elastic / kibana

Your window into the Elastic Stack
https://www.elastic.co/products/kibana

SIEM Detection rule exceptions should support 'is between' and 'is not between' operators #83531

Open buzzdeee opened 3 years ago

buzzdeee commented 3 years ago

Describe the feature:

After duplicating a detection rule, filters can be created, e.g. to include or exclude IP address ranges. For example: Field: source.ip, Operator: 'is not between', 192.168.1.5 -> 192.168.1.50

There it's possible to specify IP ranges. However, on rule updates, the duplicated rules don't get updated.

It doesn't seem to be possible to specify ranges "is between" or "is not between" when creating rule exceptions.

Describe a specific use case for the feature:

It would be nice when it's possible to specify IP ranges, and probably number ranges too, when creating exceptions, in the same way it's possible when creating rule filters.

I'm with Kibana 7.10.0
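The following is an added example, not code from the issue or from Kibana. It shows what an 'is between' / 'is not between' operator on an IP field amounts to underneath: an Elasticsearch range query with gte/lte, which is valid on fields mapped as type ip, and its negation as a bool must_not. The local evaluator, the flat event dicts and the SAMPLE_EVENTS are constructed here to check the semantics offline; they mirror Elasticsearch's query behaviour (IPv4 compared as IPv4-mapped IPv6, a missing field never matching a range clause), not Kibana's exception-list implementation. The last point is the caveat worth knowing before writing an 'is not between' exception: an event that lacks the field counts as "not between" and would be suppressed too.

```python
"""Added example: 'is between' / 'is not between' on an IP field, expressed as
the Elasticsearch range query it compiles to, plus a constructed local
evaluator to exercise the semantics on sample events."""
import ipaddress


def ip_range_filter(field, lo, hi, negate=False):
    """Query DSL for '<field> is between lo and hi' (inclusive bounds).
    negate=True gives 'is not between' by wrapping the clause in must_not."""
    clause = {"range": {field: {"gte": lo, "lte": hi}}}
    return {"bool": {"must_not": [clause]}} if negate else clause


def _ip_key(value):
    """Sort key for an IP literal. IPv4 is mapped to ::ffff:a.b.c.d so that
    IPv4 and IPv6 values order consistently, as the ip field type does."""
    addr = ipaddress.ip_address(value)
    if addr.version == 4:
        return (0xFFFF << 32) | int(addr)
    return int(addr)


def ip_in_range(value, lo, hi):
    """Inclusive check used for both bounds of the range clause."""
    return _ip_key(lo) <= _ip_key(value) <= _ip_key(hi)


def clause_matches(event, query):
    """Evaluate a query produced by ip_range_filter() against one flat event.
    A range clause does not match an event that lacks the field, so the
    must_not form ('is not between') matches such an event."""
    if "bool" in query:
        inner = query["bool"]["must_not"][0]
        return not clause_matches(event, inner)
    (field, bounds), = query["range"].items()
    if field not in event:
        return False
    return ip_in_range(event[field], bounds["gte"], bounds["lte"])


def unsuppressed_alerts(events, exception_query):
    """Events an exception with this query would NOT suppress, i.e. the
    alerts that still fire. An exception suppresses an event it matches."""
    return [e for e in events if not clause_matches(e, exception_query)]


def alert_ids(events, exception_query):
    return [e["event.id"] for e in unsuppressed_alerts(events, exception_query)]


# Constructed sample events (not real data); 'd' has no source.ip at all.
SAMPLE_EVENTS = [
    {"event.id": "a", "source.ip": "192.168.1.10"},
    {"event.id": "b", "source.ip": "192.168.1.200"},
    {"event.id": "c", "source.ip": "10.0.0.7"},
    {"event.id": "d"},
]

if __name__ == "__main__":
    between = ip_range_filter("source.ip", "192.168.1.5", "192.168.1.50")
    not_between = ip_range_filter("source.ip", "192.168.1.5", "192.168.1.50", negate=True)
    print("is between     ->", between)
    print("still alerting ->", alert_ids(SAMPLE_EVENTS, between))
    print("is not between ->", not_between)
    print("still alerting ->", alert_ids(SAMPLE_EVENTS, not_between))
```

Running it shows the asymmetry: the 'is between' exception leaves b, c and d alerting, while the 'is not between' exception leaves only a, because d (no source.ip) is swept up by the must_not clause. If that is not the intended effect, pair the negated range with an exists check on the field.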

elasticmachine commented 3 years ago

Pinging @elastic/siem (Team:SIEM)

elasticmachine commented 3 years ago

Pinging @elastic/security-solution (Team: SecuritySolution)