Creating Endpoint Exception for one endpoint

How do I create an Endpoint Exception that only applies to one specific host? I have a lot of servers in one Fleet policy and would like to exclude w3wp.exe. This is, however, a dangerous blind spot, so of course I want to limit that exception.

Is it enough to add "host.name IS specifichostname" as a condition in a policy (got Premium) or global exception?

Hey there @slash24 :wave:

So as far as I recall Endpoint Exceptions remain global (no way to separate by policy at this time), but adding a host.name qualifier AND'ed to the w3wp.exe exclusion exception will ensure that it's isolated to that host. It is slight overhead for the remaining hosts, but I'm not aware of any other way to accomplish this at this time.

You could of course add this as a Rule Exception instead, that way the underlying endpoint event still gets generated, but the rule just won't create an alert for it.

Hope this helps!

Cheers!
Garrett
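
To illustrate the scoping discussed in this thread, here is an added example (not from either poster and not Elastic's code) that models how the conditions inside one exception combine and lists global exceptions that lack a host.name qualifier. It assumes entries within an item are AND'ed and separate items are OR'ed, models only exact `match` / `match_any` entries, and uses constructed host names (`web01`, `web02`) and events.

```python
# Added example: simplified model of exception matching, not Elastic's code.
# Assumptions: entries in one item are AND'ed, separate items are OR'ed,
# comparison is exact, and only "match" / "match_any" entries are modelled.

def entry_matches(entry, event):
    actual = event.get(entry["field"])
    wanted = entry["value"] if entry["type"] == "match_any" else [entry["value"]]
    hit = actual in wanted
    return hit if entry["operator"] == "included" else not hit

def item_matches(item, event):
    # Every condition in the item must hold for the event to be excluded.
    return all(entry_matches(e, event) for e in item["entries"])

def suppressed_hosts(items, events):
    """Hosts on which at least one sample event would be silenced."""
    return sorted({ev["host.name"] for ev in events
                   if any(item_matches(it, ev) for it in items)})

def unscoped_items(items):
    """Names of items with no positive host.name condition (apply everywhere)."""
    return [it["name"] for it in items
            if not any(e["field"] == "host.name" and e["operator"] == "included"
                       for e in it["entries"])]

# Constructed exception items (hypothetical names and hosts).
SCOPED = {"name": "w3wp on web01 only", "entries": [
    {"field": "process.name", "operator": "included", "type": "match", "value": "w3wp.exe"},
    {"field": "host.name", "operator": "included", "type": "match", "value": "web01"}]}
BROAD = {"name": "w3wp everywhere", "entries": [
    {"field": "process.name", "operator": "included", "type": "match", "value": "w3wp.exe"}]}

# Constructed sample events, flattened to dotted field names.
EVENTS = [
    {"host.name": "web01", "process.name": "w3wp.exe"},
    {"host.name": "web02", "process.name": "w3wp.exe"},
    {"host.name": "web01", "process.name": "cmd.exe"},
]

if __name__ == "__main__":
    print("scoped item silences:", suppressed_hosts([SCOPED], EVENTS))
    print("broad item silences: ", suppressed_hosts([BROAD], EVENTS))
    print("items needing review:", unscoped_items([SCOPED, BROAD]))
```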
