
[Rule Tuning] Remove Exception List from Endpoint Promotion Rules Post 9.3 #5320

@Mikaayenson

Link to Rule

No response

Rule Tuning Type

Data Quality - Ensuring integrity and quality of data used by detection rules.

Description

In 9.3, exception lists will be moved from the SIEM to the endpoint policy, per https://github.com/elastic/security-team/issues/14573. For our endpoint promotion rules, we need to remove the exception lists:

```toml
[[rule.exceptions_list]]
id = "endpoint_list"
list_id = "endpoint_list"
namespace_type = "agnostic"
type = "endpoint"
```

They will not be evaluated by the SIEM after 9.3.

Example Data

No response
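As an added example (not code from the detection-rules repo and not part of the issue): a small Python script that finds the `[[rule.exceptions_list]]` table quoted above in a rule's TOML, removes it while leaving every other line of the file untouched, and then re-parses the result to confirm no endpoint list remains. The sample rule text, the `strip_rule_file` helper and the file paths are constructed for illustration; only the exception-list block itself comes from the issue.

```python
"""Strip the Endpoint exception list from detection-rule TOML files.

Added example, not code from the elastic/detection-rules project. Assumes the
rule files use the [[rule.exceptions_list]] array-of-tables layout quoted in
the issue. Stdlib only (tomllib needs Python 3.11+; tomli is the backport).
"""
import pathlib
import re
import sys

try:
    import tomllib  # Python 3.11+
except ImportError:  # pragma: no cover
    import tomli as tomllib  # type: ignore

ENDPOINT_LIST_ID = "endpoint_list"

# One [[rule.exceptions_list]] table: its header line plus every following line
# up to (not including) the next table header, so the block is removed whole.
_TABLE_RE = re.compile(r"^\[\[rule\.exceptions_list\]\]\n(?:(?!\[).*\n?)*", re.MULTILINE)


def _is_endpoint_entry(entry: dict) -> bool:
    # The issue's block is identified by type = "endpoint" or list_id = "endpoint_list".
    return entry.get("type") == "endpoint" or entry.get("list_id") == ENDPOINT_LIST_ID


def remaining_list_ids(rule_toml: str) -> list[str]:
    """list_id of every exceptions_list entry still present, in file order."""
    doc = tomllib.loads(rule_toml)
    return [e.get("list_id", "") for e in doc.get("rule", {}).get("exceptions_list", [])]


def has_endpoint_exception(rule_toml: str) -> bool:
    """True if the rule still references the Endpoint exception list."""
    doc = tomllib.loads(rule_toml)
    return any(_is_endpoint_entry(e) for e in doc.get("rule", {}).get("exceptions_list", []))


def strip_endpoint_exception(rule_toml: str) -> str:
    """Drop only the endpoint exceptions_list table(s); other tables stay verbatim."""

    def drop_if_endpoint(match: re.Match) -> str:
        block = match.group(0)
        # Parse just this one table to decide whether it is the endpoint list.
        entry = tomllib.loads(block)["rule"]["exceptions_list"][0]
        return "" if _is_endpoint_entry(entry) else block

    cleaned = _TABLE_RE.sub(drop_if_endpoint, rule_toml)
    # Tidy the blank-line run a removed block can leave behind.
    cleaned = re.sub(r"\n{3,}", "\n\n", cleaned).rstrip("\n") + "\n"
    # Safety check: the result must still parse and must be endpoint-free.
    if has_endpoint_exception(cleaned):
        raise ValueError("endpoint exception list survived the rewrite")
    return cleaned


def strip_rule_file(path: pathlib.Path) -> bool:
    """Rewrite one rule file in place; returns True if the file changed."""
    original = path.read_text(encoding="utf-8")
    if not has_endpoint_exception(original):
        return False
    path.write_text(strip_endpoint_exception(original), encoding="utf-8")
    return True


# Constructed sample rule (not a real rule file), modelled on the block in the
# issue, with a second, non-endpoint list to show the removal is selective.
SAMPLE_RULE = """\
[metadata]
creation_date = "2024/01/01"

[rule]
name = "Hypothetical endpoint promotion rule"
type = "query"

[[rule.exceptions_list]]
id = "endpoint_list"
list_id = "endpoint_list"
namespace_type = "agnostic"
type = "endpoint"

[[rule.exceptions_list]]
id = "custom-list"
list_id = "custom-list"
namespace_type = "single"
type = "detection"
"""

if __name__ == "__main__":
    # Usage: python strip_endpoint_exceptions.py path/to/rule.toml [...]
    for arg in sys.argv[1:]:
        print(("changed " if strip_rule_file(pathlib.Path(arg)) else "unchanged ") + arg)
```

Because the rewrite works on the raw text rather than dumping a re-serialized document, comments, key order and quoting elsewhere in the rule file survive, which keeps the resulting diff limited to the removed table.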
