
Add support for Exceptions in Threshold rules #76631

Closed
Bananenbrei opened this issue Sep 3, 2020 · 8 comments
Labels: enhancement, Feature:Detection Rules, Team: SecuritySolution, Team:SIEM, triage_needed, v7.11.0

Comments

@Bananenbrei commented:
Describe the feature:
Threshold rules currently do not seem to support Exceptions.

Describe a specific use case for the feature:
I want to alert after a total of 10/20/50 unique ports have been queried, but not if the IP address belongs to a vulnerability scanner.

I want to alert after a total of 5 failed logon events have happened, but not for some specific users.
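The two use cases above are threshold rules whose counts must ignore excepted events. The following is an added illustration written for this page, not Kibana's detection engine code: it models events as flattened ECS-style dicts, an exception item as a field plus a set of values (roughly a "match_any" item), and a threshold rule as a query filter, a field to group by, a count, and an optional cardinality field (unique values instead of hits). Field names, IPs and user names are constructed sample data.

```python
"""Threshold rule evaluation with exception items applied before aggregation.

Added example, not Kibana code. Events are flattened ECS-style dicts; an
exception item is a field plus a set of values (roughly a "match_any" item).
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class ExceptionItem:
    field: str
    values: frozenset  # an event is excepted when event[field] is one of these values


@dataclass(frozen=True)
class ThresholdRule:
    query: Dict[str, str]                    # simple AND filter: each field must equal its value
    threshold_field: str                     # field the count is grouped by
    threshold: int                           # alert when a bucket's count reaches this value
    cardinality_field: Optional[str] = None  # if set, count unique values of this field, not hits


def matches_query(event: dict, query: Dict[str, str]) -> bool:
    return all(event.get(k) == v for k, v in query.items())


def is_excepted(event: dict, exceptions: Iterable[ExceptionItem]) -> bool:
    return any(event.get(item.field) in item.values for item in exceptions)


def run_threshold_rule(events: Iterable[dict], rule: ThresholdRule,
                       exceptions: Iterable[ExceptionItem]) -> List[dict]:
    """Filter by query, drop excepted events, then bucket and count."""
    buckets = defaultdict(list)
    for ev in events:
        # Exceptions are applied here, before bucketing, so excepted hits never count.
        if not matches_query(ev, rule.query) or is_excepted(ev, exceptions):
            continue
        buckets[ev.get(rule.threshold_field)].append(ev)
    alerts = []
    for key, hits in buckets.items():
        if rule.cardinality_field is not None:
            count = len({h.get(rule.cardinality_field) for h in hits})
        else:
            count = len(hits)
        if count >= rule.threshold:
            alerts.append({rule.threshold_field: key, "count": count})
    return sorted(alerts, key=lambda a: str(a[rule.threshold_field]))


# Constructed sample data (hypothetical hosts, ports and users).
def _net(src: str, port: int) -> dict:
    return {"event.category": "network", "source.ip": src, "destination.port": port}


def _auth(user: str, outcome: str = "failure") -> dict:
    return {"event.category": "authentication", "event.outcome": outcome, "user.name": user}


NETWORK_EVENTS = (
    [_net("10.0.0.5", p) for p in (21, 22, 23, 25, 80, 443)]       # vulnerability scanner, 6 unique ports
    + [_net("10.0.0.9", p) for p in (22, 80, 443, 445, 3389, 22)]  # 6 hits but only 5 unique ports
    + [_net("10.0.0.12", p) for p in (443, 443, 80)]               # 2 unique ports
)
LOGON_EVENTS = (
    [_auth("svc-backup") for _ in range(7)]                        # noisy service account
    + [_auth("alice") for _ in range(5)] + [_auth("alice", "success")]
    + [_auth("bob") for _ in range(2)]
)

PORT_SCAN_RULE = ThresholdRule({"event.category": "network"}, "source.ip", 5, "destination.port")
FAILED_LOGON_RULE = ThresholdRule(
    {"event.category": "authentication", "event.outcome": "failure"}, "user.name", 5)

SCANNER_EXCEPTION = [ExceptionItem("source.ip", frozenset({"10.0.0.5"}))]
SERVICE_ACCOUNT_EXCEPTION = [ExceptionItem("user.name", frozenset({"svc-backup"}))]


def port_scan_alerts(apply_exceptions: bool = True) -> List[dict]:
    return run_threshold_rule(NETWORK_EVENTS, PORT_SCAN_RULE,
                              SCANNER_EXCEPTION if apply_exceptions else [])


def failed_logon_alerts(apply_exceptions: bool = True) -> List[dict]:
    return run_threshold_rule(LOGON_EVENTS, FAILED_LOGON_RULE,
                              SERVICE_ACCOUNT_EXCEPTION if apply_exceptions else [])


if __name__ == "__main__":
    print("port scan, no exceptions:", port_scan_alerts(apply_exceptions=False))
    print("port scan, with exceptions:", port_scan_alerts())
    print("failed logons, no exceptions:", failed_logon_alerts(apply_exceptions=False))
    print("failed logons, with exceptions:", failed_logon_alerts())
```

The exception list is evaluated per event, before bucketing, so excepted hits never enter the count and the duplicate port 22 is collapsed by the cardinality count rather than inflating it. Filtering before aggregation is what makes exceptions on a field other than the threshold field work (for example excepting by host.name while grouping by user.name): suppressing an already-aggregated alert could not tell which hits to subtract.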

@lukeelmers added the enhancement, Team:ResponseOps and triage_needed labels on Sep 4, 2020

@elasticmachine (Contributor) commented:

Pinging @elastic/kibana-alerting-services (Team:Alerting Services)

@pmuellr (Member) commented Sep 8, 2020:

@lukeelmers - do we know which threshold alert this is for? Log threshold perhaps? I'd like to direct this issue to the owner of the alert. Alerting services currently only maintains the index threshold alert, but I'm assuming this is a solution-specific alert - security or o11y.

Whoops - I thought Luke had created this issue, so I directed the question at him; re-posted the question back to the creator.

@pmuellr (Member) commented Sep 8, 2020:

@Bananenbrei - which alert was this for? We now have many alerts available; I'm guessing this was the log threshold alert, or perhaps one that is part of the security solution.

@Bananenbrei (Author) commented:

@pmuellr - this was in regards to the newly added Threshold rules in the Security Application (Security -> Detection). Exceptions (lists) are supported for the custom query rules but not for the threshold ones.

@mikecote added the Team:SIEM label and removed the Team:ResponseOps label on Sep 9, 2020

@elasticmachine (Contributor) commented:

Pinging @elastic/siem (Team:SIEM)

@spong added the Feature:Detection Rules label on Sep 16, 2020
@SHolzhauer commented:
This would be a great addition.
The ability to except events from a total based on field=value.

@MindyRS added the Team: SecuritySolution label on Oct 27, 2020

@misc-heading commented:

This is indeed something that is missing in the current version.

@peluja1012 (Contributor) commented:

This PR adds exceptions support to Threshold rules #85103.
