFIRM_BTN); - // Endpoint Exception will move to Endpoint List under Exception tab of rule - goToEndpointExceptionsTab(); + goToEndpointExceptions(); // new exception item displays - cy.get(EXCEPTION_ITEM_VIEWER_CONTAINER).should('have.length', 1); - cy.get(EXCEPTION_CARD_ITEM_NAME).should('have.text', ITEM_NAME_EDIT); - cy.get(EXCEPTION_CARD_ITEM_CONDITIONS).contains('span', ADDITIONAL_ENTRY); + cy.get('[data-test-subj="endpointExceptionsListPage-card"]').should('have.length', 1); + cy.get('[data-test-subj="endpointExceptionsListPage-card-header-title"]').should( + 'have.text', + ITEM_NAME_EDIT + ); + cy.get( + '[data-test-subj="endpointExceptionsListPage-card-criteriaConditions-condition"]' + ).contains('span', ADDITIONAL_ENTRY); }); } ); diff --git a/x-pack/solutions/security/test/security_solution_cypress/cypress/screens/rule_details.ts b/x-pack/solutions/security/test/security_solution_cypress/cypress/screens/rule_details.ts index 27e65990825a1..97f2cf0463517 100644 --- a/x-pack/solutions/security/test/security_solution_cypress/cypress/screens/rule_details.ts +++ b/x-pack/solutions/security/test/security_solution_cypress/cypress/screens/rule_details.ts @@ -52,8 +52,6 @@ export const INDEX_PATTERNS_DETAILS = 'Index patterns'; export const INVESTIGATION_FIELDS_DETAILS = 'Custom highlighted fields'; -export const ENDPOINT_EXCEPTIONS_TAB = 'a[data-test-subj="navigation-endpoint_exceptions"]'; - export const INDICATOR_INDEX_PATTERNS = 'Indicator index patterns'; export const INDICATOR_INDEX_QUERY = 'Indicator index query'; diff --git a/x-pack/solutions/security/test/security_solution_cypress/cypress/tasks/rule_details.ts b/x-pack/solutions/security/test/security_solution_cypress/cypress/tasks/rule_details.ts index 7a8ab1d57c705..edbbad638a621 100644 --- a/x-pack/solutions/security/test/security_solution_cypress/cypress/tasks/rule_details.ts +++ b/x-pack/solutions/security/test/security_solution_cypress/cypress/tasks/rule_details.ts @@ -24,7 +24,6 @@ import { DETAILS_TITLE, EDIT_EXCEPTION_BTN, EDIT_RULE_SETTINGS_LINK, - ENDPOINT_EXCEPTIONS_TAB, EXCEPTION_ITEM_ACTIONS_BUTTON, EXCEPTIONS_TAB, EXCEPTIONS_TAB_ACTIVE_FILTER, @@ -65,6 +64,7 @@ import { addsFields, closeFieldsBrowser, filterFieldsBrowser } from './fields_br import { visit } from './navigation'; import { LOCAL_DATE_PICKER_APPLY_BUTTON_TIMELINE } from '../screens/date_picker'; import { GAP_AUTO_FILL_LOGS_TABLE } from '../screens/rule_gaps'; +import { ENDPOINT_EXCEPTIONS_URL } from '../urls/navigation'; interface VisitRuleDetailsPageOptions { tab?: RuleDetailsTabs; @@ -158,8 +158,8 @@ export const viewExpiredExceptionItems = () => { cy.get(EXCEPTIONS_TAB_ACTIVE_FILTER).click(); }; -export const goToEndpointExceptionsTab = () => { - cy.get(ENDPOINT_EXCEPTIONS_TAB).click(); +export const goToEndpointExceptions = () => { + cy.visit(ENDPOINT_EXCEPTIONS_URL); }; export const openEditException = (index = 0) => { diff --git a/x-pack/solutions/security/test/security_solution_cypress/cypress/urls/navigation.ts b/x-pack/solutions/security/test/security_solution_cypress/cypress/urls/navigation.ts index fb17299a37f7a..51da5ccff6ad1 100644 --- a/x-pack/solutions/security/test/security_solution_cypress/cypress/urls/navigation.ts +++ b/x-pack/solutions/security/test/security_solution_cypress/cypress/urls/navigation.ts @@ -19,6 +19,7 @@ export const POLICIES_URL = '/app/security/administration/policy'; /** Any artifact tab lives under this path prefix (trusted apps, event filters, blocklist, etc.) */ export const ADMINISTRATION_URL_PREFIX = '/app/security/administration'; export const TRUSTED_APPS_URL = '/app/security/administration/trusted_apps'; +export const ENDPOINT_EXCEPTIONS_URL = '/app/security/administration/endpoint_exceptions'; export const EVENT_FILTERS_URL = '/app/security/administration/event_filters'; export const BLOCKLIST_URL = '/app/security/administration/blocklist'; export const HOST_ISOLATION_EXCEPTIONS_URL = `app/security/administration/host_isolation_exceptions`; From ada873ae85e1d3c1d59700cec6b93d4972de7eab Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gerg=C5=91=20=C3=81brah=C3=A1m?= Date: Wed, 8 Apr 2026 14:42:47 +0200 Subject: [PATCH 09/19] update Endpoint Security rule dummy with correct index --- .../test/security_solution_cypress/cypress/objects/rule.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/x-pack/solutions/security/test/security_solution_cypress/cypress/objects/rule.ts b/x-pack/solutions/security/test/security_solution_cypress/cypress/objects/rule.ts index e3310f5258ad8..4fd1e3b216eb0 100644 --- a/x-pack/solutions/security/test/security_solution_cypress/cypress/objects/rule.ts +++ b/x-pack/solutions/security/test/security_solution_cypress/cypress/objects/rule.ts @@ -481,7 +481,7 @@ export const getEditedRule = (): QueryRuleCreateProps => export const getEndpointRule = (): QueryRuleCreateProps => ({ type: 'query', query: 'event.kind:alert and event.module:(endpoint and not endgame)', - index: ['endpoint.alerts-*'], + index: ['logs-endpoint.alerts-*'], name: 'Endpoint Rule', description: 'The new rule description.', severity: 'high', From e6713c817c16263240440bda32d419917d7d3fd5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gerg=C5=91=20=C3=81brah=C3=A1m?