Rule exceptions


[preview] This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.

You can associate rule exceptions with detection and endpoint rules to prevent trusted processes and network activity from generating unnecessary alerts, which reduces the number of false positives.

When creating exceptions, you can assign them to individual rules or to multiple rules.

Exceptions for individual rules

Exceptions, also referred to as exception items, contain the source event conditions that determine when alerts shouldn’t be generated.

You can create exceptions that apply exclusively to a single rule. These types of exceptions can’t be used by other rules, and you must manage them from the rule’s details page. To learn more about creating and managing single-rule exceptions, refer to Add and manage exceptions.

An exception item

You can also use value lists to define exceptions for detection rules. Value lists allow you to match an exception against a list of possible values.
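To make the matching behaviour concrete, the following is an added example (not Elastic's code and not taken from this page): a small local model of how exception items and a value list are evaluated against source events. The exception items and the value list are constructed sample data that mirror the field/operator/type/value shape of exception item entries; the evaluation rules (entries within one item are ANDed, any matching item suppresses the alert, an `excluded` operator negates the entry, a missing field never satisfies an `included` entry) are a simplification used for this model, so verify edge cases against the product itself before relying on them.

```python
# Simplified local model of exception-item evaluation for Elastic Security
# detection rules. Added example: not Elastic's code.
from ipaddress import ip_address, ip_network

# Constructed value list, standing in for a value list of type "ip".
VALUE_LISTS = {
    "trusted_ips.txt": {"type": "ip", "items": ["10.0.0.0/8", "192.168.1.10"]},
}

# Constructed exception items. Entries inside one item are ANDed; the alert
# is suppressed when ANY item matches the source event.
EXCEPTION_ITEMS = [
    {
        "name": "Trusted backup agent",
        "entries": [
            {"field": "process.name", "operator": "included",
             "type": "match", "value": "backup-agent.exe"},
            {"field": "process.code_signature.trusted", "operator": "included",
             "type": "match", "value": True},
        ],
    },
    {
        "name": "Scanner traffic from trusted range",
        "entries": [
            {"field": "source.ip", "operator": "included", "type": "list",
             "list": {"id": "trusted_ips.txt", "type": "ip"}},
            {"field": "destination.port", "operator": "included",
             "type": "match_any", "value": [22, 443]},
        ],
    },
]


def get_field(event, dotted_path):
    """Resolve an ECS-style dotted field name against a nested event dict."""
    current = event
    for part in dotted_path.split("."):
        if not isinstance(current, dict) or part not in current:
            return None
        current = current[part]
    return current


def in_value_list(value, list_ref):
    """Return True when value is contained in the referenced value list."""
    value_list = VALUE_LISTS.get(list_ref["id"])
    if value_list is None:
        return False
    if value_list["type"] == "ip":
        try:
            addr = ip_address(value)
        except ValueError:
            return False
        return any(addr in ip_network(net, strict=False) for net in value_list["items"])
    return str(value) in value_list["items"]


def entry_matches(entry, event):
    """Evaluate a single entry; 'excluded' negates the comparison result."""
    value = get_field(event, entry["field"])
    kind = entry["type"]
    if kind == "exists":
        hit = value is not None
    elif value is None:
        hit = False  # model choice: a missing field never satisfies a comparison
    elif kind == "match":
        hit = str(value) == str(entry["value"])
    elif kind == "match_any":
        hit = str(value) in {str(v) for v in entry["value"]}
    elif kind == "list":
        hit = in_value_list(value, entry["list"])
    else:
        raise ValueError(f"unsupported entry type: {kind}")
    return not hit if entry["operator"] == "excluded" else hit


def item_matches(item, event):
    """All entries of one exception item must match (AND)."""
    return all(entry_matches(entry, event) for entry in item["entries"])


def is_suppressed(event, items=EXCEPTION_ITEMS):
    """An alert is suppressed when any exception item matches the event (OR)."""
    return any(item_matches(item, event) for item in items)


# Constructed sample source events.
SAMPLE_EVENTS = {
    "signed_backup_agent": {"process": {"name": "backup-agent.exe",
                                        "code_signature": {"trusted": True}}},
    "unsigned_backup_agent": {"process": {"name": "backup-agent.exe",
                                          "code_signature": {"trusted": False}}},
    "trusted_scanner_https": {"source": {"ip": "10.20.30.40"}, "destination": {"port": 443}},
    "trusted_scanner_other_port": {"source": {"ip": "10.20.30.40"}, "destination": {"port": 8080}},
    "untrusted_scanner_https": {"source": {"ip": "203.0.113.5"}, "destination": {"port": 443}},
}

if __name__ == "__main__":
    for name, event in SAMPLE_EVENTS.items():
        print(f"{name}: {'suppressed' if is_suppressed(event) else 'alert'}")
```

The unsigned copy of the backup agent still alerts because the second entry of the first item fails, and the trusted scanner hitting port 8080 still alerts because the `match_any` entry fails; this is why a single exception item with several conditions is narrower, and safer, than several single-condition items.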

Exceptions shared among multiple rules

If you want an exception to apply to multiple rules, you can add an exception to a shared exception list. Shared exception lists allow you to group exceptions together and then associate them with multiple rules. Refer to Create and manage shared exception lists to learn more.

Shared Exception Lists page