[Security Solution][Exceptions] Notify users of outdated exceptions #96469
Labels:
Feature:Detection Alerts (Security Solution Detection Alerts Feature)
Feature:Detection Rules (Anything related to Security Solution's Detection Rules)
Feature:Rule Exceptions (Security Solution Rule Exceptions feature)
Team:Detections and Resp (Security Detection Response Team)
Team: SecuritySolution (Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.)
UX
Describe the feature:
When a user creates an exception that uses large value lists, we check that the field selected matches the type of the list. So only large value lists of type keyword appear for keyword fields, large value lists of type ip for ip fields, etc...
If a user updates their mapping from keyword/text to just keyword, when they revisit their exceptions it would appear as though their lists are no longer there (because of the type mismatch that now exists).
Describe a specific use case for the feature:
Alerting the user with a badge that warns them of this on exceptions where we see there is now a mismatch would be extremely helpful. Unless a user checks their exceptions, they may not realize that the exception is no longer valid.
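The mismatch check the request describes can be sketched as follows. This is an added example, not code from the issue or from Kibana: the entry and mapping shapes are simplified assumptions, and `findStaleListEntries`, the list ids and the sample data are hypothetical.

```typescript
// Added illustration. Shapes are simplified assumptions, not Kibana's own types.
interface ListEntry { field: string; type: 'list'; list: { id: string; type: string } }
interface MatchEntry { field: string; type: 'match'; value: string }
interface ExceptionItem { name: string; entries: Array<ListEntry | MatchEntry> }
interface StaleEntry { item: string; field: string; listId: string; reason: string }

// Field name -> Elasticsearch types currently mapped for that field.
type FieldTypes = Record<string, string[]>;

// Return every value-list entry whose list type the field's mapping no longer offers.
function findStaleListEntries(items: ExceptionItem[], fields: FieldTypes): StaleEntry[] {
  const stale: StaleEntry[] = [];
  for (const item of items) {
    for (const entry of item.entries) {
      if (entry.type !== 'list') continue; // only value-list entries carry a list type
      const mapped = Object.prototype.hasOwnProperty.call(fields, entry.field);
      let reason: string | null = null;
      if (!mapped) {
        reason = 'field is no longer mapped';
      } else if (fields[entry.field].indexOf(entry.list.type) === -1) {
        reason = `list type ${entry.list.type} does not match field type ${fields[entry.field].join('/')}`;
      }
      if (reason !== null) {
        stale.push({ item: item.name, field: entry.field, listId: entry.list.id, reason });
      }
    }
  }
  return stale;
}

// Constructed sample data: one exception uses a text list on a keyword/text field.
const sampleItems: ExceptionItem[] = [
  { name: 'trusted hosts', entries: [
    { field: 'host.name', type: 'list', list: { id: 'hosts_text', type: 'text' } },
    { field: 'user.name', type: 'match', value: 'svc-backup' },
  ] },
  { name: 'scanner ips', entries: [
    { field: 'source.ip', type: 'list', list: { id: 'scanners', type: 'ip' } },
  ] },
];
const mappingBefore: FieldTypes = { 'host.name': ['keyword', 'text'], 'source.ip': ['ip'] };
const mappingAfter: FieldTypes = { 'host.name': ['keyword'], 'source.ip': ['ip'] };

console.log(findStaleListEntries(sampleItems, mappingAfter));
```

Each returned entry names the exception that would carry the warning badge and the reason to show with it.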