The threat intel rule stopped working when I added some exceptions.
Could you please provide some additional information that would allow us to diagnose and remedy your issue?
ELK on v8.8.1.
The rule is running successfully with no errors; it just stopped generating alerts when I added some exceptions like "source IP is one of 1st IP, 2nd IP, etc."
Sorry @theacodes , I need more information to be able to help.
Since the point of exceptions is to prevent alerts from being generated, in the broadest terms what you're describing sounds like the expected behavior.
If you believe you're experiencing a false negative, providing an example of the documents (both events and indicators) that you expect to have generated alerts (as requested above in #5) would be necessary in troubleshooting further.
Agreed. I added 5 IPs together in an exception, so now those 5 IPs should not be coming in alerts, right? But other IPs should still be coming and generating alerts, because we in general receive a good amount of alerts. But after the exception, no alerts.