[EDR Workflows] Add cypress test coverage for Endpoint exceptions OR operator (#266687)

gergoabraham · web-flow · commit 8698a3479066 · 2026-05-29T16:30:05.000+02:00
## Summary This PR adds e2e cypress test coverage to the OR operator support on the new Endpoint exceptions form: - [x] from Artifacts page - [x] from Alerts page 🎉 All tests passed! - [kibana-flaky-test-suite-runner#12490](https://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/12490) ## TODO - [x] revert temporary cypress config change for flaky runner 5837829 ### Checklist Check the PR satisfies following conditions. Reviewers should verify this PR satisfies this list as well. - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios - [x] [Flaky Test Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was used on any tests changed
diff --git a/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/artifacts/endpoint_exceptions.cy.ts b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/artifacts/endpoint_exceptions.cy.ts
@@ -6,9 +6,14 @@
  */
 import * as essSecurityHeaders from '@kbn/test-suites-xpack-security/security_solution_cypress/cypress/screens/security_header';
 import * as serverlessSecurityHeaders from '@kbn/test-suites-xpack-security/security_solution_cypress/cypress/screens/serverless_security_header';
-import { ENDPOINT_ARTIFACT_LISTS } from '@kbn/securitysolution-list-constants';
+import {
+  ENDPOINT_ARTIFACT_LISTS,
+  EXCEPTION_LIST_ITEM_URL,
+} from '@kbn/securitysolution-list-constants';
+import { recurse } from 'cypress-recurse';
 import { ENDPOINT_EXCEPTIONS_PER_POLICY_OPT_IN_ROUTE } from '../../../../../common/endpoint/constants';
 import {
+  APP_ALERTS_PATH,
   APP_ENDPOINT_EXCEPTIONS_PATH,
   APP_MANAGE_PATH,
   APP_PATH,
@@ -24,6 +29,10 @@ import {
   removeAllArtifacts,
 } from '../../tasks/artifacts';
 import { getArtifactsListTestDataForArtifact } from '../../fixtures/artifacts_page';
+import { indexEndpointHosts } from '../../tasks/index_endpoint_hosts';
+import type { ReturnTypeFromChainable } from '../../types';
+import { performUserActions, type FormAction } from '../../tasks/perform_user_actions';
+import { getArtifactListEmptyStateAddButton } from '../../screens';
 
 describe(
   'Endpoint exceptions - under Security Management/Assets',
@@ -102,6 +111,7 @@ describe(
       });
     });
 
