Hi everyone, I’m not sure if this is a bug or expected behavior, but when I try to create a rule exception and use a value list on one field, I can’t use the regular “is” operator on another field — it only lets me choose “is in list.” This seems extremely odd and not very functional. Could someone please tell me if I’m doing something wrong, or if it’s supposed to work this way? Thanks!
Hi, I noticed this too some time ago… Not ideal.
Hi @Marek_Galbavy!
Apologies for the late response here. This is the intended behavior, due to limitations we had when we first implemented this feature: we were unable to combine value list and non-value-list exceptions during rule execution. There has since been progress, and we are aligned that this is an issue we want to enhance by removing the restriction; however, there is no timeline I can share on it at the moment.
Please feel free to share your pain points on this existing ticket which calls out the behavior you ran into here - [Security Solution] Once you have selected a value list you just can use value list operators · Issue #86261 · elastic/kibana · GitHub
Best,
Yara
