I'm curious if there are any future enhancement plans for the Exceptions feature. Our SOC folks are finding a few limitations in managing them through the Kibana UI.
Here are a few examples of actions that can only be performed via the API:
- Assign the same exception container to multiple rules
- Remove an exception container from a specific detection rule (i.e. removing an exception container from rule A but not rules B and C). Note: Removing an exception from a specific rule does NOT remove the exception container from said rule. Instead, it deletes the exception item from the exception container and therefore affects all other rules using this exception container.
- The “Exception Lists” section that was added in 7.11 is nice but it does not allow you to manage/modify the Exceptions. It also does not display the Exception Items associated with the containers.
- On the other hand, when opening the “Exceptions” tab inside a specific rule, you can see the exception items, but there’s no information regarding the associated Exception Containers.
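As an added example (not code from the original post, nor Elastic's own tooling), the Python helpers below build the request bodies for the two API-only actions listed above: attaching one exception container to several rules, and detaching it from a single rule without deleting any exception item. It assumes the Kibana detection engine endpoint `PATCH /api/detection_engine/rules` with basic auth; the sample rule is constructed.

```python
import base64
import json
import urllib.request

# Constructed sample: the `exceptions_list` field a rule carries in the
# detection engine API (real rules have many more fields). `list_id` is the
# container's human-readable id; `id` is its saved-object id.
SAMPLE_RULE_A = {
    "rule_id": "rule-a",
    "exceptions_list": [
        {"id": "c1", "list_id": "shared-allowlist", "namespace_type": "single", "type": "detection"},
        {"id": "c2", "list_id": "rule-a-only", "namespace_type": "single", "type": "detection"},
    ],
}


def attach_exception_list(rule: dict, container: dict) -> dict:
    """PATCH body that adds `container` to `rule`; idempotent if already referenced.
    Apply the same body to rules B and C to share one container across rules."""
    refs = list(rule.get("exceptions_list", []))
    if all(r["list_id"] != container["list_id"] for r in refs):
        refs.append(container)
    return {"rule_id": rule["rule_id"], "exceptions_list": refs}


def detach_exception_list(rule: dict, list_id: str) -> dict:
    """PATCH body that drops the reference to container `list_id` from this rule only.
    The container and its items stay intact, so other rules using it are unaffected."""
    refs = rule.get("exceptions_list", [])
    kept = [r for r in refs if r["list_id"] != list_id]
    if len(kept) == len(refs):
        raise ValueError(f"rule {rule['rule_id']} does not reference container {list_id}")
    return {"rule_id": rule["rule_id"], "exceptions_list": kept}


def patch_rule(kibana_url: str, user: str, password: str, body: dict) -> dict:
    """Send one PATCH body to Kibana (network call; not exercised offline)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"{kibana_url}/api/detection_engine/rules",
        data=json.dumps(body).encode(), method="PATCH",
        headers={"kbn-xsrf": "true", "Content-Type": "application/json",
                 "Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Offline demonstration: remove the shared container from rule A only.
    print(json.dumps(detach_exception_list(SAMPLE_RULE_A, "shared-allowlist"), indent=2))
```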