elastic · szwarckonrad · Apr 10, 2026 · Apr 2, 2026 · Mar 16, 2026 · Mar 20, 2026
@@ -8,9 +8,7 @@ paths:
       summary: Retrieve endpoint exceptions per policy opt-in
       operationId: GetEndpointExceptionsPerPolicyOptIn
       x-codegen-enabled: true
-      x-labels: []
-      #      TODO: When the feature flag `endpointExceptionsMovedUnderManagement` is enabled, remove empty `x-labels` and un-comment the line below.
-      #      x-labels: [ ess, serverless ]
+      x-labels: [ ess, serverless ]
 ### Making changes 
 1. Update the OpenAPI schema YML file and/or the Kibana schema file (see References below for help with OpenAPI YAML format) 
 2. Generate/re-generate the Zod schema validation modules: 
 ```shell 
 yarn --cwd x-pack/solutions/security/plugins/security_solution openapi:generate 
 ``` 
 3. Create a new bundle with the updated APIs: 
 ```shell 
 yarn --cwd x-pack/solutions/security/plugins/security_solution openapi:bundle:endpoint-management 
 ``` 
 4. Ensure that the newly generated files are commited to source 
 export const DEFAULT_BUNDLING_PROCESSORS: Readonly<DocumentNodeProcessor[]> = [ 
   createSkipNodeWithInternalPropProcessor(X_INTERNAL), 
   createSkipInternalPathProcessor('/internal'), 
   createModifyPartialProcessor(), 
 ### Making changes 
  
 1. Update the OpenAPI schema YML file and/or the Kibana schema file (see References below for help with OpenAPI YAML format) 
 2. Generate/re-generate the Zod schema validation modules: 
 ```shell 
 yarn --cwd x-pack/solutions/security/plugins/security_solution openapi:generate 
 ``` 
 3. Create a new bundle with the updated APIs: 
 ```shell 
 yarn --cwd x-pack/solutions/security/plugins/security_solution openapi:bundle:endpoint-management 
 ``` 
 4. Ensure that the newly generated files are commited to source 
 export const DEFAULT_BUNDLING_PROCESSORS: Readonly<DocumentNodeProcessor[]> = [ 
   createSkipNodeWithInternalPropProcessor(X_INTERNAL), 
   createSkipInternalPathProcessor('/internal'), 
   createModifyPartialProcessor(), 
       x-internal: true
       responses:
         '200':
@@ -32,9 +30,7 @@ paths:
       summary: Opt-in to endpoint exceptions per policy
       operationId: PerformEndpointExceptionsPerPolicyOptIn
       x-codegen-enabled: true
-      x-labels: []
-      #      TODO: When the feature flag `endpointExceptionsMovedUnderManagement` is enabled, remove empty `x-labels` and un-comment the line below.
-      #      x-labels: [ ess, serverless ]
+      x-labels: [ ess, serverless ]
       x-internal: true
       responses:
         '200':

@@ -149,8 +149,9 @@ export const allowedExperimentalValues = Object.freeze({
 
   /**
    * Removes Endpoint Exceptions from Rules/Alerts pages, and shows it instead in Manage/Assets.
+   * Additionally: enables import/export for all Endpoint artifacts.
    */
-  endpointExceptionsMovedUnderManagement: false,
+  endpointExceptionsMovedUnderManagement: true,
 
   /**
    * Enables CrowdStrike's RunScript RTR command

@@ -40,6 +40,8 @@ describe('useGetEndpointExceptionsPerPolicyOptIn()', () => {
   });
 
   it('should not call the API when the experimental feature is disabled', () => {
+    testContext.setExperimentalFlag({ endpointExceptionsMovedUnderManagement: false });
+
     const { result } = testContext.renderHook(() => useGetEndpointExceptionsPerPolicyOptIn());
 
     expect(result.current.data).toBeUndefined();

@@ -15,6 +15,7 @@ import {
   getEndpointAuthzInitialState,
 } from '../../common/endpoint/service/authz';
 import {
+  ENDPOINT_EXCEPTIONS_PATH,
   ENDPOINTS_PATH,
   ENTITY_ANALYTICS_MANAGEMENT_PATH,
   MANAGE_PATH,
@@ -23,7 +24,6 @@ import {
   SCRIPT_LIBRARY_PATH,
   SECURITY_FEATURE_ID,
   SecurityPageName,
-  TRUSTED_APPS_PATH,
 } from '../../common/constants';
 import {
   ARTIFACTS,
@@ -135,7 +135,7 @@ export const links: LinkItem = {
           'Manage exceptions, trusted applications, and other settings that control how endpoints are protected and respond to activity.',
       }),
       landingIcon: IconArtifacts,
-      path: TRUSTED_APPS_PATH,
+      path: ENDPOINT_EXCEPTIONS_PATH,
       skipUrlState: true,
       hideTimeline: true,
     },

