Threat intel rule stopped working when exceptions were added

The threat intel rule stopped working when I added some exceptions.

Any solution?

Hi @theacodes,

Could you please provide some additional information that would allow us to diagnose and remedy your issue?

  1. What version of Kibana are you running?
  2. Is the rule in question the prebuilt Threat Intel rules, or is it custom? If custom, what is its definition (JSON can be exported on the Rules page)?
  3. Was the rule previously generating alerts? Can you provide a sample of such an alert?
  4. What exceptions were added to the rule? Did they all work up to a certain point?
  5. How is the rule not working? Is it encountering an error, or simply failing to generate new alerts? If the latter, what are the events (and indicators) that you expect to be generating alerts?

ELK on v8.8.1.
Prebuilt rule.
The rule is running successfully with no errors; it just stopped generating alerts when I added some exceptions, like "source IP is one of 1st IP, 2nd IP, etc."

Sorry @theacodes , I need more information to be able to help.

Since the point of exceptions is to prevent alerts from being generated, in the broadest terms what you're describing sounds like the expected behavior.

If you believe you're experiencing a false negative, providing an example of the documents (both events and indicators) that you expect to have generated alerts (as requested above in #5) would be necessary in troubleshooting further.

Agreed. I added 5 IPs together in an exception, so now those 5 IPs should not be coming in as alerts, right? But other IPs should still be coming in and generating alerts, because we generally receive a good amount of alerts. But after the exception, no alerts.
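An added model of how an exception like the one described should evaluate (example code written for this thread, not Elastic's implementation; the entry shape mirrors an exception item's field/type/operator/value, and the sample events are constructed): an "is one of" item on `source.ip` suppresses only the listed IPs, while the "is not one of" operator on the same list inverts which events survive.

```python
# Constructed sample events (not from the thread): events the rule
# alerted on before any exception existed.
EVENTS = [
    {"source.ip": "203.0.113.10", "threat.indicator.ip": "203.0.113.10"},
    {"source.ip": "203.0.113.11", "threat.indicator.ip": "203.0.113.11"},
    {"source.ip": "198.51.100.7", "threat.indicator.ip": "198.51.100.7"},
]

# One exception item = a list of entries that are ANDed together.
# type "match_any" with operator "included" is the UI's "is one of";
# operator "excluded" is "is not one of". Shape modelled, not Elastic's code.
IS_ONE_OF = [{
    "field": "source.ip",
    "type": "match_any",
    "operator": "included",
    "value": ["203.0.113.10", "203.0.113.11"],
}]

# Same list, opposite operator: "source.ip is not one of [...]".
IS_NOT_ONE_OF = [dict(IS_ONE_OF[0], operator="excluded")]


def entry_matches(event, entry):
    """True when a single exception entry is satisfied by the event."""
    actual = event.get(entry["field"])
    if actual is None:
        return False  # an absent field never satisfies an entry
    value = entry["value"]
    allowed = value if isinstance(value, list) else [value]
    hit = actual in allowed
    # "excluded" negates the comparison: every value NOT in the list matches.
    return hit if entry["operator"] == "included" else not hit


def item_matches(event, entries):
    """An exception item matches only if all of its entries match (AND)."""
    return all(entry_matches(event, e) for e in entries)


def alerts_after_exception(events, exception_items):
    """Events that still alert: those matched by none of the items (items are ORed)."""
    return [
        ev for ev in events
        if not any(item_matches(ev, item) for item in exception_items)
    ]
```

Running `alerts_after_exception(EVENTS, [IS_ONE_OF])` leaves the 198.51.100.7 event alerting, while `[IS_NOT_ONE_OF]` leaves only the two listed IPs; comparing the two against the exported rule exception is a quick way to confirm which operator is actually in place.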
