Security rule exception not working

Hi everyone,

We are using Elasticsearch and Kibana version 7.16.3.

We have defined a security rule and added some exceptions to this rule.

Some of the exceptions are working fine, filtering the events that match the exception and not generating any new alerts, but one of them is not. The field used for all the exceptions is the same, rule.name of type keyword.

These are two of the exceptions created for the rule; the one on top is working, but the one marked in red is the one failing to filter the events:

As you can see, events matching this exception are still generating alerts:

Thanks in advance!

Regards.


@masuel I have not been able to reproduce this behavior on 7.16.3 using the messages above. When creating the exception, did you select the text from the dropdown, or did you enter it manually? Are you sure the text is matching exactly?

If you can provide the exact text used in the exception, along with an example alert JSON that was not filtered, I'd be happy to check those on my end.

Thanks for posting!
-Madi

Hi @madi thank you very much for your fast response.

I selected the text from the dropdown:

I copied the text from the exception and used it to filter, as shown in the screenshot in my first post, so it should match exactly. The text is:

ET POLICY SMB2 NT Create AndX Request For a Powershell .ps1 File

The JSON:

"_source": {
  ...
},
"rule": {
  "name": "ET POLICY SMB2 NT Create AndX Request For a Powershell .ps1 File",
  "id": "2025705",
  "category": "Potentially Bad Traffic"
}
..

Another question regarding the exceptions: is it planned to support partial matches on the exception value? When creating an exception, the only options available allow filtering by the full value, in this case "ET POLICY SMB2 NT Create AndX Request For a Powershell .ps1 File". It would be nice to allow the use of wildcards, for example "ET POLICY SMB2 NT Create AndX Request*".

Regards!


@masuel I'm still not able to reproduce this behavior on 7.16.3. Can you confirm that new alerts are still being generated AFTER adding the exception?

Unfortunately, we do not support wildcards in rule exceptions at this time. But there is a workaround below. This workaround should give you the same behavior that you'd expect from using exceptions above, but maybe you'll have better results:

Click on "Add filter" and "Edit as Query DSL":

Let me know if this helps!
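The screenshot of the Query DSL filter referred to above is not reproduced here, so the following is an added example (not the original poster's or Elastic's code) of what such a filter can look like. It assumes the rule's source index carries the rule name in a keyword field named `rule.name`, as in the alert JSON posted earlier in the thread, and it uses a `wildcard` query so that the whole family of "ET POLICY SMB2 NT Create AndX Request ..." signatures is suppressed at query time rather than one exact value per exception:

```json
{
  "query": {
    "bool": {
      "must_not": [
        {
          "wildcard": {
            "rule.name": {
              "value": "ET POLICY SMB2 NT Create AndX Request*",
              "case_insensitive": true
            }
          }
        }
      ]
    }
  }
}
```

A few points worth checking before relying on this. Because `rule.name` is a keyword field, both the exception's exact-match comparison and this wildcard run against the stored value byte for byte, so a trailing space, a different Unicode dash or a case difference in the event will silently defeat an exception; `case_insensitive` only removes the last of those. A filter added this way lives in the rule definition itself, not in the exception list, so it is applied on every rule execution and will not appear in the exceptions UI. Finally, leading wildcards (`*Request*`) are far more expensive on large indices than a prefix pattern like the one above; if only a prefix is needed, a `prefix` query on `rule.name` does the same job more cheaply.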

@madi thank you for your support and suggestions!

The alerts were still being generated after the exception was added.
We removed the alert, recreated it and recreated all the exceptions, and now it seems to be working fine.

Just in case we find a similar issue in the future, is there some log or any way to debug the alerts/exception execution?

Regards!

