[DOCS] Rule Exceptions and Endpoint Exceptions #57

Closed
dontcallmesherryli opened this issue Jul 6, 2020 · 4 comments · Fixed by #70 or #73
Labels: Team: Docs; v7.9.0 (Features in the 7.9 Release)

Comments


dontcallmesherryli commented Jul 6, 2020

Description

Meta issue: https://github.com/elastic/endpoint-app-team/issues/377
Mock link: https://www.figma.com/file/jcCKnGXvOlFxMOpUjlTMMz/All-Exceptions?node-id=347%3A24834

As a user, I need the ability to add exceptions to alerts in the Elastic Security App so that I can tune out the false positive alerts and allow end users to perform their jobs on their computers.

Acceptance Test Criteria

Documentation is needed when a user adds an exception to Endpoint, adds an exception to a rule, creates an exception list, views exception items created, and edits an exception item.

Add an exception to Endpoint

  1. User can add an exception to Endpoint by clicking on the action overflow menu on the Detection Alert list.
  2. User sees a modal they must complete. They can add desired fields and nested conditions for the Endpoint exception (originally known as whitelisting). User can add a comment to the exception and select to close alerts with matching attributes.
  3. User clicks "Add Exception" when they complete the modal. The attributes they entered are added to the Endpoint Promotion Rule, as well as added to the package sent to all endpoints so the sensors on the endpoints will no longer alert and allow matching attributes to happen on the endpoint.
  • Use case example - SOC analyst wants to allow for a file that is not malicious (False Positive). Analyst can "whitelist" the file by adding the hash and the path of the file as an endpoint exception item.

Add an exception to rule

  1. User can add an exception to a rule by clicking on the action overflow menu on the Detection Alert list.
  2. User sees a modal they must complete. They can add desired fields, operators, nested conditions, and exception lists for the rule exception. User can add a comment to the exception entry and select to close alerts with matching attributes.
  3. User clicks "Add Exception" when they complete the modal. The fields, operators, nested conditions, and exception lists from the exception entry will be applied to the detection rule.
  • Use case example - SOC analyst doesn't want to see detection alerts on a group of hosts; they can add an exception for these hosts to a detection rule.

Create an exception list

  1. User can add a value list to be used for exceptions on the Rules Management page.
  2. User clicks on the "upload value list" button on top, and is prompted with a modal that has an upload section and a section that shows all uploaded value lists. User chooses a file from their computer to upload as a list.
  3. User can Export and Remove existing value lists.
  • Use case example - SOC analyst needs to add a list of trusted hashes that should be ignored by a detection rule.

View exception items created

  1. User can view all exception items created in the Detection Rule page.
  2. Endpoint Exceptions created are in the Endpoint Rule details page under the Exceptions tab, while exceptions applied to detection rules are found within individual detection rules details page under the Exceptions tab.

Edit an exception item

  1. User can edit and remove exception items by going into the Rules Details page under the Exceptions tab.
  2. Clicking on Edit, the user gets a modal that is similar to the "Add exceptions" modal and can edit all attributes there. User can also add more comments to the exception entry.

Notes

  • Add the "Team:Docs" label to new issues.
  • Be sure to add any necessary screenshots for clarity.
  • Include any conditions or caveats that may affect customers.
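As an added illustration (not Elastic's code and not part of this issue), the block below evaluates exception items in the shape the issue describes: entries with a field, operator, type and value, nested conditions, and membership in an uploaded value list, with entries ANDed inside an item and items ORed across a list. All alerts, items and list contents are constructed; the demo also shows why the hash-plus-path pairing in the Endpoint use case matters, since a path-only item would equally suppress a different binary at the same path, the kind of over-broad exception the guideline discussed later in the thread is meant to prevent.

```python
"""Evaluate exception items against alert documents. Constructed illustration, not Elastic's code."""

def get_field(doc, path):
    """Resolve a dotted path such as 'file.hash.sha256' inside a nested dict."""
    for part in path.split("."):
        if not isinstance(doc, dict) or part not in doc:
            return None
        doc = doc[part]
    return doc

def entry_matches(entry, doc, value_lists):
    """True when one exception entry holds for the document."""
    if entry["type"] == "nested":  # all sub-entries must hold inside the same nested object
        inner = get_field(doc, entry["field"])
        return isinstance(inner, dict) and all(entry_matches(e, inner, value_lists) for e in entry["entries"])
    value = get_field(doc, entry["field"])
    if entry["type"] == "match":
        hit = value == entry["value"]
    elif entry["type"] == "match_any":
        hit = value in entry["value"]
    elif entry["type"] == "list":  # membership in an uploaded value list
        hit = value in value_lists.get(entry["list"], set())
    else:
        raise ValueError(f"unknown entry type {entry['type']}")
    # operator 'excluded' negates the condition ("is not"); 'included' keeps it
    return hit if entry.get("operator", "included") == "included" else not hit

def is_excepted(alert, items, value_lists):
    """Entries within one item are ANDed; separate items are ORed."""
    return any(all(entry_matches(e, alert, value_lists) for e in item["entries"]) for item in items)

# Constructed sample data (hashes, paths and host names are made up).
VALUE_LISTS = {"trusted-hashes": {"aaaa1111"}}
PATH = r"C:\Tools\agent.exe"
HASH_AND_PATH = {"entries": [{"field": "file.hash.sha256", "type": "match", "value": "aaaa1111"},
                             {"field": "file.path", "type": "match", "value": PATH}]}
PATH_ONLY = {"entries": [{"field": "file.path", "type": "match", "value": PATH}]}
HOST_GROUP = {"entries": [{"field": "host.name", "type": "match_any", "value": ["lab-01", "lab-02"]}]}
TRUSTED = {"entries": [{"field": "file.hash.sha256", "type": "list", "list": "trusted-hashes"}]}
BENIGN = {"host": {"name": "ws-07"}, "file": {"path": PATH, "hash": {"sha256": "aaaa1111"}}}
SWAPPED = {"host": {"name": "ws-07"}, "file": {"path": PATH, "hash": {"sha256": "beef9999"}}}
LAB = {"host": {"name": "lab-02"}, "file": {"path": r"C:\x.exe", "hash": {"sha256": "c0ffee"}}}

def demo():
    """Each entry is True when the exception behaves as the use case intends."""
    return {"hash+path suppresses benign": is_excepted(BENIGN, [HASH_AND_PATH], VALUE_LISTS),
            "hash+path keeps swapped binary": not is_excepted(SWAPPED, [HASH_AND_PATH], VALUE_LISTS),
            "path-only hides swapped binary": is_excepted(SWAPPED, [PATH_ONLY], VALUE_LISTS),
            "host group excepted": is_excepted(LAB, [HOST_GROUP], VALUE_LISTS),
            "value list hit": is_excepted(BENIGN, [TRUSTED], VALUE_LISTS)}
```

The "path-only hides swapped binary" result is the one to watch for when reviewing exception items: it is the case where a too-generic exception silences the alert a rule exists to raise.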
@dontcallmesherryli dontcallmesherryli added the v7.9.0 Features in the 7.9 Release label Jul 7, 2020
@benskelker benskelker self-assigned this Jul 14, 2020

benskelker commented Jul 14, 2020

API PR: #35
Related to: #41

UI PR: #73

dontcallmesherryli (Author) commented

Per speaking with @mark-dufresne, we should document a guideline for users to help them identify fields for creating exceptions for each of the prebuilt rules, so that users are not shooting themselves in the foot and unknowingly hide critical alerts that the prebuilt rules are meant to detect.

@benskelker @jmikell821 looking for your advice on best place to put that information.


benskelker commented Jul 19, 2020

I think here: https://www.elastic.co/guide/en/security/master/tuning-detection-signals.html, either by expanding this section or creating a new section at the same level.

@mark-dufresne - we can work on this however you prefer: you can open a PR to the https://github.com/elastic/security-docs repo or share a gdoc with the guidelines, or we can arrange a meeting to get this started. If you open a PR, this folder contains all the Detections stuff: https://github.com/elastic/security-docs/tree/master/docs/siem/detections.

jmikell821 (Contributor) commented

@mark-dufresne - echoing what @benskelker said. If you have a doc to share with us, we can get started. In the meantime, I've created #68, where we can track progress.

This was linked to pull requests Jul 26, 2020
@benskelker benskelker reopened this Jul 26, 2020
joepeeples added a commit that referenced this issue Mar 13, 2024
* Update visualize-alerts.mdx

* Update visualize-alerts.mdx

Add description frontmatter

* Update view-alert-details.mdx

* Update signals-to-cases.mdx

* Update alert-suppression.mdx

* Update alert-suppression.mdx

Add description frontmatter

* Update reduce-notifications-alerts.mdx

* Revise section title

* Rename id: serverlessSecurityAlertsOverview

* Rename file: alerts-overview.mdx

* Update visual-event-analyzer.mdx

* Update query-alert-indices.mdx

* Update alert-schema.mdx

Remove previous version column

* Add missing descriptions
joepeeples added a commit that referenced this issue May 22, 2024
(same commit message as above)