[FR] Indicator Match Rule - Indicators of Normality

[ghost]

Is your feature request related to a problem? Please describe.
I would like to create Indicator of Normality type of rule. For example: I have index with my allowed process.name list. I would like to create rule like Indicator Threat, that will alert if there is a process that is not on a my allowed list.

Describe the solution you'd like
Just add an option in Indicator Rules - let me select if indicators have to MATCH or NOT MATCH.

Describe alternatives you've considered
Creating large exception list, but if it changes constantly it isn't really easy to maintain.

Additional context
It could be presented just like here:

More about Indicators of Normality: https://www.x33fcon.com/slides/x33fcon22_-_Tomasz_Bukowski_-_We_Need_a_Major_Step_in_Maturating_Security_BlueTeam_Advice_from_RedTeamer.pdf

[SHolzhauer]

This is something my team has also been missing (or wants to have). Currently we are indeed looking into automating the maintenance of exception lists.

Having this option, we can use transforms to populate indices and have this type of query use those etc. Opening up new ways of detecting.

[dagansapir]

hello
do you have any timeline for this feature?
we have several use cases that we need to exclude indicators (not include)

[elasticmachine]

Pinging @elastic/security-solution (Team: SecuritySolution)