Is there a way, or what is the preferred way, to exclude Elastic Agents/hosts under maintenance (the client systems themselves) from security alerts?
Basically: make an exception for one or more hosts under maintenance.
Kibana has a technical preview feature called "Maintenance windows".
I then used "Filters" / "Filter alerts".
Then "Select the categories this should affect" -> "Security rules"
For example, a normal EQL query like host.name: "parser-001.env1" or host.name: parser-00*.env1 doesn't work here for me.
Furthermore, even filtering out rules via their rule names hasn't worked: kibana.alert.rule.name: "Connection to Internal Network via Telnet" or kibana.alert.rule.name: "Connection to External Network via Telnet".
The host names and rule names are correct and even shown as suggested values.
Using the maintenance windows without a filter works perfectly, but this is too much filtering for just updating some hosts.
My current version of the Elastic cluster is still 8.16.1. But there seem to be no relevant changelogs on this topic.
Another way may be a "rule exception". However, it would be quite tedious to add and later remove 10 hostnames from each of the "top 10" spammy rules. Rare alerts could still be triggered as well. So excluding the hosts from a central point instead makes sense.
Some rules produce a lot of false positives (when a client system is updated), but should not be deactivated entirely or for the whole environment.
The documentation has no details about this topic.
These git issues seem relevant; however, it is not my exact use case.
Okay, I think it is solved. There is the slightly hidden "Shared Exception Lists" feature.
By defining host.name as an exception and selecting all the spammy rules (while system maintenance is done), alerts no longer appear.
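The approach from the reply above, worked through as an added example that is not part of the original post: a shared exception list on host.name is built once, attached only to the noisy rules, and the effect on a handful of constructed alerts is checked. Hostnames, rule names, the host inventory and the sample alerts are all constructed here; the payload field names follow Kibana's Exceptions API (POST /api/exception_lists and /api/exception_lists/items) as I know it, so verify them against the docs for your own version before sending them.

```python
"""Shared exception list for hosts under maintenance (added example).

Everything below is constructed for illustration; it does not talk to a
cluster, it only builds the payloads and shows which alerts the exception
would suppress.
"""
import fnmatch

# Constructed: the host inventory a CMDB or Fleet would give you.
INVENTORY = ["parser-001.env1", "parser-002.env1", "parser-010.env1", "db-001.env1"]

# Constructed: the "spammy" rules the exception list gets attached to.
NOISY_RULES = [
    "Connection to Internal Network via Telnet",
    "Connection to External Network via Telnet",
]


def expand_hosts(patterns, inventory):
    """Turn wildcard patterns such as parser-00*.env1 into concrete host names.

    The exception item below uses a match_any entry, which needs literal
    values, so the wildcard is resolved against the inventory first.
    """
    hosts = sorted({h for p in patterns for h in inventory if fnmatch.fnmatch(h, p)})
    return hosts


def exception_list_payload(list_id, hosts):
    """Container + item payloads for the Exceptions API (assumed field names).

    One item with a single match_any entry keeps the list easy to edit: when
    maintenance ends, update or delete this one item instead of touching rules.
    """
    container = {
        "list_id": list_id,
        "name": "Hosts under maintenance",
        "description": "Suppress noisy rules while these hosts are patched",
        "type": "detection",
        "namespace_type": "single",
    }
    item = {
        "list_id": list_id,
        "item_id": f"{list_id}-hosts",
        "name": "host.name under maintenance",
        "description": "Remove these hosts when maintenance ends",
        "type": "simple",
        "namespace_type": "single",
        "entries": [
            {
                "field": "host.name",
                "operator": "included",
                "type": "match_any",
                "value": list(hosts),
            }
        ],
    }
    return container, item


def is_suppressed(alert, hosts, noisy_rules):
    """An alert is dropped only if its host is listed AND the rule that fired
    is one the list is attached to; rare rules on the same host still alert."""
    return alert["host.name"] in hosts and alert["rule.name"] in noisy_rules


def triage(alerts, hosts, noisy_rules=NOISY_RULES):
    """Return the alerts that would still reach the analyst."""
    return [a for a in alerts if not is_suppressed(a, hosts, noisy_rules)]


# Constructed sample alerts: two from a host under maintenance, one from a
# host that is not.
SAMPLE_ALERTS = [
    {"host.name": "parser-001.env1", "rule.name": "Connection to Internal Network via Telnet"},
    {"host.name": "parser-001.env1", "rule.name": "Potential Credential Dumping (constructed)"},
    {"host.name": "db-001.env1", "rule.name": "Connection to External Network via Telnet"},
]

if __name__ == "__main__":
    maint_hosts = expand_hosts(["parser-00*.env1"], INVENTORY)
    container, item = exception_list_payload("maintenance-hosts", maint_hosts)
    print("exception item values:", item["entries"][0]["value"])
    for a in triage(SAMPLE_ALERTS, maint_hosts):
        print("still alerting:", a["host.name"], "-", a["rule.name"])
```

The point of keeping the host list in one item is exactly the reply's central-point argument: the noisy rules all reference the same list, so ending maintenance is one edit rather than one per rule, and because the list is attached only to the noisy rules, a rare high-severity detection on a host being patched is still raised.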