[Detection Engine] Remove Endpoint List bootstrap calls from Rule-related routes (elastic#258266)

rylnd · kibanamachine · web-flow · commit f912fdcf915e · 2026-04-03T08:59:55.000-07:00
## Summary This PR removes two calls to `createEndpointList()` from rule-related code paths. [PR elastic#233289](elastic#233289) removed the use of endpoint exceptions in rules, so ensuring the endpoint list exists in these rule routes is no longer required. Dropping these calls fixes a 9.3 issue where users with **only** the Rules Kibana feature could not preview rules, because the routes were invoking `createEndpointList()`, which depended on list/exception permissions those users do not have. The problem was first seen on the Alerts RBAC branch but affects current 9.3 behavior. ### Expected behavior for rules that reference an endpoint exception list - **Until the feature flag is enabled/removed:** Rules keep using any associated endpoint exception list when the `endpointExceptionsMovedUnderManagement` feature flag is off. No change to that behavior. - **When the user cannot read the endpoint exception list:** Endpoint exceptions are ignored (no error). Rule creation and preview succeed; only endpoint exception list items are skipped for that execution. A new integration test under `create_rules` covers this: a user with only the Rules feature can create and preview a rule that references the endpoint exception list, and the preview completes successfully with no errors while endpoint exceptions are ignored. --- ## How to Review 1. **Feature flag and execution:** Ensure rule execution and `getExceptions` still respect `endpointExceptionsMovedUnderManagement` (endpoint lists filtered out when the flag is on) and that missing read permission for the endpoint list results in endpoint exceptions being ignored, not in failures. 1. **New integration test:** Run the new test that uses a role with only the Rules feature (e.g. `rulesAllPreviewIndexRole`), creates a rule that references the endpoint exception list, and runs a rule preview. It should pass and assert that the preview returns no errors (validating that endpoint exceptions are ignored when the user cannot read the endpoint list). 1. **Regression:** Run the existing detections/rule creation and prebuilt-rule installation tests to confirm no regressions from removing `createEndpointList()`. ### Checklist Check the PR satisfies following conditions. Reviewers should verify this PR satisfies this list as well. - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios - [ ] [Flaky Test Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was used on any tests changed - [ ] The PR description includes the appropriate Release Notes section, and the correct `release_note:*` label is applied per the [guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process) - [x] Review the [backport guidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing) and apply applicable `backport:*` labels. --------- Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
diff --git a/x-pack/solutions/security/plugins/security_solution/server/lib/detection_engine/rule_management/api/rules/create_rule/route.ts b/x-pack/solutions/security/plugins/security_solution/server/lib/detection_engine/rule_management/api/rules/create_rule/route.ts
@@ -61,8 +61,6 @@ export const createRuleRoute = (router: SecuritySolutionPluginRouter): void => {
 
           const rulesClient = await ctx.alerting.getRulesClient();
           const detectionRulesClient = ctx.securitySolution.getDetectionRulesClient();
-          const exceptionsClient = ctx.lists?.getExceptionListClient();
-          const { canWriteEndpointList } = await ctx.securitySolution.getEndpointAuthz();
 
           if (request.body.rule_id != null) {
             const rule = await readRules({
@@ -78,10 +76,6 @@ export const createRuleRoute = (router: SecuritySolutionPluginRouter): void => {
             }
           }
 
-          // This will create the endpoint list if it does not exist yet
-          if (canWriteEndpointList) {
-            await exceptionsClient?.createEndpointList();
-          }
           checkDefaultRuleExceptionListReferences({
             exceptionLists: request.body.exceptions_list,
           });
diff --git a/x-pack/solutions/security/plugins/security_solution/server/lib/detection_engine/rule_preview/api/preview_rules/route.ts b/x-pack/solutions/security/plugins/security_solution/server/lib/detection_engine/rule_preview/api/preview_rules/route.ts
@@ -152,9 +152,6 @@ export const previewRulesRoute = (
           });
           throwAuthzError(await mlAuthz.validateRuleType(internalRule.params.type));
 