= Date: Wed, 8 Apr 2026 14:44:16 +0200 Subject: [PATCH 10/19] use `endpoint` esArchive with correct index --- .../auto_populate_with_alert_data.cy.ts | 31 ++++++++++++------- 1 file changed, 19 insertions(+), 12 deletions(-) diff --git a/x-pack/solutions/security/test/security_solution_cypress/cypress/e2e/detection_response/detection_engine/exceptions/alerts_table_flow/rule_exceptions/auto_populate_with_alert_data.cy.ts b/x-pack/solutions/security/test/security_solution_cypress/cypress/e2e/detection_response/detection_engine/exceptions/alerts_table_flow/rule_exceptions/auto_populate_with_alert_data.cy.ts index 766990a824a76..f877a00f082bb 100644 --- a/x-pack/solutions/security/test/security_solution_cypress/cypress/e2e/detection_response/detection_engine/exceptions/alerts_table_flow/rule_exceptions/auto_populate_with_alert_data.cy.ts +++ b/x-pack/solutions/security/test/security_solution_cypress/cypress/e2e/detection_response/detection_engine/exceptions/alerts_table_flow/rule_exceptions/auto_populate_with_alert_data.cy.ts @@ -38,8 +38,7 @@ describe('Auto populate exception with Alert data', { tags: ['@ess', '@serverles const ADDITIONAL_ENTRY = 'host.hostname'; beforeEach(() => { - cy.task('esArchiverUnload', { archiveName: 'endpoint_2' }); - cy.task('esArchiverLoad', { archiveName: 'endpoint_2' }); + cy.task('esArchiverLoad', { archiveName: 'endpoint' }); login(); createRule(getEndpointRule()).then((rule) => visitRuleDetailsPage(rule.body.id, { tab: 'alerts' }) @@ -48,7 +47,6 @@ describe('Auto populate exception with Alert data', { tags: ['@ess', '@serverles waitForAlertsToPopulate(); }); after(() => { - cy.task('esArchiverUnload', { archiveName: 'endpoint' }); deleteAlertsAndRules(); }); afterEach(() => { @@ -73,6 +71,12 @@ describe('Auto populate exception with Alert data', { tags: ['@ess', '@serverles type: 'match', value: 'siem-kibana', }, + { + field: 'agent.id', + operator: 'included', + type: 'match', + value: '0ebd469b-c164-4734-00e6-96d018098dc7', + }, { field: 'user.name', operator: 'included', @@ -104,10 +108,6 @@ describe('Auto populate exception with Alert data', { tags: ['@ess', '@serverles value: ['-zsh'], }, ]); - cy.wrap(response?.body[0].comments[0].comment).should( - 'contain', - 'Exception conditions are pre-filled with relevant data from an alert with the alert id (_id):' - ); }); }); @@ -144,6 +144,12 @@ describe('Auto populate exception with Alert data', { tags: ['@ess', '@serverles type: 'match', value: 'siem-kibana', }, + { + field: 'agent.id', + operator: 'included', + type: 'match', + value: '0ebd469b-c164-4734-00e6-96d018098dc7', + }, { field: 'user.name', operator: 'included', @@ -163,16 +169,16 @@ describe('Auto populate exception with Alert data', { tags: ['@ess', '@serverles value: '123', }, { - field: 'process.name', + field: 'host.hostname', operator: 'included', type: 'match', - value: 'zsh', + value: 'foo', }, { - field: 'host.hostname', + field: 'process.args', operator: 'included', - type: 'match', - value: 'foo', + type: 'match_any', + value: ['-zsh'], }, ]); cy.wrap(response?.body[0].comments[0].comment).should( @@ -206,6 +212,7 @@ describe('Auto populate exception with Alert data', { tags: ['@ess', '@serverles 'user.name', 'process.executable', 'file.path', + 'process.name', ]; /** From 69406311b87a88c5afa52407b719c4364bab75e1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gerg=C5=91=20=C3=81brah=C3=A1m?= Date: Wed, 8 Apr 2026 14:44:51 +0200 Subject: [PATCH 11/19] remove now unused `endpoint_2` esArchive --- .../es_archives/endpoint_2/data.json | 129 ----- .../es_archives/endpoint_2/mappings.json | 494 ------------------ 2 files changed, 623 deletions(-) delete mode 100644 x-pack/solutions/security/test/security_solution_cypress/es_archives/endpoint_2/data.json delete mode 100644 x-pack/solutions/security/test/security_solution_cypress/es_archives/endpoint_2/mappings.json diff --git a/x-pack/solutions/security/test/security_solution_cypress/es_archives/endpoint_2/data.json b/x-pack/solutions/security/test/security_solution_cypress/es_archives/endpoint_2/data.json deleted file mode 100644 index c8e78bbe7c623..0000000000000 --- a/x-pack/solutions/security/test/security_solution_cypress/es_archives/endpoint_2/data.json +++ /dev/null @@ -1,129 +0,0 @@ -{ - "type": "doc", - "value": { - "id": "_wZE5nwBOpWiDwiSth_W", - "index": "endpoint.alerts-cypress-1", - "source": { - "@timestamp": "2023-02-15T16:37:12.225Z", - "file": { - "Ext": { - "code_signature": { - "subject_name": "test", - "trusted": true - } - }, - "path": "123", - "hash": { - "sha256": "test" - } - }, - "host": { - "hostname": "test.local", - "architecture": "x86_64", - "os": { - "platform": "darwin", - "version": "10.16", - "family": "darwin", - "name": "Mac OS X", - "kernel": "21.3.0", - "build": "21D62", - "type": "macos" - }, - "id": "44426D67-79AB-547C-7777-440AB8F5DDD2", - "ip": [ - "fe80::bade:48ff:fe00:1122", - "fe81::4ab:9565:1199:be3", - "192.168.5.175", - "fe80::40d7:d0ff:fe66:f55", - "fe81::40d8:d0ff:fe66:f55", - "fe82::c2c:6bdf:3307:dce0", - "fe83::5069:fcd5:e31c:7059", - "fe80::ce81:b2c:bd2c:69e", - "fe80::febc:bbc1:c517:827b", - "fe80::6d09:bee6:55a5:539d", - "fe80::c920:752e:1e0e:edc9", - "fe80::a4a:ca38:761f:83e2" - ], - "mac": [ - "ad:df:48:00:11:22", - "a6:86:e7:ae:5a:b6", - "a9:83:e7:ae:5a:b6", - "43:d8:d0:66:0f:55", - "42:d8:d0:66:0f:57", - "82:70:c7:c2:3c:01", - "82:70:c6:c2:4c:00", - "82:76:a6:c2:3c:05", - "82:70:c6:b2:3c:04", - "82:71:a6:c2:3c:01" - ], - "name": "siem-kibana" - }, - "agent": { - "type": "auditbeat", - "version": "8.1.0", - "ephemeral_id": "f6df090f-656a-4a79-a6a1-0c8671c9752d", - "id": "0ebd469b-c164-4734-00e6-96d018098dc7", - "name": "test.local" - }, - "event": { - "module": "endpoint", - "dataset": "process", - "kind": "alert", - "category": ["process"], - "type": ["start"], - "action": "process_started", - "code": "test" - }, - "destination": { - "port": 80 - }, - "process": { - "start": "2022-03-04T19:41:32.902Z", - "pid": 30884, - "working_directory": "/Users/test/security_solution", - "hash": { - "sha1": "ae2d46c38fa207efbea5fcecd6294eebbf5af00f" - }, - "parent": { - "pid": 777 - }, - "executable": "/bin/zsh", - "name": "zsh", - "args": ["-zsh"], - "entity_id": "q6pltOhTWlQx3BCD", - "entry_leader": { - "entity_id": "q6pltOhTWlQx3BCD", - "name": "fake entry", - "pid": 2342342 - } - }, - "message": "Process zsh (PID: 27884) by user test STARTED", - "user": { - "id": "505", - "group": { - "name": "staff", - "id": "20" - }, - "effective": { - "id": "505", - "group": { - "id": "20" - } - }, - "saved": { - "id": "505", - "group": { - "id": "20" - } - }, - "name": "test" - }, - "service": { - "type": "system" - }, - "ecs": { - "version": "8.0.0" - } - } - } -} diff --git a/x-pack/solutions/security/test/security_solution_cypress/es_archives/endpoint_2/mappings.json b/x-pack/solutions/security/test/security_solution_cypress/es_archives/endpoint_2/mappings.json deleted file mode 100644 index a63c3c6d5854b..0000000000000 --- a/x-pack/solutions/security/test/security_solution_cypress/es_archives/endpoint_2/mappings.json +++ /dev/null @@ -1,494 +0,0 @@ -{ - "type": "index", - "value": { - "aliases": { - "endgame": { - "is_write_index": false - } - }, - "settings": { - "index": { - "refresh_interval": "5s" - }, - "index.mapping.total_fields.limit": 2000 - }, - "index": "endpoint.alerts-cypress-1", - "mappings": { - "properties": { - "@timestamp": { - "type": "date" - }, - "agent": { - "properties": { - "ephemeral_id": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword", - "ignore_above": 256 - } - } - }, - "id": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword", - "ignore_above": 256 - } - } - }, - "name": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword", - "ignore_above": 256 - } - } - }, - "type": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword", - "ignore_above": 256 - } - } - }, - "version": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword", - "ignore_above": 256 - } - } - } - } - }, - "destination": { - "properties": { - "port": { - "type": "long" - } - } - }, - "ecs": { - "properties": { - "version": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword", - "ignore_above": 256 - } - } - } - } - }, - "event": { - "properties": { - "action": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword", - "ignore_above": 256 - } - } - }, - "category": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword", - "ignore_above": 256 - } - } - }, - "dataset": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword", - "ignore_above": 256 - } - } - }, - "kind": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword", - "ignore_above": 256 - } - } - }, - "module": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword", - "ignore_above": 256 - } - } - }, - "type": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword", - "ignore_above": 256 - } - } - } - } - }, - "host": { - "properties": { - "architecture": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword", - "ignore_above": 256 - } - } - }, - "hostname": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword", - "ignore_above": 256 - } - } - }, - "id": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword", - "ignore_above": 256 - } - } - }, - "ip": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword", - "ignore_above": 256 - } - } - }, - "mac": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword", - "ignore_above": 256 - } - } - }, - "name": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword", - "ignore_above": 256 - } - } - }, - "os": { - "properties": { - "build": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword", - "ignore_above": 256 - } - } - }, - "family": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword", - "ignore_above": 256 - } - } - }, - "kernel": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword", - "ignore_above": 