Commit
Auto fill exceptions from alert data (#3544)
Co-authored-by: Joe Peeples <[email protected]>
(cherry picked from commit 1b50370)
nastasha-solomon authored and mergify[bot] committed Jul 17, 2023
1 parent 5b579e8 commit db4f39d
Showing 1 changed file with 11 additions and 8 deletions.
19 changes: 11 additions & 8 deletions docs/detections/add-exceptions.asciidoc
Expand Up @@ -53,15 +53,10 @@ image::images/rule-exception-tab.png[Detail of rule exceptions tab]
.. Click *Create shared exception list* -> *Create exception item*.
--

. In the *Add rule exception* flyout, name the exception and add conditions that define the exception. When the exception's query conditions are met (the query evaluates to `true`), rules do not generate alerts even when other rule criteria are met.
+
In the example below, the exception was created from the Rules page and prevents the rule from generating alerts when the `svchost.exe` process runs on hostname `siem-kibana`.
. In the *Add rule exception* flyout, name the exception.
. Add conditions that define the exception. When the exception's query evaluates to `true`, rules don't generate alerts even when their criteria are met.
+
[role="screenshot"]
image::images/add-exception-ui.png[]

+
Add conditions that define when the exception prevents alerts:
NOTE: When you create a new exception from an alert, exception conditions are auto-populated with relevant alert data. A comment describing this action is also automatically added to the **Add comments** section.

.. *Field*: Select a field to identify the event being filtered.
+
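Review bot: check that the new NOTE stays attached to the "Add conditions that define the exception" step with a `+` list continuation, because the `.. *Field*` sub-list that follows the blank line after the NOTE only nests under that step if the NOTE is part of the step; the rendered diff shows a `+` both above and below the new step text, and it is not clear which of them survives. If the NOTE ends up as a detached paragraph, the `..` items start a fresh list and the numbering of the outer steps restarts. Minor: the NOTE uses `**Add comments**` while the surrounding steps mark UI labels as `*Field*` and `*Add rule exception*`; the file already has `**Return**` in the *Value* item, so pick one form for UI labels and apply it consistently in the lines this commit touches.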
Expand Down Expand Up @@ -90,6 +85,14 @@ IMPORTANT: Using wildcards can impact performance. To create a more efficient ex

.. *Value*: Enter the value associated with the *Field*. To enter multiple values (when using `is one of` or `is not one of`), enter each value, then press **Return**.

+
+
In the example below, the exception was created from the Rules page and prevents the rule from generating alerts when the `svchost.exe` process runs on hostname `siem-kibana`.
+
+
[role="screenshot"]
image::images/add-exception-ui.png[]

. Click *AND* or *OR* to create multiple conditions and define their relationships.

. Click *Add nested condition* to create conditions using nested fields. This is only required for
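Review bot: the moved example is attached with `+` on two consecutive lines (before "In the example below…" and again before `[role="screenshot"]`). Elsewhere in this file a single `+` precedes each attached block, as in the `+` followed by `[role="screenshot"]` at the top of the previous hunk; a doubled `+` risks rendering a stray plus sign or an empty attached block, so reduce each pair to one `+` directly above the block it attaches. Also worth a look: the example still says the exception "was created from the Rules page", whereas the NOTE added earlier describes conditions being auto-populated when the exception is created from an alert; stating that the screenshot shows manually entered conditions would avoid readers expecting the auto-filled values in this image.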