-          const listsContext = await context.lists;
-          await listsContext?.getExceptionListClient().createEndpointList();
-
           const spaceId = siemClient.getSpaceId();
           const previewId = uuidv4();
           const username = security?.authc.getCurrentUser(request)?.username;
diff --git a/x-pack/solutions/security/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/basic_license_essentials_tier/find_rule_exception_references.ts b/x-pack/solutions/security/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/basic_license_essentials_tier/find_rule_exception_references.ts
@@ -221,7 +221,7 @@ export default ({ getService }: FtrProviderContext) => {
         .expect(200);
 
       const refs = references.references.flatMap((ref: RuleReferencesSchema) => Object.keys(ref));
-      expect(refs.sort()).to.eql(['i_exist', 'i_exist_2', 'endpoint_list'].sort());
+      expect(refs.sort()).to.eql(['i_exist', 'i_exist_2'].sort());
     });
   });
 };
diff --git a/x-pack/solutions/security/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_preview/preview_rules.ts b/x-pack/solutions/security/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_preview/preview_rules.ts
@@ -105,12 +105,25 @@ export default ({ getService }: FtrProviderContext) => {
         });
 
         it('should NOT be able to preview a rule', async () => {
-          await supertestWithoutAuth
+          // t1_analyst has Rules read but not preview index privileges; they get 200 with an error
+          // in the body (no longer 403, since we no longer call createEndpointList on this route).
+          const { body } = await supertestWithoutAuth
             .post(DETECTION_ENGINE_RULES_PREVIEW)
             .auth(role, 'changeme')
             .set('kbn-xsrf', 'true')
             .send(getSimplePreviewRule())
-            .expect(403);
+            .expect(200);
+
+          const { logs } = getSimpleRulePreviewOutput(undefined, [
+            {
+              errors: [
+                'Missing "read" privileges for the ".preview.alerts-security.alerts" or ".internal.preview.alerts-security.alerts" indices. Without these privileges you cannot use the Rule Preview feature.',
+              ],
+              warnings: [],
+              duration: 0,
+            },
+          ]);
+          expect(body).to.eql({ logs });
         });
       });
 
diff --git a/x-pack/solutions/security/test/security_solution_api_integration/test_suites/detections_response/rules_management/rule_creation/trial_license_complete_tier/create_rules.ts b/x-pack/solutions/security/test/security_solution_api_integration/test_suites/detections_response/rules_management/rule_creation/trial_license_complete_tier/create_rules.ts
@@ -16,6 +16,7 @@ import {
 } from '@kbn/security-solution-plugin/common/constants';
 import { ExceptionListTypeEnum } from '@kbn/securitysolution-io-ts-list-types';
 import { ROLES } from '@kbn/security-solution-plugin/common/test';
+import { ENDPOINT_ARTIFACT_LISTS, ENDPOINT_LIST_URL } from '@kbn/securitysolution-list-constants';
 
 import {
   deleteAllRules,
@@ -40,9 +41,12 @@ import {
   fetchRule,
   waitForAlertToComplete,
   refreshIndex,
+  rulesAllPreviewIndexRole,
+  createExceptionListItem,
 } from '../../../utils';
 import { createUserAndRole, deleteUserAndRole } from '../../../../../config/services/common';
 import { ROLE } from '../../../../../config/services/security_solution_edr_workflows_roles_users';
+import { deleteAllExceptions } from '../../../../lists_and_exception_lists/utils';
 
