[9.1] [Defend Workflows] Fix endpoint exceptions cypress test (elastic#229469) (elastic#231637)

# Backport

This will backport the following commits from `main` to `9.1`:
- [[Defend Workflows] Fix endpoint exceptions cypress test
(elastic#229469)](elastic#229469)

<!--- Backport version: 9.6.6 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sorenlouv/backport)

<!--BACKPORT [{"author":{"name":"Gergő
Ábrahám","email":"[email protected]"},"sourceCommit":{"committedDate":"2025-08-13T14:10:51Z","message":"[Defend
Workflows] Fix endpoint exceptions cypress test (elastic#229469)\n\n##
Summary\n\nThis PR fixes and re-enables Endpoint Exception cypress
tests, in order\nto keep behavior intact while moving on Endpoint
Exceptions out of\nDetections
(https://github.com/elastic/security-team/issues/11812).\n\n###
Checklist\n\nCheck the PR satisfies following conditions. \n\nReviewers
should verify this PR satisfies this list as well.\n\n- [x] [Unit or
functional\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\nwere
updated or added to match the most common
scenarios","sha":"2e20740a8d258d962e054f79eef33fa8ef94e1e8","branchLabelMapping":{"^v9.2.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:skip","Team:Defend
Workflows","OLM Sprint","backport:all-open","v9.2.0"],"title":"[Defend
Workflows] Fix endpoint exceptions cypress
test","number":229469,"url":"https://github.com/elastic/kibana/pull/229469","mergeCommit":{"message":"[Defend
Workflows] Fix endpoint exceptions cypress test (elastic#229469)\n\n##
Summary\n\nThis PR fixes and re-enables Endpoint Exception cypress
tests, in order\nto keep behavior intact while moving on Endpoint
Exceptions out of\nDetections
(https://github.com/elastic/security-team/issues/11812).\n\n###
Checklist\n\nCheck the PR satisfies following conditions. \n\nReviewers
should verify this PR satisfies this list as well.\n\n- [x] [Unit or
functional\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\nwere
updated or added to match the most common
scenarios","sha":"2e20740a8d258d962e054f79eef33fa8ef94e1e8"}},"sourceBranch":"main","suggestedTargetBranches":[],"targetPullRequestStates":[{"branch":"main","label":"v9.2.0","branchLabelMappingKey":"^v9.2.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/229469","number":229469,"mergeCommit":{"message":"[Defend
Workflows] Fix endpoint exceptions cypress test (elastic#229469)\n\n##
Summary\n\nThis PR fixes and re-enables Endpoint Exception cypress
tests, in order\nto keep behavior intact while moving on Endpoint
Exceptions out of\nDetections
(https://github.com/elastic/security-team/issues/11812).\n\n###
Checklist\n\nCheck the PR satisfies following conditions. \n\nReviewers
should verify this PR satisfies this list as well.\n\n- [x] [Unit or
functional\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\nwere
updated or added to match the most common
scenarios","sha":"2e20740a8d258d962e054f79eef33fa8ef94e1e8"}}]}]
BACKPORT-->

Co-authored-by: Gergő Ábrahám <[email protected]>

Author: kibanamachine

x-pack/test/security_solution_cypress/cypress/e2e/detection_response/detection_engine/exceptions/alerts_table_flow/endpoint_exceptions.cy.ts

@@ -5,6 +5,7 @@
  * 2.0.
  */
 
+import { deleteEndpointExceptionList } from '../../../../../tasks/api_calls/exceptions';
 import { deleteAlertsAndRules } from '../../../../../tasks/api_calls/common';
 import {
   expandFirstAlert,
@@ -28,7 +29,7 @@ import {
 } from '../../../../../tasks/exceptions';
 import { ALERTS_COUNT } from '../../../../../screens/alerts';
 import {
-  ADD_AND_BTN,
+  ADD_NESTED_BTN,
   EXCEPTION_CARD_ITEM_CONDITIONS,
   EXCEPTION_CARD_ITEM_NAME,
   EXCEPTION_ITEM_VIEWER_CONTAINER,
@@ -40,8 +41,7 @@ import {
 } from '../../../../../tasks/rule_details';
 
