How to manage rule exemptions in Elastic SIEM
We have 1000+ alerts in Elastic and we would like to understand how we manage the whitelisting on each detection. E.g. we make some exemption on a rule; how do we maintain this information without manual effort like an Excel sheet?
You have a couple of options and locations where you can manage exceptions. I believe the team behind it is aware that improvements could be made so this is likely to change in the future.
- Shared exceptions lists
- Value lists
- Rule exceptions
All three can be done through the API and/or manually.
It then comes down to preference and internal processes. Some things we have come to learn:
- Exception management for temp exceptions (e.g. noisy changes) can be done manually with an end date on a specific detection rule.
- Exceptions for multiple rules are better off in shared exception lists.
- Value lists are great to use with some form of automation to keep them up to date (e.g. team members).
If you could share what processes/features you would like to see, maybe the team can take them into account.
p.s. I am just a community member.
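One way to keep the "not in a spreadsheet" requirement from the question while using the API route the answer above mentions: keep each exemption as a small record in version control, validate it (reason, ticket, future end date), and generate the exception-item body from it. This is an added example, not Elastic's code or the poster's; the Kibana URL, API key, and the sample record are placeholders, and the endpoint and field names are as the editor knows them from the Kibana API docs.

```python
"""Exemptions-as-code for Elastic Security exception lists. Added example, not
Elastic's code: a git-tracked record is validated and turned into the body for
POST /api/exception_lists/items (field names as in the Kibana API docs)."""
import json
import urllib.request
from datetime import datetime, timezone

KIBANA_URL = "https://kibana.example.internal:5601"  # assumption: placeholder
API_KEY = "REPLACE_WITH_API_KEY"  # assumption: placeholder, never commit real keys
REFERENCE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed clock

def validate(exemption: dict, now: datetime = None) -> list:
    """Return the problems found; an empty list means the record is acceptable."""
    now = now or datetime.now(timezone.utc)
    required = ("list_id", "field", "value", "reason", "ticket")
    problems = [f"missing {k}" for k in required if not exemption.get(k)]
    expires = exemption.get("expires")
    if expires and datetime.fromisoformat(expires.replace("Z", "+00:00")) <= now:
        problems.append("expiry date is in the past")
    return problems

def to_item_payload(exemption: dict) -> dict:
    """Build the exception-item body; expire_time makes the exception temporary."""
    body = {
        "list_id": exemption["list_id"],
        "item_id": f"{exemption['list_id']}-{exemption['ticket']}".lower(),
        "name": f"{exemption['ticket']}: {exemption['reason']}",
        "description": exemption["reason"],
        "type": "simple",
        "namespace_type": "single",
        "entries": [{"field": exemption["field"], "operator": "included",
                     "type": "match", "value": exemption["value"]}],
    }
    if exemption.get("expires"):
        body["expire_time"] = exemption["expires"]
    return body

def push(payload: dict) -> int:
    """POST the item to Kibana; returns the HTTP status (network call)."""
    req = urllib.request.Request(f"{KIBANA_URL}/api/exception_lists/items",
        data=json.dumps(payload).encode(), method="POST",
        headers={"kbn-xsrf": "true", "Content-Type": "application/json",
                 "Authorization": f"ApiKey {API_KEY}"})
    with urllib.request.urlopen(req) as resp:
        return resp.status

# Constructed sample record, as it would sit in a git-tracked YAML/JSON file.
SAMPLE = {"list_id": "shared-backup-agents", "field": "host.name",
          "value": "backup01.corp.example", "reason": "scheduled backup job",
          "ticket": "SOC-1234", "expires": "2024-12-31T00:00:00Z"}
```

Running `validate` in CI before `push` is what replaces the spreadsheet: the git history of the records is the audit trail of who exempted what, why, and until when.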
@The_BlueishSky Here you can read more about the options available in the UI:
Let us know if there is a specific use case you are trying to address.