Issues with Exception lists automatically combining rules

When creating multiple Rules in Elastic Security we have started to notice an issue where exception list items created for one specific rule will also affect other rules. In our case the issue affects 2 specific rules that gather data from the same external detection software, but through two different integrations (one legacy and one based on a new API). There is no overlap between the created exceptions and they are very much rule specific.

This is an unwanted feature that I have been unable to figure out how to actually disable. I am unable to unlink the two rules and I am also unsure how they are combined. The most plausible answer is that they use the same Index Pattern, or the names e.g. Company Name - Rule 1 (Data Lake) and Company Name - Rule 2 (Legacy)

Over time I see how this may impact performance as exceptions are run on rules unnecessarily and the list will just keep expanding as exceptions are added to Rule 1 and Rule 2. It also becomes harder to actually maintain the lists individually, as all exceptions are combined for both rules.

Hey @aforfot

What Kibana version do you use?

For rule exception, do you use shared exceptios or just regular one for rules?

In other words, if you open exceptions section in your rules details page what you see? Only specific exceptions for rules or all exceptions?

Hey, we are currently using Elastic Stack version 8.5.1. From the changelog it seems that some of the issues are having may very well be solved by upgrading to 8.6.

In terms of rule exceptions we are using just the regular ones, that exist on the rule itself. We are not using shared exceptions at all.

It's quite interesting behaviour, especially if on the rule page you don't see specific exceptions.

As I understand you have this structure:

  • Rule 1 - Exception 1
  • Rule 2 - Exception 2

And looks like Exception 2 affects Rule 1 and doesn't allow creating alerts. Does it correct?

I have several questions:

  1. Did you duplicate Rule 2 from Rule 1

  2. If you for example remove Exception 2 from Rule 2, will it affect Rule 1?
    The same question is for Exception 1 and Rule 2.

  3. Will the bug still be there if you recreate those Exceptions?

  4. If the bug is still there, I would try to export Rule 2 and remove it, and check if it affects Rule 1. Then you can import it back.

Yes, we essentially want to have that structure with:

  • Rule 1 - Exception 1
  • Rule 2 - Exception 2

, but are instead getting the following structure:

  • Rule 1 - Exception 1, Exception 2
  • Rule 2 - Exception 2, Exception 1

The exceptions themselves are Rule specific, so Exception 2 from Rule 2 will not prevent creation of alerts on Rule 1. It does however make the list of exceptions longer than they need to be per rule, harder to maintain, and there may be a use case in the future that negatively impacts creation of alerts.

This appears on Rule 1 and Rule 2 for every exception that is added to either one of them:image It is not possible to modify the exceptions to specify which rules they should affect. I have checked both the shared exception lists page that is available on 8.5.1 and under Rule exceptions.

  1. This happened both when i tried Rule 2 as a duplicate version of 1 and created it manually. Both cases lead to the same result.
  2. Yes, removal of any exception on either Rule 1 or Rule 2 will remove it from both rules.
  3. All new exceptions on either rule will be added to the other.

Another interesting related case: today I created 4 different Rules, where the only difference is the event.severity field that triggers the alert and the default severity placed on the rule. The rules were created based on duplicates from each other. I expected that this would allow me to create exception rules that would affect all 4 rules, but this is not the case. A rule exception will only be added to the specific rule I create it on. I believe that I at least will have better customization options in 8.6 to properly manage this use case.

In 8.6 we introduced some changes to exception logic, which can really help you.

Before 8.6 if a rule has some exceptions and you duplicate it, the new rule will have the same "container" for exceptions, and when you add an exception in a new or original rule it will appear in another one.

At 8.6 when you duplicate the rule, it will create a new separate exception and attach it to a new rule, so it will not have any relation with the original rule.

Also, you can create a shared list with some exceptions, and it can be attached to multiple rules.

docs

If you can't update the version yet, maybe you recreate the rule manually, or export rule, remove exceptions-related info and import the rule back.