+    // Only running on ESS, because on Serverless we cannot remove the opt-in status SO
     describe('Per-policy opt-in behaviour', { tags: ['@ess'] }, () => {
       before(() => {
         removeAllArtifacts();
@@ -143,5 +153,264 @@ describe(
         });
       });
     });
+
+    describe('OR operator', { tags: ['@ess', '@serverless'] }, () => {
+      let endpointData: ReturnTypeFromChainable<typeof indexEndpointHosts> | undefined;
+
+      const artifactNameActions: FormAction[] = [
+        {
+          type: 'input',
+          selector: 'endpointExceptions-form-name-input',
+          value: 'Endpoint exception name',
+        },
+        {
+          type: 'input',
+          selector: 'endpointExceptions-form-description-input',
+          value: 'This is the endpoint exception description',
+        },
+      ];
+
+      const firstConditionActions: FormAction[] = [
+        {
+          type: 'input',
+          selector: 'fieldAutocompleteComboBox',
+          value: 'agent.version',
+        },
+        {
+          type: 'click',
+          selector: 'valuesAutocompleteMatch',
+        },
+        {
+          type: 'input',
+          selector: 'valuesAutocompleteMatch',
+          value: '1234',
+        },
+        {
+          type: 'click',
+          selector: 'endpointExceptions-form-description-input',
+        },
+      ];
+
+      before(() => {
+        indexEndpointHosts().then((indexEndpoints) => {
+          endpointData = indexEndpoints;
+        });
+      });
+
+      beforeEach(() => {
+        removeAllArtifacts();
+      });
+
+      after(() => {
+        removeAllArtifacts();
+
+        endpointData?.cleanup();
+        endpointData = undefined;
+      });
+
+      const addConditionWithOR = (field: string, value: string) => {
+        cy.getByTestSubj('exceptionsOrButton').click();
+
+        cy.getByTestSubj('fieldAutocompleteComboBox').last().type(field);
+        cy.getByTestSubj('valuesAutocompleteMatch').last().click();
+        cy.getByTestSubj('valuesAutocompleteMatch').last().type(value);
+      };
+
+      const shouldHaveConditionsOnScreen = (conditions: string[]) =>
+        cy
+          .getByTestSubj('endpointExceptionsListPage-card-criteriaConditions-condition')
+          .then(($conditions) => {
+            const conditionsText = $conditions.map((_, element) => Cypress.$(element).text()).get();
+
+            expect(conditionsText).to.include.members(conditions);
+          });
+
+      describe('on Artifacts page', () => {
+        it('should create 2 artifacts when using 1 OR operator during CREATE', () => {
+          cy.intercept('POST', EXCEPTION_LIST_ITEM_URL).as('createExceptionItem');
+
+          login();
+          cy.visit(APP_ENDPOINT_EXCEPTIONS_PATH);
+
+          getArtifactListEmptyStateAddButton('endpointExceptions').click();
+
+          performUserActions(artifactNameActions);
+          performUserActions(firstConditionActions);
+
+          addConditionWithOR('agent.type', 'endpoint');
+
+          cy.getByTestSubj('endpointExceptionsListPage-flyout-submitButton').click();
+
+          // There should be 2 artifacts created
+          cy.get('@createExceptionItem.all').should('have.length', 2);
+
+          // All with same name
+          cy.getByTestSubj('endpointExceptionsListPage-card-header-title')
+            .should('have.length', 2)
+            .each((card) => expect(card).to.have.text('Endpoint exception name'));
+
+          // and different conditions
+          shouldHaveConditionsOnScreen(['AND agent.versionIS 1234', 'AND agent.typeIS endpoint']);
+        });
+
+        it('should create 3 artifacts when using 2 OR operators during CREATE', () => {
+          cy.intercept('POST', EXCEPTION_LIST_ITEM_URL).as('createExceptionItem');
+
+          login();
+          cy.visit(APP_ENDPOINT_EXCEPTIONS_PATH);
+
+          getArtifactListEmptyStateAddButton('endpointExceptions').click();
+
+          performUserActions(artifactNameActions);
+          performUserActions(firstConditionActions);
+
+          addConditionWithOR('agent.type', 'endpoint');
+          addConditionWithOR('host.user.email', 'cheese');
+
+          cy.getByTestSubj('endpointExceptionsListPage-flyout-submitButton').click();
+
+          // There should be 3 artifacts created
+          cy.get('@createExceptionItem.all').should('have.length', 3);
+
+          // All with same name
+          cy.getByTestSubj('endpointExceptionsListPage-card-header-title')
+            .should('have.length', 3)
+            .each((card) => expect(card).to.have.text('Endpoint exception name'));
+
+          // and different conditions
+          shouldHaveConditionsOnScreen([
+            'AND agent.versionIS 1234',
+            'AND agent.typeIS endpoint',
+            'AND host.user.emailIS cheese',
+          ]);
+        });
+
+        it('should create multiple artifacts when using OR operator during EDIT', () => {
+          login();
+          cy.visit(APP_ENDPOINT_EXCEPTIONS_PATH);
+
+          // Create one artifact
+          getArtifactListEmptyStateAddButton('endpointExceptions').click();
+          performUserActions(artifactNameActions);