256 - } - } - }, - "name": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword", - "ignore_above": 256 - } - } - }, - "platform": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword", - "ignore_above": 256 - } - } - }, - "type": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword", - "ignore_above": 256 - } - } - }, - "version": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword", - "ignore_above": 256 - } - } - } - } - } - } - }, - "message": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword", - "ignore_above": 256 - } - } - }, - "process": { - "properties": { - "args": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword", - "ignore_above": 256 - } - } - }, - "entity_id": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword", - "ignore_above": 256 - } - } - }, - "entry_leader": { - "properties": { - "entity_id": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword", - "ignore_above": 256 - } - } - }, - "name": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword", - "ignore_above": 256 - } - } - }, - "pid": { - "type": "long" - } - } - }, - "executable": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword", - "ignore_above": 256 - } - } - }, - "hash": { - "properties": { - "sha1": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword", - "ignore_above": 256 - } - } - } - } - }, - "name": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword", - "ignore_above": 256 - } - } - }, - "parent": { - "properties": { - "pid": { - "type": "long" - } - } - }, - "pid": { - "type": "long" - }, - "start": { - "type": "date" - }, - "working_directory": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword", - "ignore_above": 256 - } - } - } - } - }, - "service": { - "properties": { - "type": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword", - "ignore_above": 256 - } - } - } - } - }, - "user": { - "properties": { - "effective": { - "properties": { - "group": { - "properties": { - "id": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword", - "ignore_above": 256 - } - } - } - } - }, - "id": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword", - "ignore_above": 256 - } - } - } - } - }, - "group": { - "properties": { - "id": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword", - "ignore_above": 256 - } - } - }, - "name": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword", - "ignore_above": 256 - } - } - } - } - }, - "id": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword", - "ignore_above": 256 - } - } - }, - "name": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword", - "ignore_above": 256 - } - } - }, - "saved": { - "properties": { - "group": { - "properties": { - "id": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword", - "ignore_above": 256 - } - } - } - } - }, - "id": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword", - "ignore_above": 256 - } - } - } - } - } - } - } - } - } - } -} From a76b687f3e8abc05780d8a7c8dd0ddaf337dd290 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gerg=C5=91=20=C3=81brah=C3=A1m?= Date: Wed, 8 Apr 2026 14:59:42 +0200 Subject: [PATCH 12/19] add Endpoint Exceptions (and other missing) artifacts to navigation test --- .../e2e/explore/navigation/navigation.cy.ts | 24 ++++++++++++------- .../cypress/urls/navigation.ts | 1 + 2 files changed, 17 insertions(+), 8 deletions(-) diff --git a/x-pack/solutions/security/test/security_solution_cypress/cypress/e2e/explore/navigation/navigation.cy.ts b/x-pack/solutions/security/test/security_solution_cypress/cypress/e2e/explore/navigation/navigation.cy.ts index b1bdca307e28a..9f6f65d0c18de 100644 --- a/x-pack/solutions/security/test/security_solution_cypress/cypress/e2e/explore/navigation/navigation.cy.ts +++ b/x-pack/solutions/security/test/security_solution_cypress/cypress/e2e/explore/navigation/navigation.cy.ts @@ -62,6 +62,9 @@ import { RULES_COVERAGE_URL, OSQUERY_URL, HOSTS_URL, + ENDPOINT_EXCEPTIONS_URL, + HOST_ISOLATION_EXCEPTIONS_URL, + TRUSTED_DEVICES_URL, } from '../../../urls/navigation'; import { RULES_MANAGEMENT_URL } from '../../../urls/rules_management'; import { @@ -182,14 +185,19 @@ describe('top-level navigation common to all pages in the Security app', { tags: navigateFromHeaderTo(ARTIFACTS); cy.url().should('include', ADMINISTRATION_URL_PREFIX); }); - it('artifact tab deep links still resolve', () => { - visit(TRUSTED_APPS_URL); - cy.url().should('include', TRUSTED_APPS_URL); - visit(EVENT_FILTERS_URL); - cy.url().should('include', EVENT_FILTERS_URL); - visit(BLOCKLIST_URL); - cy.url().should('include', BLOCKLIST_URL); - }); + for (const [artifactName, artifactUrl] of [ + ['trusted apps', TRUSTED_APPS_URL], + ['event filters', EVENT_FILTERS_URL], + ['blocklist', BLOCKLIST_URL], + ['endpoint exceptions', ENDPOINT_EXCEPTIONS_URL], + ['host isolation exceptions', HOST_ISOLATION_EXCEPTIONS_URL], + ['trusted devices', TRUSTED_DEVICES_URL], + ]) { + it(`${artifactName} deep links still resolve`, () => { + visit(artifactUrl); + cy.url().should('include', artifactUrl); + }); + } it('navigates