 export default ({ getService }: FtrProviderContext) => {
   const supertest = getService('supertest');
@@ -748,5 +752,83 @@ export default ({ getService }: FtrProviderContext) => {
         );
       });
     });
+
+    describe('@skipInServerless as a user with only the Rules feature', () => {
+      beforeEach(async () => {
+        await deleteAllRules(supertest, log);
+        await utils.createSuperTestWithCustomRole(rulesAllPreviewIndexRole);
+      });
+
+      afterEach(async () => {
+        await utils.cleanUpCustomRoles();
+        await deleteAllRules(supertest, log);
+        await deleteAllExceptions(supertest, log);
+      });
+
+      it('creates and previews a rule that references the endpoint exception list', async () => {
+        // ensure the endpoint list exists
+        await supertest.post(ENDPOINT_LIST_URL).set('kbn-xsrf', 'true').send().expect(200);
+        // add 1 item to the existing endpoint exception list, which will be queried by the rule
+        await createExceptionListItem(supertest, log, {
+          description: 'item description',
+          entries: [
+            {
+              field: 'keyword',
+              operator: 'included',
+              type: 'match',
+              value: 'something',
+            },
+          ],
+          list_id: ENDPOINT_ARTIFACT_LISTS.endpointExceptions.id,
+          name: ENDPOINT_ARTIFACT_LISTS.endpointExceptions.id,
+          os_types: [],
+          type: 'simple',
+          namespace_type: 'agnostic',
+        });
+
+        const ruleParams = getCustomQueryRuleParams({
+          rule_id: 'rule-with-endpoint-exception-list',
+          exceptions_list: [
+            {
+              id: ENDPOINT_ARTIFACT_LISTS.endpointExceptions.id,
+              list_id: ENDPOINT_ARTIFACT_LISTS.endpointExceptions.id,
+              namespace_type: 'agnostic',
+              type: 'endpoint',
+            },
+          ],
+        });
+
+        const restrictedApis = detectionsApi.withUser({
+          username: rulesAllPreviewIndexRole.name,
+          password: 'changeme',
+        });
+
+        const { body: createdRule } = await restrictedApis
+          .createRule({ body: ruleParams })
+          .expect(200);
+
+        expect(createdRule.exceptions_list).toHaveLength(1);
+        expect(createdRule.exceptions_list?.[0]).toMatchObject({
+          list_id: ENDPOINT_ARTIFACT_LISTS.endpointExceptions.id,
+          type: 'endpoint',
+        });
+
+        const { body: previewBody } = await restrictedApis
+          .rulePreview({
+            query: {},
+            body: {
+              ...ruleParams,
+              invocationCount: 1,
+              timeframeEnd: new Date().toISOString(),
+            },
+          })
+          .expect(200);
+
+        expect(previewBody.previewId).toBeDefined();
+        expect(previewBody.logs.length).toBeGreaterThan(0);
+        expect(previewBody.logs[0].duration).toBeGreaterThan(0);
+        expect(previewBody.logs[0].errors).toHaveLength(0);
+      });
+    });
   });
 };
diff --git a/x-pack/solutions/security/test/security_solution_api_integration/test_suites/detections_response/utils/auth/roles.ts b/x-pack/solutions/security/test/security_solution_api_integration/test_suites/detections_response/utils/auth/roles.ts
@@ -5,9 +5,38 @@
  * 2.0.
  */
 
-import { RULES_FEATURE_ID_V3 } from '@kbn/security-solution-features/constants';
+import {
+  RULES_FEATURE_ID_V2,
+  RULES_FEATURE_ID_V3,
+} from '@kbn/security-solution-features/constants';
 import type { CustomRole } from '../../../../config/services/types';
 
