diff --git a/raw-migrated-files/docs-content/serverless/security-add-exceptions.md b/raw-migrated-files/docs-content/serverless/security-add-exceptions.md deleted file mode 100644 index 3f9d330bf..000000000 --- a/raw-migrated-files/docs-content/serverless/security-add-exceptions.md +++ /dev/null 
@@ -1,300 +0,0 @@ -# Add and manage exceptions [security-add-exceptions] - -You can add exceptions to a rule from the rule details page, the Alerts table, the alert details flyout, or the Shared Exception Lists page. When you add an exception, you can also close all alerts that meet the exception’s criteria. - -::::{important} -* To ensure an exception is successfully applied, ensure that the fields you’ve defined for its query are correctly and consistently mapped in their respective indices. Refer to [ECS](https://www.elastic.co/guide/en/ecs/{{ecs_version}}) to learn more about supported mappings. -* Be careful when adding exceptions to [event correlation](../../../solutions/security/detect-and-alert/create-detection-rule.md#create-eql-rule) rules. Exceptions are evaluated against every event in the sequence, and if an exception matches any events that are necessary to complete the sequence, alerts are not created. - - To exclude values from a specific event in the sequence, update the rule’s EQL statement. For example: - - ```eql - `sequence - [file where file.extension == "exe" - and file.name != "app-name.exe"] - [process where true - and process.name != "process-name.exe"]` - ``` - -* Be careful when adding exceptions to [indicator match](../../../solutions/security/detect-and-alert/create-detection-rule.md#create-indicator-rule) rules. Exceptions are evaluated against source and indicator indices, so if the exception matches events in *either* index, alerts are not generated. - -:::: - - - -## Add exceptions to a rule [detection-rule-exceptions] - -1. Do one of the following: - - * To add an exception from the rule details page: - - 1. Go to the rule details page of the rule to which you want to add an exception (**Rules** → **Detection rules (SIEM)*** → ***Rule name**). - 2. Scroll down the rule details page, select the **Rule exceptions** tab, then click **Add rule exception**. 
- - :::{image} ../../../images/serverless--detections-rule-exception-tab.png - :alt: Detail of rule exceptions tab - :class: screenshot - ::: - - * To add an exception from the Alerts table: - - 1. Go to **Alerts**. - 2. Scroll down to the Alerts table, go to the alert you want to create an exception for, click the **More Actions** menu (![Actions menu](../../../images/serverless-boxesHorizontal.svg "")), then select **Add rule exception**. - - * To add an exception from the alert details flyout: - - 1. Go to **Alerts**. - 2. Click the **View details** button from the Alerts table. - 3. In the alert details flyout, click **Take action → Add rule exception**. - - * To add an exception from the Shared Exception Lists page: - - 1. Go to **Rules** → **Shared exception lists**. - 2. Click **Create shared exception list** → **Create exception item**. - -2. In the **Add rule exception** flyout, name the exception. -3. Add conditions that define the exception. When the exception’s query evaluates to `true`, rules don’t generate alerts even when their criteria are met. - - ::::{important} - Rule exceptions are case-sensitive, which means that any character that’s entered as an uppercase or lowercase letter will be treated as such. In the event you *don’t* want a field evaluated as case-sensitive, some ECS fields have a `.caseless` version that you can use. - - :::: - - - ::::{note} - When you create a new exception from an alert, exception conditions are auto-populated with relevant alert data. Data from custom highlighted fields is listed first. A comment that describes the auto-generated exception conditions is also added to the **Add comments** section. - - :::: - - - 1. **Field**: Select a field to identify the event being filtered. - - ::::{note} - A warning displays for fields with conflicts. Using these fields might cause unexpected exceptions behavior. 
Refer to [Troubleshooting type conflicts and unmapped fields](../../../troubleshoot/security/detection-rules.md) for more information. - - :::: - - 2. **Operator**: Select an operator to define the condition: - - * `is` | `is not` — Must be an exact match of the defined value. - * `is one of` | `is not one of` — Matches any of the defined values. - * `exists` | `does not exist` — The field exists. - * `is in list` | `is not in list` — Matches values in a value list. - - ::::{note} - * An exception defined by a value list must use `is in list` or `is not in list` in all conditions. - * Wildcards are not supported in value lists. - * If a value list can’t be used due to [size or data type](../../../solutions/security/detect-and-alert/create-manage-value-lists.md#create-value-lists), it’ll be unavailable in the **Value** menu. - - :::: - - * `matches` | `does not match` — Allows you to use wildcards in **Value**, such as `C:\path\*\app.exe`. Available wildcards are `?` (match one character) and `*` (match zero or more characters). The selected **Field** data type must be [keyword](https://www.elastic.co/guide/en/elasticsearch/reference/current/keyword.html#keyword-field-type), [text](https://www.elastic.co/guide/en/elasticsearch/reference/current/text.html#text-field-type), or [wildcard](https://www.elastic.co/guide/en/elasticsearch/reference/current/keyword.html#wildcard-field-type). - - ::::{note} - Some characters must be escaped with a backslash, such as `\` for a literal backslash, `*` for an asterisk, and `\?` for a question mark. Windows paths must be divided with double backslashes (for example, `C:\Windows\explorer.exe`), and paths that already include double backslashes might require four backslashes for each divider. - - :::: - - - ::::{important} - Using wildcards can impact performance. To create a more efficient exception using wildcards, use multiple conditions and make them as specific as possible. 
For example, adding conditions using `process.name` or `file.name` can help limit the scope of wildcard matching. - - :::: - - 3. **Value**: Enter the value associated with the **Field**. To enter multiple values (when using `is one of` or `is not one of`), enter each value, then press **Return**. - - ::::{note} - Identical, case-sensitive values are supported for the `is one of` and `is not one of` operators. For example, if you want to match the values `Windows` and `windows`, add both values to the **Value** field. - - :::: - - - In the following example, the exception was created from the Rules page and prevents the rule from generating alerts when the `svchost.exe` process runs on hostname `siem-kibana`. - - :::{image} ../../../images/serverless--detections-add-exception-ui.png - :alt: detections add exception ui - :class: screenshot - ::: - -4. Click **AND** or **OR** to create multiple conditions and define their relationships. -5. Click **Add nested condition** to create conditions using nested fields. This is only required for [these nested fields](../../../solutions/security/detect-and-alert/add-manage-exceptions.md). For all other fields, nested conditions should not be used. -6. Choose to add the exception to a rule or a shared exception list. - - ::::{note} - If you are creating an exception from the Shared Exception Lists page, you can add the exception to multiple rules. - - :::: - - - ::::{tip} - If a shared exception list doesn’t exist, you can [create one](../../../solutions/security/detect-and-alert/create-manage-shared-exception-lists.md) from the Shared Exception Lists page. - - :::: - -7. (Optional) Enter a comment describing the exception. -8. (Optional) Enter a future expiration date and time for the exception. -9. Select one of the following alert actions: - - * **Close this alert**: Closes the alert when the exception is added. This option is only available when adding exceptions from the Alerts table. 
- * **Close all alerts that match this exception and were generated by this rule**: Closes all alerts that match the exception’s conditions and were generated only by the current rule. - -10. Click **Add rule exception**. - - -## Add {{elastic-endpoint}} exceptions [endpoint-rule-exceptions] - -You can add {{elastic-endpoint}} exceptions to [endpoint protection rules](../../../solutions/security/manage-elastic-defend/endpoint-protection-rules.md) or to rules that are associated with {{elastic-endpoint}} rule exceptions. To associate rules when creating or editing a rule, select the [**{{elastic-endpoint}} exceptions**](../../../solutions/security/detect-and-alert/create-detection-rule.md#rule-ui-advanced-params) option. - -Endpoint exceptions are added to the endpoint protection rules **and** the {{elastic-endpoint}} on your hosts. - -::::{important} -Exceptions added to the endpoint protection rules affect all alerts sent from {{elastic-endpoint}}. Be careful not to unintentionally prevent useful Endpoint alerts. - -Additionally, to add an Endpoint exception to an endpoint protection rule, there must be at least one {{elastic-endpoint}} alert generated in the system. For non-production use, if no alerts exist, you can trigger a test alert using malware emulation techniques or tools such as the Anti Malware Testfile from the [European Institute for Computer Anti-Virus Research (EICAR)](https://www.eicar.org/). - -:::: - - -::::{important} -[Binary fields](https://www.elastic.co/guide/en/elasticsearch/reference/current/binary.html) are not supported in detection rule exceptions. - -:::: - - -1. Do one of the following: - - * To add an Endpoint exception from the rule details page: - - 1. Go to the rule details page (**Rules** → **Detection rules (SIEM)**), and then search for and select one of the [endpoint protection rules](../../../solutions/security/manage-elastic-defend/endpoint-protection-rules.md). - 2. 
Scroll down the rule details page, select the **Endpoint exceptions** tab, then click **Add endpoint exception**. - - * To add an Endpoint exception from the Alerts table: - - 1. Go to **Alerts**. - 2. Scroll down to the Alerts table, and from an {{elastic-endpoint}} alert, click the **More actions** menu (![Actions menu](../../../images/serverless-boxesHorizontal.svg "")), then select **Add Endpoint exception**. - - * To add an Endpoint exception from Shared Exception Lists page: - - 1. Go to **Rules** → **Shared exception lists**. - 2. Expand the Endpoint Security Exception List or click the list name to open the list’s details page. Next, click **Add endpoint exception**. - - ::::{note} - The Endpoint Security Exception List is automatically created. By default, it’s associated with endpoint protection rules and any rules with the [**{{elastic-endpoint}} exceptions**](../../../solutions/security/detect-and-alert/create-detection-rule.md#rule-ui-advanced-params) option selected. - - :::: - - - The **Add Endpoint Exception** flyout opens. - - :::{image} ../../../images/serverless--detections-endpoint-add-exp.png - :alt: detections endpoint add exp - :class: screenshot - ::: - -2. If required, modify the conditions. Refer to [Exceptions with nested conditions](../../../solutions/security/detect-and-alert/add-manage-exceptions.md#ex-nested-conditions) for more information on when nested conditions are required. - - ::::{important} - Rule exceptions are case-sensitive, which means that any character that’s entered as an uppercase or lowercase letter will be treated as such. In the event you *don’t* want a field evaluated as case-sensitive, some ECS fields have a `.caseless` version that you can use. - - :::: - - - ::::{note} - * Fields with conflicts are marked with a warning icon (![Warning](../../../images/serverless-warning.svg "")). Using these fields might cause unexpected exceptions behavior. 
For more information, refer to [Troubleshooting type conflicts and unmapped fields](../../../troubleshoot/security/detection-rules.md). - * Identical, case-sensitive values are supported for the `is one of` and `is not one of` operators. For example, if you want to match the values `Windows` and `windows`, add both values to the **Value** field. - - :::: - -3. (Optional) Add a comment to the exception. -4. You can select any of the following: - - * **Close this alert**: Closes the alert when the exception is added. This option is only available when adding exceptions from the Alerts table. - * **Close all alerts that match this exception and were generated by this rule**: Closes all alerts that match the exception’s conditions. - -5. Click **Add Endpoint Exception**. An exception is created for both the detection rule and the {{elastic-endpoint}}. - - ::::{note} - It might take longer for exceptions to be applied to hosts within larger deployments. - - :::: - - - -## Exceptions with nested conditions [ex-nested-conditions] - -Some Endpoint objects contain nested fields, and the only way to ensure you are excluding the correct fields is with nested conditions. 
One example is the `process.Ext` object: - -```json -{ - "ancestry": [], - "code_signature": { - "trusted": true, - "subject_name": "LFC", - "exists": true, - "status": "trusted" - }, - "user": "WDAGUtilityAccount", - "token": { - "elevation": true, - "integrity_level_name": "high", - "domain": "27FB305D-3838-4", - "user": "WDAGUtilityAccount", - "elevation_type": "default", - "sid": "S-1-5-21-2047949552-857980807-821054962-504" - } -} -``` - -Only these objects require nested conditions to ensure the exception functions correctly: - -* `Endpoint.policy.applied.artifacts.global.identifiers` -* `Endpoint.policy.applied.artifacts.user.identifiers` -* `Target.dll.Ext.code_signature` -* `Target.process.Ext.code_signature` -* `Target.process.Ext.token.privileges` -* `Target.process.parent.Ext.code_signature` -* `Target.process.thread.Ext.token.privileges` -* `dll.Ext.code_signature` -* `file.Ext.code_signature` -* `file.Ext.macro.errors` -* `file.Ext.macro.stream` -* `process.Ext.code_signature` -* `process.Ext.token.privileges` -* `process.parent.Ext.code_signature` -* `process.thread.Ext.token.privileges` - - -### Nested condition example [security-add-exceptions-nested-condition-example] - -Creates an exception that excludes all LFC-signed trusted processes: - -:::{image} ../../../images/serverless--detections-nested-exp.png -:alt: detections nested exp -:class: screenshot -::: - - -## View and manage exceptions [manage-exception] - -To view a rule’s exceptions, open the rule’s details page (**Rules** → **Detection rules (SIEM)*** → ****Rule name****), then scroll down and select the ***Rule exceptions*** or ***Endpoint exceptions*** tab. All exceptions that belong to the rule will display in a list. From the list, you can filter, edit, and delete exceptions. You can also toggle between ***Active exceptions** and **Expired exceptions**. 
- -:::{image} ../../../images/serverless--detections-manage-default-rule-list.png -:alt: A default rule list -:class: screenshot -::: - - -## Find rules using the same exceptions [rules-using-same-exception] - -To find out if an exception is used by other rules, select the **Rule exceptions** or **Endpoint exceptions** tab, navigate to an exception list item, then click **Affects *X* rules**. - -::::{note} -Changes that you make to the exception also apply to other rules that use the exception. - -:::: - - -:::{image} ../../../images/serverless--detections-exception-affects-multiple-rules.png -:alt: Exception that affects multiple rules -:class: screenshot -::: diff --git a/raw-migrated-files/docs-content/serverless/security-rule-exceptions.md b/raw-migrated-files/docs-content/serverless/security-rule-exceptions.md deleted file mode 100644 index 15c123f04..000000000 --- a/raw-migrated-files/docs-content/serverless/security-rule-exceptions.md +++ /dev/null 
@@ -1,37 +0,0 @@ -# Rule exceptions [security-rule-exceptions] - -You can associate rule exceptions with detection and endpoint rules to prevent trusted processes and network activity from generating unnecessary alerts, therefore, reducing the number of false positives. - -When creating exceptions, you can assign them to [individual rules](../../../solutions/security/detect-and-alert/rule-exceptions.md#rule-exceptions-intro) or to [multiple rules](../../../solutions/security/detect-and-alert/rule-exceptions.md#shared-exception-list-intro). - - -## Exceptions for individual rules [rule-exceptions-intro] - -Exceptions, also referred to as *exception items*, contain the source event conditions that determine when alerts shouldn’t be generated. - -You can create exceptions that apply exclusively to a single rule. These types of exceptions can’t be used by other rules, and you must manage them from the rule’s details page. To learn more about creating and managing single-rule exceptions, refer to [Add and manage exceptions](../../../solutions/security/detect-and-alert/add-manage-exceptions.md). - -:::{image} ../../../images/serverless--detections-exception-item-example.png -:alt: An exception item -:class: screenshot -::: - -::::{note} -You can also use [value lists](../../../solutions/security/detect-and-alert/create-manage-value-lists.md) to define exceptions for detection rules. Value lists allow you to match an exception against a list of possible values. - -:::: - - - -## Exceptions shared among multiple rules [shared-exception-list-intro] - -If you want an exception to apply to multiple rules, you can add an exception to a shared exception list. Shared exception lists allow you to group exceptions together and then associate them with multiple rules. Refer to [Create and manage shared exception lists](../../../solutions/security/detect-and-alert/create-manage-shared-exception-lists.md) to learn more. 
- -:::{image} ../../../images/serverless--detections-rule-exceptions-page.png -:alt: Shared Exception Lists page -:class: screenshot -::: - - - - diff --git a/raw-migrated-files/docs-content/serverless/security-shared-exception-lists.md b/raw-migrated-files/docs-content/serverless/security-shared-exception-lists.md deleted file mode 100644 index fd5674191..000000000 --- a/raw-migrated-files/docs-content/serverless/security-shared-exception-lists.md +++ /dev/null 
@@ -1,146 +0,0 @@ -# Create and manage shared exception lists [security-shared-exception-lists] - -Shared exception lists allow you to group exceptions together and then apply them to multiple rules. Use the Shared Exception Lists page to set up shared exception lists. - -:::{image} ../../../images/serverless--detections-rule-exceptions-page.png -:alt: Shared Exception Lists page -:class: screenshot -::: - - -## Create shared exception lists [create-shared-exception-list] - -Set up shared exception lists to contain exception items: - -1. Go to **Rules** → **Shared exception lists**. -2. Click **Create shared exception list** → **Create shared list**. -3. Give the shared exception list a name. -4. (Optional) Provide a description. -5. Click **Create shared exception list**. - - -## Add exception items to shared exception lists [add-exception-items] - -Add exception items: - -1. Go to **Rules** → **Shared exception lists**. -2. Click **Create shared exception list** → **Create exception item**. - - ::::{tip} - You can add exceptions to an empty shared exception list by expanding the list, or viewing its details page and clicking **Create rule exception**. After creating an exception, you can associate the shared exception list with rules. Refer to [Associate shared exception lists with rules](../../../solutions/security/detect-and-alert/create-manage-shared-exception-lists.md#link-shared-exception-lists) to learn more. - - :::: - -3. In the **Add rule exception** flyout, name the exception item and add conditions that define when the exception prevents alerts. When the exception’s query conditions are met (the query evaluates to `true`), rules do not generate alerts even when other rule criteria are met. - - 1. **Field**: Select a field to identify the event being filtered. - 2. **Operator**: Select an operator to define the condition: - - * `is` | `is not` — Must be an exact match of the defined value. 
- * `is one of` | `is not one of` — Matches any of the defined values. - * `exists` | `does not exist` — The field exists. - * `is in list` | `is not in list` — Matches values in a value list. - - ::::{note} - * An exception defined by a value list must use `is in list` or `is not in list` in all conditions. - * Wildcards are not supported in value lists. - * If a value list can’t be used due to [size or data type](../../../solutions/security/detect-and-alert/create-manage-value-lists.md#create-value-lists), it’ll be unavailable in the **Value** menu. - - :::: - - * `matches` | `does not match` — Allows you to use wildcards in **Value**, such as `C:\path*\app.exe`. Available wildcards are `?` (match one character) and `*` (match zero or more characters). The selected **Field** data type must be [keyword](https://www.elastic.co/guide/en/elasticsearch/reference/current/keyword.html#keyword-field-type), [text](https://www.elastic.co/guide/en/elasticsearch/reference/current/text.html#text-field-type), or [wildcard](https://www.elastic.co/guide/en/elasticsearch/reference/current/keyword.html#wildcard-field-type). - - ::::{important} - Using wildcards can impact performance. To create a more efficient exception using wildcards, use multiple conditions and make them as specific as possible. For example, adding conditions using `process.name` or `file.name` can help limit the scope of wildcard matching. - - :::: - - 3. **Value**: Enter the value associated with the **Field**. To enter multiple values (when using `is one of` or `is not one of`), enter each value, then press **Return**. - -4. Click **AND** or **OR** to create multiple conditions and define their relationships. -5. Click **Add nested condition** to create conditions using nested fields. This is only required for [these nested fields](../../../solutions/security/detect-and-alert/add-manage-exceptions.md). For all other fields, nested conditions should not be used. -6. 
Choose to add the exception to shared exception lists. - - ::::{note} - This option will be unavailable if a shared exception list doesn’t exist. In addition, you can’t add an endpoint exception item to the Endpoint Security Exception List from this UI. Refer to [Add {{elastic-endpoint}} exceptions](../../../solutions/security/detect-and-alert/add-manage-exceptions.md#endpoint-rule-exceptions) for instructions about creating endpoint exceptions. - - :::: - -7. (Optional) Enter a comment describing the exception. -8. (Optional) Enter a future expiration date and time for the exception. -9. (Optional) **Close all alerts that match this exception and were generated by this rule**: Closes all alerts that match the exception’s conditions and were generated only by the current rule. -10. Click **Add rule exception**. - - -## Associate shared exception lists with rules [link-shared-exception-lists] - -Apply shared exception lists to rules: - -1. Go to **Rules** → **Shared exception lists**. -2. Do one of the following: - - * Select a shared exception list’s name to open its details page, then click **Link rules**. - * Find the shared exception list you want to assign to rules, then from the **More actions** menu (![Actions menu](../../../images/serverless-boxesHorizontal.svg "")), select **Link rules**. - -3. Click the toggles in the **Link** column to select the rules you want to link to the exception list. - - ::::{tip} - If you know a rule’s name, you can enter it into the search bar. - - :::: - -4. Click **Save**. -5. (Optional) To verify that the shared exception list was added to the rules you selected: - - 1. Open a rule’s details page (**Rules** → **Detection rules (SIEM)*** → ***Rule name**). - 2. Scroll down the page, and then select the **Rule exceptions** tab. - 3. Navigate to the exception items that are included in the shared exception list. Click the **Affects shared list** link to view the associated shared exception lists. 
- - :::{image} ../../../images/serverless--detections-associated-shared-exception-list.png - :alt: Associated shared exceptions - :class: screenshot - ::: - - - -## View and filter exception lists [view-shared-exception-lists] - -The Shared Exception Lists page displays each shared exception list on an individual row, with the most recently created list at the top. Each row contains these details about the shared exception list: - -* Shared exception list name -* Date the list was created -* Username of the user who created the list -* Number of exception items in the shared exception list -* Number of rules the shared exception list affects - -To view the details of an exception item within a shared exception list, expand a row. - -:::{image} ../../../images/serverless--detections-view-filter-shared-exception.png -:alt: Associated shared exceptions -:class: screenshot -::: - -To filter exception lists by a specific value, enter a value in the search bar. You can search the following attributes: - -* `name` -* `list_id` -* `created_by` - -If no attribute is selected, the app searches the list name by default. - - -## Manage shared exception lists [manage-exception-lists] - -You can edit, export, import, duplicate, and delete shared exception lists from the Shared Exception Lists page. - -To export or delete an exception list, select the required action button on the appropriate list. Note the following: - -* Exception lists are exported to `.ndjson` files. -* Exception lists are also exported as part of any exported detection rules configured with exceptions. Refer to [Export and import rules](../../../solutions/security/detect-and-alert/manage-detection-rules.md#import-export-rules-ui). -* If an exception list is linked to any rules, you’ll get a warning asking you to confirm the deletion. -* If an exception list contains expired exceptions, you can choose whether to include them in the exported file. 
- -:::{image} ../../../images/serverless--detections-actions-exception-list.png -:alt: Detail of Exception lists table with export and delete buttons highlighted -:class: screenshot -::: diff --git a/raw-migrated-files/docs-content/serverless/security-value-lists-exceptions.md b/raw-migrated-files/docs-content/serverless/security-value-lists-exceptions.md deleted file mode 100644 index d4a22b36b..000000000 --- a/raw-migrated-files/docs-content/serverless/security-value-lists-exceptions.md +++ /dev/null 
@@ -1,101 +0,0 @@ -# Create and manage value lists [security-value-lists-exceptions] - -Value lists hold multiple values of the same Elasticsearch data type, such as IP addresses, which are used to determine when an exception prevents an alert from being generated. You can use value lists to define exceptions for detection rules; however, you cannot use value lists to define endpoint rule exceptions. - -Value lists are lists of items with the same {{es}} [data type](https://www.elastic.co/guide/en/elasticsearch/reference/current/mapping-types.html). You can create value lists with these types: - -* `Keywords` (many [ECS fields](https://www.elastic.co/guide/en/ecs/{{ecs_version}}/ecs-field-reference.html) are keywords) -* `IP Addresses` -* `IP Ranges` -* `Text` - -After creating value lists, you can use `is in list` and `is not in list` operators to [define exceptions](../../../solutions/security/detect-and-alert/add-manage-exceptions.md). - -::::{tip} -You can also use a value list as the [indicator match index](../../../solutions/security/detect-and-alert/create-detection-rule.md#indicator-value-lists) when creating an indicator match rule. - -:::: - - - -## Create value lists [create-value-lists] - -When you create a value list for a rule exception, be mindful of the list’s size and data type. All rule types support value list exceptions, but extremely large lists or certain data types have limitations. - -Custom query, machine learning, and indicator match rules support the following value list types and sizes: - -* **Keywords** or **IP addresses** list types with more than 65,536 values -* **IP ranges** list type with over 200 dash notation values (for example, `127.0.0.1-127.0.0.4` is one value) or more than 65,536 CIDR notation values - -To create a value list: - -1. Prepare a `txt` or `csv` file with all the values you want to use for determining exceptions from a single list. If you use a `txt` file, new lines act as delimiters. 
- - ::::{important} - * All values in the file must be of the same {{es}} type. - * Wildcards are not supported in value lists. Values must be literal values. - * The maximum accepted file size is 9 million bytes. - - :::: - -2. Go to **Rules** → **Detection rules (SIEM)**. -3. Click **Manage value lists**. The **Manage value lists** window opens. - - ![Manage value lists flyout](../../../images/serverless--detections-upload-lists-ui.png "") - -4. Select the list type (**Keywords**, **IP addresses***, ***IP ranges***, or ***Text**) from the **Type of value list** drop-down. -5. Drag or select the `csv` or `txt` file that contains the values. -6. Click **Import value list**. - -::::{note} -If you import a file with a name that already exists, a new list is not created. The imported values are added to the existing list instead. - -:::: - - - -## Manage value lists [manage-value-lists] - -You can edit, remove, or export existing value lists. - - -### Edit value lists [edit-value-lists] - -1. Go to **Rules** → **Detection rules (SIEM)**. -2. Click **Manage value lists**. The **Manage value lists** window opens. -3. In the **Value lists** table, click the value list you want to edit. -4. Do any of the following: - - * **Filter items in the list**: Use the KQL search bar to find values in the list. Depending on your list’s type, you can filter by the `keyword`, `ip_range`, `ip`, or `text` fields. For example, to filter by Gmail addresses in a value list of the `keyword` type, enter `keyword:*gmail.com` into the search bar. - - You can also filter by the `updated_by` field (for example, `updated_by:testuser`), or the `updated at` field (for example, `updated_at < now`). - - * **Add individual items to the list**: Click **Create list item**, enter a value, then click **Add list item**. - * **Bulk upload list items**: Drag or select the `csv` or `txt` file that contains the values that you want to add, then click **Upload**. 
- * **Edit a value**: In the Value column, go to the value you want to edit and click the **Edit*** button (![Edit](../../../images/serverless-pencil.svg "")). When you’re done editing, click the ***Save** button (![Save](../../../images/serverless-check.svg "")) to save your changes. Click the **Cancel** button (![Edit](../../../images/serverless-cross.svg "")) to revert your changes. - * **Remove a value**: Click the **Remove value** button (![Remove value list](../../../images/serverless-trash.svg "")) to delete a value from the list. - - ![Manage items in a value list](../../../images/serverless--detections-edit-value-lists.png "") - - -::::{tip} -You can also edit value lists while creating and managing exceptions that use value lists. - -:::: - - - -### Export or remove value lists [export-remove-value-lists] - -1. Go to **Rules** → **Detection rules (SIEM)**. -2. Click **Manage value lists**. The **Manage value lists** window opens. -3. From the **Value lists** table, you can: - - * Click the **Export value list** button (![Export value list](../../../images/serverless-exportAction.svg "")) to export the value list. - * Click the **Remove value list** button (![Remove value list](../../../images/serverless-trash.svg "")) to delete the value list. - - -:::{image} ../../../images/serverless--detections-manage-value-list.png -:alt: Import value list flyout with action buttons highlighted -:class: screenshot -::: diff --git a/raw-migrated-files/security-docs/security/add-exceptions.md b/raw-migrated-files/security-docs/security/add-exceptions.md deleted file mode 100644 index 7a152ef4a..000000000 --- a/raw-migrated-files/security-docs/security/add-exceptions.md +++ /dev/null 
@@ -1,298 +0,0 @@ -# Add and manage exceptions [add-exceptions] - -You can add exceptions to a rule from the rule details page, the Alerts table, the alert details flyout, or the Shared Exception Lists page. When you add an exception, you can also close all alerts that meet the exception’s criteria. - -::::{important} -* To ensure an exception is successfully applied, ensure that the fields you’ve defined for its query are correctly and consistently mapped in their respective indices. Refer to [ECS](https://www.elastic.co/guide/en/ecs/{{ecs_version}}) to learn more about supported mappings. -* Be careful when adding exceptions to [event correlation](../../../solutions/security/detect-and-alert/create-detection-rule.md#create-eql-rule) rules. Exceptions are evaluated against every event in the sequence, and if an exception matches any events that are necessary to complete the sequence, alerts are not created. - - To exclude values from a specific event in the sequence, update the rule’s EQL statement. For example: - - ```eql - `sequence - [file where file.extension == "exe" - and file.name != "app-name.exe"] - [process where true - and process.name != "process-name.exe"]` - ``` - -* Be careful when adding exceptions to [indicator match](../../../solutions/security/detect-and-alert/create-detection-rule.md#create-indicator-rule) rules. Exceptions are evaluated against source and indicator indices, so if the exception matches events in *either* index, alerts are not generated. - -:::: - - - -## Add exceptions to a rule [detection-rule-exceptions] - -1. Do one of the following: - - * To add an exception from the rule details page: - - 1. Find **Detection rules (SIEM)** in the navigation menu or by using the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md). - 2. In the Rules table, search for the rule that you want to add an exception to, then click its name to open the rule details. - 3. 
Scroll down the rule details page, select the **Rule exceptions** tab, then click **Add rule exception**. - - :::{image} ../../../images/security-rule-exception-tab.png - :alt: Detail of rule exceptions tab - :class: screenshot - ::: - - * To add an exception from the Alerts table: - - 1. Find **Alerts** in the navigation menu or by using the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md). - 2. Scroll down to the Alerts table, go to the alert you want to create an exception for, click the **More Actions** menu (**…​**), then select **Add rule exception**. - - * To add an exception from the alert details flyout: - - 1. Find **Alerts** in the navigation menu or by using the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md). - 2. Click the **View details** button from the Alerts table. - 3. In the alert details flyout, click **Take action → Add rule exception**. - - * To add an exception from the Shared Exception Lists page: - - 1. Find the **Shared exception lists** page in the navigation menu or by using the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md). - 2. Click **Create shared exception list** → **Create exception item**. - -2. In the **Add rule exception** flyout, name the exception. -3. Add conditions that define the exception. When the exception’s query evaluates to `true`, rules don’t generate alerts even when their criteria are met. - - ::::{important} - Rule exceptions are case-sensitive, which means that any character that’s entered as an uppercase or lowercase letter will be treated as such. In the event you *don’t* want a field evaluated as case-sensitive, some ECS fields have a `.caseless` version that you can use. - :::: - - - ::::{note} - When you create a new exception from an alert, exception conditions are auto-populated with relevant alert data. Data from custom highlighted fields is listed first. 
A comment that describes the auto-generated exception conditions is also added to the **Add comments** section. - :::: - - - 1. **Field**: Select a field to identify the event being filtered. - - ::::{note} - A warning displays for fields with conflicts. Using these fields might cause unexpected exceptions behavior. Refer to [Troubleshooting type conflicts and unmapped fields](../../../troubleshoot/security/detection-rules.md#rule-exceptions-field-conflicts) for more information. - - :::: - - 2. **Operator**: Select an operator to define the condition: - - * `is` | `is not` — Must be an exact match of the defined value. - * `is one of` | `is not one of` — Matches any of the defined values. - * `exists` | `does not exist` — The field exists. - * `is in list` | `is not in list` — Matches values in a value list. - - ::::{note} - * An exception defined by a value list must use `is in list` or `is not in list` in all conditions. - * Wildcards are not supported in value lists. - * If a value list can’t be used due to [size or data type](../../../solutions/security/detect-and-alert/create-manage-value-lists.md#manage-value-lists), it’ll be unavailable in the **Value** menu. - - :::: - - * `matches` | `does not match` — Allows you to use wildcards in **Value**, such as `C:\\path\\*\\app.exe`. Available wildcards are `?` (match one character) and `*` (match zero or more characters). The selected **Field** data type must be [keyword](https://www.elastic.co/guide/en/elasticsearch/reference/current/keyword.html#keyword-field-type), [text](https://www.elastic.co/guide/en/elasticsearch/reference/current/text.html#text-field-type), or [wildcard](https://www.elastic.co/guide/en/elasticsearch/reference/current/keyword.html#wildcard-field-type). - - ::::{note} - Some characters must be escaped with a backslash, such as `\\` for a literal backslash, `\*` for an asterisk, and `\?` for a question mark. 
Windows paths must be divided with double backslashes (for example, `C:\\Windows\\explorer.exe`), and paths that already include double backslashes might require four backslashes for each divider. - :::: - - - ::::{important} - Using wildcards can impact performance. To create a more efficient exception using wildcards, use multiple conditions and make them as specific as possible. For example, adding conditions using `process.name` or `file.name` can help limit the scope of wildcard matching. - :::: - - 3. **Value**: Enter the value associated with the **Field**. To enter multiple values (when using `is one of` or `is not one of`), enter each value, then press **Return**. - - ::::{note} - The `is one of` and `is not one of` operators support identical, case-sensitive values. For example, if you want to match the values `Windows` and `windows`, add both values to the **Value** field. - :::: - - - In the following example, the exception was created from the Rules page and prevents the rule from generating alerts when the `svchost.exe` process runs on hostname `siem-kibana`. - - :::{image} ../../../images/security-add-exception-ui.png - :alt: add exception ui - :class: screenshot - ::: - -4. Click **AND** or **OR** to create multiple conditions and define their relationships. -5. Click **Add nested condition** to create conditions using nested fields. This is only required for [these nested fields](../../../solutions/security/detect-and-alert/add-manage-exceptions.md#nested-field-list). For all other fields, nested conditions should not be used. -6. Choose to add the exception to a rule or a shared exception list. - - ::::{note} - If you are creating an exception from the Shared Exception Lists page, you can add the exception to multiple rules. - :::: - - - ::::{tip} - If a shared exception list doesn’t exist, you can [create one](../../../solutions/security/detect-and-alert/create-manage-shared-exception-lists.md) from the Shared Exception Lists page. - :::: - -7. 
(Optional) Enter a comment describing the exception. -8. (Optional) Enter a future expiration date and time for the exception. -9. Select one of the following alert actions: - - * **Close this alert**: Closes the alert when the exception is added. This option is only available when adding exceptions from the Alerts table. - * **Close all alerts that match this exception and were generated by this rule**: Closes all alerts that match the exception’s conditions and were generated only by the current rule. - -10. Click **Add rule exception**. - - -## Add {{elastic-endpoint}} exceptions [endpoint-rule-exceptions] - -You can add {{elastic-endpoint}} exceptions to [endpoint protection rules](../../../solutions/security/manage-elastic-defend/endpoint-protection-rules.md) or to rules that are associated with {{elastic-endpoint}} rule exceptions. To associate rules when creating or editing a rule, select the [**{{elastic-endpoint}} exceptions**](../../../solutions/security/detect-and-alert/create-detection-rule.md#rule-ui-advanced-params) option. - -Endpoint exceptions are added to the endpoint protection rules **and** the {{elastic-endpoint}} on your hosts. - -::::{important} -Exceptions added to the endpoint protection rules affect all alerts sent from {{elastic-endpoint}}. Be careful not to unintentionally prevent useful Endpoint alerts. - -Additionally, to add an Endpoint exception to an endpoint protection rule, there must be at least one {{elastic-endpoint}} alert generated in the system. For non-production use, if no alerts exist, you can trigger a test alert using malware emulation techniques or tools such as the Anti Malware Testfile from the [European Institute for Computer Anti-Virus Research (EICAR)](https://www.eicar.org/). - -:::: - - -::::{important} -[Binary fields](https://www.elastic.co/guide/en/elasticsearch/reference/current/binary.html) are not supported in detection rule exceptions. - -:::: - - -1. 
Do one of the following: - - * To add an Endpoint exception from the rule details page: - - 1. Find **Detection rules (SIEM)** in the navigation menu or by using the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md). - 2. In the Rules table, search for and select one of the [endpoint protection rules](../../../solutions/security/manage-elastic-defend/endpoint-protection-rules.md). - 3. Scroll down the rule details page, select the **Endpoint exceptions** tab, then click **Add endpoint exception**. - - * To add an Endpoint exception from the Alerts table: - - 1. Find **Alerts** in the navigation menu or by using the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md). - 2. Scroll down to the Alerts table, and from an {{elastic-endpoint}} alert, click the **More actions** menu (**…​**), then select **Add Endpoint exception**. - - * To add an Endpoint exception from Shared Exception Lists page: - - 1. Find the **Shared exception lists** page in the navigation menu or by using the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md). - 2. Expand the Endpoint Security Exception List or click the list name to open the list’s details page. Next, click **Add endpoint exception**. - - ::::{note} - The Endpoint Security Exception List is automatically created. By default, it’s associated with endpoint protection rules and any rules with the [**{{elastic-endpoint}} exceptions**](../../../solutions/security/detect-and-alert/create-detection-rule.md#rule-ui-advanced-params) option selected. - :::: - - - The **Add Endpoint Exception** flyout opens. - - :::{image} ../../../images/security-endpoint-add-exp.png - :alt: endpoint add exp - :class: screenshot - ::: - -2. If required, modify the conditions. - - ::::{important} - Rule exceptions are case-sensitive, which means that any character that’s entered as an uppercase or lowercase letter will be treated as such. 
In the event you *don’t* want a field evaluated as case-sensitive, some ECS fields have a `.caseless` version that you can use. - :::: - - - ::::{note} - * Fields with conflicts are marked with a warning icon (![Field conflict warning icon](../../../images/security-field-warning-icon.png "")). Using these fields might cause unexpected exceptions behavior. For more information, refer to [Troubleshooting type conflicts and unmapped fields](../../../troubleshoot/security/detection-rules.md#rule-exceptions-field-conflicts). - * The `is one of` and `is not one of` operators support identical, case-sensitive values. For example, if you want to match the values `Windows` and `windows`, add both values to the **Value** field. - - :::: - -3. (Optional) Add a comment to the exception. -4. You can select any of the following: - - * **Close this alert**: Closes the alert when the exception is added. This option is only available when adding exceptions from the Alerts table. - * **Close all alerts that match this exception and were generated by this rule**: Closes all alerts that match the exception’s conditions. - -5. Click **Add Endpoint Exception**. An exception is created for both the detection rule and the {{elastic-endpoint}}. - - ::::{note} - It might take longer for exceptions to be applied to hosts within larger deployments. - :::: - - - -## Exceptions with nested conditions [ex-nested-conditions] - -Some Endpoint objects contain nested fields, and the only way to ensure you are excluding the correct fields is with nested conditions. 
One example is the `process.Ext` object: - -```json -{ - "ancestry": [], - "code_signature": { - "trusted": true, - "subject_name": "LFC", - "exists": true, - "status": "trusted" - }, - "user": "WDAGUtilityAccount", - "token": { - "elevation": true, - "integrity_level_name": "high", - "domain": "27FB305D-3838-4", - "user": "WDAGUtilityAccount", - "elevation_type": "default", - "sid": "S-1-5-21-2047949552-857980807-821054962-504" - } -} -``` - -$$$nested-field-list$$$ -Only these objects require nested conditions to ensure the exception functions correctly: - -* `Endpoint.policy.applied.artifacts.global.identifiers` -* `Endpoint.policy.applied.artifacts.user.identifiers` -* `Target.dll.Ext.code_signature` -* `Target.process.Ext.code_signature` -* `Target.process.Ext.token.privileges` -* `Target.process.parent.Ext.code_signature` -* `Target.process.thread.Ext.token.privileges` -* `dll.Ext.code_signature` -* `file.Ext.code_signature` -* `file.Ext.macro.errors` -* `file.Ext.macro.stream` -* `process.Ext.code_signature` -* `process.Ext.token.privileges` -* `process.parent.Ext.code_signature` -* `process.thread.Ext.token.privileges` - - -### Nested condition example [_nested_condition_example] - -Creates an exception that excludes all LFC-signed trusted processes: - -:::{image} ../../../images/security-nested-exp.png -:alt: nested exp -:class: screenshot -::: - - -## View and manage exceptions [manage-exception] - -To view a rule’s exceptions: - -1. Open the rule’s details page. To do this, find **Detection rules (SIEM)** in the navigation menu or look for “Detection rules (SIEM)” using the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md), search for the rule that you want to examine, then click the rule’s name to open its details. -2. Scroll down and select the **Rule exceptions** or **Endpoint exceptions** tab. All exceptions that belong to the rule will display in a list. - - From the list, you can filter, edit, and delete exceptions. 
You can also toggle between **Active exceptions** and **Expired exceptions**. - - :::{image} ../../../images/security-manage-default-rule-list.png - :alt: A default rule list - :class: screenshot - ::: - - - -## Find rules using the same exceptions [rules-using-same-exception] - -To find out if an exception is used by other rules, select the **Rule exceptions** or **Endpoint exceptions** tab, navigate to an exception list item, then click **Affects *X* rules**. - -::::{note} -Changes that you make to the exception also apply to other rules that use the exception. -:::: - - -:::{image} ../../../images/security-exception-affects-multiple-rules.png -:alt: Exception that affects multiple rules -:class: screenshot -::: diff --git a/raw-migrated-files/security-docs/security/detections-ui-exceptions.md b/raw-migrated-files/security-docs/security/detections-ui-exceptions.md deleted file mode 100644 index 270e2318d..000000000 --- a/raw-migrated-files/security-docs/security/detections-ui-exceptions.md +++ /dev/null 
@@ -1,36 +0,0 @@ -# Rule exceptions [detections-ui-exceptions] - -You can associate rule exceptions with detection and endpoint rules to prevent trusted processes and network activity from generating unnecessary alerts, therefore, reducing the number of false positives. - -When creating exceptions, you can assign them to [individual rules](../../../solutions/security/detect-and-alert/rule-exceptions.md#rule-exceptions-intro) or to [multiple rules](../../../solutions/security/detect-and-alert/rule-exceptions.md#shared-exception-list-intro). - - -## Exceptions for individual rules [rule-exceptions-intro] - -Exceptions, also referred to as *exception items*, contain the source event conditions that determine when alerts shouldn’t be generated. - -You can create exceptions that apply exclusively to a single rule. These types of exceptions can’t be used by other rules, and you must manage them from the rule’s details page. To learn more about creating and managing single-rule exceptions, refer to [Add and manage exceptions](../../../solutions/security/detect-and-alert/add-manage-exceptions.md). - -:::{image} ../../../images/security-exception-item-example.png -:alt: An exception item -:class: screenshot -::: - -::::{note} -You can also use [value lists](../../../solutions/security/detect-and-alert/create-manage-value-lists.md) to define exceptions for detection rules. Value lists allow you to match an exception against a list of possible values. -:::: - - - -## Exceptions shared among multiple rules [shared-exception-list-intro] - -If you want an exception to apply to multiple rules, you can add an exception to a shared exception list. Shared exception lists allow you to group exceptions together and then associate them with multiple rules. Refer to [Create and manage shared exception lists](../../../solutions/security/detect-and-alert/create-manage-shared-exception-lists.md) to learn more. 
- -:::{image} ../../../images/security-rule-exceptions-page.png -:alt: Shared Exception Lists page -:class: screenshot -::: - - - - diff --git a/raw-migrated-files/security-docs/security/shared-exception-lists.md b/raw-migrated-files/security-docs/security/shared-exception-lists.md deleted file mode 100644 index ff651f430..000000000 --- a/raw-migrated-files/security-docs/security/shared-exception-lists.md +++ /dev/null 
@@ -1,152 +0,0 @@ -# Create and manage shared exception lists [shared-exception-lists] - -Shared exception lists allow you to group exceptions together and then apply them to multiple rules. Use the Shared Exception Lists page to set up shared exception lists. - -::::{note} -Exception lists created in 8.5 and earlier become shared exception lists in 8.6 or later. You can access all shared exception lists from the Shared Exception Lists page. -:::: - - -:::{image} ../../../images/security-rule-exceptions-page.png -:alt: Shared Exception Lists page -:class: screenshot -::: - - -## Create shared exception lists [create-shared-exception-list] - -Set up shared exception lists to contain exception items: - -1. Find the **Shared exception lists** page in the navigation menu or by using the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md). -2. Click **Create shared exception list** → **Create shared list**. -3. Give the shared exception list a name. -4. (Optional) Provide a description. -5. Click **Create shared exception list**. - - -## Add exception items to shared exception lists [add-exception-items] - -Add exception items: - -1. Find the **Shared exception lists** page in the navigation menu or by using the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md). -2. Click **Create shared exception list** → **Create exception item**. - - ::::{tip} - You can add exceptions to an empty shared exception list by expanding the list, or viewing its details page and clicking **Create rule exception**. After creating an exception, you can associate the shared exception list with rules. Refer to [Associate shared exception lists with rules](../../../solutions/security/detect-and-alert/create-manage-shared-exception-lists.md#link-shared-exception-lists) to learn more. - :::: - -3. In the **Add rule exception** flyout, name the exception item and add conditions that define when the exception prevents alerts. 
When the exception’s query conditions are met (the query evaluates to `true`), rules do not generate alerts even when other rule criteria are met. - - 1. **Field**: Select a field to identify the event being filtered. - 2. **Operator**: Select an operator to define the condition: - - * `is` | `is not` — Must be an exact match of the defined value. - * `is one of` | `is not one of` — Matches any of the defined values. - * `exists` | `does not exist` — The field exists. - * `is in list` | `is not in list` — Matches values in a value list. - - ::::{note} - * An exception defined by a value list must use `is in list` or `is not in list` in all conditions. - * Wildcards are not supported in value lists. - * If a value list can’t be used due to [size or data type](../../../solutions/security/detect-and-alert/create-manage-value-lists.md#manage-value-lists), it’ll be unavailable in the **Value** menu. - - :::: - - * `matches` | `does not match` — Allows you to use wildcards in **Value**, such as `C:\path\*\app.exe`. Available wildcards are `?` (match one character) and `*` (match zero or more characters). The selected **Field** data type must be [keyword](https://www.elastic.co/guide/en/elasticsearch/reference/current/keyword.html#keyword-field-type), [text](https://www.elastic.co/guide/en/elasticsearch/reference/current/text.html#text-field-type), or [wildcard](https://www.elastic.co/guide/en/elasticsearch/reference/current/keyword.html#wildcard-field-type). - - ::::{important} - Using wildcards can impact performance. To create a more efficient exception using wildcards, use multiple conditions and make them as specific as possible. For example, adding conditions using `process.name` or `file.name` can help limit the scope of wildcard matching. - :::: - - 3. **Value**: Enter the value associated with the **Field**. To enter multiple values (when using `is one of` or `is not one of`), enter each value, then press **Return**. - -4. 
Click **AND** or **OR** to create multiple conditions and define their relationships. -5. Click **Add nested condition** to create conditions using nested fields. This is only required for [these nested fields](../../../solutions/security/detect-and-alert/add-manage-exceptions.md#nested-field-list). For all other fields, nested conditions should not be used. -6. Choose to add the exception to shared exception lists. - - ::::{note} - This option will be unavailable if a shared exception list doesn’t exist. In addition, you can’t add an endpoint exception item to the Endpoint Security Exception List from this UI. Refer to [Add {{elastic-endpoint}} exceptions](../../../solutions/security/detect-and-alert/add-manage-exceptions.md#endpoint-rule-exceptions) for instructions about creating endpoint exceptions. - :::: - -7. (Optional) Enter a comment describing the exception. -8. (Optional) Enter a future expiration date and time for the exception. -9. (Optional) **Close all alerts that match this exception and were generated by this rule**: Closes all alerts that match the exception’s conditions and were generated only by the current rule. -10. Click **Add rule exception**. - - -## Associate shared exception lists with rules [link-shared-exception-lists] - -Apply shared exception lists to rules: - -1. Find the **Shared exception lists** page in the navigation menu or by using the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md). -2. Do one of the following: - - * Select a shared exception list’s name to open its details page, then click **Link rules**. - * Find the shared exception list you want to assign to rules, then from the **More actions** menu (**…​**), select **Link rules**. - -3. Click the toggles in the **Link** column to select the rules you want to link to the exception list. - - ::::{tip} - If you know a rule’s name, you can enter it into the search bar. - :::: - -4. Click **Save**. -5. 
(Optional) To verify that the shared exception list was added to the rules you selected: - - 1. Open a rule’s details page (**Rules → Detection rules (SIEM) → *Rule name***). - 2. Scroll down the page, and then select the **Rule exceptions** tab. - 3. Navigate to the exception items that are included in the shared exception list. Click the **Affects shared list** link to view the associated shared exception lists. - - :::{image} ../../../images/security-associated-shared-exception-list.png - :alt: Associated shared exceptions - :class: screenshot - ::: - - - -## View and filter exception lists [view-shared-exception-lists] - -The Shared Exception Lists page displays each shared exception list on an individual row, with the most recently created list at the top. Each row contains these details about the shared exception list: - -* Shared exception list name -* Date the list was created -* Username of the user who created the list -* Number of exception items in the shared exception list -* Number of rules the shared exception list affects - -To view the details of an exception item within a shared exception list, expand a row. - -:::{image} ../../../images/security-view-filter-shared-exception.png -:alt: Associated shared exceptions -:class: screenshot -::: - -To filter exception lists by a specific value, enter a value in the search bar. You can search the following attributes: - -* `name` -* `list_id` -* `created_by` - -If no attribute is selected, the app searches the list name by default. - - -## Manage shared exception lists [manage-exception-lists] - -You can edit, export, import, duplicate, and delete shared exception lists from the Shared Exception Lists page. - -::::{note} -Exception lists created in 8.5 and earlier become shared exception lists in 8.6 or later. You can access all shared exception lists from the Shared Exception Lists page. -:::: - - -To export or delete an exception list, select the required action button on the appropriate list. 
Note the following: - -* Exception lists are exported to `.ndjson` files. -* Exception lists are also exported as part of any exported detection rules configured with exceptions. Refer to [Export and import rules](../../../solutions/security/detect-and-alert/manage-detection-rules.md#import-export-rules-ui). -* If an exception list is linked to any rules, you’ll get a warning asking you to confirm the deletion. -* If an exception list contains expired exceptions, you can choose whether to include them in the exported file. - -:::{image} ../../../images/security-actions-exception-list.png -:alt: Detail of Exception lists table with export and delete buttons highlighted -:class: screenshot -::: diff --git a/raw-migrated-files/security-docs/security/value-lists-exceptions.md b/raw-migrated-files/security-docs/security/value-lists-exceptions.md deleted file mode 100644 index 27ef3616c..000000000 --- a/raw-migrated-files/security-docs/security/value-lists-exceptions.md +++ /dev/null 
@@ -1,103 +0,0 @@ -# Create and manage value lists [value-lists-exceptions] - -Value lists hold multiple values of the same Elasticsearch data type, such as IP addresses, which are used to determine when an exception prevents an alert from being generated. You can use value lists to define exceptions for detection rules; however, you cannot use value lists to define endpoint rule exceptions. - -Value lists are lists of items with the same {{es}} [data type](https://www.elastic.co/guide/en/elasticsearch/reference/current/mapping-types.html). You can create value lists with these types: - -* `Keywords` (many [ECS fields](https://www.elastic.co/guide/en/ecs/{{ecs_version}}/ecs-field-reference.html) are keywords) -* `IP Addresses` -* `IP Ranges` -* `Text` - -After creating value lists, you can use `is in list` and `is not in list` operators to [define exceptions](../../../solutions/security/detect-and-alert/add-manage-exceptions.md). - -::::{tip} -You can also use a value list as the [indicator match index](../../../solutions/security/detect-and-alert/create-detection-rule.md#indicator-value-lists) when creating an indicator match rule. -:::: - - - -## Create value lists [create-value-lists] - -When you create a value list for a rule exception, be mindful of the list’s size and data type. All rule types support value list exceptions, but extremely large lists or certain data types have limitations. - -Custom query, machine learning, and indicator match rules support the following value list types and sizes: - -* **Keywords** or **IP addresses** list types with more than 65,536 values -* **IP ranges** list type with over 200 dash notation values (for example, `127.0.0.1-127.0.0.4` is one value) or more than 65,536 CIDR notation values - -To create a value list: - -1. Prepare a `txt` or `csv` file with all the values you want to use for determining exceptions from a single list. If you use a `txt` file, new lines act as delimiters. 
- - ::::{important} - * All values in the file must be of the same {{es}} type. - * Wildcards are not supported in value lists. Values must be literal values. - * The maximum accepted file size is 9 million bytes. - - :::: - -2. Find **Detection rules (SIEM)** in the navigation menu or by using the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md). -3. Click **Manage value lists**. The **Manage value lists** window opens. - - :::{image} ../../../images/security-upload-lists-ui.png - :alt: Manage value lists flyout - :class: screenshot - ::: - -4. Select the list type (**Keywords**, **IP addresses**, **IP ranges**, or **Text**) from the **Type of value list** drop-down. -5. Drag or select the `csv` or `txt` file that contains the values. -6. Click **Import value list**. - -::::{note} -If you import a file with a name that already exists, a new list is not created. The imported values are added to the existing list instead. -:::: - - - -## Manage value lists [manage-value-lists] - -You can edit, remove, or export existing value lists. - - -### Edit value lists [edit-value-lists] - -1. Find **Detection rules (SIEM)** in the navigation menu or by using the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md). -2. Click **Manage value lists**. The **Manage value lists** window opens. -3. In the **Value lists** table, click the value list you want to edit. -4. Do any of the following: - - * **Filter items in the list**: Use the KQL search bar to find values in the list. Depending on your list’s type, you can filter by the `keyword`, `ip_range`, `ip`, or `text` fields. For example, to filter by Gmail addresses in a value list of the `keyword` type, enter `keyword:*gmail.com` into the search bar. - - You can also filter by the `updated_by` field (for example, `updated_by:testuser`), or the `updated at` field (for example, `updated_at < now`). 
- - * **Add individual items to the list**: Click **Create list item**, enter a value, then click **Add list item**. - * **Bulk upload list items**: Drag or select the `csv` or `txt` file that contains the values that you want to add, then click **Upload**. - * **Edit a value**: In the Value column, go to the value you want to edit and click the **Edit*** button (![Edit button from Manage value lists window](../../../images/security-edit-value-list-item.png "")). When you’re done editing, click the ***Save** button (![Save button from Manage value lists window](../../../images/security-save-value-list-item-changes.png "")) to save your changes. Click the **Cancel** button (![Cancel button from Manage value lists window](../../../images/security-cancel-value-list-item-changes.png "")) to revert your changes. - * **Remove a value**: Click the **Remove value** button (![Remove value list button from Manage value lists window](../../../images/security-remove-value-list-item.png "")) to delete a value from the list. - - -:::{image} ../../../images/security-edit-value-lists.png -:alt: Manage items in a value lists -:class: screenshot -::: - -::::{tip} -You can also edit value lists while creating and managing exceptions that use value lists. -:::: - - - -### Export or remove value lists [export-remove-value-lists] - -1. Find **Detection rules (SIEM)** in the navigation menu or by using the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md). -2. Click **Manage value lists**. The **Manage value lists** window opens. -3. From the **Value lists** table, you can: - - 1. Click the **Export value list** button (![Export button from Manage value lists window](../../../images/security-export-value-list.png "")) to export the value list. - 2. Click the **Remove value list** button (![Remove button from Manage value lists window](../../../images/security-remove-value-list.png "")) to delete the value list. 
- - :::{image} ../../../images/security-manage-value-list.png - :alt: Import value list flyout with action buttons highlighted - :class: screenshot - ::: diff --git a/raw-migrated-files/toc.yml b/raw-migrated-files/toc.yml index 869b24002..9f3d4bff7 100644 --- a/raw-migrated-files/toc.yml +++ b/raw-migrated-files/toc.yml @@ -398,7 +398,6 @@ toc: - file: docs-content/serverless/project-settings-content.md - file: docs-content/serverless/quickstart-monitor-hosts-with-otel.md - file: docs-content/serverless/security-about-rules.md - - file: docs-content/serverless/security-add-exceptions.md - file: docs-content/serverless/security-add-manage-notes.md - file: docs-content/serverless/security-advanced-settings.md - file: docs-content/serverless/security-agent-tamper-protection.md @@ -497,7 +496,6 @@ toc: - file: docs-content/serverless/security-response-actions-config.md - file: docs-content/serverless/security-response-actions-history.md - file: docs-content/serverless/security-response-actions.md - - file: docs-content/serverless/security-rule-exceptions.md - file: docs-content/serverless/security-rule-monitoring-dashboard.md - file: docs-content/serverless/security-rules-coverage.md - file: docs-content/serverless/security-rules-create.md @@ -505,7 +503,6 @@ toc: - file: docs-content/serverless/security-runtime-fields.md - file: docs-content/serverless/security-self-healing-rollback.md - file: docs-content/serverless/security-session-view.md - - file: docs-content/serverless/security-shared-exception-lists.md - file: docs-content/serverless/security-signals-to-cases.md - file: docs-content/serverless/security-third-party-actions.md - file: docs-content/serverless/security-timeline-templates-ui.md 
@@ -517,7 +514,6 @@ toc: - file: docs-content/serverless/security-ui.md - file: docs-content/serverless/security-uninstall-agent.md - file: docs-content/serverless/security-users-page.md - - file: docs-content/serverless/security-value-lists-exceptions.md - file: docs-content/serverless/security-view-alert-details.md - file: docs-content/serverless/security-visual-event-analyzer.md - file: docs-content/serverless/security-visualize-alerts.md @@ -775,7 +771,6 @@ toc: - file: security-docs/security/index.md children: - file: security-docs/security/about-rules.md - - file: security-docs/security/add-exceptions.md - file: security-docs/security/add-manage-notes.md - file: security-docs/security/admin-page-ov.md - file: security-docs/security/advanced-settings.md @@ -832,7 +827,6 @@ toc: - file: security-docs/security/detection-response-dashboard.md - file: security-docs/security/detections-logsdb-index-mode-impact.md - file: security-docs/security/detections-permissions-section.md - - file: security-docs/security/detections-ui-exceptions.md - file: security-docs/security/elastic-endpoint-deploy-reqs.md - file: security-docs/security/endpoint-artifacts.md - file: security-docs/security/endpoint-data-volume.md @@ -892,7 +886,6 @@ toc: - file: security-docs/security/security-posture-management.md - file: security-docs/security/self-healing-rollback.md - file: security-docs/security/session-view.md - - file: security-docs/security/shared-exception-lists.md - file: security-docs/security/signals-to-cases.md - file: security-docs/security/third-party-actions.md - file: security-docs/security/timeline-templates-ui.md 
@@ -903,7 +896,6 @@ toc: - file: security-docs/security/uninstall-agent.md - file: security-docs/security/use-osquery.md - file: security-docs/security/users-page.md - - file: security-docs/security/value-lists-exceptions.md - file: security-docs/security/view-alert-details.md - file: security-docs/security/view-osquery-results.md - file: security-docs/security/visual-event-analyzer.md diff --git a/solutions/security/detect-and-alert/add-manage-exceptions.md b/solutions/security/detect-and-alert/add-manage-exceptions.md index 530e85a91..1bd89d397 100644 --- a/solutions/security/detect-and-alert/add-manage-exceptions.md +++ b/solutions/security/detect-and-alert/add-manage-exceptions.md 
@@ -4,19 +4,302 @@ mapped_urls: - https://www.elastic.co/guide/en/serverless/current/security-add-exceptions.html --- -# Add and manage exceptions +# Add and manage exceptions [add-exceptions] -% What needs to be done: Lift-and-shift +You can add exceptions to a rule from the rule details page, the Alerts table, the alert details flyout, or the Shared Exception Lists page. When you add an exception, you can also close all alerts that meet the exception’s criteria. -% Use migrated content from existing pages that map to this page: +::::{important} +* To ensure an exception is successfully applied, ensure that the fields you’ve defined for its query are correctly and consistently mapped in their respective indices. Refer to [ECS](https://www.elastic.co/guide/en/ecs/{{ecs_version}}) to learn more about supported mappings. +* Be careful when adding exceptions to [event correlation](create-detection-rule.md#create-eql-rule) rules. Exceptions are evaluated against every event in the sequence, and if an exception matches any events that are necessary to complete the sequence, alerts are not created. -% - [ ] ./raw-migrated-files/security-docs/security/add-exceptions.md -% - [ ] ./raw-migrated-files/docs-content/serverless/security-add-exceptions.md + To exclude values from a specific event in the sequence, update the rule’s EQL statement. For example: -% Internal links rely on the following IDs being on this page (e.g. as a heading ID, paragraph ID, etc): + ```eql + `sequence + [file where file.extension == "exe" + and file.name != "app-name.exe"] + [process where true + and process.name != "process-name.exe"]` + ``` -$$$endpoint-rule-exceptions$$$ +* Be careful when adding exceptions to [indicator match](create-detection-rule.md#create-indicator-rule) rules. Exceptions are evaluated against source and indicator indices, so if the exception matches events in *either* index, alerts are not generated. 
-$$$ex-nested-conditions$$$ +:::: -$$$nested-field-list$$$ \ No newline at end of file + + +## Add exceptions to a rule [detection-rule-exceptions] + +1. Do one of the following: + + * To add an exception from the rule details page: + + 1. Find **Detection rules (SIEM)** in the navigation menu or by using the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md). + 2. In the Rules table, search for the rule that you want to add an exception to, then click its name to open the rule details. + 3. Scroll down the rule details page, select the **Rule exceptions** tab, then click **Add rule exception**. + + :::{image} ../../../images/security-rule-exception-tab.png + :alt: Detail of rule exceptions tab + :class: screenshot + ::: + + * To add an exception from the Alerts table: + + 1. Find **Alerts** in the navigation menu or by using the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md). + 2. Scroll down to the Alerts table, go to the alert you want to create an exception for, click the **More Actions** menu (**…​**), then select **Add rule exception**. + + * To add an exception from the alert details flyout: + + 1. Find **Alerts** in the navigation menu or by using the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md). + 2. Click the **View details** button from the Alerts table. + 3. In the alert details flyout, click **Take action → Add rule exception**. + + * To add an exception from the Shared Exception Lists page: + + 1. Find the **Shared exception lists** page in the navigation menu or by using the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md). + 2. Click **Create shared exception list** → **Create exception item**. + +2. In the **Add rule exception** flyout, name the exception. +3. Add conditions that define the exception. When the exception’s query evaluates to `true`, rules don’t generate alerts even when their criteria are met. 
+ + ::::{important} + Rule exceptions are case-sensitive, which means that any character that’s entered as an uppercase or lowercase letter will be treated as such. In the event you *don’t* want a field evaluated as case-sensitive, some ECS fields have a `.caseless` version that you can use. + :::: + + + ::::{note} + When you create a new exception from an alert, exception conditions are auto-populated with relevant alert data. Data from custom highlighted fields is listed first. A comment that describes the auto-generated exception conditions is also added to the **Add comments** section. + :::: + + + 1. **Field**: Select a field to identify the event being filtered. + + ::::{note} + A warning displays for fields with conflicts. Using these fields might cause unexpected exceptions behavior. Refer to [Troubleshooting type conflicts and unmapped fields](../../../troubleshoot/security/detection-rules.md#rule-exceptions-field-conflicts) for more information. + + :::: + + 2. **Operator**: Select an operator to define the condition: + + * `is` | `is not` — Must be an exact match of the defined value. + * `is one of` | `is not one of` — Matches any of the defined values. + * `exists` | `does not exist` — The field exists. + * `is in list` | `is not in list` — Matches values in a value list. + + ::::{note} + * An exception defined by a value list must use `is in list` or `is not in list` in all conditions. + * Wildcards are not supported in value lists. + * If a value list can’t be used due to [size or data type](create-manage-value-lists.md#manage-value-lists), it’ll be unavailable in the **Value** menu. + + :::: + + * `matches` | `does not match` — Allows you to use wildcards in **Value**, such as `C:\\path\\*\\app.exe`. Available wildcards are `?` (match one character) and `*` (match zero or more characters). 
The selected **Field** data type must be [keyword](https://www.elastic.co/guide/en/elasticsearch/reference/current/keyword.html#keyword-field-type), [text](https://www.elastic.co/guide/en/elasticsearch/reference/current/text.html#text-field-type), or [wildcard](https://www.elastic.co/guide/en/elasticsearch/reference/current/keyword.html#wildcard-field-type). + + ::::{note} + Some characters must be escaped with a backslash, such as `\\` for a literal backslash, `\*` for an asterisk, and `\?` for a question mark. Windows paths must be divided with double backslashes (for example, `C:\\Windows\\explorer.exe`), and paths that already include double backslashes might require four backslashes for each divider. + :::: + + + ::::{important} + Using wildcards can impact performance. To create a more efficient exception using wildcards, use multiple conditions and make them as specific as possible. For example, adding conditions using `process.name` or `file.name` can help limit the scope of wildcard matching. + :::: + + 3. **Value**: Enter the value associated with the **Field**. To enter multiple values (when using `is one of` or `is not one of`), enter each value, then press **Return**. + + ::::{note} + The `is one of` and `is not one of` operators support identical, case-sensitive values. For example, if you want to match the values `Windows` and `windows`, add both values to the **Value** field. + :::: + + + In the following example, the exception was created from the Rules page and prevents the rule from generating alerts when the `svchost.exe` process runs on hostname `siem-kibana`. + + :::{image} ../../../images/security-add-exception-ui.png + :alt: add exception ui + :class: screenshot + ::: + +4. Click **AND** or **OR** to create multiple conditions and define their relationships. +5. Click **Add nested condition** to create conditions using nested fields. This is only required for [these nested fields](#nested-field-list). 
For all other fields, nested conditions should not be used. +6. Choose to add the exception to a rule or a shared exception list. + + ::::{note} + If you are creating an exception from the Shared Exception Lists page, you can add the exception to multiple rules. + :::: + + + ::::{tip} + If a shared exception list doesn’t exist, you can [create one](create-manage-shared-exception-lists.md) from the Shared Exception Lists page. + :::: + +7. (Optional) Enter a comment describing the exception. +8. (Optional) Enter a future expiration date and time for the exception. +9. Select one of the following alert actions: + + * **Close this alert**: Closes the alert when the exception is added. This option is only available when adding exceptions from the Alerts table. + * **Close all alerts that match this exception and were generated by this rule**: Closes all alerts that match the exception’s conditions and were generated only by the current rule. + +10. Click **Add rule exception**. + + +## Add {{elastic-endpoint}} exceptions [endpoint-rule-exceptions] + +You can add {{elastic-endpoint}} exceptions to [endpoint protection rules](../manage-elastic-defend/endpoint-protection-rules.md) or to rules that are associated with {{elastic-endpoint}} rule exceptions. To associate rules when creating or editing a rule, select the [**{{elastic-endpoint}} exceptions**](create-detection-rule.md#rule-ui-advanced-params) option. + +Endpoint exceptions are added to the endpoint protection rules **and** the {{elastic-endpoint}} on your hosts. + +::::{important} +Exceptions added to the endpoint protection rules affect all alerts sent from {{elastic-endpoint}}. Be careful not to unintentionally prevent useful Endpoint alerts. + +Additionally, to add an Endpoint exception to an endpoint protection rule, there must be at least one {{elastic-endpoint}} alert generated in the system. 
For non-production use, if no alerts exist, you can trigger a test alert using malware emulation techniques or tools such as the Anti Malware Testfile from the [European Institute for Computer Anti-Virus Research (EICAR)](https://www.eicar.org/). + +:::: + + +::::{important} +[Binary fields](https://www.elastic.co/guide/en/elasticsearch/reference/current/binary.html) are not supported in detection rule exceptions. + +:::: + + +1. Do one of the following: + + * To add an Endpoint exception from the rule details page: + + 1. Find **Detection rules (SIEM)** in the navigation menu or by using the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md). + 2. In the Rules table, search for and select one of the [endpoint protection rules](../manage-elastic-defend/endpoint-protection-rules.md). + 3. Scroll down the rule details page, select the **Endpoint exceptions** tab, then click **Add endpoint exception**. + + * To add an Endpoint exception from the Alerts table: + + 1. Find **Alerts** in the navigation menu or by using the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md). + 2. Scroll down to the Alerts table, and from an {{elastic-endpoint}} alert, click the **More actions** menu (**…​**), then select **Add Endpoint exception**. + + * To add an Endpoint exception from Shared Exception Lists page: + + 1. Find the **Shared exception lists** page in the navigation menu or by using the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md). + 2. Expand the Endpoint Security Exception List or click the list name to open the list’s details page. Next, click **Add endpoint exception**. + + ::::{note} + The Endpoint Security Exception List is automatically created. By default, it’s associated with endpoint protection rules and any rules with the [**{{elastic-endpoint}} exceptions**](create-detection-rule.md#rule-ui-advanced-params) option selected. 
+ :::: + + + The **Add Endpoint Exception** flyout opens. + + :::{image} ../../../images/security-endpoint-add-exp.png + :alt: endpoint add exp + :class: screenshot + ::: + +2. If required, modify the conditions. + + ::::{important} + Rule exceptions are case-sensitive, which means that any character that’s entered as an uppercase or lowercase letter will be treated as such. In the event you *don’t* want a field evaluated as case-sensitive, some ECS fields have a `.caseless` version that you can use. + :::: + + + ::::{note} + * Fields with conflicts are marked with a warning icon (![Field conflict warning icon](../../../images/security-field-warning-icon.png "")). Using these fields might cause unexpected exceptions behavior. For more information, refer to [Troubleshooting type conflicts and unmapped fields](../../../troubleshoot/security/detection-rules.md#rule-exceptions-field-conflicts). + * The `is one of` and `is not one of` operators support identical, case-sensitive values. For example, if you want to match the values `Windows` and `windows`, add both values to the **Value** field. + + :::: + +3. (Optional) Add a comment to the exception. +4. You can select any of the following: + + * **Close this alert**: Closes the alert when the exception is added. This option is only available when adding exceptions from the Alerts table. + * **Close all alerts that match this exception and were generated by this rule**: Closes all alerts that match the exception’s conditions. + +5. Click **Add Endpoint Exception**. An exception is created for both the detection rule and the {{elastic-endpoint}}. + + ::::{note} + It might take longer for exceptions to be applied to hosts within larger deployments. + :::: + + + +## Exceptions with nested conditions [ex-nested-conditions] + +Some Endpoint objects contain nested fields, and the only way to ensure you are excluding the correct fields is with nested conditions. 
One example is the `process.Ext` object: + +```json +{ + "ancestry": [], + "code_signature": { + "trusted": true, + "subject_name": "LFC", + "exists": true, + "status": "trusted" + }, + "user": "WDAGUtilityAccount", + "token": { + "elevation": true, + "integrity_level_name": "high", + "domain": "27FB305D-3838-4", + "user": "WDAGUtilityAccount", + "elevation_type": "default", + "sid": "S-1-5-21-2047949552-857980807-821054962-504" + } +} +``` + +### Nested fields [nested-field-list] + +Only these objects require nested conditions to ensure the exception functions correctly: + +* `Endpoint.policy.applied.artifacts.global.identifiers` +* `Endpoint.policy.applied.artifacts.user.identifiers` +* `Target.dll.Ext.code_signature` +* `Target.process.Ext.code_signature` +* `Target.process.Ext.token.privileges` +* `Target.process.parent.Ext.code_signature` +* `Target.process.thread.Ext.token.privileges` +* `dll.Ext.code_signature` +* `file.Ext.code_signature` +* `file.Ext.macro.errors` +* `file.Ext.macro.stream` +* `process.Ext.code_signature` +* `process.Ext.token.privileges` +* `process.parent.Ext.code_signature` +* `process.thread.Ext.token.privileges` + + +### Nested condition example [_nested_condition_example] + +Creates an exception that excludes all LFC-signed trusted processes: + +:::{image} ../../../images/security-nested-exp.png +:alt: nested exp +:class: screenshot +::: + + +## View and manage exceptions [manage-exception] + +To view a rule’s exceptions: + +1. Open the rule’s details page. To do this, find **Detection rules (SIEM)** in the navigation menu or look for “Detection rules (SIEM)” using the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md), search for the rule that you want to examine, then click the rule’s name to open its details. +2. Scroll down and select the **Rule exceptions** or **Endpoint exceptions** tab. All exceptions that belong to the rule will display in a list. 
+ + From the list, you can filter, edit, and delete exceptions. You can also toggle between **Active exceptions** and **Expired exceptions**. + + :::{image} ../../../images/security-manage-default-rule-list.png + :alt: A default rule list + :class: screenshot + ::: + + + +## Find rules using the same exceptions [rules-using-same-exception] + +To find out if an exception is used by other rules, select the **Rule exceptions** or **Endpoint exceptions** tab, navigate to an exception list item, then click **Affects *X* rules**. + +::::{note} +Changes that you make to the exception also apply to other rules that use the exception. +:::: + + +:::{image} ../../../images/security-exception-affects-multiple-rules.png +:alt: Exception that affects multiple rules +:class: screenshot +::: diff --git a/solutions/security/detect-and-alert/create-manage-shared-exception-lists.md b/solutions/security/detect-and-alert/create-manage-shared-exception-lists.md index 5132f5548..0d8611db1 100644 --- a/solutions/security/detect-and-alert/create-manage-shared-exception-lists.md +++ b/solutions/security/detect-and-alert/create-manage-shared-exception-lists.md 
@@ -4,15 +4,159 @@ mapped_urls: - https://www.elastic.co/guide/en/serverless/current/security-shared-exception-lists.html --- -# Create and manage shared exception lists +# Create and manage shared exception lists [shared-exception-lists] -% What needs to be done: Align serverless/stateful +Shared exception lists allow you to group exceptions together and then apply them to multiple rules. Use the Shared Exception Lists page to set up shared exception lists. -% Use migrated content from existing pages that map to this page: +% The following note is only applicable to ESS and is only relevant for users who are upgrading from 8.5 -> 8.6 or later. Might need to add this to the [8.6.x upgrade docs](https://www.elastic.co/guide/en/security/8.6/upgrade-intro.html) later. -% - [ ] ./raw-migrated-files/security-docs/security/shared-exception-lists.md -% - [ ] ./raw-migrated-files/docs-content/serverless/security-shared-exception-lists.md +% ::::{note} +% Exception lists created in 8.5 and earlier become shared exception lists in 8.6 or later. You can access all shared exception % lists from the Shared Exception Lists page. +% :::: -% Internal links rely on the following IDs being on this page (e.g. as a heading ID, paragraph ID, etc): -$$$link-shared-exception-lists$$$ \ No newline at end of file +:::{image} ../../../images/security-rule-exceptions-page.png +:alt: Shared Exception Lists page +:class: screenshot +::: + + +## Create shared exception lists [create-shared-exception-list] + +Set up shared exception lists to contain exception items: + +1. Find the **Shared exception lists** page in the navigation menu or by using the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md). +2. Click **Create shared exception list** → **Create shared list**. +3. Give the shared exception list a name. +4. (Optional) Provide a description. +5. Click **Create shared exception list**. 
+ + +## Add exception items to shared exception lists [add-exception-items] + +Add exception items: + +1. Find the **Shared exception lists** page in the navigation menu or by using the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md). +2. Click **Create shared exception list** → **Create exception item**. + + ::::{tip} + You can add exceptions to an empty shared exception list by expanding the list, or viewing its details page and clicking **Create rule exception**. After creating an exception, you can associate the shared exception list with rules. Refer to [Associate shared exception lists with rules](#link-shared-exception-lists) to learn more. + :::: + +3. In the **Add rule exception** flyout, name the exception item and add conditions that define when the exception prevents alerts. When the exception’s query conditions are met (the query evaluates to `true`), rules do not generate alerts even when other rule criteria are met. + + 1. **Field**: Select a field to identify the event being filtered. + 2. **Operator**: Select an operator to define the condition: + + * `is` | `is not` — Must be an exact match of the defined value. + * `is one of` | `is not one of` — Matches any of the defined values. + * `exists` | `does not exist` — The field exists. + * `is in list` | `is not in list` — Matches values in a value list. + + ::::{note} + * An exception defined by a value list must use `is in list` or `is not in list` in all conditions. + * Wildcards are not supported in value lists. + * If a value list can’t be used due to [size or data type](create-manage-value-lists.md#manage-value-lists), it’ll be unavailable in the **Value** menu. + + :::: + + * `matches` | `does not match` — Allows you to use wildcards in **Value**, such as `C:\path\*\app.exe`. Available wildcards are `?` (match one character) and `*` (match zero or more characters). 
The selected **Field** data type must be [keyword](https://www.elastic.co/guide/en/elasticsearch/reference/current/keyword.html#keyword-field-type), [text](https://www.elastic.co/guide/en/elasticsearch/reference/current/text.html#text-field-type), or [wildcard](https://www.elastic.co/guide/en/elasticsearch/reference/current/keyword.html#wildcard-field-type). + + ::::{important} + Using wildcards can impact performance. To create a more efficient exception using wildcards, use multiple conditions and make them as specific as possible. For example, adding conditions using `process.name` or `file.name` can help limit the scope of wildcard matching. + :::: + + 3. **Value**: Enter the value associated with the **Field**. To enter multiple values (when using `is one of` or `is not one of`), enter each value, then press **Return**. + +4. Click **AND** or **OR** to create multiple conditions and define their relationships. +5. Click **Add nested condition** to create conditions using nested fields. This is only required for [these nested fields](add-manage-exceptions.md#nested-field-list). For all other fields, nested conditions should not be used. +6. Choose to add the exception to shared exception lists. + + ::::{note} + This option will be unavailable if a shared exception list doesn’t exist. In addition, you can’t add an endpoint exception item to the Endpoint Security Exception List from this UI. Refer to [Add {{elastic-endpoint}} exceptions](add-manage-exceptions.md#endpoint-rule-exceptions) for instructions about creating endpoint exceptions. + :::: + +7. (Optional) Enter a comment describing the exception. +8. (Optional) Enter a future expiration date and time for the exception. +9. (Optional) **Close all alerts that match this exception and were generated by this rule**: Closes all alerts that match the exception’s conditions and were generated only by the current rule. +10. Click **Add rule exception**. 
+ + +## Associate shared exception lists with rules [link-shared-exception-lists] + +Apply shared exception lists to rules: + +1. Find the **Shared exception lists** page in the navigation menu or by using the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md). +2. Do one of the following: + + * Select a shared exception list’s name to open its details page, then click **Link rules**. + * Find the shared exception list you want to assign to rules, then from the **More actions** menu (**…​**), select **Link rules**. + +3. Click the toggles in the **Link** column to select the rules you want to link to the exception list. + + ::::{tip} + If you know a rule’s name, you can enter it into the search bar. + :::: + +4. Click **Save**. +5. (Optional) To verify that the shared exception list was added to the rules you selected: + + 1. Open a rule’s details page (**Rules → Detection rules (SIEM) → *Rule name***). + 2. Scroll down the page, and then select the **Rule exceptions** tab. + 3. Navigate to the exception items that are included in the shared exception list. Click the **Affects shared list** link to view the associated shared exception lists. + + :::{image} ../../../images/security-associated-shared-exception-list.png + :alt: Associated shared exceptions + :class: screenshot + ::: + + + +## View and filter exception lists [view-shared-exception-lists] + +The Shared Exception Lists page displays each shared exception list on an individual row, with the most recently created list at the top. Each row contains these details about the shared exception list: + +* Shared exception list name +* Date the list was created +* Username of the user who created the list +* Number of exception items in the shared exception list +* Number of rules the shared exception list affects + +To view the details of an exception item within a shared exception list, expand a row. 
+ +:::{image} ../../../images/security-view-filter-shared-exception.png +:alt: Associated shared exceptions +:class: screenshot +::: + +To filter exception lists by a specific value, enter a value in the search bar. You can search the following attributes: + +* `name` +* `list_id` +* `created_by` + +If no attribute is selected, the app searches the list name by default. + + +## Manage shared exception lists [manage-exception-lists] + +You can edit, export, import, duplicate, and delete shared exception lists from the Shared Exception Lists page. + +% The following note is only applicable to ESS and is only relevant for users who are upgrading from 8.5 -> 8.6 or later. Might need to add this to the [8.6.x upgrade docs](https://www.elastic.co/guide/en/security/8.6/upgrade-intro.html) later. + +% ::::{note} +% Exception lists created in 8.5 and earlier become shared exception lists in 8.6 or later. You can access all shared exception lists from the Shared Exception Lists page. +% :::: + + +To export or delete an exception list, select the required action button on the appropriate list. Note the following: + +* Exception lists are exported to `.ndjson` files. +* Exception lists are also exported as part of any exported detection rules configured with exceptions. Refer to [Export and import rules](manage-detection-rules.md#import-export-rules-ui). +* If an exception list is linked to any rules, you’ll get a warning asking you to confirm the deletion. +* If an exception list contains expired exceptions, you can choose whether to include them in the exported file. + +:::{image} ../../../images/security-actions-exception-list.png +:alt: Detail of Exception lists table with export and delete buttons highlighted +:class: screenshot +::: diff --git a/solutions/security/detect-and-alert/create-manage-value-lists.md b/solutions/security/detect-and-alert/create-manage-value-lists.md index f79bdb561..6bc2cbb84 100644 
--- a/solutions/security/detect-and-alert/create-manage-value-lists.md +++ b/solutions/security/detect-and-alert/create-manage-value-lists.md 
@@ -4,19 +4,99 @@ mapped_urls: - https://www.elastic.co/guide/en/serverless/current/security-value-lists-exceptions.html --- -# Create and manage value lists +# Create and manage value lists [value-lists-exceptions] -% What needs to be done: Lift-and-shift +Value lists hold multiple values of the same Elasticsearch data type, such as IP addresses, which are used to determine when an exception prevents an alert from being generated. You can use value lists to define exceptions for detection rules; however, you cannot use value lists to define endpoint rule exceptions. -% Use migrated content from existing pages that map to this page: +Value lists are lists of items with the same {{es}} [data type](https://www.elastic.co/guide/en/elasticsearch/reference/current/mapping-types.html). You can create value lists with these types: -% - [ ] ./raw-migrated-files/security-docs/security/value-lists-exceptions.md -% - [ ] ./raw-migrated-files/docs-content/serverless/security-value-lists-exceptions.md +* `Keywords` (many [ECS fields](https://www.elastic.co/guide/en/ecs/{{ecs_version}}/ecs-field-reference.html) are keywords) +* `IP Addresses` +* `IP Ranges` +* `Text` -% Internal links rely on the following IDs being on this page (e.g. as a heading ID, paragraph ID, etc): +After creating value lists, you can use `is in list` and `is not in list` operators to [define exceptions](add-manage-exceptions.md). -$$$create-value-lists$$$ +::::{tip} +You can also use a value list as the [indicator match index](create-detection-rule.md#indicator-value-lists) when creating an indicator match rule. +:::: -$$$edit-value-lists$$$ +## Create value lists [create-value-lists] -$$$manage-value-lists$$$ \ No newline at end of file +When you create a value list for a rule exception, be mindful of the list’s size and data type. All rule types support value list exceptions, but extremely large lists or certain data types have limitations. 
+ +Custom query, machine learning, and indicator match rules support the following value list types and sizes: + +* **Keywords** or **IP addresses** list types with more than 65,536 values +* **IP ranges** list type with over 200 dash notation values (for example, `127.0.0.1-127.0.0.4` is one value) or more than 65,536 CIDR notation values + +To create a value list: + +1. Prepare a `txt` or `csv` file with all the values you want to use for determining exceptions from a single list. If you use a `txt` file, new lines act as delimiters. + + ::::{important} + * All values in the file must be of the same {{es}} type. + * Wildcards are not supported in value lists. Values must be literal values. + * The maximum accepted file size is 9 million bytes. + + :::: + +2. Find **Detection rules (SIEM)** in the navigation menu or by using the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md). +3. Click **Manage value lists**. The **Manage value lists** window opens. + + :::{image} ../../../images/security-upload-lists-ui.png + :alt: Manage value lists flyout + :class: screenshot + ::: + +4. Select the list type (**Keywords**, **IP addresses**, **IP ranges**, or **Text**) from the **Type of value list** drop-down. +5. Drag or select the `csv` or `txt` file that contains the values. +6. Click **Import value list**. + +::::{note} +If you import a file with a name that already exists, a new list is not created. The imported values are added to the existing list instead. +:::: + +## Manage value lists [manage-value-lists] + +You can edit, remove, or export existing value lists. + +### Edit value lists [edit-value-lists] + +1. Find **Detection rules (SIEM)** in the navigation menu or by using the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md). +2. Click **Manage value lists**. The **Manage value lists** window opens. +3. In the **Value lists** table, click the value list you want to edit. +4. 
Do any of the following: + + * **Filter items in the list**: Use the KQL search bar to find values in the list. Depending on your list’s type, you can filter by the `keyword`, `ip_range`, `ip`, or `text` fields. For example, to filter by Gmail addresses in a value list of the `keyword` type, enter `keyword:*gmail.com` into the search bar. + + You can also filter by the `updated_by` field (for example, `updated_by:testuser`), or the `updated at` field (for example, `updated_at < now`). + + * **Add individual items to the list**: Click **Create list item**, enter a value, then click **Add list item**. + * **Bulk upload list items**: Drag or select the `csv` or `txt` file that contains the values that you want to add, then click **Upload**. + * **Edit a value**: In the Value column, go to the value you want to edit and click the **Edit** button (![Edit button from Manage value lists window](../../../images/security-edit-value-list-item.png "title =20x20")). When you’re done editing, click the **Save** button (![Save button from Manage value lists window](../../../images/security-save-value-list-item-changes.png "title =30x30")) to save your changes. Click the **Cancel** button (![Cancel button from Manage value lists window](../../../images/security-cancel-value-list-item-changes.png "title =30x30")) to revert your changes. + * **Remove a value**: Click the **Remove value** button (![Remove value list button from Manage value lists window](../../../images/security-remove-value-list-item.png "title =20x20")) to delete a value from the list. + + +:::{image} ../../../images/security-edit-value-lists.png +:alt: Manage items in a value lists +:class: screenshot +::: + +::::{tip} +You can also edit value lists while creating and managing exceptions that use value lists. +:::: + +### Export or remove value lists [export-remove-value-lists] + +1. 
Find **Detection rules (SIEM)** in the navigation menu or by using the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md). +2. Click **Manage value lists**. The **Manage value lists** window opens. +3. From the **Value lists** table, you can: + + 1. Click the **Export value list** button (![Export button from Manage value lists window](../../../images/security-export-value-list.png "")) to export the value list. + 2. Click the **Remove value list** button (![Remove button from Manage value lists window](../../../images/security-remove-value-list.png "")) to delete the value list. + + :::{image} ../../../images/security-manage-value-list.png + :alt: Import value list flyout with action buttons highlighted + :class: screenshot + ::: diff --git a/solutions/security/detect-and-alert/rule-exceptions.md b/solutions/security/detect-and-alert/rule-exceptions.md index 5dce6a839..027d126ff 100644 --- a/solutions/security/detect-and-alert/rule-exceptions.md +++ b/solutions/security/detect-and-alert/rule-exceptions.md 
@@ -4,17 +4,39 @@ mapped_urls: - https://www.elastic.co/guide/en/serverless/current/security-rule-exceptions.html --- -# Rule exceptions +# Rule exceptions [detections-ui-exceptions] -% What needs to be done: Lift-and-shift +You can associate rule exceptions with detection and endpoint rules to prevent trusted processes and network activity from generating unnecessary alerts, therefore, reducing the number of false positives. -% Use migrated content from existing pages that map to this page: +When creating exceptions, you can assign them to [individual rules](#rule-exceptions-intro) or to [multiple rules](#shared-exception-list-intro). + + +## Exceptions for individual rules [rule-exceptions-intro] + +Exceptions, also referred to as *exception items*, contain the source event conditions that determine when alerts shouldn’t be generated. + +You can create exceptions that apply exclusively to a single rule. These types of exceptions can’t be used by other rules, and you must manage them from the rule’s details page. To learn more about creating and managing single-rule exceptions, refer to [Add and manage exceptions](add-manage-exceptions.md). + +:::{image} ../../../images/security-exception-item-example.png +:alt: An exception item +:class: screenshot +::: + +::::{note} +You can also use [value lists](create-manage-value-lists.md) to define exceptions for detection rules. Value lists allow you to match an exception against a list of possible values. +:::: + + + +## Exceptions shared among multiple rules [shared-exception-list-intro] + +If you want an exception to apply to multiple rules, you can add an exception to a shared exception list. Shared exception lists allow you to group exceptions together and then associate them with multiple rules. Refer to [Create and manage shared exception lists](create-manage-shared-exception-lists.md) to learn more. 
+ +:::{image} ../../../images/security-rule-exceptions-page.png +:alt: Shared Exception Lists page +:class: screenshot +::: -% - [ ] ./raw-migrated-files/security-docs/security/detections-ui-exceptions.md -% - [ ] ./raw-migrated-files/docs-content/serverless/security-rule-exceptions.md -% Internal links rely on the following IDs being on this page (e.g. as a heading ID, paragraph ID, etc): -$$$rule-exceptions-intro$$$ -$$$shared-exception-list-intro$$$ \ No newline at end of file
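Review bot: In the create-manage-value-lists.md hunk, the size-limit paragraph under "Create value lists" is left unresolved: it says "extremely large lists or certain data types have limitations" and then lists only what "Custom query, machine learning, and indicator match rules support" (Keywords/IP addresses lists over 65,536 values; IP ranges lists over 200 dash-notation or 65,536 CIDR values), but never says what happens for any other rule type, so a reader attaching a large list to another rule type cannot tell whether their exception will be evaluated at all. Add a sentence stating the limit (or the unsupported sizes) for the remaining rule types. Two smaller points in the same hunk: the two opening paragraphs both define value lists, one with the literal "Elasticsearch" and one with the `{{es}}` variable; merge them and keep the variable. And the filter bullet names the field as "`updated at`" in prose but `updated_at` in its example (`updated_at < now`); use `updated_at` in both places.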
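Review bot: In the rule-exceptions.md hunk, the note under "Exceptions for individual rules" says value lists can define "exceptions for detection rules", while the page's first sentence scopes exceptions to "detection and endpoint rules" and the create-manage-value-lists.md change in this same patch states that "you cannot use value lists to define endpoint rule exceptions". Carry that restriction into the note (for example, "...to define exceptions for detection rules, but not for endpoint rule exceptions") so a reader does not expect a value list to work on an endpoint exception. Also, "...generating unnecessary alerts, therefore, reducing the number of false positives" is a comma splice; "...generating unnecessary alerts, which reduces false positives" reads cleanly.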