We like the new feature to add rule exceptions.
In our opinion it would be very helpful to prefill the value fields with known data of Signals when you click the three dots ("Add rule exception").
For example, prefill the value for source.ip, destination.ip or host.name.
Hi Ulrich, welcome to our community!
We are glad that you like the new rule exception features. Many of our users are finding this to be a useful addition to the detection engine.
> In our opinion it would be very helpful to prefill the value fields with known data of Signals when you click the three dots ("Add rule exception").
> For example, prefill the value for source.ip, destination.ip or host.name.
We think this is a great idea, and we are tracking this as a future enhancement request.
Thank you for the suggestion, and please keep the feedback coming!
Hi Mike,
thank you for adding this as an enhancement request. Another improvement for the rule exceptions would be a time-based option.
For example, add the exception until date x or for the next x hours and then deactivate it automatically. This would be helpful in case of known events like a penetration test.
Hi Ulrich,
> Another improvement for the rule exceptions would be a time-based option.
> For example, add the exception until date x or for the next x hours and then deactivate it automatically. This would be helpful in case of known events like a penetration test.
Yes, that is another enhancement we are tracking for a future release. We've nicknamed it "Exception TTL" (for Time To Live).
Thanks again!