How do you handle lists in rules

m-logs · February 15, 2023, 8:25am

Hello everyone,

Imagine the following szenario: You have a bigger infrastructure and you have different systems in that environment. Let's say you have different rule approaches to several subsets of systems (identified by IP addresses). And you like to manage this sets of systems in one place.

=> The problem for me currently is: List are not allowed in rules, which means when I have multiple rules that target a specific subset of systems I have to change each rule. Is it possible to centralize such system identifiers?

The current options that I figured out so far are the following:

Maybe use building blocks and check for triggers
Use the pipeline in order to tag systems

How do you do this for yourself?

willemdh · February 16, 2023, 9:11am

We are having similar issues. Lists should be reusable somehow. For example a list of user names of developers who are triggering alerts on several rules.

system · March 16, 2023, 9:12am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Issues with Exception lists automatically combining rules Elastic Security	6	519	February 16, 2023
Elastic SIEM Rules/Exceptions/Lists in Terraform Elastic Security elastic-stack-security	1	591	May 16, 2022
Is it Possible to have a Hierarchy of Rules Elastic Security detection-rules	3	464	May 22, 2023
Can't use exception lists Elastic Security	5	558	April 19, 2022
SIEM rules advice Elastic Security	5	402	December 31, 2021

How do you handle lists in rules

Related topics