Endpoint exceptions are distinct from rule exceptions in that they run on the Endpoint itself. Rule exceptions run exclusively in the Stack. You can read more about this here.
Exceptions are currently shared across endpoints, but you can add conditions to narrow down the machines on which they will run, such as host.name IS abcd or agent.id IS 1234.
When a malware alert comes in, it carries event.code: malicious_file. The autocomplete suggestions are based on values found within your Elasticsearch database. If no malware alerts have been generated, then autocomplete won't be aware of the value. Here's what autocomplete for "m" looks like in my local lab stack:
For every path I added the system made up a new dedicated exception with the same name. Is this how it should work?
You are free to name the exception however you want. I suggest giving each one a distinct name to make it easier to distinguish them.
The workflow I described here is for creating wildcard exclusions before any alerts come in. The typical exception creation workflow is in response to alerts. When a malware alert comes in, the "Add Endpoint exception" button will automatically populate an exception for you as a starting point. You are then free to customize the exception before adding it.
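As an added illustration of the narrowing conditions and wildcard path exclusions discussed in the replies above (example code, not Elastic's own implementation or any code from this thread): a small evaluator that applies a constructed exception item to a constructed alert event. The item layout (field / operator / type / value entries, all ANDed) is assumed to mirror the Elastic exception-item shape; host name, event code and path values are made up.

```python
import fnmatch

# Constructed Endpoint exception item (values are illustrative only).
# All entries must match for the exception to apply, which is what
# narrows it to one host and one path pattern rather than every endpoint.
EXCEPTION_ITEM = {
    "name": "Allow internal build tool on build host abcd",
    "entries": [
        {"field": "host.name",  "operator": "included", "type": "match",    "value": "abcd"},
        {"field": "event.code", "operator": "included", "type": "match",    "value": "malicious_file"},
        {"field": "file.path",  "operator": "included", "type": "wildcard", "value": "C:\\Build\\tools\\*.exe"},
    ],
}

# Constructed malware alert as the endpoint would see it (ECS-style nesting).
SAMPLE_ALERT = {
    "host": {"name": "abcd"},
    "event": {"code": "malicious_file"},
    "file": {"path": "C:\\Build\\tools\\link.exe"},
}


def get_field(event: dict, dotted: str):
    """Resolve a dotted field name such as 'host.name' inside a nested event."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def entry_matches(entry: dict, event: dict) -> bool:
    """Evaluate one entry; 'excluded' inverts the result of the comparison."""
    actual = get_field(event, entry["field"])
    kind = entry["type"]
    if kind == "match":
        hit = actual == entry["value"]
    elif kind == "match_any":
        hit = actual in entry["value"]
    elif kind == "wildcard":
        # Glob-style match; case-sensitive in this model.
        hit = actual is not None and fnmatch.fnmatchcase(str(actual), entry["value"])
    elif kind == "exists":
        hit = actual is not None
    else:
        raise ValueError(f"unsupported entry type: {kind}")
    return hit if entry["operator"] == "included" else not hit


def exception_applies(item: dict, event: dict) -> bool:
    """True when every entry matches, i.e. the alert would be suppressed."""
    return all(entry_matches(e, event) for e in item["entries"])
```

Changing host.name to another machine, or the path to one outside C:\Build\tools, makes the exception no longer apply, which is the intended scoping behaviour.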
For every path I added the system made up a new dedicated exception with the same name. Is this how it should work?
You control the name of the exception. The "Add Endpoint Exception" button is grayed out until you enter one.