Rule exceptions and value lists


To prevent the creation of unwanted alerts, you can add exceptions to these detection rule types:

  • Custom query
  • Event Correlation
  • Indicator match

Exceptions contain the source event conditions that determine when alerts are not generated. They provide a convenient way of allowing trusted processes and network activity to function without producing unnecessary noise.

You can add multiple exceptions to one rule.

In addition to defining exception queries for source event values, rule exceptions can be used with value lists. Value lists are lists of items with the same Elasticsearch data type. You can create value lists with these types:

  • keyword (many ECS fields are keywords)
  • ip
  • ip_range
  • text

After creating value lists, you can use is in list and is not in list operators to define exceptions.

Manage value lists


To create a value list for use with exceptions:

  1. Prepare a txt or csv file containing all the values for a single list. If you use a txt file, newlines act as value delimiters.

    All values in the file must be of the same Elasticsearch type.

  2. Go to Security → Detections → Manage detection rules.
  3. Click Upload value lists. The Upload value lists window opens.

    [Image: Upload value lists UI]
  4. Select the list type (Keywords, IP addresses, IP ranges, or Text).
  5. Drag or select the csv or txt file that contains the values.
  6. Click Upload list.

When the name of the file you are uploading already exists, the values in the new file are appended to the previously uploaded values.
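Because an upload fails or silently mixes types when a file contains values of more than one Elasticsearch type, it is worth checking the file before uploading it. The following validator is an added example, not part of the Elastic Security app; it assumes the txt (newline-delimited) and csv layouts described above, and that ip_range values are written either in CIDR notation or as "start-end".

```python
import csv
import ipaddress
from typing import Callable

def _is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def _is_ip_range(value: str) -> bool:
    # Assumed range syntax: CIDR ("10.0.0.0/8") or dashed ("10.1.1.1-10.1.1.20")
    try:
        if "-" in value:
            start, end = (ipaddress.ip_address(p.strip()) for p in value.split("-", 1))
            return start.version == end.version and start <= end
        ipaddress.ip_network(value, strict=False)
        return True
    except ValueError:
        return False

# One validator per value-list type the Security app accepts
VALIDATORS: dict[str, Callable[[str], bool]] = {
    "keyword": lambda v: bool(v) and "\n" not in v,
    "text": lambda v: bool(v),
    "ip": _is_ip,
    "ip_range": _is_ip_range,
}

def parse_values(content: str, fmt: str) -> list[str]:
    """Split file content into values: txt is newline-delimited, csv is one value per cell."""
    if fmt == "txt":
        return [line.strip() for line in content.splitlines() if line.strip()]
    if fmt == "csv":
        return [cell.strip() for row in csv.reader(content.splitlines()) for cell in row if cell.strip()]
    raise ValueError(f"unsupported format: {fmt}")

def check_value_list(content: str, fmt: str, list_type: str) -> list[str]:
    """Return the values that do not match list_type; an empty list means the file is clean."""
    validate = VALIDATORS[list_type]
    return [v for v in parse_values(content, fmt) if not validate(v)]

# Constructed sample: a txt list intended as type "ip" with two rows that do not belong
SAMPLE_IP_TXT = "10.0.0.5\n192.168.1.0/24\n2001:db8::1\nnot-an-ip\n"

if __name__ == "__main__":
    print(check_value_list(SAMPLE_IP_TXT, "txt", "ip"))  # ['192.168.1.0/24', 'not-an-ip']
```

The CIDR row is a valid ip_range value but not a valid ip value, which is exactly the kind of mix that a single-type list must not contain.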

To view, delete, or export existing lists:

  1. Go to Security → Detections → Manage detection rules.
  2. In the Value lists pane, click the required action icon.

Add exceptions to a rule


You can add exceptions to a rule via the Rule details page or the Alerts table. When you add an exception, you can also close all alerts that meet the exception’s criteria.

To ensure an exception is successfully applied, make sure that the fields you’ve defined for the exception query are correctly and consistently mapped in their respective indices. Refer to ECS to learn more about supported mappings.

Be careful when adding exceptions to EQL sequence rules. Exceptions are evaluated against every event in the sequence, and when the exception matches any event(s) in the sequence, alerts are not generated. To exclude values from a specific event in the sequence, update the rule’s EQL statement. For example:

  sequence
    [file where file.extension == "exe"
    and file.name != "app-name.exe"]
    [process where true
    and process.name != "process-name.exe"]
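The following added example (not code from the Elastic documentation) models why the warning above matters. It uses a constructed two-event sequence in which explorer.exe writes dropper.exe and dropper.exe then starts; the file event carries process.name for the writing process, so an exception on process.name matches the first event and silences the whole alert, whereas the same exclusion written into the EQL process stage does not.

```python
from typing import Callable

Event = dict
Condition = Callable[[Event], bool]

# Constructed sequence: explorer.exe writes dropper.exe, then dropper.exe starts.
SEQUENCE: list[Event] = [
    {"event.category": "file", "file.extension": "exe", "file.name": "dropper.exe",
     "process.name": "explorer.exe"},
    {"event.category": "process", "process.name": "dropper.exe",
     "process.parent.name": "explorer.exe"},
]

def _sequence_matches(sequence: list[Event], stages: list[Condition]) -> bool:
    return len(sequence) == len(stages) and all(f(ev) for f, ev in zip(stages, sequence))

def alert_with_exception(sequence: list[Event], stages: list[Condition], exception: Condition) -> bool:
    """Rule-exception semantics from the page: the exception is evaluated against every
    event in the sequence, and a match on any one event suppresses the whole alert."""
    return _sequence_matches(sequence, stages) and not any(exception(ev) for ev in sequence)

def alert_with_eql_filter(sequence: list[Event], stages: list[Condition]) -> bool:
    """Exclusion written into the EQL statement: each stage's filter sees only its own event."""
    return _sequence_matches(sequence, stages)

# Original rule: an .exe is written, then some process starts
BASE_STAGES: list[Condition] = [
    lambda ev: ev.get("event.category") == "file" and ev.get("file.extension") == "exe",
    lambda ev: ev.get("event.category") == "process",
]

# Intended meaning of the exception: "do not alert when the process that starts is explorer.exe"
EXCEPTION: Condition = lambda ev: ev.get("process.name") == "explorer.exe"

# The same intent placed in the EQL process stage, where it cannot touch the file event
FILTERED_STAGES: list[Condition] = [
    BASE_STAGES[0],
    lambda ev: ev.get("event.category") == "process" and ev.get("process.name") != "explorer.exe",
]

def demo() -> tuple[bool, bool]:
    # (alert with rule exception, alert with EQL filter) for the dropper sequence
    return (alert_with_exception(SEQUENCE, BASE_STAGES, EXCEPTION),
            alert_with_eql_filter(SEQUENCE, FILTERED_STAGES))

if __name__ == "__main__":
    print(demo())  # (False, True): the exception hides the dropper, the EQL filter keeps it
```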

  1. To add an exception via the Rule details page:

    1. Go to the Rule details page of the rule to which you want to add the exception (Security → Detections → Manage detection rules → <rule name>).
    2. Scroll down to the Trend histogram and select the Exceptions tab.

      [Image: Exceptions tab below the Trend histogram]
    3. Click Add new exception.
  2. To add an exception via the Alerts table:

    1. Go to Detections (Security → Detections).
    2. Scroll down to the Alerts table and click the More Actions button, then select Add rule exception.

      [Image: More Actions button in the Alerts table]

      The Add Rule Exception window opens (via the Alerts table).

      [Image: Add Rule Exception window]
  3. Add conditions that define when the exception prevents alerts. You can define multiple conditions with OR and AND relationships. In the example above, the exception prevents the rule from generating alerts when the svchost.exe process runs on agent hostname siem-kibana.

    You can use nested conditions. However, they are only required for the fields listed under Exceptions with nested conditions; for all other fields, nested conditions should not be used.

    If you have created value lists, you can use them to exclude or include all values in a list with is in list and is not in list operators:

    [Image: Exception condition using a value list]

    When using a list, all exception statements must use is in list and is not in list operators.

  4. You can select any of the following:

    • Close this alert: Closes the alert when the exception is added. This option is only available when adding exceptions via the Alerts table.
    • Close all alerts that match this exception and were generated by this rule: Closes all alerts that match the exception’s conditions and were generated only by the current rule.
  5. Click Add Rule Exception.

Add Elastic Endpoint Security exceptions


Like detection rule exceptions, you can add Endpoint agent exceptions via both the Elastic Endpoint Security rule and its generated alerts. Alerts generated from the Elastic Endpoint Security rule have the following fields:

  • signal.original_event.module:endpoint
  • signal.original_event.kind:alert

Additionally, you can add Endpoint exceptions via rules that are associated with Elastic endpoint rule exceptions. To associate rules, when creating or editing a rule select the Elastic endpoint exceptions option.

When you add an exception to the Elastic Endpoint Security rule, you can choose to also add the exception to the endpoint. When selected, the exception is added to both the detection rule and the Elastic Endpoint agent on your hosts.

Binary fields are not supported in detection rule exceptions.

Exceptions added to the Elastic Endpoint Security rule affect all alerts sent from the Endpoint agent. Be careful not to unintentionally prevent some Endpoint alerts.

  1. To add an Endpoint exception via the Rule details page:

    1. Go to the Rule details page and select the Elastic Security Endpoint rule (Security → Detections → Manage detection rules → Elastic Endpoint Security).
    2. Scroll down to the Trend histogram and select the Exceptions tab.
    3. Click Add Endpoint exception.
  2. To add an exception via the Alerts table:

    1. Go to Detections (Security → Detections).
    2. Scroll down to the Alerts table and, from an Elastic Security Endpoint alert, click the more actions icon, and then select Add Endpoint exception.

      The Add Endpoint Exception window opens (via Alerts table).

      [Image: Add Endpoint Exception window]
  3. If required, modify the conditions.

    The Exceptions with nested conditions section describes when nested conditions are required.

  4. You can select any of the following:

    • Close this alert: Closes the alert when the exception is added. This option is only available when adding exceptions via the Alerts table.
    • Close all alerts that match this exception, including alerts generated by other rules: Closes all alerts that match the exception’s conditions.
  5. Click Add Exception.

    An exception is created for both the detection rule and the Elastic Endpoint agent.

Exceptions with nested conditions


Some Endpoint objects contain nested fields, and the only way to ensure you are excluding the correct fields is with nested conditions. One example is the process.Ext object:

{
  "ancestry": [],
  "code_signature": {
    "trusted": true,
    "subject_name": "LFC",
    "exists": true,
    "status": "trusted"
  },
  "user": "WDAGUtilityAccount",
  "token": {
    "elevation": true,
    "integrity_level_name": "high",
    "domain": "27FB305D-3838-4",
    "user": "WDAGUtilityAccount",
    "elevation_type": "default",
    "sid": "S-1-5-21-2047949552-857980807-821054962-504"
  }
}

code_signature.subject_name refers to the process signature, not the process name.

Only these objects require nested conditions to ensure the exception functions correctly:

  • Endpoint.policy.applied.artifacts.global.identifiers
  • Endpoint.policy.applied.artifacts.user.identifiers
  • Target.dll.Ext.code_signature
  • Target.process.Ext.code_signature
  • Target.process.Ext.token.privileges
  • Target.process.parent.Ext.code_signature
  • Target.process.thread.Ext.token.privileges
  • dll.Ext.code_signature
  • file.Ext.code_signature
  • file.Ext.macro.errors
  • file.Ext.macro.stream
  • process.Ext.code_signature
  • process.Ext.token.privileges
  • process.parent.Ext.code_signature
  • process.thread.Ext.token.privileges

Nested condition example


Creates an exception that excludes all LFC-signed trusted processes:

[Image: Nested exception conditions on process.Ext.code_signature with subject_name LFC and trusted true]
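To show why the objects listed above need nested conditions, here is an added example (not from the Elastic documentation) that evaluates the "LFC-signed trusted processes" exception two ways over constructed documents. It assumes, as the page's list implies, that process.Ext.code_signature is indexed as an array of signature objects: a flat evaluation can satisfy subject_name from one entry and trusted from another, while a nested evaluation requires both to hold in the same entry.

```python
from typing import Any

# Constructed document: two signatures, an expired LFC one and a trusted one from another vendor
DOC_TWO_SIGNATURES: dict[str, Any] = {
    "process": {"name": "updater.exe", "Ext": {"code_signature": [
        {"subject_name": "LFC", "trusted": False, "status": "errorExpired"},
        {"subject_name": "Other Vendor", "trusted": True, "status": "trusted"},
    ]}},
}

# Constructed document: a single trusted LFC signature, the case the exception is meant for
DOC_LFC_TRUSTED: dict[str, Any] = {
    "process": {"name": "tool.exe", "Ext": {"code_signature": [
        {"subject_name": "LFC", "trusted": True, "status": "trusted"},
    ]}},
}

def _get(doc: dict, path: str) -> Any:
    cur: Any = doc
    for part in path.split("."):
        cur = cur.get(part) if isinstance(cur, dict) else None
    return cur

def flat_match(doc: dict, parent: str, conditions: dict[str, Any]) -> bool:
    """Non-nested evaluation: each leaf is matched over the flattened array, so the
    conditions may be satisfied by values taken from different signature entries."""
    entries = _get(doc, parent) or []
    return all(any(e.get(k) == v for e in entries) for k, v in conditions.items())

def nested_match(doc: dict, parent: str, conditions: dict[str, Any]) -> bool:
    """Nested evaluation: every condition must hold within one and the same entry."""
    entries = _get(doc, parent) or []
    return any(all(e.get(k) == v for k, v in conditions.items()) for e in entries)

# The exception from the page's example: processes signed by LFC and trusted
PARENT = "process.Ext.code_signature"
LFC_TRUSTED = {"subject_name": "LFC", "trusted": True}

def exception_applies(doc: dict, nested: bool) -> bool:
    return (nested_match if nested else flat_match)(doc, PARENT, LFC_TRUSTED)

if __name__ == "__main__":
    print(exception_applies(DOC_TWO_SIGNATURES, nested=False))  # True: over-broad, hides the expired LFC signature
    print(exception_applies(DOC_TWO_SIGNATURES, nested=True))   # False: no single entry is both LFC and trusted
    print(exception_applies(DOC_LFC_TRUSTED, nested=True))      # True
```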