+          performUserActions(firstConditionActions);
+          cy.getByTestSubj('endpointExceptionsListPage-flyout-submitButton').click();
+          cy.getByTestSubj('endpointExceptionsListPage-card').should('have.length', 1);
+
+          // Open artifact to edit
+          cy.getByTestSubj('endpointExceptionsListPage-card-header-actions-button').click();
+          cy.getByTestSubj('endpointExceptionsListPage-card-cardEditAction').click();
+
+          addConditionWithOR('agent.type', 'endpoint');
+          addConditionWithOR('host.user.email', 'cheese');
+
+          cy.intercept('PUT', EXCEPTION_LIST_ITEM_URL).as('updateExceptionItem');
+          cy.intercept('POST', EXCEPTION_LIST_ITEM_URL).as('createExceptionItem');
+
+          cy.getByTestSubj('endpointExceptionsListPage-flyout-submitButton').click();
+
+          // There should be 1 artifact edited and 2 new created
+          cy.get('@updateExceptionItem.all').should('have.length', 1);
+          cy.get('@createExceptionItem.all').should('have.length', 2);
+
+          // All 3 with the same name
+          cy.getByTestSubj('endpointExceptionsListPage-card-header-title')
+            .should('have.length', 3)
+            .each((card) => expect(card).to.have.text('Endpoint exception name'));
+
+          // and different conditions
+          shouldHaveConditionsOnScreen([
+            'AND agent.versionIS 1234',
+            'AND agent.typeIS endpoint',
+            'AND host.user.emailIS cheese',
+          ]);
+        });
+      });
+
+      describe('on Alerts page', () => {
+        const clearPrefilledConditions = () =>
+          recurse(
+            () => {
+              cy.getByTestSubj('builderItemEntryDeleteButton').first().click();
+              return cy.getByTestSubj('builderItemEntryDeleteButton').first();
+            },
+
+            // recurse until first button is disabled
+            (firstDeleteButton) => firstDeleteButton.prop('disabled') === true,
+
+            { delay: 100 }
+          );
+
+        it('should create 2 artifacts when using 1 OR operator during CREATE', () => {
+          cy.intercept('POST', EXCEPTION_LIST_ITEM_URL).as('createExceptionItem');
+
+          login();
+          cy.visit(APP_ALERTS_PATH);
+
+          cy.getByTestSubj('timeline-context-menu-button').first().click();
+          cy.getByTestSubj('add-endpoint-exception-menu-item').click();
+
+          clearPrefilledConditions();
+
+          performUserActions(artifactNameActions);
+          performUserActions(firstConditionActions);
+
+          addConditionWithOR('agent.type', 'endpoint');
+
+          cy.getByTestSubj(`add-endpoint-exception-confirm-button`).click();
+
+          // There should be 2 artifacts created
+          cy.get('@createExceptionItem.all').should('have.length', 2);
+
+          // Navigate to Endpoint Exceptions page to check the artifacts
+          cy.visit(APP_ENDPOINT_EXCEPTIONS_PATH);
+
+          // All with same name
+          cy.getByTestSubj('endpointExceptionsListPage-card-header-title')
+            .should('have.length', 2)
+            .each((card) => expect(card).to.have.text('Endpoint exception name'));
+
+          // and different conditions
+          shouldHaveConditionsOnScreen(['AND agent.versionIS 1234', 'AND agent.typeIS endpoint']);
+        });
+
+        it('should create 3 artifacts when using 2 OR operators during CREATE', () => {
+          cy.intercept('POST', EXCEPTION_LIST_ITEM_URL).as('createExceptionItem');
+
+          login();
+          cy.visit(APP_ALERTS_PATH);
+
+          cy.getByTestSubj('timeline-context-menu-button').first().click();
+          cy.getByTestSubj('add-endpoint-exception-menu-item').click();
+
+          clearPrefilledConditions();
+
+          performUserActions(artifactNameActions);
+          performUserActions(firstConditionActions);
+
+          addConditionWithOR('agent.type', 'endpoint');
+          addConditionWithOR('host.user.email', 'cheese');
+
+          cy.getByTestSubj(`add-endpoint-exception-confirm-button`).click();
+
+          // There should be 3 artifacts created
+          cy.get('@createExceptionItem.all').should('have.length', 3);
+
+          // Navigate to Endpoint Exceptions page to check the artifacts
+          cy.visit(APP_ENDPOINT_EXCEPTIONS_PATH);
+
+          // All with same name
+          cy.getByTestSubj('endpointExceptionsListPage-card-header-title')
+            .should('have.length', 3)
+            .each((card) => expect(card).to.have.text('Endpoint exception name'));
+
+          // and different conditions
+          shouldHaveConditionsOnScreen([
+            'AND agent.versionIS 1234',
+            'AND agent.typeIS endpoint',
+            'AND host.user.emailIS cheese',
+          ]);
+        });
+      });
+    });
   }
 );
diff --git a/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/serverless/roles/complete_with_endpoint_roles_threat_intelligence_analyst.cy.ts b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/serverless/roles/complete_with_endpoint_roles_threat_intelligence_analyst.cy.ts
@@ -53,7 +53,9 @@ describe(
     });
 