to the CSP Benchmarks page', () => { navigateFromHeaderTo(CSP_BENCHMARKS); cy.url().should('include', CSP_BENCHMARKS_URL); diff --git a/x-pack/solutions/security/test/security_solution_cypress/cypress/urls/navigation.ts b/x-pack/solutions/security/test/security_solution_cypress/cypress/urls/navigation.ts index 51da5ccff6ad1..85046bc1f50ac 100644 --- a/x-pack/solutions/security/test/security_solution_cypress/cypress/urls/navigation.ts +++ b/x-pack/solutions/security/test/security_solution_cypress/cypress/urls/navigation.ts @@ -19,6 +19,7 @@ export const POLICIES_URL = '/app/security/administration/policy'; /** Any artifact tab lives under this path prefix (trusted apps, event filters, blocklist, etc.) */ export const ADMINISTRATION_URL_PREFIX = '/app/security/administration'; export const TRUSTED_APPS_URL = '/app/security/administration/trusted_apps'; +export const TRUSTED_DEVICES_URL = '/app/security/administration/trusted_devices'; export const ENDPOINT_EXCEPTIONS_URL = '/app/security/administration/endpoint_exceptions'; export const EVENT_FILTERS_URL = '/app/security/administration/event_filters'; export const BLOCKLIST_URL = '/app/security/administration/blocklist'; From 25502d70e45d5ce64208b1fd892dfd4a80d040e1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gerg=C5=91=20=C3=81brah=C3=A1m?= Date: Wed, 8 Apr 2026 15:10:06 +0200 Subject: [PATCH 13/19] fix jest tests --- .../hooks/artifacts/use_endpoint_per_policy_opt_in.test.ts | 2 ++ .../plugins/security_solution/public/management/links.ts | 4 ++-- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/x-pack/solutions/security/plugins/security_solution/public/management/hooks/artifacts/use_endpoint_per_policy_opt_in.test.ts b/x-pack/solutions/security/plugins/security_solution/public/management/hooks/artifacts/use_endpoint_per_policy_opt_in.test.ts index 42fc5ffe72f07..8dfe0fb52756d 100644 --- a/x-pack/solutions/security/plugins/security_solution/public/management/hooks/artifacts/use_endpoint_per_policy_opt_in.test.ts +++ b/x-pack/solutions/security/plugins/security_solution/public/management/hooks/artifacts/use_endpoint_per_policy_opt_in.test.ts @@ -40,6 +40,8 @@ describe('useGetEndpointExceptionsPerPolicyOptIn()', () => { }); it('should not call the API when the experimental feature is disabled', () => { + testContext.setExperimentalFlag({ endpointExceptionsMovedUnderManagement: false }); + const { result } = testContext.renderHook(() => useGetEndpointExceptionsPerPolicyOptIn()); expect(result.current.data).toBeUndefined(); diff --git a/x-pack/solutions/security/plugins/security_solution/public/management/links.ts b/x-pack/solutions/security/plugins/security_solution/public/management/links.ts index 389a2f6290ae2..9f1dabc098f31 100644 --- a/x-pack/solutions/security/plugins/security_solution/public/management/links.ts +++ b/x-pack/solutions/security/plugins/security_solution/public/management/links.ts @@ -15,6 +15,7 @@ import { getEndpointAuthzInitialState, } from '../../common/endpoint/service/authz'; import { + ENDPOINT_EXCEPTIONS_PATH, ENDPOINTS_PATH, ENTITY_ANALYTICS_MANAGEMENT_PATH, MANAGE_PATH, @@ -23,7 +24,6 @@ import { SCRIPT_LIBRARY_PATH, SECURITY_FEATURE_ID, SecurityPageName, - TRUSTED_APPS_PATH, } from '../../common/constants'; import { ARTIFACTS, @@ -135,7 +135,7 @@ export const links: LinkItem = { 'Manage exceptions, trusted applications, and other settings that control how endpoints are protected and respond to activity.', }), landingIcon: IconArtifacts, - path: TRUSTED_APPS_PATH, + path: ENDPOINT_EXCEPTIONS_PATH, skipUrlState: true, hideTimeline: true, }, From b72ed3aab01dda0287d6c3754d1bb0904cacf44a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gerg=C5=91=20=C3=81brah=C3=A1m?= Date: Wed, 8 Apr 2026 15:14:58 +0200 Subject: [PATCH 14/19] remove obsolete test --- .../artifacts/endpoint_exceptions.no_ff.cy.ts | 67 ------------------- 1 file changed, 67 deletions(-) delete mode 100644 x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/artifacts/endpoint_exceptions.no_ff.cy.ts diff --git a/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/artifacts/endpoint_exceptions.no_ff.cy.ts b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/artifacts/endpoint_exceptions.no_ff.cy.ts deleted file mode 100644 index 9eed1c1c481b5..0000000000000 --- a/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/artifacts/endpoint_exceptions.no_ff.cy.ts +++ /dev/null @@ -1,67 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. - */ -import * as essSecurityHeaders from '@kbn/test-suites-xpack-security/security_solution_cypress/cypress/screens/security_header'; -import * as serverlessSecurityHeaders from '@kbn/test-suites-xpack-security/security_solution_cypress/cypress/screens/serverless_security_header'; -import { - APP_ENDPOINT_EXCEPTIONS_PATH, - APP_PATH, - RULES_FEATURE_ID, - SECURITY_FEATURE_ID, -} from '../../../../../common/constants'; -import { login, ROLE } from '../../tasks/login'; - -describe('Endpoint exceptions - preserving behaviour without `endpointExceptionsMovedUnderManagement` feature flag', () => { - describe('ESS', { tags: ['@ess'] }, () => { - const loginWithReadAccess = () => { - login.withCustomKibanaPrivileges({ - [SECURITY_FEATURE_ID]: ['read', 'endpoint_exceptions_read'], - [RULES_FEATURE_ID]: ['read'], - }); - }; - - it('should not display Endpoint Exceptions in Administration page', () => { - loginWithReadAccess(); - cy.visit('app/security/manage'); - cy.getByTestSubj('LandingItem').should('not.contain', 'Endpoint exceptions'); - }); - - it('should not display Endpoint Exceptions in Manage side panel', () => { - loginWithReadAccess(); - cy.visit(APP_PATH); - - essSecurityHeaders.openNavigationPanelFor(essSecurityHeaders.ARTIFACTS); - cy.getByTestSubj('solutionSideNavPanel') - .find('[data-test-subj="solutionSideNavPanelLink-endpoint_exceptions"]') - .should('not.exist'); - }); - - it('should display Not Found page when opening url directly', () => { - loginWithReadAccess(); - cy.visit(APP_ENDPOINT_EXCEPTIONS_PATH); - cy.getByTestSubj('notFoundPage').should('exist'); - }); - }); - - describe('Serverless', { tags: ['@serverless', '@skipInServerlessMKI'] }, () => { - it('should not display Endpoint Exceptions in Assets side panel ', () => { - // instead of testing with the lowest access (READ), we're testing with t3_analyst with WRITE access, - // as we neither have any role with READ access, nor custom roles on serverless yet - login(ROLE.t3_analyst); - cy.visit(APP_PATH); - - serverlessSecurityHeaders.showMoreItems(); - serverlessSecurityHeaders.openNavigationPanelFor(serverlessSecurityHeaders.ARTIFACTS); - cy.get('[data-test-subj~="nav-item-id-endpoint_exceptions"]').should('not.exist'); - }); - - it('should display Not Found page when opening url directly', () => { - login(ROLE.t3_analyst); - cy.visit(APP_ENDPOINT_EXCEPTIONS_PATH); - cy.getByTestSubj('notFoundPage').should('exist'); - }); - }); -}); From af06ab6056c3290b190da1643647927b31843b9d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gerg=C5=91=20=C3=81brah=C3=A1m?= Date: Wed, 8 Apr 2026 15:19:35 +0200 Subject: [PATCH 15/19] remove obsolete import API test cases --- .../event_filters.ts | 22 ----------------- .../host_isolation_exceptions.ts | 24 ------------------- 2 files changed, 46 deletions(-) diff --git a/x-pack/solutions/security/test/security_solution_api_integration/test_suites/edr_workflows/artifacts/trial_license_complete_tier/event_filters.ts b/x-pack/solutions/security/test/security_solution_api_integration/test_suites/edr_workflows/artifacts/trial_license_complete_tier/event_filters.ts index e6d39dd22c8f8..bd42ebacfe574 100644 --- a/x-pack/solutions/security/test/security_solution_api_integration/test_suites/edr_workflows/artifacts/trial_license_complete_tier/event_filters.ts +++ b/x-pack/solutions/security/test/security_solution_api_integration/test_suites/edr_workflows/artifacts/trial_license_complete_tier/event_filters.ts @@ -10,10 +10,6 @@ import type { ExceptionListItemSchema } from '@kbn/securitysolution-io-ts-list-t import expect from '@kbn/expect'; import { BY_POLICY_ARTIFACT_TAG_PREFIX } from '@kbn/security-solution-plugin/common/endpoint/service/artifacts'; import { ExceptionsListItemGenerator } from '@kbn/security-solution-plugin/common/endpoint/data_generators/exceptions_list_item_generator'; -import { - getImportExceptionsListSchemaMock, - toNdJsonString, -} from '@kbn/lists-plugin/common/schemas/request/import_exceptions_schema.mock'; import type TestAgent from 'supertest/lib/agent'; import type { PolicyTestResourceInfo } from '@kbn/test-suites-xpack-security-endpoint/services/endpoint_policy'; import type { ArtifactTestData } from '@kbn/test-suites-xpack-security-endpoint/services/endpoint_artifacts'; @@ -167,24 +163,6 @@ export default function ({ getService }: FtrProviderContext) { } }); - it('should return 400 for import of endpoint exceptions', async () => { - await endpointPolicyManagerSupertest - .post(`${EXCEPTION_LIST_URL}/_import?overwrite=false`) - .set('kbn-xsrf', 'true') - .attach( - 'file', - Buffer.from( - toNdJsonString([getImportExceptionsListSchemaMock(eventFilterData.artifact.list_id)]) - ), - 'exceptions.ndjson' - ) - .expect(400, { - status_code: 400, - message: - 'EndpointArtifactError: Import is not supported for Endpoint artifact exceptions', - }); - }); - describe('and has authorization to manage endpoint security', () => { for (const eventFilterApiCall of eventFilterCalls) { it(`should error on [${eventFilterApiCall.method}] if more than one OS is set`, async () => { diff --git a/x-pack/solutions/security/test/security_solution_api_integration/test_suites/edr_workflows/artifacts/trial_license_complete_tier/host_isolation_exceptions.ts b/x-pack/solutions/security/test/security_solution_api_integration/test_suites/edr_workflows/artifacts/trial_license_complete_tier/host_isolation_exceptions.ts index b78f0a4917bd1..e6ca56d663569 100644 --- a/x-pack/solutions/security/test/security_solution_api_integration/test_suites/edr_workflows/artifacts/trial_license_complete_tier/host_isolation_exceptions.ts +++ b/x-pack/solutions/security/test/security_solution_api_integration/test_suites/edr_workflows/artifacts/trial_license_complete_tier/host_isolation_exceptions.ts @@ -12,10 +12,6 @@ import { BY_POLICY_ARTIFACT_TAG_PREFIX, GLOBAL_ARTIFACT_TAG, } from '@kbn/security-solution-plugin/common/endpoint/service/artifacts'; -import { - getImportExceptionsListSchemaMock, - toNdJsonString, -} from '@kbn/lists-plugin/common/schemas/request/import_exceptions_schema.mock'; import { ExceptionsListItemGenerator } from '@kbn/security-solution-plugin/common/endpoint/data_generators/exceptions_list_item_generator'; import type TestAgent from 'supertest/lib/agent'; import type { PolicyTestResourceInfo } from '@kbn/test-suites-xpack-security-endpoint/services/endpoint_policy'; @@ -169,26 +165,6 @@ export default function ({ getService }: FtrProviderContext) { } }); - it('should return 400 for import of endpoint exceptions', async () => { - await endpointPolicyManagerSupertest - .post(`${EXCEPTION_LIST_URL}/_import?overwrite=false`) - .set('kbn-xsrf', 'true') - .attach( - 'file', - Buffer.from( - toNdJsonString([ - getImportExceptionsListSchemaMock(hostIsolationExceptionData.artifact.list_id), - ]) - ), - 'exceptions.ndjson' - ) - .expect(400, { - status_code: 400, - message: - 'EndpointArtifactError: Import is not supported for Endpoint artifact exceptions', - }); - }); - describe('and has authorization to manage endpoint security', () => { for (const hostIsolationExceptionApiCall of hostIsolationExceptionCalls) { it(`[${hostIsolationExceptionApiCall.method}] if invalid condition entry fields are used`, async () => { From 6fe7f9fb5f82a9e11a6500520dfbd7ac7162621c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gerg=C5=91=20=C3=81brah=C3=A1m?= Date: Wed, 8 Apr 2026 15:27:14 +0200 Subject: [PATCH 16/19] Shared exception lists page privilege cleanup --- .../plugins/security_solution/public/rules/links.ts | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/x-pack/solutions/security/plugins/security_solution/public/rules/links.ts b/x-pack/solutions/security/plugins/security_solution/public/rules/links.ts index bbd33930fc3a9..4dc7136e254a8 100644 --- a/x-pack/solutions/security/plugins/security_solution/public/rules/links.ts +++ b/x-pack/solutions/security/plugins/security_solution/public/rules/links.ts @@ -20,7 +20,6 @@ import { RULES_CREATE_PATH, RULES_LANDING_PATH, RULES_PATH, - SECURITY_FEATURE_ID, } from '../../common/constants'; import { ADD_RULES, @@ -95,10 +94,7 @@ export const links: LinkItem = { }), landingIcon: IconConsoleCloud, path: EXCEPTIONS_PATH, - capabilities: [ - EXCEPTIONS_UI_READ_PRIVILEGES, - `${SECURITY_FEATURE_ID}.showEndpointExceptions`, - ], + capabilities: [EXCEPTIONS_UI_READ_PRIVILEGES], skipUrlState: true, hideTimeline: true, globalSearchKeywords: [ From 3df0cb195a748e401aa5cd54144d880b155a49ab Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gerg=C5=91=20=C3=81brah=C3=A1m?= Date: Wed, 8 Apr 2026 15:33:07 +0200 Subject: [PATCH 17/19] enable API docs --- .../endpoint_exceptions_per_policy_opt_in.schema.yaml | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/endpoint_exceptions_per_policy_opt_in/endpoint_exceptions_per_policy_opt_in.schema.yaml b/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/endpoint_exceptions_per_policy_opt_in/endpoint_exceptions_per_policy_opt_in.schema.yaml index d6b9580b8d80d..c3ad45f9b007d 100644 --- a/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/endpoint_exceptions_per_policy_opt_in/endpoint_exceptions_per_policy_opt_in.schema.yaml +++ b/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/endpoint_exceptions_per_policy_opt_in/endpoint_exceptions_per_policy_opt_in.schema.yaml @@ -8,9 +8,7 @@ paths: summary: Retrieve endpoint exceptions per policy opt-in operationId: GetEndpointExceptionsPerPolicyOptIn x-codegen-enabled: true - x-labels: [] - # TODO: When the feature flag `endpointExceptionsMovedUnderManagement` is enabled, remove empty `x-labels` and un-comment the line below. - # x-labels: [ ess, serverless ] + x-labels: [ ess, serverless ] x-internal: true responses: '200': @@ -32,9 +30,7 @@ paths: summary: Opt-in to endpoint exceptions per policy operationId: PerformEndpointExceptionsPerPolicyOptIn x-codegen-enabled: true - x-labels: [] - # TODO: When the feature flag `endpointExceptionsMovedUnderManagement` is enabled, remove empty `x-labels` and un-comment the line below. - # x-labels: [ ess, serverless ] + x-labels: [ ess, serverless ] x-internal: true responses: '200': From 57636ba0ff20c0b4c613446af72020887aa1a665 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gerg=C5=91=20=C3=81brah=C3=A1m?