Elastic SIEM Detections

How do we manage rule exemptions in Elastic SIEM? We have 1000+ alerts in Elastic and we would like to understand how to manage the whitelisting on each detection. Example: if we make an exemption on a rule, how do we maintain this information without manual effort like an Excel sheet?

You have a couple of options and locations where you can manage exceptions. I believe the team behind it is aware that improvements could be made, so this is likely to change in the future.

  1. Shared exceptions lists
  2. Value lists
  3. Rule exceptions

All three can be done through the API and/or manually.

It then comes down to preference and internal processes. Some things we have come to learn:

  • Exception management for temporary exceptions (e.g. noisy changes) can be done manually with an end date on a specific detection rule.
  • Exceptions for multiple rules are better off in shared exception lists.
  • Value lists are great to use with some form of automation to keep them up to date (e.g. team members).

If you could share what processes/features you would like to see maybe the team can take them into account.

p.s. I am just a community member.
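As an added illustration (not part of the reply above, and not Elastic's own code), the three options listed there can be driven from a small Python script against the Kibana Security Solution API, which is what replaces the spreadsheet: the list definitions, items and expiry dates live in version control and are pushed with this script. The endpoints are the documented 8.x ones (`/api/exception_lists`, `/api/exception_lists/items`, `/api/detection_engine/rules`, `/api/lists/items`); `expire_time` on an exception item needs a recent 8.x stack. `KIBANA_URL`, the API key, the `rule_id`, the list ids and the sample values are placeholders to replace with your own.

```python
"""Keep Elastic Security exceptions as code and push them through the Kibana API.
Illustrative script added to this thread; not from the original post or from Elastic.
KIBANA_URL, KIBANA_API_KEY, rule ids, list ids and sample values are assumptions."""
import json
import os
import urllib.error
import urllib.request
from datetime import datetime, timedelta, timezone

KIBANA_URL = os.environ.get("KIBANA_URL", "https://kibana.example.local:5601")  # assumption
API_KEY = os.environ.get("KIBANA_API_KEY", "replace-me")                         # assumption


def expiry_in_days(days, now=None):
    """Kibana expects expire_time as an ISO 8601 UTC timestamp."""
    now = now or datetime.now(timezone.utc)
    return (now + timedelta(days=days)).astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def build_exception_list(list_id, name, description):
    """A 'detection' exception list can be attached to any number of rules (a shared list)."""
    return {"list_id": list_id, "name": name, "description": description,
            "type": "detection", "namespace_type": "single"}


def build_exception_item(list_id, name, field, value, reason, expire_time=None):
    """One simple match entry; expire_time (ISO string) makes it a temporary exception."""
    item = {"list_id": list_id, "item_id": f"{list_id}-{field}-{value}".replace("/", "_"),
            "name": name, "description": reason, "type": "simple",
            "namespace_type": "single",
            "entries": [{"field": field, "operator": "included",
                         "type": "match", "value": value}],
            "comments": [{"comment": reason}]}
    if expire_time is not None:
        item["expire_time"] = expire_time
    return item


def merged_exceptions_list(existing, new_ref):
    """PATCH replaces the rule's whole exceptions_list, so merge instead of overwriting."""
    if any(ref["list_id"] == new_ref["list_id"] for ref in existing):
        return list(existing)
    return list(existing) + [new_ref]


class Kibana:
    def __init__(self, base_url=KIBANA_URL, api_key=API_KEY):
        self.base_url, self.api_key = base_url.rstrip("/"), api_key

    def call(self, method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(
            self.base_url + path, data=data, method=method,
            headers={"Authorization": f"ApiKey {self.api_key}", "kbn-xsrf": "true",
                     "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            return json.loads(resp.read())

    def ensure_exception_list(self, spec):
        """Create the list, or fetch it if it already exists (409 Conflict)."""
        try:
            return self.call("POST", "/api/exception_lists", spec)
        except urllib.error.HTTPError as err:
            if err.code != 409:
                raise
            return self.call("GET", f"/api/exception_lists?list_id={spec['list_id']}")

    def add_exception_item(self, item):
        return self.call("POST", "/api/exception_lists/items", item)

    def attach_to_rule(self, rule_id, exc_list):
        """Link a (shared) exception list to a rule without dropping its existing lists."""
        rule = self.call("GET", f"/api/detection_engine/rules?rule_id={rule_id}")
        ref = {"id": exc_list["id"], "list_id": exc_list["list_id"],
               "type": exc_list["type"], "namespace_type": exc_list["namespace_type"]}
        merged = merged_exceptions_list(rule.get("exceptions_list", []), ref)
        return self.call("PATCH", "/api/detection_engine/rules",
                         {"rule_id": rule_id, "exceptions_list": merged})

    def add_value_list_item(self, list_id, value):
        """Value lists (created once with POST /api/lists) are fed item by item; feed
        them from a source of truth such as an IdP group export rather than by hand."""
        return self.call("POST", "/api/lists/items", {"list_id": list_id, "value": value})


if __name__ == "__main__":
    kb = Kibana()
    # 1. Shared list for a change window, reused by several rules, entries expire in 7 days.
    shared = kb.ensure_exception_list(build_exception_list(
        "change-window-backup-agent", "Backup agent rollout", "Ticket reference (assumed)"))
    kb.add_exception_item(build_exception_item(
        shared["list_id"], "Backup agent binary", "process.executable",
        "C:\\Program Files\\BackupAgent\\agent.exe",  # assumed value
        "Expected noise during rollout", expire_time=expiry_in_days(7)))
    for rule_id in ("my-rule-id-1", "my-rule-id-2"):  # assumed rule ids
        kb.attach_to_rule(rule_id, shared)
    # 2. Value list of admin accounts kept current by automation (list id assumed).
    for user in ("alice.admin", "bob.admin"):  # constructed sample
        kb.add_value_list_item("admin-accounts", user)
```

The payload builders are pure functions so the exception inventory can be code-reviewed and diffed before anything is pushed; `attach_to_rule` reads the rule first because `PATCH` replaces the whole `exceptions_list` array, which is the easiest way to silently lose an existing exception.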

@The_BlueishSky Here you can read more about the options available in the UI:

Let us know if there is a specific use case you are trying to address.

