[DOCS] Exception lists - 7.11 (#467) (#501)
jmikell821 committed Feb 9, 2021
1 parent b021041 commit 0ed2456
Showing 8 changed files with 45 additions and 20 deletions.
45 changes: 34 additions & 11 deletions docs/detections/detections-ui-exceptions.asciidoc
Expand Up @@ -2,12 +2,12 @@
[role="xpack"]
== Rule exceptions and value lists

To prevent the creation of unwanted alerts, you can add exceptions to these
detection rule types:
To prevent the creation of unwanted alerts, you can add exceptions to the following rule types:

* Custom query
* Event Correlation
* Indicator match
* Machine learning

Exceptions contain the source event conditions that determine when
alerts are not generated. They provide a convenient way of allowing trusted
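Review bot: The rule-type list left unchanged under the rewritten intro sentence mixes capitalisation: `Event Correlation` is title case while `Custom query`, `Indicator match` and `Machine learning` are sentence case. Since this hunk already touches the intro, align the list to sentence case (`Event correlation`) so the four rule types read consistently.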
Expand All @@ -34,12 +34,13 @@ After creating value lists, you can use `is in list` and `is not in list`
operators to define exceptions.

[float]
=== Manage value lists
[[manage-value-lists]]
=== Create and manage value lists

To create a value list for use with exceptions:
To create a value list to use with exceptions:

. Prepare a `txt` or `csv` file with all the values you want to use for
determining exceptions from a single list. If you use a `txt` file, newlines
determining exceptions from a single list. If you use a `txt` file, new lines
act as value delimiters.
+
NOTE: All values in the file must be of the same {es} type.
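Review bot: Replacing `newlines` with `new lines` in the `txt` file step makes the delimiter less precise, not more: the sentence describes the newline character that separates values, so `newline characters` (or the original `newlines`) reads better than the two-word layout term. The same step still says nothing about how a `csv` file is split into values; one clause naming the csv delimiter would close that gap, and it matters because every value in the file becomes a condition used with `is in list` / `is not in list`, so the reader needs to know how the file will be split.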
Expand All @@ -50,18 +51,20 @@ NOTE: All values in the file must be of the same {es} type.
[role="screenshot"]
image::images/upload-lists-ui.png[]

. Select the list type (`Keywords`, `IP addresses`, `IP ranges`, or
`Text`)
. Select the list type (`Keywords`, `IP addresses`, `IP ranges`, or `Text`) from the *Type of value list* drop-down.
. Drag or select the `csv` or `txt` file that contains the values.
. Click *Upload list*.

NOTE: When the name of the file you are uploading already exists, the values in
the new file are appended to the previously uploaded values.

To view, delete, or export existing lists:
To view, delete, or export existing value lists:

. Go to *Security* -> *Detections* -> *Manage detection rules*.
. In the *Value lists* pane, click the required action icon.
. In the *Value lists* pane, click the required action button.

[role="screenshot"]
image::images/manage-value-list.png[]

[float]
[[detection-rule-exceptions]]
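Review bot: The NOTE that uploading a file whose name already exists appends its values to the previously uploaded list comes after the `Click *Upload list*` step, so the reader learns about the merge only after performing it; move it ahead of that step or raise it to an IMPORTANT admonition, because appending to an existing list extends the set of values that suppress alerts without any explicit edit of that list. Minor: the added `image::images/manage-value-list.png[]` carries no alt text, which matches the other screenshots in the file but is worth a follow-up.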
Expand Down Expand Up @@ -99,7 +102,7 @@ image::images/exception-histogram.png[]
.. Click *Add new exception*.
. To add an exception via the Alerts table:
.. Go to Detections (*Security* -> *Detections*).
.. Scroll down to the Alerts table and click the *More Actions* button, then select *Add rule exception*.
.. Scroll down to the Alerts table and click the *More Actions* button (*...*), then select *Add rule exception*.
+
[role="screenshot"]
image::images/more-action-button.png[]
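Review bot: The control is named `*More Actions*` here but `*More actions*` in the Endpoint exception hunk further down the same file, and `*All actions*` in the rules-ui-monitor.asciidoc change; pick one label (whichever the UI actually shows) and use it in all three places, since the `(*...*)` hint was added precisely so readers can locate the button.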
Expand Down Expand Up @@ -169,7 +172,7 @@ alerts.
. To add an exception via the Alerts table:
.. Go to Detections (*Security* -> *Detections*).
.. Scroll down to the Alerts table and, from an Elastic Security Endpoint
alert, click the more actions icon, and then select *Add Endpoint exception*.
alert, click the *More actions* button (*...*), then select *Add Endpoint exception*.
+
The *Add Endpoint Exception* window opens (via Alerts table).
+
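Review bot: The parenthetical `(via Alerts table)` on `The *Add Endpoint Exception* window opens` is redundant now that the preceding sub-step already places the reader in the Alerts table; drop it. Also check casing against the earlier hunk: `*More actions*` here versus `*More Actions*` at the Alerts-table step above.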
Expand Down Expand Up @@ -253,3 +256,23 @@ Creates an exception that excludes all LFC-signed trusted processes:

[role="screenshot"]
image::images/nested-exp.png[]

[float]
[[manage-exceptions]]
=== View and manage Exception lists

The Exception lists table enables you to view and manage all exceptions that have been assigned to rules. To view the Exception lists table, go to *Detections* -> *Manage detection rules*, then select the *Exception Lists* tab.

[role="screenshot"]
image::images/exception-list.png[]

The table displays each Exception list on an individual row, with the most recently created list at the top. Each row contains information such as the number and name of rule(s) the Exception list is assigned to, the name of the rule(s) assigned to the Exception list, the date the list was created, last edited, and options to export or delete the it.

TIP: To view details of the rule the Exception list is assigned to, click the link in the `Rules assigned to` column.

To export or delete an Exception list, select the required action button on the appropriate list. Exception lists are exported to `.ndjson` format.

[role="screenshot"]
image::images/actions-exception-list.png[]

NOTE: If a list is linked to any rules, you'll see a warning appear that asks you to confirm the deletion. If no rules are linked to a list, it is deleted without confirmation.
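Review bot: The table description in the new section has a typo and a duplicated clause: `options to export or delete the it` should read `options to export or delete it`, and `the number and name of rule(s) the Exception list is assigned to, the name of the rule(s) assigned to the Exception list` says the same thing twice; a single clause such as `the number and names of the rules the list is assigned to` is enough. Naming is also inconsistent within the hunk (`Exception lists` table, `*Exception Lists*` tab, `Exception list` rows), and `Rules assigned to` is in monospace while every other UI label in the file is bold. On the deletion NOTE, consider stating why the confirmation appears: deleting a list that rules are linked to removes the exceptions those rules rely on, which is the reason a reader may want to use the export action first.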
Binary file added docs/detections/images/actions-exception-list.png
Binary file added docs/detections/images/delete-list.png
Binary file added docs/detections/images/exception-list.png
Binary file added docs/detections/images/export-list.png
Binary file added docs/detections/images/manage-value-list.png
Binary file added docs/detections/images/monitor-table.png
20 changes: 11 additions & 9 deletions docs/detections/rules-ui-monitor.asciidoc
Expand Up @@ -3,28 +3,30 @@
== Monitoring and troubleshooting rule executions

To view a summary of all rule executions, such as failures and last execution
times, click the Monitoring tab in the *All rules* table (*Security* ->
times, select the *Rule Monitoring* tab in the *All rules* table (*Security* ->
*Detections* -> *Manage detection rules*).

[role="screenshot"]
image::images/monitor-table.png[]

For detailed information on a rule, its generated alerts and errors, click on
a rule name in the *All rules* table.

[float]
[[troubleshoot-signals]]
=== Troubleshoot missing alerts

When a rule fails to run close to its scheduled time, some alerts may be
missing. There are a number of steps you can perform to try and resolve this
When a rule fails to run close to its scheduled time, some alerts may be
missing. There are a number of steps you can perform to try and resolve this
issue.

If you see `Gaps` in the All rules table or on the Rule details page
for a small number of rules, you can increase those rules'
`Additional look-back time` (*Detection rules* page -> the rule's
actions icon -> *Edit rule settings* -> *Schedule* -> _Additional look-back time_).
`Additional look-back time` (*Detection rules* page -> the rule's *All actions* button (*...*) -> *Edit rule settings* -> *Schedule* -> _Additional look-back time_).

If you see gaps for a lot of rules:
If you see gaps for numerous rules:

* If you restarted {kib} when many rules were activated, try deactivating them
and then reactivating them in small batches at staggered intervals. This
* If you restarted {kib} when many rules were activated, try deactivating them
and then reactivating them in small batches at staggered intervals. This
ensures {kib} does not attempt to run all the rules at the same time.
* Consider adding another {kib} instance to your environment.
* Consider adding another {kib} instance to your environment.
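Review bot: The hunk renames the tab to `*Rule Monitoring*` and bolds it, but the `Additional look-back time` path two paragraphs later still starts at `*Detection rules* page`, whereas every other path in this file and in detections-ui-exceptions.asciidoc goes through `*Manage detection rules*`; align the page name, and likewise bold `All rules` in `If you see `Gaps` in the All rules table` to match `*All rules*` above. Several line pairs in this hunk (the `When a rule fails to run` paragraph and the `If you restarted {kib}` bullets) show no visible text change, which reads as whitespace-only edits; fine if intentional, but worth confirming they were not accidental.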
