elastic/kibana

[Security Solution] Exception lists are removed during rule import rule import, causing false positives

Open

#256010 opened on Mar 4, 2026

View on GitHub
 (2 comments) (0 reactions) (0 assignees)TypeScript (19,065 stars) (8,021 forks)batch import
Feature:Rule ExceptionsFeature:Rule Import/ExportTeam: SecuritySolutionTeam:Detection EngineTeam:Detection Rule ManagementTeam:Detections and Respbuggood first issueimpact:mediumtriage:keep

Description

This issue was created using Cursor

Summary

When using POST /api/detection_engine/rules/_import with overwrite_exceptions=true, there is a race condition that causes false-positive alerts. Existing exception list items are deleted before new items are written back, creating a window where running rules see empty exception lists and generate alerts that should have been suppressed.

Expected Behavior

Importing rules and exceptions with overwrite flags should be an atomic-like operation. Running rules should never evaluate against partially-imported (empty) exception lists.

Actual Behavior

The overwrite flow in importExceptionLists deletes all existing exception list items first (deleteListItemsToBeOverwritten), then new items are imported in a separate subsequent step (importExceptionListItems). During this window, any enabled rule that fires will query the now-empty exception lists and produce alerts that should have been excluded.

Steps to Reproduce

  1. Create a detection rule with an exception list that excludes certain events
  2. Enable the rule so it runs on a schedule (e.g., every 5 minutes)
  3. Use the import API with overwrite=true and overwrite_exceptions=true to re-import the same rule and exceptions
  4. If the rule fires during the import window (between exception item deletion and re-creation), alerts are generated for events that should be excluded

Root Cause

The exception overwrite uses a delete-then-recreate pattern with no transactional guarantees:

  1. importExceptionLists() → calls deleteListItemsToBeOverwritten() to remove all items from overwritten lists
  2. importExceptionListItems() → writes new items back

Between steps 1 and 2, the exception lists exist but contain zero items. There is no mechanism to pause rules during import.

Contributor guide

Tech stack
typescriptnodejsreact
Domain
backendapisecurity
Issue type
bug
DifficultyEstimated implementation difficulty for a new contributor, from 1 for very small changes to 5 for expert-level work.
4
Estimated timeA rough time range for an experienced contributor to investigate, implement, test, and prepare a pull request.
3-5 days
Activity statusHow available the issue appears right now: fresh, active, stale, blocked, or waiting on maintainer input.
fresh
ClarityHow clearly the issue explains the expected change, acceptance criteria, and next step.
clear
Prerequisites
Familiarity with Kibana security solutionUnderstanding of race conditionsExperience with TypeScript async/await
Newbie friendlinessA 1-100 score estimating how approachable this issue is for first-time contributors.
25
Research direction
Examine the `importExceptionLists` and related functions in the Kibana security solution plugin, specifically the `deleteListItemsToBeOverwritten` and `importExceptionListItems` steps. Investigate the rule execution pipeline to understand how exception lists are queried during rule evaluation. Consider implementing a two phase commit or a temporary state that prevents rules from querying empty lists during the import window.