[Security Solution] Exception lists are removed during rule import, causing false positives #256010

@nikitaindik

Description

This issue was created using Cursor

Summary

When using POST /api/detection_engine/rules/_import with overwrite_exceptions=true, there is a race condition that causes false-positive alerts. Existing exception list items are deleted before new items are written back, creating a window where running rules see empty exception lists and generate alerts that should have been suppressed.

Expected Behavior

Importing rules and exceptions with overwrite flags should be an atomic-like operation. Running rules should never evaluate against partially-imported (empty) exception lists.

Actual Behavior

The overwrite flow in importExceptionLists deletes all existing exception list items first (deleteListItemsToBeOverwritten), then new items are imported in a separate subsequent step (importExceptionListItems). During this window, any enabled rule that fires will query the now-empty exception lists and produce alerts that should have been excluded.

Steps to Reproduce

  1. Create a detection rule with an exception list that excludes certain events
  2. Enable the rule so it runs on a schedule (e.g., every 5 minutes)
  3. Use the import API with overwrite=true and overwrite_exceptions=true to re-import the same rule and exceptions
  4. If the rule fires during the import window (between exception item deletion and re-creation), alerts are generated for events that should be excluded

Root Cause

The exception overwrite uses a delete-then-recreate pattern with no transactional guarantees:

  1. importExceptionLists() → calls deleteListItemsToBeOverwritten() to remove all items from overwritten lists
  2. importExceptionListItems() → writes new items back

Between steps 1 and 2, the exception lists exist but contain zero items. There is no mechanism to pause rules during import.
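The following is an added illustration, not Kibana's own code: it models the two steps above as plain function calls and forces a rule run into the window between them, so the false positive is reproducible deterministically without threads. The `import_write_then_swap` variant is an assumed alternative ordering used for contrast, not a fix taken from this issue.

```python
from dataclasses import dataclass, field


@dataclass
class ExceptionList:
    """Minimal stand-in for an exception list: a set of excluded host names."""
    list_id: str
    items: set = field(default_factory=set)


def evaluate_rule(events, exception_list):
    """Return the events that would become alerts, i.e. those not excluded."""
    return [e for e in events if e["host"] not in exception_list.items]


def import_delete_then_recreate(store, list_id, new_items, rule_run_hook):
    """Ordering described in the issue: items are deleted first (step 1),
    then written back (step 2). `rule_run_hook` simulates a scheduled rule
    firing inside that window."""
    store[list_id].items.clear()          # step 1: deleteListItemsToBeOverwritten
    alerts = rule_run_hook()              # rule runs against an empty list
    store[list_id].items.update(new_items)  # step 2: importExceptionListItems
    return alerts


def import_write_then_swap(store, list_id, new_items, rule_run_hook):
    """Assumed contrasting ordering: stage the new list fully, then swap it in,
    so a rule run at any point sees either the old or the new items, never none."""
    staged = ExceptionList(list_id, set(new_items))
    alerts = rule_run_hook()              # rule still sees the old, populated list
    store[list_id] = staged
    return alerts


def run_scenario(importer):
    """Constructed sample data: one excluded host, one event for each host."""
    store = {"allowlist": ExceptionList("allowlist", {"build-01"})}
    events = [{"host": "build-01"}, {"host": "laptop-7"}]
    hook = lambda: evaluate_rule(events, store["allowlist"])
    alerts = importer(store, "allowlist", {"build-01"}, hook)
    return [a["host"] for a in alerts]


if __name__ == "__main__":
    print("delete-then-recreate:", run_scenario(import_delete_then_recreate))
    print("write-then-swap:", run_scenario(import_write_then_swap))
```

With the issue's ordering the excluded host `build-01` alerts during the window; with the staged swap only `laptop-7` does.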

Metadata

Assignees: no one assigned

Labels: Feature:Rule Exceptions, Feature:Rule Import/Export, Team: SecuritySolution, Team:Detection Engine, Team:Detection Rule Management, Team:Detections and Resp, bug, good first issue, impact:medium, triage:keep

Development: no branches or pull requests