Add and manage exceptions

You can add exceptions to a rule from the rule details page, the Alerts table, or the Shared Exception Lists page. When you add an exception, you can also close all alerts that meet the exception’s criteria.

  • For an exception to be applied successfully, the fields you’ve defined for its query must be mapped correctly and consistently in their respective indices. Refer to ECS to learn more about supported mappings.
  • Be careful when adding exceptions to event correlation rules. Exceptions are evaluated against every event in the sequence, and when the exception matches all event(s) in the sequence, alerts are not generated. If the exception only matches some of the events in the sequence, alerts are generated.

    To exclude values from a specific event in the sequence, update the rule’s EQL statement. For example:

    sequence
      [file where file.extension == "exe"
      and file.name != "app-name.exe"]
      [process where true
      and process.name != "process-name.exe"]

Add exceptions to a rule

  1. Do one of the following:

    • To add an exception from the rule details page:

      1. Go to the rule details page of the rule to which you want to add an exception (Manage → Rules → Rule name).
      2. Scroll down the rule details page, select the Rule exceptions tab, then click Add rule exception.

    • To add an exception from the Alerts table:

      1. Go to Alerts.
      2. Scroll down to the Alerts table, go to the alert you want to create an exception for, click the More Actions menu (…), then select Add rule exception.
    • To add an exception from the Shared Exception Lists page:

      1. Go to Manage → Shared Exception Lists.
      2. Click Create shared exception list → Create exception item.
  2. In the Add rule exception flyout, name the exception and add conditions that define when the exception prevents alerts. When the exception’s query conditions are met (the query evaluates to true), rules do not generate alerts even when other rule criteria are met.

    For example, an exception created from the Rules page could prevent the rule from generating alerts when the svchost.exe process runs on hostname siem-kibana.


    Add conditions that define when the exception prevents alerts:

    1. Field: Select a field to identify the event being filtered.
    2. Operator: Select an operator to define the condition:

      • is | is not — Must be an exact match of the defined value.
      • is one of | is not one of — Matches any of the defined values.
      • exists | does not exist — The field exists.
      • is in list | is not in list — Matches values in a value list.

        • An exception defined by a value list must use is in list or is not in list in all conditions.
        • Wildcards are not supported in value lists.
        • If a value list can’t be used due to size or data type, it’ll be unavailable in the Value menu.
      • matches | does not match — Allows you to use wildcards in Value, such as C:\path\*\app.exe. Available wildcards are ? (match one character) and * (match zero or more characters). The selected Field data type must be keyword, text, or wildcard.

        Using wildcards can impact performance. To create a more efficient exception using wildcards, use multiple conditions and make them as specific as possible. For example, adding conditions using process.name or file.name can help limit the scope of wildcard matching.

    3. Value: Enter the value associated with the Field. To enter multiple values (when using is one of or is not one of), enter each value, then press Return.
  3. Click AND or OR to create multiple conditions and define their relationships.
  4. Click Add nested condition to create conditions using nested fields. This is only required for the nested fields listed under Exceptions with nested conditions. For all other fields, nested conditions should not be used.
  5. Choose to add the exception to a rule or a shared exception list.

    If you are creating an exception from the Shared Exception Lists page, you can add the exception to multiple rules.

    If a shared exception list doesn’t exist, you can create one from the Shared Exception Lists page.

  6. (Optional) Enter a comment describing the exception.
  7. Select one of the following alert actions:

    • Close this alert: Closes the alert when the exception is added. This option is only available when adding exceptions from the Alerts table.
    • Close all alerts that match this exception and were generated by this rule: Closes all alerts that match the exception’s conditions and were generated only by the current rule.
  8. Click Add rule exception.

Add Elastic Endpoint exceptions

Like detection rule exceptions, you can add Endpoint agent exceptions either by editing the Endpoint Security rule or by adding them as actions on alerts generated by the Endpoint Security rule. Elastic Endpoint alerts have the following fields:

  • kibana.alert.original_event.module:endpoint
  • kibana.alert.original_event.kind:alert

You can also add Endpoint exceptions to other rules that have been associated with Elastic Endpoint exceptions. To associate a rule, select the Elastic Endpoint exceptions option when creating or editing the rule.

Endpoint exceptions are added to the detection rule and the Elastic Endpoint on your hosts.

Exceptions added to the Endpoint Security rule affect all alerts sent from the Endpoint agent. Be careful not to unintentionally prevent useful Endpoint alerts.

Additionally, to add an Endpoint exception to the Endpoint Security rule, there must be at least one Endpoint Security alert generated in the system. For non-production use, if no alerts exist, you can trigger a test alert using malware emulation techniques or tools such as the Anti Malware Testfile from the European Institute for Computer Anti-Virus Research (EICAR).

Binary fields are not supported in detection rule exceptions.

  1. Do one of the following:

    • To add an Endpoint exception from the rule details page:

      1. Go to the rule details page (Manage → Rules), and then search for and select the Elastic Endpoint Security rule.
      2. Scroll down the rule details page, select the Endpoint exceptions tab, then click Add endpoint exception.
    • To add an Endpoint exception from the Alerts table:

      1. Go to Alerts.
      2. Scroll down to the Alerts table, and from an Elastic Endpoint alert, click the More actions menu (…), then select Add Endpoint exception.
    • To add an Endpoint exception from Shared Exception Lists page:

      1. Go to Manage → Shared Exception Lists.
      2. Expand the Endpoint Security Exception List or click the list name to open the list’s details page. Next, click Add endpoint exception.

        The Endpoint Security Exception List is automatically created. By default, it’s associated with the Endpoint Security rule and any rules with the Elastic Endpoint exceptions option selected.

    The Add Endpoint Exception flyout opens.

  2. If required, modify the conditions.

    Refer to Exceptions with nested conditions for more information on when nested conditions are required.

  3. You can select any of the following:

    • Close this alert: Closes the alert when the exception is added. This option is only available when adding exceptions from the Alerts table.
    • Close all alerts that match this exception and were generated by this rule: Closes all alerts that match the exception’s conditions.
  4. Click Add Endpoint Exception. An exception is created for both the detection rule and the Elastic Endpoint.

Exceptions with nested conditions

Some Endpoint objects contain nested fields, and the only way to ensure you are excluding the correct fields is with nested conditions. One example is the process.Ext object:

{
  "ancestry": [],
  "code_signature": {
    "trusted": true,
    "subject_name": "LFC",
    "exists": true,
    "status": "trusted"
  },
  "user": "WDAGUtilityAccount",
  "token": {
    "elevation": true,
    "integrity_level_name": "high",
    "domain": "27FB305D-3838-4",
    "user": "WDAGUtilityAccount",
    "elevation_type": "default",
    "sid": "S-1-5-21-2047949552-857980807-821054962-504"
  }
}

Only these objects require nested conditions to ensure the exception functions correctly:

  • Endpoint.policy.applied.artifacts.global.identifiers
  • Endpoint.policy.applied.artifacts.user.identifiers
  • Target.dll.Ext.code_signature
  • Target.process.Ext.code_signature
  • Target.process.Ext.token.privileges
  • Target.process.parent.Ext.code_signature
  • Target.process.thread.Ext.token.privileges
  • dll.Ext.code_signature
  • file.Ext.code_signature
  • file.Ext.macro.errors
  • file.Ext.macro.stream
  • process.Ext.code_signature
  • process.Ext.token.privileges
  • process.parent.Ext.code_signature
  • process.thread.Ext.token.privileges

Nested condition example

This example creates an exception that excludes all LFC-signed trusted processes. It uses a nested condition on process.Ext.code_signature with two entries: subject_name is LFC and trusted is true, so both values must come from the same code_signature object.
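The semantics described on this page (an exception suppresses only when all of its conditions hold, wildcard matching with ? and *, an exception on an event correlation rule suppresses only when it matches every event in the sequence, and nested conditions evaluate their entries against one object at a time rather than across a flattened array) can be checked locally with a small evaluator. The Python below is an added example, not Elastic's code and not the implementation behind the Add rule exception flyout. It assumes exception items in the JSON shape of Kibana's exception-item API (entries with field, operator, type, value, and nested sub-entries); that shape, the helper names, and the sample events are constructed for this example, with the process event mirroring the process.Ext object shown above.

```python
import re

# Added example (not Elastic's code). Exception items follow the JSON shape of
# Kibana's exception-item API as an assumption: each entry has "field",
# "operator" ("included" = is, "excluded" = is not), "type" ("match",
# "match_any", "exists", "wildcard", "nested") and "value".


def _as_text(v):
    """Render scalars the way a keyword comparison would see them."""
    if isinstance(v, bool):
        return "true" if v else "false"
    return str(v)


def _values(doc, path):
    """Return every value reachable at dotted `path`. Arrays of objects are
    flattened, which is how Elasticsearch treats non-nested object arrays:
    process.Ext.token.privileges.name yields the names of ALL privileges."""
    nodes = [doc]
    for key in path.split("."):
        nxt = []
        for node in nodes:
            if isinstance(node, dict) and key in node:
                val = node[key]
                nxt.extend(val if isinstance(val, list) else [val])
        nodes = nxt
    return nodes


def _wildcard(pattern, value):
    """? matches one character, * matches zero or more; everything else is literal."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, value) is not None


def _entry_matches(entry, doc):
    typ = entry["type"]
    if typ == "nested":
        # Nested: every sub-entry must hold on the SAME object, not across the array.
        objs = [o for o in _values(doc, entry["field"]) if isinstance(o, dict)]
        return any(all(_entry_matches(e, obj) for e in entry["entries"]) for obj in objs)
    found = [_as_text(v) for v in _values(doc, entry["field"]) if not isinstance(v, dict)]
    if typ == "exists":
        hit = bool(found)
    elif typ == "match":
        hit = _as_text(entry["value"]) in found
    elif typ == "match_any":
        hit = any(_as_text(v) in found for v in entry["value"])
    elif typ == "wildcard":
        hit = any(_wildcard(entry["value"], v) for v in found)
    else:
        raise ValueError(f"unknown entry type {typ}")
    return hit if entry["operator"] == "included" else not hit


def exception_matches(item, doc):
    """An exception item suppresses an event only when all of its entries hold (AND)."""
    return all(_entry_matches(e, doc) for e in item["entries"])


def sequence_suppressed(items, events):
    """Event correlation rules: an exception suppresses the alert only when it
    matches every event in the sequence; matching some of them is not enough."""
    return any(all(exception_matches(item, ev) for ev in events) for item in items)


# Constructed sample process event, shaped like the process.Ext object above.
PROCESS_EVENT = {
    "host": {"hostname": "siem-kibana"},
    "process": {"name": "svchost.exe", "executable": "C:\\path\\v2\\app.exe", "Ext": {
        "code_signature": {"trusted": True, "subject_name": "LFC", "exists": True, "status": "trusted"},
        "token": {"privileges": [{"name": "SeDebugPrivilege", "enabled": False},
                                 {"name": "SeShutdownPrivilege", "enabled": True}]}}},
}
# Flattened conditions match across DIFFERENT privilege objects (wrong exclusion)...
FLAT_PRIVILEGE = {"entries": [
    {"field": "process.Ext.token.privileges.name", "operator": "included", "type": "match", "value": "SeDebugPrivilege"},
    {"field": "process.Ext.token.privileges.enabled", "operator": "included", "type": "match", "value": "true"}]}
# ...while the nested form requires one privilege object to satisfy both.
NESTED_PRIVILEGE = {"entries": [{"field": "process.Ext.token.privileges", "type": "nested", "entries": [
    {"field": "name", "operator": "included", "type": "match", "value": "SeDebugPrivilege"},
    {"field": "enabled", "operator": "included", "type": "match", "value": "true"}]}]}
# The page's nested condition example: trusted processes signed by LFC.
LFC_TRUSTED = {"entries": [{"field": "process.Ext.code_signature", "type": "nested", "entries": [
    {"field": "subject_name", "operator": "included", "type": "match", "value": "LFC"},
    {"field": "trusted", "operator": "included", "type": "match", "value": "true"}]}]}
WILDCARD_PATH = {"entries": [
    {"field": "process.executable", "operator": "included", "type": "wildcard", "value": "C:\\path\\*\\app.exe"}]}

# Constructed two-event sequence (file event followed by process event).
SEQUENCE_EVENTS = [
    {"host": {"hostname": "siem-kibana"}, "file": {"extension": "exe", "name": "app-name.exe"}},
    {"host": {"hostname": "siem-kibana"}, "process": {"name": "process-name.exe"}},
]
HOST_EXCEPTION = {"entries": [{"field": "host.hostname", "operator": "included", "type": "match", "value": "siem-kibana"}]}
FILE_ONLY_EXCEPTION = {"entries": [{"field": "file.name", "operator": "included", "type": "match", "value": "app-name.exe"}]}

if __name__ == "__main__":
    print("flat privilege conditions match:", exception_matches(FLAT_PRIVILEGE, PROCESS_EVENT))
    print("nested privilege condition matches:", exception_matches(NESTED_PRIVILEGE, PROCESS_EVENT))
    print("LFC trusted (nested) matches:", exception_matches(LFC_TRUSTED, PROCESS_EVENT))
    print("wildcard path matches:", exception_matches(WILDCARD_PATH, PROCESS_EVENT))
    print("host exception suppresses sequence:", sequence_suppressed([HOST_EXCEPTION], SEQUENCE_EVENTS))
    print("file-only exception suppresses sequence:", sequence_suppressed([FILE_ONLY_EXCEPTION], SEQUENCE_EVENTS))
```

The flat privilege item is the case to watch for: its two conditions are each true somewhere in the privileges array, so the flattened evaluation would exclude the event even though no single privilege is both SeDebugPrivilege and enabled. The nested form of the same item does not match, which is why the fields listed above need nested conditions. The file-only item shows the event correlation caveat: it matches the file event but not the process event, so the sequence alert is still generated.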

View and manage exceptions

To view a rule’s exceptions, open the rule’s details page (Manage → Rules → Rule name), then scroll down and select the Rule exceptions or Endpoint exceptions tab. The default rule list displays all the exceptions that belong to the rule. From the default rule list, you can filter, edit, and delete exceptions.


Find rules using the same exceptions

To find out if an exception is used by other rules, select the Rule exceptions or Endpoint exceptions tab, navigate to an exception list item, then click Affects X rules.
