diff --git a/solutions/images/security-blocklist.png b/solutions/images/security-blocklist.png index f739e521ce..8c6e420999 100644 Binary files a/solutions/images/security-blocklist.png and b/solutions/images/security-blocklist.png differ diff --git a/solutions/images/security-event-filter.png b/solutions/images/security-event-filter.png deleted file mode 100644 index 9937fff516..0000000000 Binary files a/solutions/images/security-event-filter.png and /dev/null differ diff --git a/solutions/images/security-event-filters-list.png b/solutions/images/security-event-filters-list.png index 9dc0dab50c..4232978978 100644 Binary files a/solutions/images/security-event-filters-list.png and b/solutions/images/security-event-filters-list.png differ diff --git a/solutions/images/security-host-isolation-exceptions-ui.png b/solutions/images/security-host-isolation-exceptions-ui.png index 250bd4eff2..33340b3b99 100644 Binary files a/solutions/images/security-host-isolation-exceptions-ui.png and b/solutions/images/security-host-isolation-exceptions-ui.png differ diff --git a/solutions/images/security-trusted-apps-list.png b/solutions/images/security-trusted-apps-list.png index 828f6e85ea..5bc8ed0830 100644 Binary files a/solutions/images/security-trusted-apps-list.png and b/solutions/images/security-trusted-apps-list.png differ diff --git a/solutions/images/security-trusted-devices-list.png b/solutions/images/security-trusted-devices-list.png index 7c69261ad2..2480351672 100644 Binary files a/solutions/images/security-trusted-devices-list.png and b/solutions/images/security-trusted-devices-list.png differ diff --git a/solutions/security/manage-elastic-defend/blocklist.md b/solutions/security/manage-elastic-defend/blocklist.md index 4fc5173927..e9413e9950 100644 --- a/solutions/security/manage-elastic-defend/blocklist.md +++ b/solutions/security/manage-elastic-defend/blocklist.md 
@@ -26,6 +26,10 @@ The blocklist is not intended to broadly block benign applications for non-secur By default, a blocklist entry is recognized globally across all hosts running {{elastic-defend}}. You can also assign a blocklist entry to specific {{elastic-defend}} integration policies, which blocks the process only on hosts assigned to that policy. +## Add a blocklist entry [add-blocklist-entry] + +To add a blocklist entry: + 1. Depending on your version, do one of the following: * {applies_to}`serverless: ga` {applies_to}`stack: ga 9.4+` Go to the **Artifacts** page using the navigation menu or the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md), then select the **Blocklist** tab. * {applies_to}`stack: ga 9.0-9.3` Go to the **Blocklist** page using the navigation menu or the global search field. @@ -71,6 +75,11 @@ By default, a blocklist entry is recognized globally across all hosts running {{ 1. Go to the **Policies** page, then click on an integration policy. 2. On the **Policy settings** tab, ensure that the **Malware protections** and **Blocklist** toggles are switched on. Both settings are enabled by default. +::::{tip} +:applies_to: { stack: ga 9.4+, serverless: ga } + +To add multiple blocklist entries at once, you can import an NDJSON file instead. Refer to [Import and export blocklist entries](#import-export-blocklist). +:::: ## View and manage the blocklist [manage-blocklist] 
@@ -83,6 +92,32 @@ The **Blocklist** UI displays all the blocklist entries that have been added to ::: +### Import and export blocklist entries [import-export-blocklist] + +```{applies_to} +stack: ga 9.4+ +serverless: ga +``` + +::::{admonition} Requirements +* To export blocklist entries, you need the **Blocklist: Read** [privilege](/solutions/security/configure-elastic-defend/elastic-defend-feature-privileges.md). +* To import per-policy items, you need the **Blocklist: All** privilege. +* To import global items, you need the **Blocklist: All** and the **Global artifact management: All** privilege. +* To import items to a different space, you need the **Global artifact management: All** privilege. +:::: + +You can import and export blocklist entries as NDJSON files: + +- **When the list is empty**: click **Import blocklist entries**. +- **When the list has entries**: click the actions menu ({icon}`boxes_vertical`), then select **Import blocklist entries** or **Export blocklist entries**. + +When you import an NDJSON file, the imported blocklist entries are appended to your existing entries — existing entries are not removed or overwritten. + +Items are processed individually on import — per-policy items that are not visible in the current space are skipped, while the remaining items are imported. + +If an imported per-policy item is assigned to a policy that doesn't exist in the current environment, the item is imported with the policy assignment removed. + + ### Edit a blocklist entry [edit-blocklist-entry] You can individually modify each blocklist entry. You can also change the policies that a blocklist entry is assigned to. diff --git a/solutions/security/manage-elastic-defend/elastic-endpoint-exceptions.md b/solutions/security/manage-elastic-defend/elastic-endpoint-exceptions.md index 431275fe02..78912b157d 100644 --- a/solutions/security/manage-elastic-defend/elastic-endpoint-exceptions.md 
+++ b/solutions/security/manage-elastic-defend/elastic-endpoint-exceptions.md @@ -105,6 +105,10 @@ The **Add Endpoint Exception** flyout opens. It might take longer for exceptions to be applied to hosts within larger deployments. :::: +::::{tip} +To add multiple exceptions at once, you can import an NDJSON file instead. Refer to [Import and export {{elastic-endpoint}} exceptions](#import-export-endpoint-exceptions). +:::: + ## Nested conditions [nested-conditions] 
@@ -118,7 +122,24 @@ The **Endpoint exceptions** tab on the **Artifacts** page displays all {{elastic * Select one or more policies to show only exceptions assigned to those policies. * Under **Additional filters**, select **Global entries** to show exceptions assigned globally, or **Unassigned entries** to show exceptions not assigned to any policy. -You can import and export {{elastic-endpoint}} exceptions as NDJSON files using the actions menu ({icon}`boxes_vertical`) on the **Endpoint exceptions** tab. +:::{image} /solutions/images/security-endpoint-exceptions.png +:alt: List of Elastic Endpoint exceptions +:screenshot: +::: + +### Import and export {{elastic-endpoint}} exceptions [import-export-endpoint-exceptions] + +::::{admonition} Requirements +* To export {{elastic-endpoint}} exceptions, you need the **Endpoint Exceptions: Read** [privilege](/solutions/security/configure-elastic-defend/elastic-defend-feature-privileges.md). +* To import per-policy items, you need the **Endpoint Exceptions: All** privilege. +* To import global items, you need the **Endpoint Exceptions: All** and the **Global artifact management: All** privilege. +* To import items to a different space, you need the **Global artifact management: All** privilege. +:::: + +You can import and export {{elastic-endpoint}} exceptions as NDJSON files: + +- **When the list is empty**: click **Import {{elastic-endpoint}}**. +- **When the list has entries**: click the actions menu ({icon}`boxes_vertical`), then select **Import {{elastic-endpoint}}** or **Export {{elastic-endpoint}}**. When you import an NDJSON file, the imported exceptions are appended to your existing exceptions — existing entries are not removed or overwritten. 
@@ -126,10 +147,9 @@ When you import an NDJSON file, the imported exceptions are appended to your exi In versions prior to 9.4, importing offered the option to remove all existing exceptions and replace them with the imported ones. Starting in 9.4, import always appends — existing exceptions are never removed. If you're upgrading from an earlier version, this applies whether or not you have opted in to per-policy exceptions. :::: -:::{image} /solutions/images/security-endpoint-exceptions.png -:alt: List of Elastic Endpoint exceptions -:screenshot: -::: +Items are processed individually on import — per-policy items that are not visible in the current space are skipped, while the remaining items are imported. + +If an imported per-policy item is assigned to a policy that doesn't exist in the current environment, the item is imported with the policy assignment removed. ### Edit an {{elastic-endpoint}} exception [edit-endpoint-exception] diff --git a/solutions/security/manage-elastic-defend/event-filters.md b/solutions/security/manage-elastic-defend/event-filters.md index c6f59024d1..c6c5492861 100644 --- a/solutions/security/manage-elastic-defend/event-filters.md +++ b/solutions/security/manage-elastic-defend/event-filters.md @@ -30,6 +30,8 @@ Since an event filter blocks an event from streaming to {{es}}, be conscious of By default, event filters are recognized globally across all hosts running {{elastic-defend}}. You can also assign an event filter to a specific {{elastic-defend}} integration policy, which would filter endpoint events from the hosts assigned to that policy. +## Add an event filter [add-event-filter] + Create event filters from the **Hosts** page or, depending on your version, from the **Artifacts** ({applies_to}`serverless: ga` {applies_to}`stack: ga 9.4+`) or **Event filters** ({applies_to}`stack: ga 9.0-9.3`) page. 1. Do one of the following: 
@@ -47,11 +49,6 @@ Create event filters from the **Hosts** page or, depending on your version, from * {applies_to}`stack: ga 9.0-9.3` To create an event filter from the **Event filters** page, click **Add event filter**. - :::{image} /solutions/images/security-event-filter.png - :alt: Add event filter flyout - :screenshot: - ::: - 2. Fill in these fields in the **Details** section: 1. `Name`: Enter a name for the event filter. @@ -99,6 +96,12 @@ Create event filters from the **Hosts** page or, depending on your version, from 6. Add a comment if you want to provide more information about the event filter (optional). 7. Click **Add event filter**. The new filter is added to the **Event filters** list. +::::{tip} +:applies_to: { stack: ga 9.4+, serverless: ga } + +To add multiple event filters at once, you can import an NDJSON file instead. Refer to [Import and export event filters](#import-export-event-filters). +:::: + ## View and manage event filters [manage-event-filters] 
@@ -110,6 +113,32 @@ The **Event filters** UI displays all the event filters that have been added to ::: +### Import and export event filters [import-export-event-filters] + +```{applies_to} +stack: ga 9.4+ +serverless: ga +``` + +::::{admonition} Requirements +* To export event filters, you need the **Event Filters: Read** [privilege](/solutions/security/configure-elastic-defend/elastic-defend-feature-privileges.md). +* To import per-policy items, you need the **Event Filters: All** privilege. +* To import global items, you need the **Event Filters: All** and the **Global artifact management: All** privilege. +* To import items to a different space, you need the **Global artifact management: All** privilege. +:::: + +You can import and export event filters as NDJSON files: + +- **When the list is empty**: click **Import event filters**. +- **When the list has entries**: click the actions menu ({icon}`boxes_vertical`), then select **Import event filters** or **Export event filters**. + +When you import an NDJSON file, the imported event filters are appended to your existing entries — existing entries are not removed or overwritten. + +Items are processed individually on import — per-policy items that are not visible in the current space are skipped, while the remaining items are imported. + +If an imported per-policy item is assigned to a policy that doesn't exist in the current environment, the item is imported with the policy assignment removed. + + ### Edit an event filter [edit-event-filter] You can individually modify each event filter. You can also change the policies that an event filter is assigned to. diff --git a/solutions/security/manage-elastic-defend/host-isolation-exceptions.md b/solutions/security/manage-elastic-defend/host-isolation-exceptions.md index ea2d68bf1a..3a14eed046 100644 --- a/solutions/security/manage-elastic-defend/host-isolation-exceptions.md +++ b/solutions/security/manage-elastic-defend/host-isolation-exceptions.md 
@@ -32,6 +32,10 @@ Host isolation exceptions support IPv4 addresses, with optional classless inter- By default, a host isolation exception is recognized globally across all hosts running {{elastic-defend}}. You can also assign a host isolation exception to a specific {{elastic-defend}} integration policy, affecting only the hosts assigned to that policy. +## Add a host isolation exception [add-host-isolation-exception] + +To add a host isolation exception: + 1. Depending on your version, do one of the following: * {applies_to}`serverless: ga` {applies_to}`stack: ga 9.4+` Go to the **Artifacts** page using the navigation menu or the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md), then select the **Host isolation exceptions** tab. * {applies_to}`stack: ga 9.0-9.3` Go to the **Host isolation exceptions** page using the navigation menu or the global search field. @@ -54,6 +58,12 @@ By default, a host isolation exception is recognized globally across all hosts r 5. Click **Add Host isolation exception**. The new exception is added to the **Host isolation exceptions** list. +::::{tip} +:applies_to: { stack: ga 9.4+, serverless: ga } + +To add multiple host isolation exceptions at once, you can import an NDJSON file instead. Refer to [Import and export host isolation exceptions](#import-export-host-isolation-exceptions). +:::: + ## View and manage host isolation exceptions [manage-host-isolation-exceptions] 
@@ -65,6 +75,32 @@ The **Host isolation exceptions** UI displays all the host isolation exceptions ::: +### Import and export host isolation exceptions [import-export-host-isolation-exceptions] + +```{applies_to} +stack: ga 9.4+ +serverless: ga +``` + +::::{admonition} Requirements +* To export host isolation exceptions, you need the **Host Isolation Exceptions: Read** [privilege](/solutions/security/configure-elastic-defend/elastic-defend-feature-privileges.md). +* To import per-policy items, you need the **Host Isolation Exceptions: All** privilege. +* To import global items, you need the **Host Isolation Exceptions: All** and the **Global artifact management: All** privilege. +* To import items to a different space, you need the **Global artifact management: All** privilege. +:::: + +You can import and export host isolation exceptions as NDJSON files: + +- **When the list is empty**: click **Import host isolation exceptions**. +- **When the list has entries**: click the actions menu ({icon}`boxes_vertical`), then select **Import host isolation exceptions** or **Export host isolation exceptions**. + +When you import an NDJSON file, the imported host isolation exceptions are appended to your existing entries — existing entries are not removed or overwritten. + +Items are processed individually on import — per-policy items that are not visible in the current space are skipped, while the remaining items are imported. + +If an imported per-policy item is assigned to a policy that doesn't exist in the current environment, the item is imported with the policy assignment removed. + + ### Edit a host isolation exception [edit-host-isolation-exception] You can individually modify each host isolation exception and change the policies that a host isolation exception is assigned to. diff --git a/solutions/security/manage-elastic-defend/trusted-applications.md b/solutions/security/manage-elastic-defend/trusted-applications.md index f786dbf13e..ad5d43a407 100644 
--- a/solutions/security/manage-elastic-defend/trusted-applications.md +++ b/solutions/security/manage-elastic-defend/trusted-applications.md @@ -48,6 +48,8 @@ Additionally, trusted applications still generate process events for visualizati By default, a trusted application is recognized globally across all hosts running {{elastic-defend}}. You can also assign a trusted application to a specific {{elastic-defend}} integration policy, enabling the application to be trusted by only the hosts assigned to that policy. +## Add a trusted application [add-trusted-app] + To add a trusted application: 1. Depending on your version, do one of the following: @@ -139,6 +141,12 @@ To add a trusted application: 5. Click **Add trusted application**. The application is added to the **Trusted applications** list. +::::{tip} +:applies_to: { stack: ga 9.4+, serverless: ga } + +To add multiple trusted applications at once, you can import an NDJSON file instead. Refer to [Import and export trusted applications](#import-export-trusted-apps). +:::: + ## View and manage trusted applications [trusted-apps-list] 
@@ -150,6 +158,32 @@ The **Trusted applications** UI displays all the trusted applications that have ::: +### Import and export trusted applications [import-export-trusted-apps] + +```{applies_to} +stack: ga 9.4+ +serverless: ga +``` + +::::{admonition} Requirements +* To export trusted applications, you need the **Trusted Applications: Read** [privilege](/solutions/security/configure-elastic-defend/elastic-defend-feature-privileges.md). +* To import per-policy items, you need the **Trusted Applications: All** privilege. +* To import global items, you need the **Trusted Applications: All** and the **Global artifact management: All** privilege. +* To import items to a different space, you need the **Global artifact management: All** privilege. +:::: + +You can import and export trusted applications as NDJSON files: + +- **When the list is empty**: click **Import trusted applications**. +- **When the list has entries**: click the actions menu ({icon}`boxes_vertical`), then select **Import trusted applications** or **Export trusted applications**. + +When you import an NDJSON file, the imported trusted applications are appended to your existing entries — existing entries are not removed or overwritten. + +Items are processed individually on import — per-policy items that are not visible in the current space are skipped, while the remaining items are imported. + +If an imported per-policy item is assigned to a policy that doesn't exist in the current environment, the item is imported with the policy assignment removed. + + ### Edit a trusted application [edit-trusted-app] You can individually modify each trusted application. You can also change the policies that a trusted application is assigned to. diff --git a/solutions/security/manage-elastic-defend/trusted-devices.md b/solutions/security/manage-elastic-defend/trusted-devices.md index 201c3be131..0c892b5571 100644 --- a/solutions/security/manage-elastic-defend/trusted-devices.md 
+++ b/solutions/security/manage-elastic-defend/trusted-devices.md @@ -37,6 +37,12 @@ Add a trusted device to exempt it from device control: * **Per Policy**: Assign the trusted device to one or more specific {{elastic-defend}} integration policies. 6. Click **Add trusted device**. +::::{tip} +:applies_to: { stack: ga 9.4+, serverless: ga } + +To add multiple trusted devices at once, you can import an NDJSON file instead. Refer to [Import and export trusted devices](#import-export-trusted-devices). +:::: + ## View and manage trusted devices The **Trusted devices** UI displays all the trusted devices that have been added to the {{security-app}}. To refine the list, use the search bar to search by name, description, or field value. 
@@ -47,6 +53,32 @@ The **Trusted devices** UI displays all the trusted devices that have been added ::: +### Import and export trusted devices [import-export-trusted-devices] + +```{applies_to} +stack: ga 9.4+ +serverless: ga +``` + +::::{admonition} Requirements +* To export trusted devices, you need the **Trusted Devices: Read** [privilege](/solutions/security/configure-elastic-defend/elastic-defend-feature-privileges.md). +* To import per-policy items, you need the **Trusted Devices: All** privilege. +* To import global items, you need the **Trusted Devices: All** and the **Global artifact management: All** privilege. +* To import items to a different space, you need the **Global artifact management: All** privilege. +:::: + +You can import and export trusted devices as NDJSON files: + +- **When the list is empty**: click **Import trusted devices**. +- **When the list has entries**: click the actions menu ({icon}`boxes_vertical`), then select **Import trusted devices** or **Export trusted devices**. + +When you import an NDJSON file, the imported trusted devices are appended to your existing entries — existing entries are not removed or overwritten. + +Items are processed individually on import — per-policy items that are not visible in the current space are skipped, while the remaining items are imported. + +If an imported per-policy item is assigned to a policy that doesn't exist in the current environment, the item is imported with the policy assignment removed. + + ### Edit a trusted device You can individually modify each trusted device. You can also change the policies that a trusted device is assigned to.
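Review bot: In blocklist.md hunk `@@ -83,6 +92,32 @@`, the two sentences "per-policy items that are not visible in the current space are skipped" and "assigned to a policy that doesn't exist in the current environment, the item is imported with the policy assignment removed" overlap, and a reader cannot tell which outcome to expect for a policy that exists in another space versus one that is gone entirely. Spell out the distinction, and state what scope a stripped item ends up with (global, or unassigned as the "Unassigned entries" filter in elastic-endpoint-exceptions.md implies), because for a blocklist entry that silently decides which hosts it blocks on. The same pair of sentences is repeated verbatim in event-filters.md, host-isolation-exceptions.md, trusted-applications.md and trusted-devices.md, so the fix should land in all five.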
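Review bot: In elastic-endpoint-exceptions.md hunk `@@ -118,7 +122,24 @@`, the action labels `**Import {{elastic-endpoint}}**` and `**Export {{elastic-endpoint}}**` render as "Import Elastic Endpoint" / "Export Elastic Endpoint", which drops the object; every other page in this patch uses the full form ("Import event filters", "Export trusted devices"). Check the actual UI string and, if it is "Import Elastic Endpoint exceptions", write `**Import {{elastic-endpoint}} exceptions**` and `**Export {{elastic-endpoint}} exceptions**` here and in the empty-list bullet above it.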
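Review bot: In elastic-endpoint-exceptions.md hunk `@@ -105,6 +109 @@`, the new tip carries no `:applies_to:` line while the equivalent tips in the other five pages are tagged `{ stack: ga 9.4+, serverless: ga }`; the same goes for the new "Import and export" subsection on that page, which has no `applies_to` block. This is consistent with the existing note that endpoint exception import predates 9.4, but please confirm it is intentional rather than an omission, since the section otherwise mirrors the 9.4-gated ones word for word.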
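Review bot: In event-filters.md hunk `@@ -110,6 +113,32 @@`, "you need the **Event Filters: All** and the **Global artifact management: All** privilege" names two privileges, so the noun should be plural: "the **Event Filters: All** and **Global artifact management: All** privileges". The identical sentence appears in the Requirements admonition of blocklist.md, host-isolation-exceptions.md, trusted-applications.md, trusted-devices.md and elastic-endpoint-exceptions.md.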
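Review bot: In host-isolation-exceptions.md hunk `@@ -65,6 +75,32 @@`, the requirement "To import items to a different space, you need the **Global artifact management: All** privilege" is ambiguous: the import runs in the current space, so it is unclear whether this means importing a file that was exported from another space, or importing per-policy items whose policies live in another space. Say which case is meant and how it relates to the "skipped" behaviour described a few lines below, since a host isolation exception that lands in the wrong space opens network paths from isolated hosts.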
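Review bot: In trusted-applications.md hunk `@@ -150,6 +158,32 @@`, "Items are processed individually on import" only describes the skip case; it does not say what happens to a malformed or invalid line (whether the whole import is rejected or only that line is dropped) or whether the UI reports which items were skipped or had their policy assignment removed. For an artifact that suppresses malware protection on matching executables, an operator needs to be able to verify what actually got imported; add a sentence on error handling and on how skipped or modified items are reported.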
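Review bot: In trusted-devices.md hunk `@@ -47,6 +53,32 @@`, the new `### Import and export trusted devices [import-export-trusted-devices]` subsection has an anchor but sits under `## View and manage trusted devices` and next to `### Edit a trusted device`, neither of which has one, unlike the corresponding headings on the other artifact pages (`[manage-blocklist]`, `[edit-blocklist-entry]` and so on). Consider adding anchors to those two headings in this change for consistency, since the new tip already links into this page by anchor.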