+/** Role with Rules V2 ALL and preview indices access. Should be able to create rules and preview them. **/
+export const rulesAllPreviewIndexRole: CustomRole = {
+  name: 'rules_all_preview_index',
+  privileges: {
+    elasticsearch: {
+      indices: [
+        {
+          names: [
+            '.preview.alerts-security.alerts-*',
+            '.internal.preview.alerts-security.alerts-*',
+          ],
+          privileges: ['read'],
+        },
+      ],
+    },
+    kibana: [
+      {
+        feature: {
+          [RULES_FEATURE_ID_V2]: ['all'],
+        },
+        spaces: ['*'],
+      },
+    ],
+  },
+};
+
 /** Role with only Rules V3 ALL (no Alerts or other SIEM features). */
 export const rulesAllV3OnlyRole: CustomRole = {
   name: 'rules_all_v3_only',
diff --git a/x-pack/solutions/security/test/security_solution_cypress/cypress/e2e/detection_response/detection_engine/exceptions/alerts_table_flow/endpoint_exceptions.cy.ts b/x-pack/solutions/security/test/security_solution_cypress/cypress/e2e/detection_response/detection_engine/exceptions/alerts_table_flow/endpoint_exceptions.cy.ts
@@ -5,7 +5,10 @@
  * 2.0.
  */
 
-import { deleteEndpointExceptionList } from '../../../../../tasks/api_calls/exceptions';
+import {
+  createEndpointExceptionList,
+  deleteEndpointExceptionList,
+} from '../../../../../tasks/api_calls/exceptions';
 import { deleteAlertsAndRules } from '../../../../../tasks/api_calls/common';
 import {
   expandFirstAlert,
@@ -54,6 +57,7 @@ describe(
       login();
       deleteAlertsAndRules();
       deleteEndpointExceptionList();
+      createEndpointExceptionList();
 
       cy.task('esArchiverLoad', { archiveName: 'endpoint' });
       createRule(getEndpointRule()).then((rule) =>
diff --git a/x-pack/solutions/security/test/security_solution_cypress/cypress/e2e/detection_response/detection_engine/exceptions/shared_exception_lists_management/shared_exception_list_page/filter_table.cy.ts b/x-pack/solutions/security/test/security_solution_cypress/cypress/e2e/detection_response/detection_engine/exceptions/shared_exception_lists_management/shared_exception_list_page/filter_table.cy.ts
@@ -11,7 +11,11 @@ import {
   EXCEPTIONS_TABLE_SHOWING_LISTS,
   EXCEPTIONS_TABLE_LIST_NAME,
 } from '../../../../../../screens/exceptions';
-import { createExceptionList } from '../../../../../../tasks/api_calls/exceptions';
+import {
+  createEndpointExceptionList,
+  createExceptionList,
+  deleteExceptionLists,
+} from '../../../../../../tasks/api_calls/exceptions';
 import { createRule } from '../../../../../../tasks/api_calls/rules';
 import {
   waitForExceptionsTableToBeLoaded,
@@ -41,6 +45,8 @@ const getExceptionList2 = () => ({
 describe('Filter Lists', { tags: ['@ess', '@serverless', '@skipInServerlessMKI'] }, () => {
   beforeEach(() => {
     login();
+    deleteExceptionLists();
+    createEndpointExceptionList();
 
     // Create exception list associated with a rule
     createExceptionList(getExceptionList2(), getExceptionList2().list_id).then((response) =>
diff --git a/x-pack/solutions/security/test/security_solution_cypress/cypress/e2e/detection_response/detection_engine/exceptions/shared_exception_lists_management/shared_exception_list_page/manage_lists.cy.ts b/x-pack/solutions/security/test/security_solution_cypress/cypress/e2e/detection_response/detection_engine/exceptions/shared_exception_lists_management/shared_exception_list_page/manage_lists.cy.ts
@@ -32,6 +32,7 @@ import {
   EXCEPTIONS_TABLE_SHOWING_LISTS,
 } from '../../../../../../screens/exceptions';
 import {
+  createEndpointExceptionList,
   createExceptionList,
   deleteExceptionLists,
 } from '../../../../../../tasks/api_calls/exceptions';
@@ -64,6 +65,7 @@ describe(
       beforeEach(() => {
         deleteAlertsAndRules();
         deleteExceptionLists();
+        createEndpointExceptionList();
         createRule(getNewRule({ name: 'Another rule' }));
 
         // Create exception list associated with a rule
