[Security Solution][Exceptions] Notify users of outdated exceptions #96469
Assignees
Labels
Feature:Detection Alerts
Security Solution Detection Alerts Feature
Feature:Detection Rules
Anything related to Security Solution's Detection Rules
Feature:Rule Exceptions
Security Solution Rule Exceptions feature
Team:Detections and Resp
Security Detection Response Team
Team: SecuritySolution
Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.
UX
Comments
yctercero
added
Feature:Detection Rules
|
Pinging @elastic/security-solution (Team: SecuritySolution) |
|
Pinging @elastic/security-detections-response (Team:Detections and Resp) |
|
Note: Recent case of user running into this issue. Initially thought it was a bug with exceptions, but was a mapping issue described above. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Describe the feature:
When a user creates an exception that uses large value lists, we check that the field selected matches the type of the list. So only large value lists of type keyword appear for keyword fields, large value lists of type ip for ip fields, etc...
If a user update their mapping from
keyword/textto justkeywordwhen they revisit their exceptions it would appear as if though their lists are no longer there (because of the type mismatch that now exists).Describe a specific use case for the feature:
Alerting the user with a badge that warns them of this on exceptions where we see there is now a mismatch would be extremely helpful. Unless a user checks their exceptions, they may not realize that the exception is no longer valid.
The text was updated successfully, but these errors were encountered: