Skip to main content

STEP 3: Rule Exceptions


Procedures​

If the initial triage assessment attributed the alert to CPT, native system, or benign activity – then create Rule Exception(s), to close out all past alerts and prevent future alerts involving the specific benign attributes:

Tuning Suricata Alerts

Suricata alerts are a unique case when applying rule exceptions as they all actually trigger from a single Elastic Detection Rule that renames the alert to the specific Suricata rule. As an additional step, you MUST add the specific Suricata rule SID (rule.id) to the exception logic so that you don't apply the exception to ALL Suricata rules (unless that’s the effect you want).

  1. Click on the Alerts button in the left-hand menu of the Security app

  2. Find the alert rule that you want to create an exception for

  3. After finding an alert with the name of your targeted rule under the Rule column (it doesn’t have to be specific to your benign event), click on the three dots and click Add rule exception

  4. Exception name: Give the exception a short, but descriptive title

  5. Conditions: Add the exception condition logic that you want future alerts to not trigger on

    tip

    Kibana will pre-populate exceptions with ECS fields that it believes are relevant to the alert - you can use these as a starting point and delete all of the irrelavent rows, or delete them all and start from scratch.

    note
    • The Field selector will only allow you to apply ECS schema fields – otherwise the Add Rule Exception button will remain grayed out
    • Exception conditions are applied in almost the same manner as search filters with Field – Operator – Value, except they can have AND/OR operator logic applied between them as well as nested groupings
    • Prior to creating an exception, be sure to experiment with the filter logic you plan to apply with search filters in the (Security) Alerts page
  6. (Optional) Add to rule or lists: If this exception is only meant to be added to the specific rule that triggered the alert, leave this set to the default Add to this rule, otherwise if you want to apply it to an existing Shared Exception List, set it to Add to exeption lists and toggle the Shared Exception List(s) you want to add it to

    NOTE: The [262COS] Global Exception List will only apply to all 262COS/DOK developed rules

  7. Add Comments: Provide an informational comment describing why this exception is being made and what it is intended to filter out

  8. (Optional) Exception Expiration: If this a time-period based exception, set a date/time for when the exception will no long be in effect

  9. Alert Actions: Check the following options to close out benign alerts

    • Close this alert
    • Close all alerts that match this exception and were generated by this rule
  10. Click Add Rule Exception to apply the exception - at this point the alert will be closed and no case/ticket needs to be created


Tips​

Shared Exception Lists​

Shared Exception Lists

Adding Shared Exception Lists are useful in scenarios where you want to exclude CPT activity – you would group up exceptions to whitelist CPT user accounts, CPT deployed tool file-paths, CPT IP addresses, etc. and then apply the list to alerts that become noisy vs. individually creating exceptions for each rule as they come up.

  • Exception Items are the exceptions themselves, which can either be added to a Shared Exception List or individually applied to multiple rules
  • Shared Exception Lists are containers that group one or more Exception Items and be applied to multiple rules

  1. Click on the Rules button under the Security app

  2. Click the Shared exception lists option from the Rules section

  3. Click on Create shared exception list -> Create shared list

    1. Shared exception list name: Enter a name for the list

    2. Description: Optionally enter a description for the list

    3. Click on Create shared exception list to create the list

  4. Once the list has been created, click on Add rule exception to list

    1. Conditions: Add the exception condition logic that you want future alerts to not trigger on
    note
    • The Field selector will only allow you to apply ECS schema fields – otherwise the Add Rule Exception button will remain grayed out
    • Exception conditions are applied in almost the same manner as search filters with Field – Operator – Value, except they can have AND/OR operator logic applied between them as well as nested groupings
    • Prior to creating an exception, be sure to experiment with the filter logic you plan to apply with search filters in the (Security) Alerts page
  1. Add Comments: Provide an informational comment describing why this exception is being made and what it is intended to filter out

  2. (Optional) Exception Expiration: If this a time-period based exception, set a date/time for when the exception will no long be in effect

  3. Click Add rule exception to apply the exception

  4. Repeat step 4 for each exception that you want to add

  5. You now have the option to Link rules to the Shared Exception List (one-by-one, unfortunately) by clicking the Link rules button in the top-right corner :::