Create and manage shared exception lists
Shared exception lists allow you to group exceptions together and then apply them to multiple rules. Use the Shared Exception Lists page to set up shared exception lists.
Exception lists created in 8.5 and earlier become shared exception lists in 8.6 or later. You can access all shared exception lists from the Shared Exception Lists page.
Create shared exception lists
Set up shared exception lists to contain exception items:
- Go to Manage → Shared Exception Lists.
- Click Create shared exception list → Create shared list.
- Give the shared exception list a name.
- (Optional) Provide a description.
- Click Create shared exception list.
Add exception items to shared exception lists
Add exception items:
- Go to Manage → Shared Exception Lists.
- Click Create shared exception list → Create exception item.
  You can add exceptions to an empty shared exception list by expanding the list, or viewing its details page and clicking Create rule exception. After creating an exception, you can associate the shared exception list with rules. Refer to Associate shared exception lists with rules to learn more.
- In the Add rule exception flyout, name the exception item and add conditions that define when the exception prevents alerts. When the exception’s query conditions are met (the query evaluates to true), rules do not generate alerts even when other rule criteria are met.
  - Field: Select a field to identify the event being filtered.
  - Operator: Select an operator to define the condition:
    - is | is not — Must be an exact match of the defined value.
    - is one of | is not one of — Matches any of the defined values.
    - exists | does not exist — The field exists.
    - is in list | is not in list — Matches values in a value list.
      - An exception defined by a value list must use is in list or is not in list in all conditions.
      - Wildcards are not supported in value lists.
      - If a value list can’t be used due to size or data type, it’ll be unavailable in the Value menu.
    - matches | does not match — Allows you to use wildcards in Value, such as C:\path\*\app.exe. Available wildcards are ? (match one character) and * (match zero or more characters). The selected Field data type must be keyword, text, or wildcard. Using wildcards can impact performance. To create a more efficient exception using wildcards, use multiple conditions and make them as specific as possible. For example, adding conditions using process.name or file.name can help limit the scope of wildcard matching.
  - Value: Enter the value associated with the Field. To enter multiple values (when using is one of or is not one of), enter each value, then press Return.
  - Click AND or OR to create multiple conditions and define their relationships.
  - Click Add nested condition to create conditions using nested fields. This is only required for these nested fields. For all other fields, nested conditions should not be used.
- Choose to add the exception to shared exception lists.
  This option will be unavailable if a shared exception list doesn’t exist. In addition, you can’t add an endpoint exception item to the Endpoint Security Exception List from this UI. Refer to Add Elastic Endpoint exceptions for instructions about creating endpoint exceptions.
- (Optional) Enter a comment describing the exception.
- (Optional) Close all alerts that match this exception and were generated by this rule: Closes all alerts that match the exception’s conditions and were generated only by the current rule.
- Click Add rule exception.
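To make the operator semantics above concrete, here is an added Python model (not Kibana's own code or exception schema) that evaluates an exception item against an event: conditions in a group are ANDed, groups are ORed, ? and * are the only wildcards, and the value-list constraint is checked. The item layout, field names and sample values are constructed for this example.

```python
import re

# Simplified model of the exception item semantics above (constructed, not Kibana's schema).
NEGATED = {"is not": "is", "is not one of": "is one of", "does not exist": "exists",
           "is not in list": "is in list", "does not match": "matches"}
LIST_OPERATORS = {"is in list", "is not in list"}

def wildcard_to_regex(pattern):
    # Only ? (one character) and * (zero or more) are wildcards; everything else is literal.
    body = "".join({"?": ".", "*": ".*"}.get(ch, re.escape(ch)) for ch in pattern)
    return re.compile(rf"\A{body}\Z", re.DOTALL)

def get_field(event, field):
    # Resolve a dotted ECS-style name such as "process.name" against a nested dict.
    for part in field.split("."):
        event = event.get(part) if isinstance(event, dict) else None
    return event

def condition_matches(cond, event, value_lists):
    op = cond["operator"]
    negate = op in NEGATED
    op = NEGATED.get(op, op)
    actual = get_field(event, cond["field"])
    if op == "exists":
        hit = actual is not None
    elif actual is None:
        hit = False  # a missing field never satisfies a positive match
    else:
        hit = {"is": lambda v: actual == v,
               "is one of": lambda v: actual in v,
               "is in list": lambda v: actual in value_lists[v],  # v names a value list
               "matches": lambda v: wildcard_to_regex(v).match(str(actual)) is not None,
               }[op](cond["value"])  # KeyError on an unknown operator
    return hit != negate

def exception_suppresses(item, event, value_lists=None):
    # True when any AND group is fully satisfied: the rule should not alert on this event.
    return any(all(condition_matches(c, event, value_lists or {}) for c in group)
               for group in item["groups"])

def uses_value_lists_consistently(item):
    # The constraint stated above: an item that uses a value list must do so in every condition.
    ops = {c["operator"] for group in item["groups"] for c in group}
    return not (ops & LIST_OPERATORS) or ops <= LIST_OPERATORS

# Constructed sample item (one AND group): an installer may write app.exe under Program Files.
INSTALLER_ITEM = {"name": "Trusted installer", "groups": [[
    {"field": "process.name", "operator": "is one of", "value": ["setup.exe", "installer.exe"]},
    {"field": "file.path", "operator": "matches", "value": r"C:\Program Files\*\app.exe"}]]}
```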
Associate shared exception lists with rules
Apply shared exception lists to rules:
- Go to Manage → Shared Exception Lists.
- Do one of the following:
  - Select a shared exception list’s name to open its details page, then click Manage rules.
  - Find the shared exception list you want to assign to rules, then click More actions (…) → Manage rules.
- Click the toggles in the Link column to select the rules you want to link to the exception list.
  If you know a rule’s name, you can enter it into the search bar.
- Click Save.
- (Optional) To verify that the shared exception list was added to the rules you selected:
  - Open a rule’s details page (Manage → Rules → Rule name).
  - Scroll down the page, and then select the Rule exceptions tab.
  - Navigate to the exception items that are included in the shared exception list. Click the Affects shared list link to view the associated shared exception lists.
View and filter exception lists
The Shared Exception Lists page displays each shared exception list on an individual row, with the most recently created list at the top. Each row contains these details about the shared exception list:
- Shared exception list name
- Date the list was created
- Username of the user who created the list
- Number of exception items in the shared exception list
- Number of rules the shared exception list affects
To view the details of an exception item within a shared exception list, expand a row.
To filter exception lists by a specific value, enter a value in the search bar. You can search the following attributes:
- name
- list_id
- created_by
If no attribute is selected, the app searches the list name by default.
Manage shared exception lists
You can edit, export, import, and delete shared exception lists from the Shared Exception Lists page.
To export or delete an exception list, select the required action button on the appropriate list. Note the following:
- Exception lists are exported to .ndjson files.
- Exception lists are also exported as part of any exported detection rules configured with exceptions. Refer to Export and import rules.
- If an exception list is linked to any rules, you’ll get a warning asking you to confirm the deletion.