Elastic Security Rule Exceptions vs Endpoint Exceptions

Good day,

I was wondering if anyone could point me to documentation that details the difference between Rule Exceptions and Endpoint Exceptions in Elastic Security, including when to use which type of exception.

I think this documentation is the page you're looking for.

But to answer your question more directly, rule exceptions prevent alerts from being triggered by Detection Engine rules in Kibana. Endpoint exceptions prevent Endpoint (Elastic Defend) from detecting/preventing the activity on the host being protected. In other words, rule exceptions run in Kibana and Endpoint exceptions run on the host.

Usually when adding an exception for an Endpoint alert you want to add an Endpoint exception. If you add a rule exception Endpoint will still detect/prevent the activity on the host but Kibana will hide the corresponding alert.

I hope that helps.
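To make the distinction in the answer concrete, here is an added example (not code from this thread or from Elastic) that takes a detection alert and builds the matching exception item: an Endpoint exception (enforced on the host by Elastic Defend) when the alert came from Endpoint, otherwise a rule exception (applied by the Detection Engine in Kibana). The payload shape follows the Kibana exception list items API (`POST /api/exception_lists/items`) as I understand it; the `endpoint_list` list id, the `process.executable.caseless` field and the alert documents are assumptions or constructed samples, so check the API reference for your Kibana version before sending anything.

```python
"""Build an Endpoint exception or a rule exception from a detection alert.

Added example; it assumes the Kibana exception list items API payload
shape and uses constructed alert documents. Verify against the docs
for your Kibana version.
"""
import json

# Constructed sample alerts with dotted keys, roughly as stored in the
# .alerts-security.alerts-* indices. Values are made up for this example.
ENDPOINT_ALERT = {
    "kibana.alert.rule.name": "Endpoint Security",
    "kibana.alert.rule.rule_id": "RULE_ID_PLACEHOLDER",
    "event.module": "endpoint",          # set on alerts promoted from Elastic Defend
    "host.os.type": "windows",
    "process.executable": "C:\\Tools\\example-tool.exe",
    "process.hash.sha256": "0" * 64,      # placeholder hash
}
QUERY_ALERT = {
    "kibana.alert.rule.name": "Example custom query rule",
    "kibana.alert.rule.rule_id": "RULE_ID_PLACEHOLDER",
    "event.module": "system",
    "host.os.type": "linux",
    "process.executable": "/usr/local/bin/example-tool",
}

# Assumption: the single, space-agnostic list Kibana uses for Endpoint exceptions.
ENDPOINT_LIST_ID = "endpoint_list"

# Where each exception type is enforced, per the answer above.
ENFORCEMENT_POINT = {
    "endpoint": "host (Elastic Defend stops detecting/preventing the activity)",
    "rule": "Kibana Detection Engine (alert suppressed; Endpoint still acts on the host)",
}


def exception_scope(alert):
    """Return 'endpoint' for an alert produced by Elastic Defend, else 'rule'."""
    return "endpoint" if alert.get("event.module") == "endpoint" else "rule"


def build_exception_item(alert, name, description, rule_exception_list_id=None):
    """Build an exception list item payload for the alert.

    rule_exception_list_id is the id of the rule's own exception list
    (found in the rule's `exceptions_list` array); it is only needed for
    rule exceptions.
    """
    scope = exception_scope(alert)
    # Assumption: Endpoint exceptions on Windows/macOS use the case-insensitive
    # subfield, as the Kibana UI does; rule exceptions use the plain ECS field.
    if scope == "endpoint" and alert.get("host.os.type") in ("windows", "macos"):
        exe_field = "process.executable.caseless"
    else:
        exe_field = "process.executable"

    entries = [{
        "field": exe_field,
        "operator": "included",
        "type": "match",
        "value": alert["process.executable"],
    }]
    # Pin the exception to a hash as well so a renamed or replaced binary
    # at the same path does not inherit it.
    if "process.hash.sha256" in alert:
        entries.append({
            "field": "process.hash.sha256",
            "operator": "included",
            "type": "match",
            "value": alert["process.hash.sha256"],
        })

    item = {
        "name": name,
        "description": description,
        "type": "simple",
        "entries": entries,
        "comments": [],
    }
    if scope == "endpoint":
        item["list_id"] = ENDPOINT_LIST_ID
        item["namespace_type"] = "agnostic"
        item["os_types"] = [alert.get("host.os.type", "windows")]
    else:
        if rule_exception_list_id is None:
            raise ValueError("a rule exception needs the rule's exception list id")
        item["list_id"] = rule_exception_list_id
        item["namespace_type"] = "single"
    return item


if __name__ == "__main__":
    for alert in (ENDPOINT_ALERT, QUERY_ALERT):
        scope = exception_scope(alert)
        item = build_exception_item(alert, "example exception", "added example",
                                    rule_exception_list_id="RULE_LIST_ID_PLACEHOLDER")
        print(f"{alert['kibana.alert.rule.name']}: {scope} exception, enforced at "
              f"{ENFORCEMENT_POINT[scope]}")
        print(json.dumps(item, indent=2))
```

The check worth keeping from the answer is the `exception_scope` branch: if you add a rule exception for an Endpoint alert, the payload is valid and the alert disappears, but the host keeps blocking the activity, which is usually not what the analyst intended.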
