Rule exceptions and value lists

To prevent the creation of unwanted alerts, you can add exceptions to detection rules. Exceptions contain the source event conditions that determine when alerts are not generated. They provide a convenient way of allowing trusted processes and network activity to function without producing unnecessary noise.
You can add multiple exceptions to one rule.
In addition to defining exception queries for source event values, rule exceptions can be used with value lists. Value lists are lists of items with the same Elasticsearch data type. You can create value lists with these types:
- `keyword` (many ECS fields are keywords)
- `ip`
- `ip_range`
- `text`
After creating value lists, you can use the `is in list` and `is not in list` operators to define exceptions.
Manage value lists

To create a value list for use with exceptions:
- Prepare a `txt` or `csv` file with all the values you want to use for determining exceptions from a single list. If you use a `txt` file, newlines act as value delimiters. All values in the file must be of the same Elasticsearch type.
- Go to Security → Detections → Manage detection rules.
- Click Upload value lists. The Upload value lists window opens.
- Select the list type (Keywords, IP addresses, IP ranges, or Text).
- Drag or select the `csv` or `txt` file that contains the values.
- Click Upload list.
When the name of the file you are uploading already exists, the values in the new file are appended to the previously uploaded values.
To view, delete, or export existing lists:
- Go to Security → Detections → Manage detection rules.
- In the Value lists pane, click the required action icon.
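Because every value in a list must be of the same Elasticsearch type, it is worth checking a file before uploading it: a malformed or duplicated entry in a long `ip` or `ip_range` list is easy to miss, and an entry that matches nothing gives an exception that never fires for the host it was meant to cover. The following pre-flight checker is an added example and is not Elastic's code or part of this page. It assumes one value per line in a `txt` file and the first column of each row in a `csv` file, and it accepts an IP range either as a CIDR block or as a dash-separated `low-high` pair; both layout rules are this example's assumptions, not documented upload formats.

```python
"""Pre-flight check for a value list file before uploading it under
Security -> Detections -> Manage detection rules -> Upload value lists.
Added example, not Elastic's code. The type names are the Elasticsearch
types the page lists; the file-layout and range-syntax rules are this
example's own assumptions."""
import csv
import io
import ipaddress

LIST_TYPES = ("keyword", "ip", "ip_range", "text")


def is_ip(value):
    """True if value is a single IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def is_ip_range(value):
    """Assumed range syntax: CIDR ("10.0.0.0/8") or "low-high" with both
    addresses of the same family and low <= high."""
    try:
        ipaddress.ip_network(value, strict=False)
        return True
    except ValueError:
        pass
    low, sep, high = value.partition("-")
    if not sep:
        return False
    try:
        a, b = ipaddress.ip_address(low.strip()), ipaddress.ip_address(high.strip())
    except ValueError:
        return False
    return a.version == b.version and a <= b


def read_values(content, fmt):
    """txt: one value per line; csv: first column of each row (assumption)."""
    if fmt == "txt":
        raw = content.splitlines()
    elif fmt == "csv":
        raw = [row[0] if row else "" for row in csv.reader(io.StringIO(content))]
    else:
        raise ValueError(f"unsupported file format: {fmt}")
    return [v.strip() for v in raw]


def validate_value_list(content, fmt, list_type):
    """Return (values, problems): values are the de-duplicated entries that fit
    list_type; problems are (line_no, value, reason) tuples to fix before upload."""
    if list_type not in LIST_TYPES:
        raise ValueError(f"unknown list type: {list_type}")
    values, problems, seen = [], [], set()
    for line_no, value in enumerate(read_values(content, fmt), start=1):
        if not value:
            problems.append((line_no, value, "empty value"))
        elif value in seen:
            problems.append((line_no, value, "duplicate"))
        elif list_type == "ip" and not is_ip(value):
            problems.append((line_no, value, "not an IP address"))
        elif list_type == "ip_range" and not is_ip_range(value):
            problems.append((line_no, value, "not a CIDR block or address range"))
        else:
            seen.add(value)
            values.append(value)
    return values, problems


# Constructed sample files (not from the page).
SAMPLE_IP_TXT = "10.1.2.3\n192.168.0.10\nnot-an-ip\n10.1.2.3\n\n2001:db8::1\n"
SAMPLE_RANGE_CSV = "10.0.0.0/8,corp\n172.16.0.1-172.16.0.50,lab\n172.16.0.50-172.16.0.1,bad\n"

if __name__ == "__main__":
    for content, fmt, list_type in ((SAMPLE_IP_TXT, "txt", "ip"),
                                    (SAMPLE_RANGE_CSV, "csv", "ip_range")):
        values, problems = validate_value_list(content, fmt, list_type)
        print(f"{list_type}: {len(values)} usable values")
        for line_no, value, reason in problems:
            print(f"  line {line_no}: {value!r} -> {reason}")
```

Duplicates are reported rather than silently dropped because uploading a file whose name already exists appends to the stored list, so a repeated value is usually a sign that the file was merged by hand. For `keyword` and `text` lists only empty and duplicate entries are flagged, since any non-empty string is a valid value of those types.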
Add detection exceptions to a rule

You can add exceptions to a rule via the Rule details page or the Alerts table. When you add an exception, you can also close all alerts that meet the exception’s criteria.
When you select to close all alerts that meet the exception’s criteria, all matching alerts are closed, including alerts generated by other rules.
To ensure an exception is successfully applied, make sure that the fields you’ve defined for the exception query are correctly and consistently mapped in their respective indices. Refer to ECS to learn more about supported mappings.
- To add an exception via the Rule details page:
  - Go to the Rule details page of the rule to which you want to add the exception (Security → Detections → Manage detection rules → <rule name>).
  - Scroll down to the Trend histogram and select the Exceptions tab.
  - Click Add new exception.
- To add an exception via the Alerts table:
  - Go to Detections (Security → Detections).
  - Scroll down to the Alerts table and click the more actions icon, and then select Add exception. The Add Exception window opens (via Alerts table).
- Add conditions that define when the exception prevents alerts. You can define multiple conditions with `OR` and `AND` relationships. In the example above, the exception prevents the rule from generating alerts when the `maintenance.exe` process runs on `win-server-1`, `win-server-2`, or `win-server-3`. You can use nested conditions. However, this is only required for the fields listed under Exceptions with nested conditions below. For all other fields, nested conditions should not be used.
  If you have created value lists, you can use them to exclude or include all values in a list with the `is in list` and `is not in list` operators.
  When using a list, all exception statements must use the `is in list` and `is not in list` operators.
- You can select any of the following:
  - Close this alert: Closes the alert when the exception is added. This option is only available when adding exceptions via the Alerts table.
  - Close all alerts that match this exception, including alerts generated by other rules: Closes all alerts that match the exception’s conditions.
- Click Add Exception.
Add Elastic Endpoint Security exceptions

Like detection rule exceptions, you can add Endpoint agent exceptions via both the Elastic Endpoint Security rule and its generated alerts. Alerts generated from the Elastic Endpoint Security rule have the following fields:
- `signal.original_event.module:endpoint`
- `signal.original_event.kind:alert`
Additionally, you can add Endpoint exceptions via rules that are associated with Elastic endpoint rule exceptions. To associate rules, when creating or editing a rule select the Elastic endpoint exceptions option.
When you add an exception to the Elastic Endpoint Security rule, you can select to add the exception to the endpoint. When selected, the exception is added to both the detection rule and the Elastic Endpoint agent on your hosts.
Binary fields are not supported in detection rule exceptions.
Exceptions added to the Elastic Endpoint Security rule affect all alerts sent from the Endpoint agent. Be careful not to unintentionally prevent some Endpoint alerts.
- To add an Endpoint exception via the Rule details page:
  - Go to the Rule details page of the Elastic Endpoint Security rule (Security → Detections → Manage detection rules → Elastic Endpoint Security).
  - Scroll down to the Trend histogram and select the Exceptions tab.
  - Click Add Endpoint exception.
- To add an exception via the Alerts table:
  - Go to Detections (Security → Detections).
  - Scroll down to the Alerts table and, from an Elastic Endpoint Security alert, click the more actions icon, and then select Add Endpoint exception. The Add Endpoint Exception window opens (via Alerts table).
- If required, modify the conditions. Exceptions with nested conditions (below) describes when nested conditions are required.
- You can select any of the following:
  - Close this alert: Closes the alert when the exception is added. This option is only available when adding exceptions via the Alerts table.
  - Close all alerts that match this exception, including alerts generated by other rules: Closes all alerts that match the exception’s conditions.
- Click Add Exception.
An exception is created for both the detection rule and the Elastic Endpoint agent.
Exceptions with nested conditions

Some Endpoint objects contain nested fields, and the only way to ensure you are excluding the correct fields is with nested conditions. One example is the `process.Ext` object:

```json
{
  "ancestry": [],
  "code_signature": {
    "trusted": true,
    "subject_name": "LFC",
    "exists": true,
    "status": "trusted"
  },
  "user": "WDAGUtilityAccount",
  "token": {
    "elevation": true,
    "integrity_level_name": "high",
    "domain": "27FB305D-3838-4",
    "user": "WDAGUtilityAccount",
    "elevation_type": "default",
    "sid": "S-1-5-21-2047949552-857980807-821054962-504"
  }
}
```

`code_signature.subject_name` refers to the process signature, not the process name.
Only these objects require nested conditions to ensure the exception functions correctly:
- `Endpoint.policy.applied.artifacts.global.identifiers`
- `Endpoint.policy.applied.artifacts.user.identifiers`
- `Target.dll.Ext.code_signature`
- `Target.process.Ext.code_signature`
- `Target.process.Ext.token.privileges`
- `Target.process.parent.Ext.code_signature`
- `Target.process.thread.Ext.token.privileges`
- `dll.Ext.code_signature`
- `file.Ext.code_signature`
- `file.Ext.macro.errors`
- `file.Ext.macro.stream`
- `process.Ext.code_signature`
- `process.Ext.token.privileges`
- `process.parent.Ext.code_signature`
- `process.thread.Ext.token.privileges`

Nested condition example

Creates an exception that excludes all LFC-signed trusted processes:
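To make the difference between flat and nested conditions concrete, and to show how the `AND`/`OR` and `is in list` conditions from the `maintenance.exe` example earlier on this page combine, the following small evaluator is added here as an example. It is not Elastic's code and does not reproduce Elastic's exception schema or query engine; its condition format is its own. It models the `process.Ext` object quoted above and assumes, as an Elasticsearch nested field allows, that a `code_signature` field may hold several signature objects; the second event, in which that is the case, is constructed.

```python
"""Added example, not Elastic's code: a small evaluator that shows how AND/OR
conditions and the "is in list" operator combine, and why the Endpoint fields
listed above need nested conditions. The condition format is this example's own
(not Elastic's exception schema), and it assumes a code_signature field may hold
several signature objects, as an Elasticsearch nested field can. The process.Ext
sample is the one quoted on this page; the other events are constructed."""


def collect(obj, path):
    """Return every leaf value reachable by the dotted `path`, descending into
    lists. This is the flattened view that a non-nested condition sees."""
    if isinstance(obj, list):
        return [v for item in obj for v in collect(item, path)]
    if not path:
        return [obj]
    head, _, rest = path.partition(".")
    if not isinstance(obj, dict) or head not in obj:
        return []
    return collect(obj[head], rest)


def clause_matches(values, operator, operand):
    """Apply one exception operator to the values found for a field."""
    if operator == "is":
        return operand in values
    if operator == "is not":
        return operand not in values
    if operator == "is in list":
        return any(v in operand for v in values)
    if operator == "is not in list":
        return not any(v in operand for v in values)
    raise ValueError(f"unknown operator: {operator}")


def condition_matches(event, cond):
    """A condition is (field, operator, operand) or ("nested", path, [sub-conditions]).
    Nested: one and the same object under `path` must satisfy every sub-condition."""
    if cond[0] == "nested":
        _, path, subconds = cond
        return any(
            isinstance(obj, dict) and all(condition_matches(obj, c) for c in subconds)
            for obj in collect(event, path)
        )
    field, operator, operand = cond
    return clause_matches(collect(event, field), operator, operand)


def exception_matches(event, exception):
    """An exception is a list of entries joined by OR; each entry is a list of
    conditions joined by AND. True means the exception suppresses the alert."""
    return any(all(condition_matches(event, c) for c in entry) for entry in exception)


# process.Ext object as shown on this page
PAGE_PROCESS_EXT = {
    "ancestry": [],
    "code_signature": {"trusted": True, "subject_name": "LFC", "exists": True, "status": "trusted"},
    "user": "WDAGUtilityAccount",
    "token": {"elevation": True, "integrity_level_name": "high", "domain": "27FB305D-3838-4",
              "user": "WDAGUtilityAccount", "elevation_type": "default",
              "sid": "S-1-5-21-2047949552-857980807-821054962-504"},
}
EVENT_PAGE = {"host": {"name": "win-server-2"},
              "process": {"name": "maintenance.exe", "Ext": PAGE_PROCESS_EXT}}

# Constructed: LFC's signature is NOT trusted, but a second, trusted signature is present.
EVENT_MIXED = {"host": {"name": "win-server-2"},
               "process": {"name": "maintenance.exe", "Ext": {"code_signature": [
                   {"trusted": False, "subject_name": "LFC", "exists": True, "status": "errorExpired"},
                   {"trusted": True, "subject_name": "Example Vendor", "exists": True, "status": "trusted"},
               ]}}}

MAINTENANCE_HOSTS = ["win-server-1", "win-server-2", "win-server-3"]  # a keyword value list
# "maintenance.exe on win-server-1, -2 or -3", as in the text above
MAINTENANCE_EXCEPTION = [[("process.name", "is", "maintenance.exe"),
                          ("host.name", "is in list", MAINTENANCE_HOSTS)]]
# "all LFC-signed trusted processes", once as flat conditions and once nested
LFC_TRUSTED_FLAT = [[("process.Ext.code_signature.subject_name", "is", "LFC"),
                     ("process.Ext.code_signature.trusted", "is", True)]]
LFC_TRUSTED_NESTED = [[("nested", "process.Ext.code_signature",
                        [("subject_name", "is", "LFC"), ("trusted", "is", True)])]]

if __name__ == "__main__":
    for label, event in (("page event", EVENT_PAGE), ("mixed signatures", EVENT_MIXED)):
        print(label, "flat:", exception_matches(event, LFC_TRUSTED_FLAT),
              "nested:", exception_matches(event, LFC_TRUSTED_NESTED))
```

On the event quoted from the page both forms agree: the single signature object is LFC's and is trusted, so the alert is suppressed either way. On the constructed event the flat form also suppresses the alert, because `subject_name: LFC` is satisfied by one signature object and `trusted: true` by another, which would silently exclude an untrusted LFC-signed process; the nested form requires both facts to come from the same object and correctly lets the alert through. That cross-object match is exactly why the objects listed above must be written as nested conditions, and why nested conditions add nothing (and should not be used) on fields that hold a single value.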