@@ -175,7 +175,7 @@ export const EndpointExceptionsFlyout: React.FC<EndpointExceptionsFlyoutProps> =
     >
       <EuiFlyoutHeader hasBorder>
         <EuiTitle>
-          <h2 id={endpointExceptionsFlyoutTitleId}>
+          <h2 id={endpointExceptionsFlyoutTitleId} data-test-subj="exceptionFlyoutTitle">
             {ENDPOINT_EXCEPTIONS_PAGE_LABELS.flyoutCreateTitle}
           </h2>
         </EuiTitle>

@@ -20,7 +20,6 @@ import {
   RULES_CREATE_PATH,
   RULES_LANDING_PATH,
   RULES_PATH,
-  SECURITY_FEATURE_ID,
 } from '../../common/constants';
 import {
   ADD_RULES,
@@ -95,10 +94,7 @@ export const links: LinkItem = {
       }),
       landingIcon: IconConsoleCloud,
       path: EXCEPTIONS_PATH,
-      capabilities: [
-        EXCEPTIONS_UI_READ_PRIVILEGES,
-        `${SECURITY_FEATURE_ID}.showEndpointExceptions`,
-      ],
+      capabilities: [EXCEPTIONS_UI_READ_PRIVILEGES],
       skipUrlState: true,
       hideTimeline: true,
       globalSearchKeywords: [

@@ -16,6 +16,7 @@ export default async function ({ readConfigFile }: FtrConfigProviderContext) {
     'trustedAppsAdvancedMode',
     'filterProcessDescendantsForTrustedAppsEnabled',
     'trustedDevices',
+    'endpointExceptionsMovedUnderManagement',
   ];
 
   return {

@@ -16,6 +16,7 @@ export default async function ({ readConfigFile }: FtrConfigProviderContext) {
     'trustedAppsAdvancedMode',
     'filterProcessDescendantsForTrustedAppsEnabled',
     'trustedDevices',
+    'endpointExceptionsMovedUnderManagement',
   ];
 
   return {

@@ -10,10 +10,6 @@ import type { ExceptionListItemSchema } from '@kbn/securitysolution-io-ts-list-t
 import expect from '@kbn/expect';
 import { BY_POLICY_ARTIFACT_TAG_PREFIX } from '@kbn/security-solution-plugin/common/endpoint/service/artifacts';
 import { ExceptionsListItemGenerator } from '@kbn/security-solution-plugin/common/endpoint/data_generators/exceptions_list_item_generator';
-import {
-  getImportExceptionsListSchemaMock,
-  toNdJsonString,
-} from '@kbn/lists-plugin/common/schemas/request/import_exceptions_schema.mock';
 import type TestAgent from 'supertest/lib/agent';
 import type { PolicyTestResourceInfo } from '@kbn/test-suites-xpack-security-endpoint/services/endpoint_policy';
 import type { ArtifactTestData } from '@kbn/test-suites-xpack-security-endpoint/services/endpoint_artifacts';
@@ -167,24 +163,6 @@ export default function ({ getService }: FtrProviderContext) {
       }
     });
 
-    it('should return 400 for import of endpoint exceptions', async () => {
-      await endpointPolicyManagerSupertest
-        .post(`${EXCEPTION_LIST_URL}/_import?overwrite=false`)
-        .set('kbn-xsrf', 'true')
-        .attach(
-          'file',
-          Buffer.from(
-            toNdJsonString([getImportExceptionsListSchemaMock(eventFilterData.artifact.list_id)])
-          ),
-          'exceptions.ndjson'
-        )
-        .expect(400, {
-          status_code: 400,
-          message:
-            'EndpointArtifactError: Import is not supported for Endpoint artifact exceptions',
-        });
-    });
-
     describe('and has authorization to manage endpoint security', () => {
       for (const eventFilterApiCall of eventFilterCalls) {
         it(`should error on [${eventFilterApiCall.method}] if more than one OS is set`, async () => {

@@ -12,10 +12,6 @@ import {
   BY_POLICY_ARTIFACT_TAG_PREFIX,
   GLOBAL_ARTIFACT_TAG,
 } from '@kbn/security-solution-plugin/common/endpoint/service/artifacts';
-import {
-  getImportExceptionsListSchemaMock,
-  toNdJsonString,
-} from '@kbn/lists-plugin/common/schemas/request/import_exceptions_schema.mock';
 import { ExceptionsListItemGenerator } from '@kbn/security-solution-plugin/common/endpoint/data_generators/exceptions_list_item_generator';
 import type TestAgent from 'supertest/lib/agent';
 import type { PolicyTestResourceInfo } from '@kbn/test-suites-xpack-security-endpoint/services/endpoint_policy';
@@ -169,26 +165,6 @@ export default function ({ getService }: FtrProviderContext) {
       }
     });
 
-    it('should return 400 for import of endpoint exceptions', async () => {
-      await endpointPolicyManagerSupertest
-        .post(`${EXCEPTION_LIST_URL}/_import?overwrite=false`)
-        .set('kbn-xsrf', 'true')
-        .attach(
-          'file',
-          Buffer.from(
-            toNdJsonString([
-              getImportExceptionsListSchemaMock(hostIsolationExceptionData.artifact.list_id),
-            ])
-          ),
-          'exceptions.ndjson'
-        )
-        .expect(400, {
-          status_code: 400,
-          message:
-            'EndpointArtifactError: Import is not supported for Endpoint artifact exceptions',
-        });
-    });
-
     describe('and has authorization to manage endpoint security', () => {
       for (const hostIsolationExceptionApiCall of hostIsolationExceptionCalls) {
         it(`[${hostIsolationExceptionApiCall.method}] if invalid condition entry fields are used`, async () => {