= Date: Wed, 8 Apr 2026 17:22:18 +0200 Subject: [PATCH 18/19] update test config so test case can pick up FF state --- .../artifacts/trial_license_complete_tier/configs/ess.config.ts | 1 + .../trial_license_complete_tier/configs/serverless.config.ts | 1 + 2 files changed, 2 insertions(+) diff --git a/x-pack/solutions/security/test/security_solution_api_integration/test_suites/edr_workflows/artifacts/trial_license_complete_tier/configs/ess.config.ts b/x-pack/solutions/security/test/security_solution_api_integration/test_suites/edr_workflows/artifacts/trial_license_complete_tier/configs/ess.config.ts index 00593b5fa3a78..3867966f3bc32 100644 --- a/x-pack/solutions/security/test/security_solution_api_integration/test_suites/edr_workflows/artifacts/trial_license_complete_tier/configs/ess.config.ts +++ b/x-pack/solutions/security/test/security_solution_api_integration/test_suites/edr_workflows/artifacts/trial_license_complete_tier/configs/ess.config.ts @@ -16,6 +16,7 @@ export default async function ({ readConfigFile }: FtrConfigProviderContext) { 'trustedAppsAdvancedMode', 'filterProcessDescendantsForTrustedAppsEnabled', 'trustedDevices', + 'endpointExceptionsMovedUnderManagement', ]; return { diff --git a/x-pack/solutions/security/test/security_solution_api_integration/test_suites/edr_workflows/artifacts/trial_license_complete_tier/configs/serverless.config.ts b/x-pack/solutions/security/test/security_solution_api_integration/test_suites/edr_workflows/artifacts/trial_license_complete_tier/configs/serverless.config.ts index 4c034a31c9276..43d2efba74756 100644 --- a/x-pack/solutions/security/test/security_solution_api_integration/test_suites/edr_workflows/artifacts/trial_license_complete_tier/configs/serverless.config.ts +++ b/x-pack/solutions/security/test/security_solution_api_integration/test_suites/edr_workflows/artifacts/trial_license_complete_tier/configs/serverless.config.ts @@ -16,6 +16,7 @@ export default async function ({ readConfigFile }: FtrConfigProviderContext) { 'trustedAppsAdvancedMode', 'filterProcessDescendantsForTrustedAppsEnabled', 'trustedDevices', + 'endpointExceptionsMovedUnderManagement', ]; return { From f75f04836916dda9616d96b4a75f2e39261c7922 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gerg=C5=91=20=C3=81brah=C3=A1m?= Date: Thu, 9 Apr 2026 13:34:28 +0200 Subject: [PATCH 19/19] cy: extract selectors to screen folder --- .../alerts_table_flow/endpoint_exceptions.cy.ts | 14 ++++++-------- .../cypress/screens/exceptions.ts | 8 ++++++++ 2 files changed, 14 insertions(+), 8 deletions(-) diff --git a/x-pack/solutions/security/test/security_solution_cypress/cypress/e2e/detection_response/detection_engine/exceptions/alerts_table_flow/endpoint_exceptions.cy.ts b/x-pack/solutions/security/test/security_solution_cypress/cypress/e2e/detection_response/detection_engine/exceptions/alerts_table_flow/endpoint_exceptions.cy.ts index f245b8a1845f8..7d873b188234c 100644 --- a/x-pack/solutions/security/test/security_solution_cypress/cypress/e2e/detection_response/detection_engine/exceptions/alerts_table_flow/endpoint_exceptions.cy.ts +++ b/x-pack/solutions/security/test/security_solution_cypress/cypress/e2e/detection_response/detection_engine/exceptions/alerts_table_flow/endpoint_exceptions.cy.ts @@ -33,6 +33,9 @@ import { import { ALERTS_COUNT } from '../../../../../screens/alerts'; import { ADD_NESTED_BTN, + ENDPOINT_EXCEPTION_CARD, + ENDPOINT_EXCEPTION_CARD_CONDITIONS, + ENDPOINT_EXCEPTION_CARD_HEADER_TITLE, ENDPOINT_EXCEPTION_ITEM_CONFIRM_BTN, ENDPOINT_EXCEPTION_ITEM_NAME_INPUT, } from '../../../../../screens/exceptions'; @@ -123,14 +126,9 @@ describe( goToEndpointExceptions(); // new exception item displays - cy.get('[data-test-subj="endpointExceptionsListPage-card"]').should('have.length', 1); - cy.get('[data-test-subj="endpointExceptionsListPage-card-header-title"]').should( - 'have.text', - ITEM_NAME_EDIT - ); - cy.get( - '[data-test-subj="endpointExceptionsListPage-card-criteriaConditions-condition"]' - ).contains('span', ADDITIONAL_ENTRY); + cy.get(ENDPOINT_EXCEPTION_CARD).should('have.length', 1); + cy.get(ENDPOINT_EXCEPTION_CARD_HEADER_TITLE).should('have.text', ITEM_NAME_EDIT); + cy.get(ENDPOINT_EXCEPTION_CARD_CONDITIONS).contains('span', ADDITIONAL_ENTRY); }); } ); diff --git a/x-pack/solutions/security/test/security_solution_cypress/cypress/screens/exceptions.ts b/x-pack/solutions/security/test/security_solution_cypress/cypress/screens/exceptions.ts index 4d66b1d2c31eb..09820508c1d5c 100644 --- a/x-pack/solutions/security/test/security_solution_cypress/cypress/screens/exceptions.ts +++ b/x-pack/solutions/security/test/security_solution_cypress/cypress/screens/exceptions.ts @@ -134,6 +134,14 @@ export const EXCEPTION_ITEM_NAME_INPUT = 'input[data-test-subj="exceptionFlyoutN export const ENDPOINT_EXCEPTION_ITEM_NAME_INPUT = 'input[data-test-subj="endpointExceptions-form-name-input"]'; +export const ENDPOINT_EXCEPTION_CARD = '[data-test-subj="endpointExceptionsListPage-card"]'; + +export const ENDPOINT_EXCEPTION_CARD_HEADER_TITLE = + '[data-test-subj="endpointExceptionsListPage-card-header-title"]'; + +export const ENDPOINT_EXCEPTION_CARD_CONDITIONS = + '[data-test-subj="endpointExceptionsListPage-card-criteriaConditions-condition"]'; + export const ADD_TO_SHARED_LIST_RADIO_LABEL = '[data-test-subj="addToListsRadioOption"] label'; export const ADD_TO_SHARED_LIST_RADIO_INPUT = 'input[id="add_to_lists"]';