[Security Solution] Document the procedure for creating detection rule exceptions based on runtime fields

elastic / security-docs

Elastic Security Documentation

Other

69 stars 183 forks source link

[Security Solution] Document the procedure for creating detection rule exceptions based on runtime fields #5868

Open andrew-goldstein opened 2 years ago

andrew-goldstein commented 2 years ago

[Security Solution] Document the procedure for creating detection rule exceptions based on runtime fields

A user described a scenario where they want to add a detection rule exception, which is case sensitive, that matches any variation in casing for the file.path ECS field.

If runtime fields are a reasonable way to (for example) normalize the value of the file.path to an all-lowercase value for the purpose of creating exceptions that match it, consider:

Providing documentation that describes how to create a runtime field for the scenario above
- Documenting the procedure for adding a detection rule exception that will match the normalized values provided by the runtime field
- Documenting the performance considerations of using a runtime field for the scenario above

Kibana/Elasticsearch Stack version:

8.3.0

elasticmachine commented 2 years ago

Pinging @elastic/security-detections-response (Team:Detections and Resp)

elasticmachine commented 2 years ago

Pinging @elastic/security-solution (Team: SecuritySolution)

yctercero commented 2 years ago

@dhurley14 assigned to you since I know you're touching this flow as part of the data views work you're doing.

Maybe digging further into this can be a post MVP followup?

cc @peluja1012

nastasha-solomon commented 2 years ago

@andrew-goldstein if this content should be added as an example or tutorial to the runtime field docs, I can transfer this issue to our security-docs repo. cc: @elastic/security-docs

hatl3n commented 10 months ago

Personally I have an issue with the case sensitive part. I'm trying to add some rule exceptions, but sometimes the folder is WINDOWS, other times it's Windows. Trying to match on multiple AND'ed fields then is quite a hassle. Even more so when I try to add the two case variants as part of "is one of" it denies me because it says it's already added.....

yctercero commented 10 months ago

@hatl3n thank you for the feedback here. While this current issue is not prioritized at the moment, we did put in a fix to enable "is one of" to allow multiple values like WINDOWS and Windows without complaining that the value has already been added. PR that added this change for reference - https://github.com/elastic/kibana/pull/167208

yctercero commented 5 months ago

Hey @nastasha-solomon ! Going through the backlog. I think we should move this over to security-docs and can work on these improvements together.