
[Security Solution] Expiration Option for Security Detection Rule Exceptions #159215

Closed
MakoWish opened this issue Jun 7, 2023 · 8 comments
Labels
Team:Detection Engine Security Solution Detection Engine Area Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.

Comments

@MakoWish

MakoWish commented Jun 7, 2023

Describe the feature:

Create an option for exceptions on detection rules to expire at a specified date/time.

Describe a specific use case for the feature:

In our environment, documented exceptions to any of our security policies have a maximum validity of one year; no exceptions are permanent. For this reason, I would love to see a feature in Kibana to set an expiration on exceptions to detection rules. This would save a lot of time with cleaning up detection rule exceptions once our internal exceptions to security policies expire.

Let's say a team member requested permission to SSH into a service on the internet for a project that will last 30 days. A Security Policy Exception Request (internal document) was drafted, routed for approvals, and was ultimately approved. I then add an exception for user.name: "janedoe" and destination.ip: "1.2.3.4" to the detection rule SSH (Secure Shell) to the Internet. Once that 30 days has elapsed, we would want to know if Jane is still performing these SSH connections without having to remember to remove the exception from the rule. If we could have set an expiration date on the exception, it would automate the removal of these temporary exceptions.
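The expiry behaviour requested above, as an added illustration that is not code from this issue or from Kibana: an exception item is only honoured while its expiry is in the future, so Jane's SSH connections suppress the alert during the 30-day window and fire again afterwards. The item shape, the `expire_time` field name and all timestamps are constructed assumptions for the example.

```python
from datetime import datetime, timezone

# Constructed exception item (assumed shape and field names, not Kibana's own).
# Both entries must match the event for the exception to apply.
SSH_EXCEPTION = {
    "name": "janedoe 30-day SSH exception (constructed)",
    "expire_time": "2023-07-07T00:00:00Z",  # assumed expiry field
    "entries": [
        {"field": "user.name", "type": "match", "value": "janedoe"},
        {"field": "destination.ip", "type": "match", "value": "1.2.3.4"},
    ],
}


def _parse_ts(ts: str) -> datetime:
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)


def exception_active(item: dict, now: datetime) -> bool:
    """An item without expire_time never expires; otherwise it is active until then."""
    expire = item.get("expire_time")
    return expire is None or now < _parse_ts(expire)


def event_matches(item: dict, event: dict) -> bool:
    """All 'match' entries of the item must equal the event's field values."""
    return all(event.get(e["field"]) == e["value"]
               for e in item["entries"] if e["type"] == "match")


def should_alert(rule_hit: dict, exceptions: list, now: datetime) -> bool:
    """True when the rule matched and no *active* exception suppresses it."""
    return not any(exception_active(i, now) and event_matches(i, rule_hit)
                   for i in exceptions)


if __name__ == "__main__":
    # Constructed rule hit for the scenario in the issue.
    hit = {"user.name": "janedoe", "destination.ip": "1.2.3.4"}
    for when in ("2023-06-15T12:00:00Z", "2023-07-10T12:00:00Z"):
        print(when, "alert" if should_alert(hit, [SSH_EXCEPTION], _parse_ts(when))
              else "suppressed")
```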

@MakoWish MakoWish changed the title Expiration Option for Security Detection Rule Exceptions [Security Solution] Expiration Option for Security Detection Rule Exceptions Jun 7, 2023
@botelastic botelastic bot added the needs-team Issues missing a team label label Jun 7, 2023
@nreese nreese added the Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. label Jun 12, 2023
@elasticmachine
Contributor

Pinging @elastic/security-solution (Team: SecuritySolution)

@botelastic botelastic bot removed the needs-team Issues missing a team label label Jun 12, 2023
@nreese
Contributor

nreese commented Jun 12, 2023

@MakoWish please add Team: labels to avoid issues with needs-team label. Otherwise, this adds additional work for kibana maintainers who have to manually go through issues and clean up issues without team tags.

@MakoWish
Author

Hi @nreese,

How is that done?

@nreese
Contributor

nreese commented Jun 12, 2023

How is that done?

Under labels, select Team: label. For example Team: SecuritySolution


@MadameSheema
Member

Hi @MakoWish!! Hope you are doing great!! Lots of thanks for the suggestion :)

In version 8.7.0 we added the capability for users to set expiration dates for rule exceptions and to choose whether to include expired exceptions when exporting shared exception lists.

Hope that helps with your described scenario.

cc @peluja1012

@MadameSheema MadameSheema added Team:Detections and Resp Security Detection Response Team Team:Detection Engine Security Solution Detection Engine Area labels Jun 13, 2023
@elasticmachine
Contributor

Pinging @elastic/security-detections-response (Team:Detections and Resp)

@MakoWish
Author

How is that done?

Under labels, select Team: label. For example Team: SecuritySolution


I don't have that option. I do not work for Elastic, FYI.

@MakoWish
Author

Hi @MakoWish!! Hope you are doing great!! Lots of thanks for the suggestion :)

In version 8.7.0 we added the capability for users to set expiration dates for rule exceptions and to choose whether to include expired exceptions when exporting shared exception lists.

Hope that helps with your described scenario.

cc @peluja1012

That is exactly what I was looking for! Thank you, and I guess we can close this one!
