I'm trying to add an exception to a detection rule. This exception is intended to be an "is one of" rule that excludes a number of ISPs. However, I am running into an issue: some of the ISP names contain a comma, but every time I try to add one, it is split into two values, as commas for "is one of" are handled as a list. Example ISP: Google, LLC
Is there a way to actually add the value with a comma to an "is one of" exception? I wasn't able to find any existing issues/docs regarding this.
I tried:
Escaping the comma Google\, LLC
Double quoting the string "Google, LLC"
None of these worked; they all ended with the same result.
I can sometimes work around this, as occasionally the exception area will recommend the correct value with the comma and add it, but this doesn't always work and requires a few attempts when it does, resulting in a lot of time spent adding the value.
Note: I know that I can add this as a separate exception that is just an "is", but I would prefer to have everything in a single exception.
Google was just an example; the issue is that there are quite a few ISPs which can have a comma in their names, and I think trying to track at the IP level is generally more cumbersome than just excluding the name, as you would need to keep track of and exclude many different subnets. (If you're aware of a good way to do this though, I would be interested in investigating further.)
This also doesn't really solve the problem for other cases where you have a value with a comma in it that you want to exclude in an "is one of" clause.
Thanks so much for bringing this to our attention. I have gone ahead and opened up a bug ticket for this that you can follow here.
Have you tried using large value lists for this use case? You can find some information on it in the docs, but this could be useful in this case where you may be continually adding values. Using a large value list you can then easily share this list of values across rules.
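An added example of the value-list route suggested above (my code, not from the thread or from Elastic): it contrasts the comma-splitting the poster sees with a keyword value list where each ISP name, comma included, is one item. The `/api/lists` and `/api/lists/items` paths follow the Kibana Lists API; the list id, Kibana URL, API key and newline-delimited import format are assumed placeholders.

```python
import json
from urllib import request

# Constructed sample input: ISP names as they appear in an ASN/organization
# field; two contain the comma that the "is one of" input box splits on.
ISP_NAMES = ["Google, LLC", "Amazon.com, Inc.", "Cloudflare"]

def split_like_is_one_of(text):
    """Mimic the comma-delimited 'is one of' box: one typed value becomes
    several exception values as soon as it contains a comma."""
    return [part.strip() for part in text.split(",")]

def build_value_list_payloads(list_id, isps):
    """Bodies for POST /api/lists (create a keyword list) and POST /api/lists/items
    (one item per ISP). Paths follow the Kibana Lists API; list id and name are
    assumed placeholders. Each name, commas included, is one list item."""
    create_list = {
        "id": list_id,
        "name": list_id,
        "type": "keyword",
        "description": "ISP organisations excluded by a rule exception",
    }
    items = [{"list_id": list_id, "value": name} for name in isps]
    return create_list, items

def write_import_file(isps, path):
    """Newline-delimited .txt for the value-list upload in the Security UI: one
    value per line, so a comma inside a name is never a separator (assumed
    import format). Returns the number of values written."""
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("\n".join(isps) + "\n")
    return len(isps)

def post_json(kibana_url, path, body, api_key):
    """Send one JSON POST to Kibana; the kbn-xsrf header is required."""
    req = request.Request(
        kibana_url + path, data=json.dumps(body).encode(), method="POST",
        headers={"Content-Type": "application/json", "kbn-xsrf": "true",
                 "Authorization": "ApiKey " + api_key})
    with request.urlopen(req) as resp:
        return json.load(resp)

if __name__ == "__main__":
    create_list, items = build_value_list_payloads("isp-exclusions", ISP_NAMES)
    print(split_like_is_one_of(ISP_NAMES[0]), [i["value"] for i in items])
    # Replace the placeholders with a real Kibana URL and API key to create the list:
    # post_json("https://KIBANA_HOST:5601", "/api/lists", create_list, "API_KEY")
    # for item in items:
    #     post_json("https://KIBANA_HOST:5601", "/api/lists/items", item, "API_KEY")
```

Once the list exists, the exception entry uses the "is in list" operator against it instead of "is one of", so new ISPs are added to the list rather than to the rule.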