Endpoint 7.9.x Process/Folder exemptions with ingest manager?

This may seem like a really simple question... For some reason the obvious answers are escaping me at the moment.

For Endpoint how do you set an exemption for a folder and process? This is not for an entire fleet of machines only select ones as white listing for everything really isn't a good idea.

By exemption do you mean a process/folder Endpoint would not monitor entirely or processes/folders that Endpoint will not alert on?

If the former, that's a coming feature we have roadmapped for the near term. We understand how important it is.

If the later, you can do that via the exceptions workflow in the Security app. Go to the Detections tab, click "Manage Detection rules", click on "Elastic Endpoint Security" rule, then the "Exceptions" tab in the middle of the page. Click the drop down for "Add new exception" button and select "Add Endpoint exception" to create an exception that will be sent down to the Endpoint rather than applied after Endpoint generates an alert. If you want to apply the rule to just a small number of machines you can add machine specific fields from the alert, like hostname, into the exception criteria.

So I did run into that part and it seems like the logical location for it with how Elastic is designed. The how-to " https://www.elastic.co/guide/en/security/master/detections-ui-exceptions.html " lead me over to it as well.

The issue comes down to the drop down even after entering process.name for example all variables always say doesn't match any option. Even the well known agent.hostname is not present. The option to add is grayed out no matter what I enter. For example the primary ones I see causing issues currently is MsMPEng "windows defender" and TiWorker. When these kick off filebeat will be shortly behind causing memory starvation.

Sorry to be a pain I know I've posted a fair bit on the forums about endpoint I don't use Github very often. I do follow some of the progress so some of the post are just visibility for other people that come here first to know they are not alone.

The issue comes down to the drop down even after entering process.name for example all variables always say doesn't match any option.

Hi @PublicName! Are you seeing this behavior when you click "Add Endpoint exception" or "Add rule exception here?

If you see this behavior when you select "Add Endpoint exception", could you try entering process.name.text instead of process.name? This will, I believe, give you the functionality you're looking for, as process.name.text will perform a case insensitive match when applying the exception. The difference between the process.name and process.name.text fields is case sensitivity.

Grayed out. Which tends to be a problem... This happens no matter what operator I enter.

@PublicName Thanks for the info. Are the security events you want to add an exception for coming from Elastic Endpoint or from another data source? If you're using Elastic Endpoint as a data source, I believe the problem may be that the Elastic Endpoint integration is not installed or configured through Elastic Agent. Could you please let me know if you have followed these steps to install the Elastic Endpoint integration? https://www.elastic.co/guide/en/security/master/install-endpoint.html. Also, do you see any machines running Elastic Endpoint under Security -> Administration? (https://www.elastic.co/guide/en/security/master/admin-page-ov.html)

If you're using a data source other than Elastic Endpoint, you should be able to add an exception by navigating to the Rule details page for the rule that you expect will generate detection alerts and then selecting "Add exception" under the "Exceptions" tab:

Yes it is installed but I do see an issue that could be causing several more issues.
https://www.elastic.co/guide/en/security/master/install-endpoint.html Step 4.

Every time I go back to the Administration it keeps coming up with the select and configure an agent settings. Hitting save does nothing as it always comes back to the same screen. What is listed in the documentation is not what I'm seeing for Administration... Any clues as to why it would be stuck on this part?

Just to confirm, when you click on the "Save Integration" button (from step 4, picture below)

do you get redirected to the "Next step: Enroll an agent..." page under Security -> Administration (picture below)?

Did I ever read that wrong. Its been a busy day.
Ignore that. I have several dozen agents registered on several test clusters already. They check in mostly fine after the 7.9.1 update. Check the bottom of this long post to clear it up. Basically it looks like there is a problem with the SIEM object missing as the clients are unable to pull the list down "even empty one" and I can not browse to it directly.

Which makes sense as to why I can't save the object as it doesn't actually exist. It was present in 7.9.0 but it's missing in 7.9.1. This is on several clusters. I'm honestly not sure how to even recreate it to be able to set the exemptions.

I recommend that we solve the Elastic Endpoint connection issue in Endpoint 7.9 "Degraded and dashboards" and get your Endpoints in a good state. Once you are able to see Detection alerts coming from your Elastic Endpoints, you can add exceptions directly from the Detection Alerts page as well https://www.elastic.co/guide/en/security/current/alerts-ui-manage.html#add-exception-from-alerts.

I fully agree... This is the fun part and confusing the endpoints are 95% fine until they check in and pull the exemption list which we were able to track down with the 404 error. The missing malware detection could be related to another unknown it might not be pulling any malware hash listings at install time?

This was a pure luck that I ran into issues with exemptions and how it effect the agents. How do I recreate the page so it is not giving me a 404 which would allow the agent to be in a success state? By recreating the very thing I can't save it would allow me to add exemptions.

EDIT: 7.9.2 was just released so will need to test to see if the issue is resolved.
Update: 7.9.2 well it's better at the output log out for sure on the client device.
Example: {"level":"error","origin":{"file":{"line":629,"name":"SyncKernelMessageManager.cpp"}}},"message":"SyncKernelMessageManager.cpp:629 Process ID 576: [C:\Windows\system32\wbem\wmiprvse.exe] is allowed due to message processing failure, error code -205","process":{"pid":1028,"thread":{"id":2292}}}"

Kibana 7.9.2 Failed to start with ":["info","savedobjects-service"],"pid":6331,"message":"Detected mapping change in "properties.application_usage_daily""} endlessly so I'm unable to test if the exemptions can be saved now. I did retry with 7.9.1 and still failed unable to save.