.. Scroll down below the rule details and select the *Exceptions* tab.
105
+
.. Scroll down the rule details page, select the *Rule exceptions* tab, then click *Add rule exception*.
106
106
+
107
107
[role="screenshot"]
108
-
image::images/exception-histogram.png[Detail of Exceptions tab, 75%]
109
-
.. Click *Add new exception* -> *Add rule exception*.
108
+
image::images/rule-exception-tab.png[Detail of rule exceptions tab]
110
109
111
110
* To add an exception from the Alerts table:
112
111
.. Go to *Alerts*.
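Review bot: The replacement image macro at the end of this hunk drops the `75%` width attribute that the removed `image::images/exception-histogram.png[Detail of Exceptions tab, 75%]` line carried, so `image::images/rule-exception-tab.png[Detail of rule exceptions tab]` will render at full width; if the smaller size was intentional for this screenshot, add the width back (e.g. `[Detail of rule exceptions tab, 75%]`). The merged step wording ("Scroll down the rule details page, select the *Rule exceptions* tab, then click *Add rule exception*") reads fine and matches the tab name used in the new alt text.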
@@ -166,16 +165,9 @@ Like detection rule exceptions, you can add Endpoint agent exceptions either by
166
165
167
166
You can also add Endpoint exceptions to rules that are associated with {elastic-endpoint} rule exceptions. To associate rules, when creating or editing a rule, select the <<rule-ui-advanced-params, *{elastic-endpoint} exceptions*>> option.
168
167
169
-
[IMPORTANT]
170
-
=====
171
-
When you add an exception to the
172
-
<<endpoint-rule-exceptions, Elastic Endpoint Security>> rule, you can select to
173
-
add the exception to the endpoint. When selected, the exception is added to
168
+
Endpoint exceptions are added to
174
169
both the detection rule *and* the {elastic-endpoint} agent on your hosts.
175
170
176
-
{ref}/binary.html[Binary fields] are not supported in detection rule exceptions.
177
-
=====
178
-
179
171
[IMPORTANT]
180
172
=============
181
173
Exceptions added to the Elastic Endpoint Security rule affect all alerts sent
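Review bot: The new sentence "Endpoint exceptions are added to both the detection rule *and* the {elastic-endpoint} agent on your hosts" has lost its antecedent: the removed text named the `<<endpoint-rule-exceptions, Elastic Endpoint Security>>` rule explicitly, whereas "the detection rule" now follows a paragraph about associating arbitrary rules with Endpoint exceptions, so a reader cannot tell which rule is meant. Consider "both the rule you add them to *and* the {elastic-endpoint} agent on your hosts", or restore the cross-reference. Also note the removed `[IMPORTANT]` block contained the binary-fields limitation; make sure it is re-added elsewhere in this change rather than dropped.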
@@ -185,13 +177,17 @@ alerts.
185
177
Additionally, to add an Endpoint exception to the Elastic Endpoint Security rule, there must be at least one Endpoint Security alert generated in the system. For non-production use, if no alerts exist, you can trigger a test alert using malware emulation techniques or tools such as the Anti Malware Testfile from the https://www.eicar.org/[European Institute for Computer Anti-Virus Research (EICAR)].
186
178
=============
187
179
180
+
[IMPORTANT]
181
+
=====
182
+
{ref}/binary.html[Binary fields] are not supported in detection rule exceptions.
183
+
=====
184
+
188
185
. Do one of the following:
189
186
+
190
187
--
191
188
* To add an Endpoint exception from the rule details page:
192
189
.. Go to the rule details page (*Manage* -> *Rules*), and then search for and select the Elastic *Endpoint Security* rule.
193
-
.. Scroll down to the *Trend* histogram and select the *Exceptions* tab.
194
-
.. Click *Add new exception* -> *Add Endpoint exception*.
190
+
.. Scroll down the rule details page, select the *Endpoint exceptions* tab, then click *Add endpoint exception*.
195
191
* To add an Endpoint exception from the Alerts table:
196
192
.. Go to *Alerts*.
197
193
.. Scroll down to the Alerts table, and from an {elastic-endpoint}
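Review bot: The added `[IMPORTANT]` block for "{ref}/binary.html[Binary fields] are not supported in detection rule exceptions." sits directly after an existing `[IMPORTANT]` block, producing two back-to-back admonitions; consider folding the binary-fields limitation into the preceding block or, since it is a limitation rather than a warning, using `[NOTE]`. The two blocks also use different delimiter lengths (`=============` versus `=====`); AsciiDoc accepts both, but the section should pick one. Separately, the note says "detection rule exceptions" while the only place it now appears is the Endpoint exceptions section; if the limitation also applies to Endpoint exceptions, say so, and if it applies to rule exceptions generally, it should also appear in the rule exceptions steps above.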
@@ -278,6 +274,14 @@ Creates an exception that excludes all LFC-signed trusted processes:
278
274
[role="screenshot"]
279
275
image::images/nested-exp.png[]
280
276
277
+
[float]
278
+
[[rules-using-same-exception]]
279
+
=== Find rules using the same exception
280
+
To find out if an exception is used by other rules, select the *Rule exceptions* or *Endpoint exceptions* tab, navigate to an exception list item, then click *Affects _X_ rules*.
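Review bot: The new "Find rules using the same exception" section stops at "click *Affects _X_ rules*" without saying what the click shows (a list of the affected rules? links to their details pages?), so the reader does not learn what to expect; add a sentence describing the result. The surrounding sections pair each UI step with a `[role="screenshot"]` image, so a screenshot of the *Affects _X_ rules* control would keep this section consistent with the rest of the page. Minor wording: "navigate to an exception list item" could be "find the exception in the list".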