     describe('for role: threat_intelligence_analyst', () => {
-      const deniedPages = allPages.filter(({ id }) => id !== 'blocklist' && id !== 'endpointList');
+      const deniedPages = allPages.filter(
+        ({ id }) => id !== 'blocklist' && id !== 'endpointList' && id !== 'endpointExceptions'
+      );
 
       beforeEach(() => {
         login(ROLE.threat_intelligence_analyst);
@@ -70,6 +72,13 @@ describe(
         );
       });
 
+      it(`should have CRUD access to: Endpoint exceptions`, () => {
+        cy.visit(pageById.endpointExceptions.url);
+        getArtifactListEmptyStateAddButton(
+          pageById.endpointExceptions.id as EndpointArtifactPageId
+        ).should('exist');
+      });
+
       for (const { url, title } of deniedPages) {
         it(`should NOT have access to: ${title}`, () => {
           cy.visit(url);
diff --git a/x-pack/solutions/security/plugins/security_solution/public/management/cypress/screens/artifacts.ts b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/screens/artifacts.ts
@@ -13,6 +13,7 @@ import type { UserAuthzAccessLevel } from './types';
 
 const artifactPageTopTestSubjPrefix: Readonly<Record<EndpointArtifactPageId, string>> = {
   trustedApps: 'trustedAppsListPage',
+  endpointExceptions: 'endpointExceptionsListPage',
   trustedDevices: 'trustedDevicesList',
   eventFilters: 'EventFiltersListPage',
   hostIsolationExceptions: 'hostIsolationExceptionsListPage',
diff --git a/x-pack/solutions/security/plugins/security_solution/public/management/cypress/screens/page_reference.ts b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/screens/page_reference.ts
@@ -8,6 +8,7 @@
 import { keyBy } from 'lodash';
 import {
   APP_BLOCKLIST_PATH,
+  APP_ENDPOINT_EXCEPTIONS_PATH,
   APP_ENDPOINTS_PATH,
   APP_EVENT_FILTERS_PATH,
   APP_HOST_ISOLATION_EXCEPTIONS_PATH,
@@ -20,6 +21,7 @@ import {
 export interface EndpointManagementPageMap {
   endpointList: EndpointManagementPage;
   policyList: EndpointManagementPage;
+  endpointExceptions: EndpointManagementPage;
   trustedApps: EndpointManagementPage;
   trustedDevices: EndpointManagementPage;
   eventFilters: EndpointManagementPage;
@@ -31,7 +33,12 @@ export interface EndpointManagementPageMap {
 export type EndpointManagementPageId = keyof EndpointManagementPageMap;
 export type EndpointArtifactPageId = keyof Pick<
   EndpointManagementPageMap,
-  'trustedApps' | 'trustedDevices' | 'eventFilters' | 'hostIsolationExceptions' | 'blocklist'
+  | 'trustedApps'
+  | 'trustedDevices'
+  | 'eventFilters'
+  | 'hostIsolationExceptions'
+  | 'blocklist'
+  | 'endpointExceptions'
 >;
 
 interface EndpointManagementPage {
@@ -55,6 +62,12 @@ export const getEndpointManagementPageList = (): EndpointManagementPage[] => {
       url: APP_POLICIES_PATH,
       pageTestSubj: 'policyListPage',
     },
+    {
+      id: 'endpointExceptions',
+      title: 'Endpoint Exceptions Page',
+      url: APP_ENDPOINT_EXCEPTIONS_PATH,
+      pageTestSubj: 'endpointExceptionsListPage-container',
+    },
     {
       id: 'trustedApps',
       title: 'Trusted Apps Page',
