When creating multiple Rules in Elastic Security we have started to notice an issue where exception list items created for one specific rule will also affect other rules. In our case the issue affects 2 specific rules that gather data from the same external detection software, but through two different integrations (one legacy and one based on a new API). There is no overlap between the created exceptions and they are very much rule specific.
This is an unwanted feature that I have been unable to figure out how to actually disable. I am unable to unlink the two rules and I am also unsure how they are combined. The most plausible answer is that they use the same Index Pattern, or the names, e.g. Company Name - Rule 1 (Data Lake) and Company Name - Rule 2 (Legacy).
Over time I see how this may impact performance as exceptions are run on rules unnecessarily and the list will just keep expanding as exceptions are added to Rule 1 and Rule 2. It also becomes harder to actually maintain the lists individually, as all exceptions are combined for both rules.
Hey, we are currently using Elastic Stack version 8.5.1. From the changelog it seems that some of the issues we are having may very well be solved by upgrading to 8.6.
In terms of rule exceptions we are using just the regular ones, that exist on the rule itself. We are not using shared exceptions at all.
Yes, we essentially want to have that structure with:

Rule 1 - Exception 1
Rule 2 - Exception 2

but are instead getting the following structure:

Rule 1 - Exception 1, Exception 2
Rule 2 - Exception 2, Exception 1
The exceptions themselves are Rule specific, so Exception 2 from Rule 2 will not prevent creation of alerts on Rule 1. It does however make the list of exceptions longer than they need to be per rule, harder to maintain, and there may be a use case in the future that negatively impacts creation of alerts.
This appears on Rule 1 and Rule 2 for every exception that is added to either one of them: It is not possible to modify the exceptions to specify which rules they should affect. I have checked both the shared exception lists page that is available on 8.5.1 and under Rule exceptions.
This happened both when I tried Rule 2 as a duplicate version of Rule 1 and when I created it manually. Both cases lead to the same result.
Yes, removal of any exception on either Rule 1 or Rule 2 will remove it from both rules.
All new exceptions on either rule will be added to the other.
Another interesting related case: today I created 4 different Rules, where the only difference is the event.severity field that triggers the alert and the default severity placed on the rule. The rules were created based on duplicates from each other. I expected that this would allow me to create exception rules that would affect all 4 rules, but this is not the case. A rule exception will only be added to the specific rule I create it on. I believe that I at least will have better customization options in 8.6 to properly manage this use case.
In 8.6 we introduced some changes to exception logic, which can really help you.
Before 8.6, if a rule has some exceptions and you duplicate it, the new rule will have the same "container" for exceptions, and when you add an exception in the new or original rule it will appear in the other one.
In 8.6, when you duplicate the rule, it will create a new separate exception container and attach it to the new rule, so it will not have any relation with the original rule.
Also, you can create a shared list with some exceptions, and it can be attached to multiple rules.
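A way to audit an existing deployment for the shared-container situation described in this thread, as an added example that is not part of the original posts or of Elastic's own tooling: the script below takes the `data` array returned by `GET /api/detection_engine/rules/_find` (only the `name` and `exceptions_list` fields are used; the sample here is constructed inline with placeholder ids) and reports every exception list referenced by more than one rule. Lists of type `detection` are the intentionally shared ones mentioned above; the assumption that a rule's own container carries another type value (shown here as `rule_default`) is ours, so the check flags any multi-rule list that is not of type `detection` rather than matching a specific value.

```python
"""Find Elastic Security detection rules that share an exception list container.

Added example: feed it the ``data`` array from
GET /api/detection_engine/rules/_find (send the kbn-xsrf header when calling Kibana).
"""
from collections import defaultdict

# Constructed sample shaped like the rules _find response; ids are placeholders.
# "rule_default" as the type of a rule-owned list is an assumption, not taken
# from the thread; "detection" is the type of a deliberately shared list.
SAMPLE_RULES = [
    {
        "name": "Company Name - Rule 1 (Data Lake)",
        "exceptions_list": [
            {"id": "exc-list-a", "list_id": "exc-list-a",
             "type": "rule_default", "namespace_type": "single"},
        ],
    },
    {
        "name": "Company Name - Rule 2 (Legacy)",
        "exceptions_list": [
            # Same container as Rule 1: the symptom reported in the thread.
            {"id": "exc-list-a", "list_id": "exc-list-a",
             "type": "rule_default", "namespace_type": "single"},
        ],
    },
    {
        "name": "Company Name - Rule 3 (Severity high)",
        "exceptions_list": [
            {"id": "exc-list-b", "list_id": "exc-list-b",
             "type": "rule_default", "namespace_type": "single"},
            {"id": "shared-1", "list_id": "shared-1",
             "type": "detection", "namespace_type": "single"},
        ],
    },
    {
        "name": "Company Name - Rule 4 (Severity critical)",
        "exceptions_list": [
            # Shared list attached on purpose to two rules: expected.
            {"id": "shared-1", "list_id": "shared-1",
             "type": "detection", "namespace_type": "single"},
        ],
    },
]


def rules_by_exception_list(rules):
    """Map each exception list_id to the sorted names of rules referencing it."""
    index = defaultdict(list)
    for rule in rules:
        for ref in rule.get("exceptions_list", []):
            index[ref["list_id"]].append(rule["name"])
    return {list_id: sorted(names) for list_id, names in index.items()}


def list_types(rules):
    """Collect the set of `type` values seen for each list_id."""
    types = defaultdict(set)
    for rule in rules:
        for ref in rule.get("exceptions_list", []):
            types[ref["list_id"]].add(ref.get("type"))
    return types


def shared_exception_lists(rules):
    """All exception lists attached to more than one rule (shared or not)."""
    return {list_id: names
            for list_id, names in rules_by_exception_list(rules).items()
            if len(names) > 1}


def unexpected_sharing(rules):
    """Multi-rule lists that are not of the shared `detection` type.

    These are rule-owned containers that leaked to other rules, typically via
    duplication on a pre-8.6 stack; removing an item from one rule removes it
    from every rule in the returned list.
    """
    types = list_types(rules)
    return {list_id: names
            for list_id, names in shared_exception_lists(rules).items()
            if "detection" not in types[list_id]}


def report(rules):
    """Human-readable lines, one per list that needs an administrator's look."""
    lines = []
    for list_id, names in sorted(unexpected_sharing(rules).items()):
        lines.append(f"rule-owned list {list_id} is attached to {len(names)} rules: "
                     + "; ".join(names))
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_RULES) or ["no leaked rule-owned exception lists"]:
        print(line)
```

Running it against a live export is a matter of replacing `SAMPLE_RULES` with the parsed response; on 8.6 and later the fix described in the reply above (duplicate the rule, which now gets its own container, then retire the old copy) clears each flagged entry.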