[Security Solution][Detections] Apply wildcards in value lists to exceptions #86560
Labels:
enhancement: New value added to drive a business result
Feature:Detection Rules: Anything related to Security Solution's Detection Rules
Feature:Rule Exceptions: Security Solution Rule Exceptions feature
Feature:Rule Value Lists: Security Solution Detection Rule Value Lists
sdh-linked
Team:Detection Engine: Security Solution Detection Engine Area
Team:Detections and Resp: Security Detection Response Team
Team: SecuritySolution: Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.
Theme: alert_triage: Security Solution Alert Triage Theme
Theme: correlation: Security Solution Advanced Correlation Theme
The detection engine does not expand wildcards, for example *.googleapis.com, in value lists when processing exceptions.

For example, a Keyword value list containing the following entry:

when applied as an exception to a rule with the following query:

will today, as of version 7.10, not prevent alerts from being generated for the example rule above, even if a sample event contained the following value for the dns.question.name field:

Kibana/Elasticsearch Stack version: 7.10

Functional Area (e.g. Endpoint management, timelines, resolver, etc.): Detection Rules

Steps to reproduce:
A Keyword value list containing the following value, per the screenshot below:

as shown in the screenshot below:

Current behavior:
Alerts are still generated for events where the value of the dns.question.name field, for example:

would be covered by the expanded wildcard in the exception:

as shown in the screenshot below:

Expected behavior:
An alert is not generated, because the wildcard in the exception's value list expands to match the value of the field in the source document.
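As an added illustration, not code from the Kibana repository, the following Python contrasts a literal value-list comparison (the 7.10 behaviour this issue describes) with wildcard expansion under Elasticsearch keyword-wildcard semantics ('*' any run of characters, '?' one character). The dns.question.name sample values and the function names are constructed for the example.

```python
import re

# Constructed sample: the value-list entry quoted in the issue plus hypothetical
# dns.question.name values (not taken from the reporter's screenshots).
VALUE_LIST = ["*.googleapis.com"]
EVENTS = [
    {"dns.question.name": "storage.googleapis.com"},          # covered by the wildcard
    {"dns.question.name": "www.googleapis.com"},              # covered by the wildcard
    {"dns.question.name": "googleapis.com"},                  # no label before the dot
    {"dns.question.name": "storage.googleapis.com.example"},  # different suffix
    {"event.category": "process"},                            # field absent
]


def wildcard_to_regex(pattern: str):
    """Translate a keyword wildcard into an anchored regex: '*' -> any run of
    characters (possibly empty), '?' -> exactly one character, everything else
    literal, so the '.' in the entry cannot act as a regex metacharacter."""
    parts = [".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern]
    return re.compile("^" + "".join(parts) + "$", re.DOTALL)


def exact_match(value_list, field_value: str) -> bool:
    """Behaviour the issue reports for 7.10: the entry is compared literally."""
    return field_value in value_list


def wildcard_match(value_list, field_value: str) -> bool:
    """Behaviour the issue expects: each entry is treated as a wildcard pattern."""
    return any(wildcard_to_regex(entry).match(field_value) for entry in value_list)


def alert_suppressed(event: dict, field: str, value_list, expand_wildcards: bool) -> bool:
    """True when the exception covers the event, i.e. no alert should fire.
    An event that lacks the field is never covered by the exception."""
    value = event.get(field)
    if value is None:
        return False
    matcher = wildcard_match if expand_wildcards else exact_match
    return matcher(value_list, value)


def suppressed_names(expand_wildcards: bool):
    """dns.question.name values from EVENTS that the exception would suppress."""
    return [e["dns.question.name"] for e in EVENTS
            if alert_suppressed(e, "dns.question.name", VALUE_LIST, expand_wildcards)]


if __name__ == "__main__":
    print("7.10 behaviour (literal):  ", suppressed_names(False))
    print("expected (wildcard expanded):", suppressed_names(True))
```

Because the pattern is anchored at both ends, a value such as storage.googleapis.com.example is not covered, which is the behaviour a defender wants from a suffix-style exception.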