Open ghost opened 2 years ago
This is something my team has also been missing (or wants to have). Currently we are indeed looking into automating the maintenance of exception lists.
Having this option, we can use transforms to populate indices and have this type of query use those, etc., opening up new ways of detecting.
Hello, do you have any timeline for this feature? We have several use cases where we need to exclude indicators (not include them).
Pinging @elastic/security-solution (Team: SecuritySolution)
Is your feature request related to a problem? Please describe.
I would like to create an Indicator of Normality type of rule. For example: I have an index with my allowed process.name list. I would like to create a rule like Indicator Threat that will alert if there is a process that is not on my allowed list.
Describe the solution you'd like
Just add an option in Indicator Rules - let me select if indicators have to MATCH or NOT MATCH.
Describe alternatives you've considered
Creating a large exception list, but if it changes constantly it isn't really easy to maintain.
Additional context
It could be presented just like here:
More about Indicators of Normality: https://www.x33fcon.com/slides/x33fcon22_-_Tomasz_Bukowski_-_We_Need_a_Major_Step_in_Maturating_Security_BlueTeam_Advice_from_RedTeamer.pdf
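To make the requested MATCH / NOT MATCH option concrete, here is an added example (not Elastic's code and not from this issue) that evaluates an indicator rule in both modes over constructed ECS-style events: with negate=True it alerts only on processes absent from the allowed list, which is the "Indicator of Normality" behaviour described above. The event and indicator documents are plain dicts with dotted field names; the field names and sample values are assumptions.

```python
"""Indicator match vs. not-match rule evaluation (illustration, not Elastic's code)."""
from typing import Iterable

def index_indicators(indicators: Iterable[dict], indicator_field: str) -> set:
    """Collect the values of indicator_field from the indicator (allow/deny list) documents."""
    return {doc[indicator_field] for doc in indicators if indicator_field in doc}

def evaluate_rule(events, indicators, event_field, indicator_field, negate=False):
    """Return the events that would raise an alert.

    negate=False: classic indicator match - alert when the event value IS in the list.
    negate=True:  indicator of normality - alert when the event value is NOT in the list.
    Events that lack event_field are skipped in both modes, so a missing field
    is never mistaken for an unknown (not allowed) process.
    """
    known = index_indicators(indicators, indicator_field)
    hits = []
    for event in events:
        if event_field not in event:
            continue
        in_list = event[event_field] in known
        if in_list != negate:  # match mode wants in_list, not-match mode wants its opposite
            hits.append(event)
    return hits

# Constructed sample data (assumed values, not from the page)
ALLOWED_PROCESSES = [{"process.name": "sshd"}, {"process.name": "nginx"}, {"process.name": "cron"}]
EVENTS = [
    {"host.name": "web-1", "process.name": "nginx"},
    {"host.name": "web-1", "process.name": "nc"},
    {"host.name": "db-1", "process.name": "cron"},
    {"host.name": "db-1", "process.name": "xmrig"},
    {"host.name": "db-1"},  # no process.name: skipped in both modes
]

def not_allowed_processes():
    """Process names that would alert under the requested NOT MATCH option."""
    hits = evaluate_rule(EVENTS, ALLOWED_PROCESSES, "process.name", "process.name", negate=True)
    return [h["process.name"] for h in hits]

if __name__ == "__main__":
    for name in not_allowed_processes():
        print("process not on allowed list:", name)
```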