Manage Endpoint exceptions by group of endpoints

Hi,

We are evaluating deploying Elastic Defend EDR (8.19) in our environment with +10000 endpoints.
And I have a question about exceptions/exclusions management in such a large environment.

How do you manage exclusions by groups of agents? For example, HR is not using the same software as the IT department or marketing, so the exceptions will not be the same.

How do I maintain Endpoint exceptions by groups of endpoints easily and automatically, without manually specifying agents one by one in each exceptions list?
Hope my question is clear enough.
Thanks for your help.

Hi @sebem

We’re actively working to move Endpoint exceptions so that it is possible to create exceptions per-Endpoint policy in a future 9.x release. Creating exceptions by policy would most directly address your need. (Here are some example PRs, though it’ll take more to complete the work).

However, since you are using 8.19 and also because that feature isn’t available yet, an approach that might work for you is to include some other field in the exceptions. For instance, if you have a consistent host naming scheme in your environment, adding host.name MATCHES dev-* would apply the exception to just machines on the development network. Similarly, adding something like Endpoint.policy.applied.name IS example-policy would effectively make the exception per-policy.

I hope that helps.

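To make the suggestion above concrete, here is an added example (not code from Elastic or from either poster) that builds an Endpoint exception item carrying the two scoping entries described, host.name MATCHES dev-* and Endpoint.policy.applied.name IS example-policy, in the shape accepted by the Kibana exception-lists API, and then evaluates it locally against a few constructed endpoint events to show which hosts it would apply to. The process.executable field, the API path and the local matcher (a simplified AND-of-entries approximation of Endpoint's matching) are assumptions for illustration.

```python
import fnmatch

# Constructed example: an Endpoint exception scoped by host naming scheme (wildcard)
# and by applied Endpoint policy name (exact match). Payload shape follows the Kibana
# exception-lists API item format (assumed: POST <kibana>/api/exception_lists/items);
# "endpoint_list" is the global Endpoint exceptions list. process.executable is an
# assumed condition field standing in for whatever the real exception matches on.
def build_scoped_exception(process_path, host_pattern=None, policy_name=None):
    entries = [{"field": "process.executable", "type": "match",
                "operator": "included", "value": process_path}]
    if host_pattern:  # host.name MATCHES dev-*
        entries.append({"field": "host.name", "type": "wildcard",
                        "operator": "included", "value": host_pattern})
    if policy_name:   # Endpoint.policy.applied.name IS example-policy
        entries.append({"field": "Endpoint.policy.applied.name", "type": "match",
                        "operator": "included", "value": policy_name})
    return {"list_id": "endpoint_list", "namespace_type": "agnostic", "type": "simple",
            "name": f"Allow {process_path}",
            "description": "Scoped endpoint exception (constructed example)",
            "entries": entries}


def _lookup(event, dotted):
    # Resolve a dotted field name such as Endpoint.policy.applied.name in a nested dict.
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def exception_applies(item, event):
    # Simplified local approximation: every entry must match for the exception to apply,
    # so each scoping entry only narrows the set of endpoints it covers.
    for entry in item["entries"]:
        value = _lookup(event, entry["field"])
        if value is None:
            return False
        if entry["type"] == "match":
            matched = value == entry["value"]
        elif entry["type"] == "wildcard":  # '*' and '?' glob, case-sensitive
            matched = fnmatch.fnmatchcase(str(value), entry["value"])
        else:
            raise ValueError(f"unsupported entry type {entry['type']}")
        if (entry["operator"] == "included") != matched:
            return False
    return True
```

Running the same unscoped exception through exception_applies would match every host, which is the behaviour the extra entries are there to prevent.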

Hi @ferullo ,

Thanks for the feedback, I'll take a look at your suggested approaches.

:+1: