
Rule exceptions can expire #2891

Closed
15 tasks done
nastasha-solomon opened this issue Jan 17, 2023 · 0 comments · Fixed by #3052

nastasha-solomon commented Jan 17, 2023

Description

In 8.7, users will be able to set an expiration date for regular exceptions. Active and expired exceptions are kept within the exception details and can be viewed from the Rule exceptions tab of the rule details page or the details page of a shared exception list.

After you create the exception, the expiration date and time are provided in the exception details. Active exceptions are displayed by default. To view expired exceptions in addition to active exceptions, click the Expired exceptions button.

[Screenshot 2023-03-09 at 2 51 05 PM]

Related issues/PRs

Doc updates

Questions

  • Q: Is it mandatory for users to set an expiration date?
    • A: Looks like users won't be blocked from creating an exception if they leave the Exception Expiration field blank.
  • Q: Can users bulk apply the same expiration date/time to a set of exception items in a default rule list or shared exception list?
    • A: No
  • Q: Can users set and retrieve expiration date/time details via the exceptions API?
    • A: Yes, they will need to set the expire_time parameter. This is an optional field that can take a date (string) in ISO format.

Notes

  • Changes in [Security Solution] Exceptions TTL Follow-up kibana#151952 affect the Update exception item and Create exception item APIs. Essentially, if users want to unset an optional field (e.g., the expire_time field), they'll need to omit (remove) the field from the request. This should be release-noted as an enhancement.
  • In 8.7, this feature is only available for regular exceptions, not Endpoint exceptions.
  • Times are offered in 30 min increments but users can edit the time directly by making changes to the Exception Expiration field.

[Screenshot 2023-03-09 at 4 05 23 PM]

  • Can view active and expired exceptions from the default rule list.
  • When setting an expiration date, the selected date and time must be in the future.
  • Active and expired exceptions are exported/imported with exported/imported rules.
    • When you export a rule, the active and expired exceptions are included in the export file. Note that there's no notification that you're exporting/importing the deadlines during the import/export process.
  • When you export a shared exception list that has expired exception items, you're prompted to verify that you want to export the expired exceptions.

[Screenshot 2023-03-21 at 1 42 33 PM]

  • Duplicate rules with active or expired exceptions (the duplicated rule will have both as long as you select the option to duplicate the rule with its exceptions).
  • After you save the exception, it shows up on the Active exceptions tab in the Rule exceptions tab/page.
  • Notes about the Active exceptions and Expired exception tabs:
    • Can't toggle between the Active exceptions and Expired exception tabs. If you only want to see one page, you'll need to click on the tab that you don't want to see to de-select it.
    • After an exception expires, the expiration date shows 00:00:00.00 but you have to refresh the page for the exception to be moved over to the Expired exception tab. It doesn't automatically happen if you're just sitting on the page.

[Screenshot 2023-03-09 at 3 04 20 PM]

  • The shared exception list details page does not have either tab. Expiration details are only stored in the exception item details.

[Screenshot 2023-03-09 at 3 23 41 PM]
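The API behaviour described in the Questions and Notes above (an optional `expire_time` ISO string, unsetting by omitting the field, and the future-date requirement), as an added example that is not part of the issue or of Kibana's own code. It builds the request body for a create/update exception item call and sorts a list of items into active and expired by their `expire_time`, which is the split the Rule exceptions tabs show. The endpoint paths and the item field names are assumptions based on the standard Kibana exception item endpoints; the future-date check is enforced client-side here as a design choice, mirroring what the issue says the UI requires.

```python
"""Build and validate Kibana exception-item payloads that carry an expire_time.

Added example; field names and endpoint paths are assumptions, not taken from
the issue text. Sample timestamps below are constructed.
"""
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Assumed endpoints for the Create / Update exception item APIs named in the issue.
CREATE_ENDPOINT = "POST /api/exception_lists/items"
UPDATE_ENDPOINT = "PUT /api/exception_lists/items"


def parse_iso(value: str) -> datetime:
    """Parse an ISO-8601 timestamp; a trailing 'Z' is treated as UTC."""
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        raise ValueError("expire_time must carry a timezone offset")
    return dt


def to_iso_utc(dt: datetime) -> str:
    """Serialise an aware datetime as the millisecond-precision UTC form Kibana stores."""
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")


def validate_expire_time(expire_time: str, now: datetime) -> str:
    """Normalise expire_time and reject values that are not in the future.

    The issue notes the UI requires a future date/time; doing the same check
    before calling the API (an assumption here) avoids creating an exception
    that is expired the moment it is saved.
    """
    dt = parse_iso(expire_time)
    if dt <= now:
        raise ValueError(f"expire_time {expire_time} is not in the future")
    return to_iso_utc(dt)


def build_exception_item(
    list_id: str,
    name: str,
    entries: List[Dict],
    expire_time: Optional[str] = None,
    now: Optional[datetime] = None,
    namespace_type: str = "single",
) -> Dict:
    """Return the JSON body for a regular (non-Endpoint) exception item.

    expire_time is optional: when it is None the key is omitted entirely.
    Per the issue, omitting the field on an update request is also how an
    existing expiry is unset, so an update body is built the same way.
    """
    now = now or datetime.now(timezone.utc)
    body: Dict = {
        "list_id": list_id,
        "name": name,
        "description": "Added by build_exception_item (example)",
        "type": "simple",
        "namespace_type": namespace_type,
        "entries": entries,
    }
    if expire_time is not None:
        body["expire_time"] = validate_expire_time(expire_time, now)
    return body


def partition_by_expiry(items: List[Dict], now: datetime) -> Tuple[List[Dict], List[Dict]]:
    """Split exception items into (active, expired) using their expire_time.

    Items with no expire_time never expire and stay active. This is the same
    split the Active / Expired exceptions tabs show after a page refresh.
    """
    active, expired = [], []
    for item in items:
        stamp = item.get("expire_time")
        if stamp is not None and parse_iso(stamp) <= now:
            expired.append(item)
        else:
            active.append(item)
    return active, expired


if __name__ == "__main__":
    # Constructed sample: one permanent item, one future expiry, one already past.
    now = datetime(2023, 3, 9, 14, 0, tzinfo=timezone.utc)
    sample = [
        build_exception_item("rule-list", "permanent", [], now=now),
        build_exception_item("rule-list", "temporary", [], "2023-03-10T14:30:00.000Z", now),
        {"list_id": "rule-list", "name": "old", "expire_time": "2023-03-01T00:00:00.000Z"},
    ]
    active, expired = partition_by_expiry(sample, now)
    print(CREATE_ENDPOINT, [i["name"] for i in active], [i["name"] for i in expired])
```

The `UPDATE_ENDPOINT` body is built with the same function: passing `expire_time=None` drops the key, which is the "omit the field to unset it" behaviour the notes describe for the Update exception item API.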
