[EDR Workflow] Default Endpoint exception as Global when creating from Alerts page

[gergoabraham]

Summary

Note

After endpointExceptionsMovedUnderManagement FF is enabled, and after user has opted in to per-policy Endpoint exceptions...

...the Endpoint exception create form shows the Policy selector:

This should be defaulted to 'Global' when trying to create an Endpoint exception on the Alerts page:

• to harmonize with historic behavior: so far Endpoint exceptions used to be always global,
• to harmonize with Endpoint artifact pages: there we also default to global.

Screen recording

User with Global artifact management privilege

Screen.Recording.2026-04-09.at.15.12.35.mov

User without Global artifact management privilege

Screen.Recording.2026-04-09.at.15.15.39.mov

Note

actually this cannot be tested in this PR manually, because it is hidden behind another hidden bug: https://github.com/elastic/security-team/issues/16784
but the unit test shows the behavior

Todo

• update backport labels in case 9.4 branch is cut

Checklist

Check the PR satisfies following conditions.

Reviewers should verify this PR satisfies this list as well.

• Unit or functional tests were updated or added to match the most common scenarios

[elasticmachine]

Pinging @elastic/security-defend-workflows (Team:Defend Workflows)

[paul-tavares]

👍

[tomsonpl]

Nice clean change! Small, well-scoped, and good test coverage for both privilege branches. Left one minor nit about defensive tag merging, but otherwise LGTM 👍

[tomsonpl]

nit (non-blocking): The tags field here overwrites whatever defaultEndpointExceptionItems returns. Currently that's likely empty, but as a defensive measure you could mergeinstead of replace:

Suggested change

	tags: canManageGlobalArtifacts ? [GLOBAL_ARTIFACT_TAG] : [],
	tags: [
	...(initialException.tags ?? []),
	...(canManageGlobalArtifacts ? [GLOBAL_ARTIFACT_TAG] : []),
	],

This way if defaultEndpointExceptionItems ever evolves to set tags, they won't be silently dropped.

[gergoabraham]

that's a really good point, thanks. updated:
341184a

[elasticmachine]

💔 Build Failed

• Buildkite Build
• Commit: 32a8a54

Failed CI Steps

• FTR Configs #34
• FTR Configs #163

Test Failures

• [job] [logs] FTR Configs #34 / serverless observability UI - ML and Discover discover/observabilitySolution/context_awareness extension getRowIndicatorProvider should render log.level row indicators on Surrounding documents page

Metrics [docs]

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id	before	after	diff
securitySolution	11.7MB	11.7MB	+276.0B

History

• 💛 Build #424879 was flaky 83a3d22
• 💔 Build #424803 failed 3dd269e

cc @gergoabraham