List all Rules Exceptions

Hello to everyone.

I'm exploring Elastic Defend in a self-hosted cluster with Basic license.

I have a question: if I add a Rule Exception (without using Shared Exception Lists), is there a way to list all exceptions created, or to list all rules that have exceptions configured?

I'm asking this because if I want to check all exceptions that I created after some time, I can't remember the names of all the rules in which I added these exceptions, and therefore it's impossible to retrieve them.

Thanks in advance

Hi @aptfinf , it is not possible at the moment, but it is something we plan to address. Thanks for the question.


Thank you for your answer.

As a workaround, is there maybe a query that I can execute directly on Elasticsearch that allows me to see all exclusions?

hey @aptfinf

You can use this API to find all exception containers.
The results would include shared lists and exception containers applied to a single rule.

To filter out exceptions applied to a single rule, use a filter in the query:

exception_lists/_find?filter=(exception-list.attributes.type%3Arule_default)

It will return exception containers that have a link to a rule id in the description:

...
description: "Exception list containing exceptions for rule with id: 5232af22-beb8-437d-852e-38784e075644"
...

If you need to look at the values of the exceptions in any container, use the exception_item API.

Hope that helps to resolve the question.
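To put the reply above into practice, here is an added example script (not from the original thread, nor Elastic's own code) that pages through the exception-list find endpoint with the `type:rule_default` filter, pulls the rule id out of each container's description in the format shown above, and then fetches that container's items so the exception values can be reviewed per rule. Assumptions not confirmed by the thread: the Kibana base URL and API-key auth, the `/api/exception_lists/items/_find` endpoint with `list_id`/`namespace_type` parameters, paging via `page`/`per_page`/`total`, and the constructed sample responses used for the offline demonstration.

```python
"""Index Elastic Security rule_default exception containers by rule id.

Added example: not part of the original thread. Assumed, not shown on the
page: KIBANA_URL / API key auth, the items endpoint path and parameters,
the page/per_page/total paging fields, and the sample data below.
"""
import json
import re
import sys
import urllib.parse
import urllib.request
from typing import Dict, Iterator, List, Optional

# Filter from the reply above: only containers auto-created for a single rule.
RULE_DEFAULT_FILTER = "exception-list.attributes.type:rule_default"
# Description format shown in the reply above.
RULE_ID_RE = re.compile(r"exceptions for rule with id: ([0-9a-f-]{36})", re.I)


def rule_id_from_description(description: str) -> Optional[str]:
    """Return the rule id embedded in a rule_default container description."""
    m = RULE_ID_RE.search(description or "")
    return m.group(1) if m else None


def index_containers(containers: List[dict]) -> Dict[str, dict]:
    """Map rule_id -> container metadata; shared lists (other types) are skipped."""
    index: Dict[str, dict] = {}
    for c in containers:
        if c.get("type") != "rule_default":
            continue
        rid = rule_id_from_description(c.get("description", ""))
        if rid is None:
            continue  # container without the expected description format
        index[rid] = {
            "list_id": c["list_id"],
            "namespace_type": c.get("namespace_type", "single"),
            "name": c.get("name"),
        }
    return index


def describe_entries(entries: List[dict], prefix: str = "") -> List[str]:
    """Render exception item entries as 'field type value' lines for review."""
    lines: List[str] = []
    for e in entries:
        if e["type"] == "nested":  # nested entries carry their own sub-entries
            lines.extend(describe_entries(e["entries"], prefix=f"{e['field']}."))
            continue
        neg = "NOT " if e.get("operator") == "excluded" else ""
        if e["type"] == "exists":
            val = "<exists>"
        elif e["type"] == "list":
            val = f"value list {e['list']['id']}"
        else:  # match, match_any, wildcard
            v = e["value"]
            val = v if isinstance(v, str) else " | ".join(v)
        lines.append(f"{neg}{prefix}{e['field']} {e['type']} {val}")
    return lines


def kibana_get(base_url: str, api_key: str, path: str, params: dict) -> dict:
    """GET a Kibana API path with ApiKey auth (assumed deployment setup)."""
    url = f"{base_url.rstrip('/')}{path}?{urllib.parse.urlencode(params)}"
    req = urllib.request.Request(
        url, headers={"Authorization": f"ApiKey {api_key}", "kbn-xsrf": "true"}
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def iter_find(base_url: str, api_key: str, path: str, params: dict,
              per_page: int = 100) -> Iterator[dict]:
    """Walk a _find endpoint page by page (assumes page/per_page/total fields)."""
    page = 1
    while True:
        body = kibana_get(base_url, api_key, path,
                          {**params, "page": page, "per_page": per_page})
        data = body.get("data", [])
        yield from data
        if not data or page * per_page >= body.get("total", 0):
            return
        page += 1


def report(base_url: str, api_key: str) -> Dict[str, dict]:
    """Live run: containers per rule plus their rendered exception entries."""
    containers = list(iter_find(base_url, api_key, "/api/exception_lists/_find",
                                {"filter": RULE_DEFAULT_FILTER}))
    index = index_containers(containers)
    for rid, meta in index.items():
        items = iter_find(base_url, api_key, "/api/exception_lists/items/_find",
                          {"list_id": meta["list_id"],
                           "namespace_type": meta["namespace_type"]})
        meta["entries"] = [line for it in items for line in describe_entries(it["entries"])]
    return index


# Constructed sample responses (not real data) for offline demonstration.
SAMPLE_CONTAINERS = [
    {"list_id": "rule-default-1", "type": "rule_default", "namespace_type": "single",
     "name": "Rule exceptions", "description": "Exception list containing exceptions "
     "for rule with id: 5232af22-beb8-437d-852e-38784e075644"},
    {"list_id": "shared-1", "type": "detection", "namespace_type": "single",
     "name": "Shared list", "description": "Shared exceptions used by several rules"},
]
SAMPLE_ITEMS = [{"name": "Allow backup agent", "entries": [
    {"field": "process.executable", "operator": "included", "type": "match",
     "value": "C:\\Backup\\agent.exe"},
    {"field": "process.hash.sha256", "operator": "excluded", "type": "match_any",
     "value": ["aaaa", "bbbb"]},
]}]

if __name__ == "__main__":
    if len(sys.argv) == 3:
        print(json.dumps(report(sys.argv[1], sys.argv[2]), indent=2))
    else:  # offline demo on the constructed sample
        print(json.dumps(index_containers(SAMPLE_CONTAINERS), indent=2))
        print("\n".join(describe_entries(SAMPLE_ITEMS[0]["entries"])))
```

Run it as `python list_rule_exceptions.py https://kibana.example:5601 <api-key>` to query a live cluster, or with no arguments to see the parsing on the constructed sample. Note that `rule_default` containers can also live in the `agnostic` namespace; if your cluster uses both, repeat the find call with `namespace_type=agnostic` and the `exception-list-agnostic.attributes.type:rule_default` prefix (an assumption about the saved-object naming, not stated in the thread).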
