Hi @The1WhoPrtNocks, thanks for the great question!
As you've discovered, since Elastic Security/SIEM is built upon the Elastic Stack, a very flexible search and analytics engine, there is often more than one way to accomplish a given task.
In your case, tuning detection rules can indeed be accomplished several ways, including:
- modifying the rule detection logic (e.g., rule query)
- adding filters to the rule query (similar to above)
- adding exceptions to the rule
From a design philosophy point of view, if the modification affects the logic or theory of operation of the detection rule, it might fit best as a modification to the rule query or a filter. However, if the modification does not change the logic of the rule, but is simply adding an environment-specific condition where you choose not to apply the rule, then an exception will likely be the best fit.
From a practical point of view, rule exceptions are more flexible - they support lists, which can be centrally maintained, and in the future, may be able to be shared across multiple rules. So our general advice is to use exceptions for tuning rules.
We've provided some specific tuning guidance in this doc section:
Hope this helps!
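To make the difference between the three tuning options concrete, here is an added worked example (not part of the reply above, and not Elastic's own code). It takes a constructed "encoded PowerShell" rule, tunes it once by appending a `not host.name` clause to the query and once with an exception item, and runs both over a few constructed events. The exception item follows the field/operator/type/value entry shape of the Elastic Security exceptions API as I understand it (entries within an item are ANDed, items in a list are ORed); the evaluator is a simplified stand-in for the rule engine, and all host, user and list names are invented.

```python
"""Tuning a detection rule three ways: edit the query, add a filter, or add
an exception item.  Added illustration with constructed data; the
exception-item shape mirrors the Elastic Security exceptions API format
(assumed), and the evaluator only approximates how the engine applies it."""
import fnmatch

# Constructed sample events using ECS-style field names, not real telemetry.
EVENTS = [
    {"host.name": "ws-001", "user.name": "alice",
     "process.name": "powershell.exe", "process.args": ["-enc", "SQBFAFgA..."]},
    {"host.name": "build-01", "user.name": "svc_build",
     "process.name": "powershell.exe", "process.args": ["-enc", "QwBvAG4A..."]},
    {"host.name": "ws-002", "user.name": "bob",
     "process.name": "cmd.exe", "process.args": ["/c", "whoami"]},
    {"host.name": "build-01", "user.name": "alice",
     "process.name": "powershell.exe", "process.args": ["-EncodedCommand", "ZQBjAGgAbwA="]},
]


def rule_matches(event):
    """Untuned rule logic, roughly the KQL
    process.name : "powershell.exe" and process.args : ("-enc" or "-EncodedCommand")"""
    return (event.get("process.name", "").lower() == "powershell.exe"
            and any(a.lower() in ("-enc", "-encodedcommand")
                    for a in event.get("process.args", [])))


def filtered_rule_matches(event):
    """Tuning by changing the query/filter: append `and not host.name : "build-01"`.
    The suppression is now baked into the rule logic and applies to every
    user on that host, not just the one that caused the false positive."""
    return rule_matches(event) and event.get("host.name") != "build-01"


# Tuning with an exception item (assumed API shape).  Both entries must match
# for the item to apply, so only the service account on the build host is
# excluded; anyone else running encoded PowerShell there still alerts.
EXCEPTION_ITEMS = [
    {
        "item_id": "ps-build-host",
        "name": "CI build host runs encoded PowerShell as its service account",
        "type": "simple",
        "entries": [
            {"field": "host.name", "operator": "included", "type": "match",
             "value": "build-01"},
            {"field": "user.name", "operator": "included", "type": "match_any",
             "value": ["svc_build", "svc_deploy"]},
        ],
    },
]


def entry_matches(event, entry):
    """Evaluate one entry: match / match_any / wildcard, honouring included/excluded."""
    field_value = event.get(entry["field"])
    if entry["type"] == "match":
        hit = field_value == entry["value"]
    elif entry["type"] == "match_any":
        hit = field_value in entry["value"]
    elif entry["type"] == "wildcard":
        hit = field_value is not None and fnmatch.fnmatchcase(str(field_value), entry["value"])
    else:
        raise ValueError(f"unsupported entry type {entry['type']!r}")
    return hit if entry["operator"] == "included" else not hit


def exception_applies(event, items=EXCEPTION_ITEMS):
    """An alert is suppressed if ANY item matches, and an item matches only
    if ALL of its entries match."""
    return any(all(entry_matches(event, e) for e in item["entries"]) for item in items)


def alerts(events, strategy, items=EXCEPTION_ITEMS):
    """Return (host, user) for each event that alerts under a tuning strategy:
    'query' (untuned), 'filter' (negated clause in the query) or 'exception'."""
    out = []
    for ev in events:
        if strategy == "query":
            fires = rule_matches(ev)
        elif strategy == "filter":
            fires = filtered_rule_matches(ev)
        elif strategy == "exception":
            fires = rule_matches(ev) and not exception_applies(ev, items)
        else:
            raise ValueError(strategy)
        if fires:
            out.append((ev["host.name"], ev["user.name"]))
    return out


if __name__ == "__main__":
    for strategy in ("query", "filter", "exception"):
        print(strategy, alerts(EVENTS, strategy))
```

Running it shows why the reply favours exceptions for environment-specific noise: the query filter silently drops the `alice` on `build-01` event along with the service-account one, while the exception item keeps the rule logic intact and only suppresses the exact host/user combination you have vetted.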