Using fields outside ECS for exceptions in rules

Good time of day. I have a rule that creates an alert and I need to add an exception to it. Describing this exception within the query would be problematic, as it would inflate the size of the query. So I decided to use rule exceptions. But when creating an exception, I ran into the problem that the field I need is not used in ECS. I would like to use data from the winlog.event_data.TaskName field, which contains the path where the task is stored, for example \Microsoft\Windows\UpdateOrchestrator\somename. Did I understand correctly that I am limited to ECS fields in exceptions? Is there any way I can solve this problem?

Hey @Ruslan_Hafizov

Exceptions can be used with non-ECS fields. As long as the selected field is mapped in your source index, there should not be any issues.

However, once an alert has been created, a non-ECS field can't be used to filter your alert results.
This can be mitigated by creating a custom runtime field: Create runtime fields in Elastic Security | Elastic Docs

Hope this helps.
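To make the answer above concrete, here is an added example (my own code, not from the thread or from Elastic) that builds an exception item on the non-ECS field winlog.event_data.TaskName, dry-runs it locally against a few constructed Windows events to show which ones would still alert, and wraps the Kibana call that would create it (POST /api/exception_lists/items). The list_id, the Kibana URL, the item name and the sample events are all assumptions; the local matcher is only an approximation of Elastic's `match` and `wildcard` entry semantics (exact keyword equality, and `*`/`?` globbing).

```python
"""Added example: an exception item on a non-ECS field, with a local dry run.

Assumptions (not from the thread): the exception list id, the Kibana URL
and the sample events below are made up.
"""
import fnmatch
import json
from urllib import request

KIBANA_URL = "http://localhost:5601"          # assumption
LIST_ID = "scheduled-task-exceptions"         # hypothetical exception list id
FIELD = "winlog.event_data.TaskName"          # non-ECS, but mapped in the winlogbeat index


def task_name_exception(task_path: str, item_id: str) -> dict:
    """Body for POST /api/exception_lists/items.

    Only the index mapping matters; the field does not have to be ECS.
    A path containing '*' or '?' becomes a 'wildcard' entry (one item covers a
    whole task folder); anything else is an exact 'match' entry.
    """
    entry_type = "wildcard" if any(c in task_path for c in "*?") else "match"
    return {
        "list_id": LIST_ID,
        "item_id": item_id,
        "namespace_type": "single",
        "type": "simple",
        "name": f"Allow scheduled task {task_path}",
        "description": "Known-good scheduled task (example item)",
        "entries": [
            {"field": FIELD, "operator": "included", "type": entry_type, "value": task_path}
        ],
    }


def get_dotted(doc: dict, dotted: str):
    """Resolve 'a.b.c' in a nested dict; None when any level is missing."""
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def is_excepted(doc: dict, item: dict) -> bool:
    """Local approximation of a 'simple' exception item: every entry must hold.

    'match' is exact keyword equality, 'wildcard' is a glob with '*' and '?',
    and operator 'excluded' negates the entry. A document that lacks the field
    never satisfies an 'included' entry.
    """
    for entry in item["entries"]:
        value = get_dotted(doc, entry["field"])
        if entry["type"] == "match":
            hit = value == entry["value"]
        elif entry["type"] == "wildcard":
            hit = isinstance(value, str) and fnmatch.fnmatchcase(value, entry["value"])
        else:
            raise ValueError(f"entry type not modelled here: {entry['type']}")
        if entry["operator"] == "excluded":
            hit = not hit
        if not hit:
            return False
    return True


def dry_run(item: dict, docs: list) -> list:
    """Return the documents that would still alert with the item in place."""
    return [d for d in docs if not is_excepted(d, item)]


def create_exception_item(item: dict, api_key: str) -> dict:
    """Create the item in Kibana. Needs network access; not used by the dry run."""
    req = request.Request(
        f"{KIBANA_URL}/api/exception_lists/items",
        data=json.dumps(item).encode(),
        method="POST",
        headers={"kbn-xsrf": "true", "Content-Type": "application/json",
                 "Authorization": f"ApiKey {api_key}"},
    )
    with request.urlopen(req) as resp:
        return json.load(resp)


# Constructed sample events (not real Windows logs), in source-index shape.
SAMPLE_EVENTS = [
    {"winlog": {"event_data": {"TaskName": r"\Microsoft\Windows\UpdateOrchestrator\somename"}}},
    {"winlog": {"event_data": {"TaskName": r"\Microsoft\Windows\UpdateOrchestrator\Other"}}},
    {"winlog": {"event_data": {"TaskName": r"\Updater"}}},
    {"winlog": {"event_data": {}}},  # no TaskName at all: never excepted
]

if __name__ == "__main__":
    item = task_name_exception(r"\Microsoft\Windows\UpdateOrchestrator\*", "update-orchestrator")
    print(json.dumps(item, indent=2))
    for doc in dry_run(item, SAMPLE_EVENTS):
        print("still alerts:", get_dotted(doc, FIELD))
```

Run it as-is to see the request body and the two sample events the wildcard item leaves alone; call `create_exception_item(item, api_key)` only once the dry run matches what you expect, because an over-broad wildcard silently suppresses every task under that folder.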

Thanks for the reply, I will try to check as soon as possible. I saw the limitations related to ECS filtering in the UI.
UPD: Unfortunately, the field created in timelines could not be used to exclude it from the rule

Unfortunately, the field created in timelines could not be used to exclude it from the rule

Can you give more details about this? Does it refer to the highlighted Alerts actions section?

If so:

Yes, this is one of the limitations: a non-ECS field in an exception cannot be used to close other alerts.

As an alternative, you can add this field as a runtime field. Go to the alerts table, filter alerts using the newly created runtime field, and close them or take any other action.
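As an added example of the alternative described above (my own code, not from the thread or from Elastic), the block below defines a keyword runtime field on the Security data view that exposes the scheduled-task folder of winlog.event_data.TaskName, previews its values with a Python mirror of the Painless script over a few constructed alerts, and wraps the two Kibana calls a practitioner would then make: create the runtime field (POST /api/data_views/data_view/{id}/runtime_field) and close the filtered alerts (POST /api/detection_engine/signals/status). The data view id, the runtime field name, the Kibana URL and the alert documents are assumptions.

```python
"""Added example: a runtime field for filtering (and closing) alerts by task folder.

Assumptions (not from the thread): the data view id, the field name, the
Kibana URL and the alert documents are placeholders.
"""
import json
from urllib import request

KIBANA_URL = "http://localhost:5601"           # assumption
DATA_VIEW_ID = "security-solution-default"      # assumption: id of the Security data view
SOURCE_FIELD = "winlog.event_data.TaskName"
RUNTIME_FIELD = "task.folder"                   # hypothetical runtime field name

# Painless executed by Elasticsearch per document: emit everything before the
# last backslash, or the whole value when the path has no folder component.
PAINLESS = f"""
if (doc['{SOURCE_FIELD}'].size() == 0) {{ return; }}
String t = doc['{SOURCE_FIELD}'].value;
int i = t.lastIndexOf('\\\\');
emit(i > 0 ? t.substring(0, i) : t);
""".strip()


def runtime_field_body() -> dict:
    """Body for POST /api/data_views/data_view/{DATA_VIEW_ID}/runtime_field."""
    return {
        "name": RUNTIME_FIELD,
        "runtimeField": {"type": "keyword", "script": {"source": PAINLESS}},
    }


def task_folder(task_name):
    """Python mirror of the Painless script, used to preview values offline."""
    if task_name is None:
        return None
    i = task_name.rfind("\\")
    return task_name[:i] if i > 0 else task_name


def alerts_in_folder(alerts: list, folder: str) -> list:
    """Equivalent of the alerts-table filter `task.folder : "<folder>"`."""
    return [a for a in alerts if task_folder(a.get(SOURCE_FIELD)) == folder]


def _post(path: str, body: dict, api_key: str) -> dict:
    req = request.Request(
        f"{KIBANA_URL}{path}", data=json.dumps(body).encode(), method="POST",
        headers={"kbn-xsrf": "true", "Content-Type": "application/json",
                 "Authorization": f"ApiKey {api_key}"},
    )
    with request.urlopen(req) as resp:
        return json.load(resp)


def create_runtime_field(api_key: str) -> dict:
    """Add the runtime field to the data view (network call, not run here)."""
    return _post(f"/api/data_views/data_view/{DATA_VIEW_ID}/runtime_field",
                 runtime_field_body(), api_key)


def close_alerts(alert_ids: list, api_key: str) -> dict:
    """Close the given alert ids (network call, not run here)."""
    return _post("/api/detection_engine/signals/status",
                 {"signal_ids": alert_ids, "status": "closed"}, api_key)


# Constructed alert documents, flattened for brevity.
ALERTS = [
    {"_id": "a1", SOURCE_FIELD: r"\Microsoft\Windows\UpdateOrchestrator\somename"},
    {"_id": "a2", SOURCE_FIELD: r"\Microsoft\Windows\UpdateOrchestrator\Reboot"},
    {"_id": "a3", SOURCE_FIELD: r"\Updater"},
    {"_id": "a4"},  # alert without the source field: runtime field stays empty
]

if __name__ == "__main__":
    print(json.dumps(runtime_field_body(), indent=2))
    to_close = alerts_in_folder(ALERTS, r"\Microsoft\Windows\UpdateOrchestrator")
    print("would close:", [a["_id"] for a in to_close])
```

The preview step matters because the runtime field is evaluated at query time on the alerts index: if the source field is absent from an alert (as for `a4`), the filter simply does not match it, so check the folder list before handing the ids to `close_alerts`.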