@@ -56,6 +56,8 @@ export default async function ({ readConfigFile }: FtrConfigProviderContext) {
         `--xpack.fleet.developer.bundledPackageLocation=./inexistentDir`,
         '--csp.strict=false',
         '--csp.warnLegacyBrowsers=false',
+        // For testing Import flyout with Endpoint artifacts
+        '--xpack.securitySolution.enableExperimental=["endpointExceptionsMovedUnderManagement"]',
       ],
       runOptions: {
         wait: FLEET_PLUGIN_READY_LOG_MESSAGE_REGEXP,

@@ -33,12 +33,14 @@ import {
 import { ALERTS_COUNT } from '../../../../../screens/alerts';
 import {
   ADD_NESTED_BTN,
-  EXCEPTION_CARD_ITEM_CONDITIONS,
-  EXCEPTION_CARD_ITEM_NAME,
-  EXCEPTION_ITEM_VIEWER_CONTAINER,
+  ENDPOINT_EXCEPTION_CARD,
+  ENDPOINT_EXCEPTION_CARD_CONDITIONS,
+  ENDPOINT_EXCEPTION_CARD_HEADER_TITLE,
+  ENDPOINT_EXCEPTION_ITEM_CONFIRM_BTN,
+  ENDPOINT_EXCEPTION_ITEM_NAME_INPUT,
 } from '../../../../../screens/exceptions';
 import {
-  goToEndpointExceptionsTab,
+  goToEndpointExceptions,
   visitRuleDetailsPage,
   waitForTheRuleToBeExecuted,
 } from '../../../../../tasks/rule_details';
@@ -53,7 +55,6 @@ describe(
     const ADDITIONAL_ENTRY = 'host.hostname';
 
     beforeEach(() => {
-      cy.task('esArchiverUnload', { archiveName: 'endpoint' });
       login();
       deleteAlertsAndRules();
       deleteEndpointExceptionList();
@@ -82,8 +83,8 @@ describe(
       validateExceptionConditionField('file.Ext.code_signature');
 
       selectCloseSingleAlerts();
-      addExceptionFlyoutItemName(ITEM_NAME);
-      submitNewExceptionItem();
+      addExceptionFlyoutItemName(ITEM_NAME, ENDPOINT_EXCEPTION_ITEM_NAME_INPUT);
+      submitNewExceptionItem(ENDPOINT_EXCEPTION_ITEM_CONFIRM_BTN);
 
       // Instead of immediately checking if the Opened Alert has moved to the closed tab,
       // use the waitForAlerts method to create a buffer, allowing the alerts some time to
@@ -105,7 +106,7 @@ describe(
       // As the endpoint.alerts-* is used to trigger the alert the
       // file.Ext.code_signature will be auto-populated
       validateExceptionConditionField('file.Ext.code_signature');
-      addExceptionFlyoutItemName(ITEM_NAME);
+      addExceptionFlyoutItemName(ITEM_NAME, ENDPOINT_EXCEPTION_ITEM_NAME_INPUT);
 
       // Add non-nested condition
       cy.get(ADD_NESTED_BTN).click();
@@ -114,21 +115,20 @@ describe(
       addExceptionEntryFieldValueValue('foo', 4);
 
       // Change the name again
-      editExceptionFlyoutItemName(ITEM_NAME_EDIT);
+      editExceptionFlyoutItemName(ITEM_NAME_EDIT, ENDPOINT_EXCEPTION_ITEM_NAME_INPUT);
 
       // validate the condition is still "agent.name" or got rest after the name is changed
       validateExceptionConditionField(ADDITIONAL_ENTRY);
 
       selectCloseSingleAlerts();
-      submitNewExceptionItem();
+      submitNewExceptionItem(ENDPOINT_EXCEPTION_ITEM_CONFIRM_BTN);
 
-      // Endpoint Exception will move to Endpoint List under Exception tab of rule
-      goToEndpointExceptionsTab();
+      goToEndpointExceptions();
 
       // new exception item displays
-      cy.get(EXCEPTION_ITEM_VIEWER_CONTAINER).should('have.length', 1);
-      cy.get(EXCEPTION_CARD_ITEM_NAME).should('have.text', ITEM_NAME_EDIT);
-      cy.get(EXCEPTION_CARD_ITEM_CONDITIONS).contains('span', ADDITIONAL_ENTRY);
+      cy.get(ENDPOINT_EXCEPTION_CARD).should('have.length', 1);
+      cy.get(ENDPOINT_EXCEPTION_CARD_HEADER_TITLE).should('have.text', ITEM_NAME_EDIT);
+      cy.get(ENDPOINT_EXCEPTION_CARD_CONDITIONS).contains('span', ADDITIONAL_ENTRY);
     });
   }
 );