 // TODO: https://github.com/elastic/kibana/issues/161539
-// See https://github.com/elastic/kibana/issues/163967
-describe.skip(
+describe(
   'Endpoint Exceptions workflows from Alert',
   { tags: ['@ess', '@serverless', '@skipInServerless'] },
   () => {
@@ -53,6 +53,7 @@ describe.skip(
       cy.task('esArchiverUnload', { archiveName: 'endpoint' });
       login();
       deleteAlertsAndRules();
+      deleteEndpointExceptionList();
 
       cy.task('esArchiverLoad', { archiveName: 'endpoint' });
       createRule(getEndpointRule()).then((rule) => visitRuleDetailsPage(rule.body.id));
@@ -63,6 +64,7 @@ describe.skip(
 
     after(() => {
       cy.task('esArchiverUnload', { archiveName: 'endpoint' });
+      deleteEndpointExceptionList();
     });
 
     it('Should be able to create and close single Endpoint exception from overflow menu', () => {
@@ -99,7 +101,8 @@ describe.skip(
       validateExceptionConditionField('file.Ext.code_signature');
       addExceptionFlyoutItemName(ITEM_NAME);
 
-      cy.get(ADD_AND_BTN).click();
+      // Add non-nested condition
+      cy.get(ADD_NESTED_BTN).click();
       // edit conditions
       addExceptionEntryFieldValueAndSelectSuggestion(ADDITIONAL_ENTRY, 6);
       addExceptionEntryFieldValueValue('foo', 4);

x-pack/test/security_solution_cypress/cypress/e2e/detection_response/detection_engine/exceptions/alerts_table_flow/rule_exceptions/auto_populate_with_alert_data.cy.ts

@@ -38,8 +38,8 @@ describe('Auto populate exception with Alert data', { tags: ['@ess', '@serverles
   const ADDITIONAL_ENTRY = 'host.hostname';
 
   beforeEach(() => {
-    cy.task('esArchiverUnload', { archiveName: 'endpoint' });
-    cy.task('esArchiverLoad', { archiveName: 'endpoint' });
+    cy.task('esArchiverUnload', { archiveName: 'endpoint_2' });
+    cy.task('esArchiverLoad', { archiveName: 'endpoint_2' });
     login();
     createRule(getEndpointRule()).then((rule) => visitRuleDetailsPage(rule.body.id));
 

x-pack/test/security_solution_cypress/cypress/tasks/exceptions/conditions.ts

@@ -80,7 +80,7 @@ export const addExceptionConditions = (exception: Exception) => {
 };
 
 export const validateExceptionConditionField = (value: string) => {
-  cy.get(EXCEPTION_ITEM_CONTAINER).contains('span', value);
+  cy.get(EXCEPTION_ITEM_CONTAINER).get(`input[value="${value}"]`).should('exist');
 };
 
 export const addTwoAndedConditions = (

x-pack/test/security_solution_cypress/es_archives/endpoint/data.json

@@ -59,7 +59,7 @@
         "name": "siem-kibana"
       },
       "agent": {
-        "type": "auditbeat",
+        "type": "endpoint",
         "version": "8.1.0",
         "ephemeral_id": "f6df090f-656a-4a79-a6a1-0c8671c9752d",
         "id": "0ebd469b-c164-4734-00e6-96d018098dc7",

x-pack/test/security_solution_cypress/es_archives/endpoint/mappings.json

@@ -18,6 +18,48 @@
         "@timestamp": {
           "type": "date"
         },
+        "file": {
+          "properties": {
+            "Ext": {
+              "properties": {
+                "code_signature": {
+                  "type": "nested",
+                  "properties": {
+                    "subject_name": {
+                      "type": "keyword",
+                      "ignore_above": 1024
+                    },
+                    "trusted": {
+                      "type": "boolean"
+                    }
+                  }
+                }
+              }
+            },
+            "hash": {
+              "properties": {
+                "sha256": {
+                  "type": "keyword",
+                  "ignore_above": 1024
+                }
+              }
+            },
+            "path": {
+              "type": "keyword",
+              "ignore_above": 1024,
+              "fields": {
+                "caseless": {
+                  "type": "keyword",
+                  "ignore_above": 1024,
+                  "normalizer": "lowercase"
+                },
+                "text": {
+                  "type": "text"
+                }
+              }
+            }
+          }
+        },
         "agent": {
           "properties": {
             "ephemeral_id": {
@@ -491,4 +533,4 @@
       }
     }
   }
-}
+}