Description
related to #3405
Is your feature request related to a problem? Please describe.
We have created a CD pipeline for rules using the CLI tool.
We manage rules as TOML files and deploy them to the SIEM on every git push.
It would be great if we could do the same with the exceptions
Describe the solution you'd like
I would like extra functionality that also manages the Exceptions and Exception List from the CLI `kibana` subcommand.
Or any documentation on the matter (if this already exists).
I have seen that the TOML `[[rule.exceptions_list]]` directive is somehow working, but I do not know to what extent. Does it support the Exception comment and conditions as well? I tried something like:
```toml
[rule]
...
[[rule.exceptions_list]]
id = "<uuid>"
namespace_type = "single"
type = "detection"
list_id = "<another uuid>"
[[rule.exception_list.comments]]
comment = "This IP is hosted by... and should excepted "
created_by = "<me>"
[[rule.exception_list.entries]]
field = "agent.hostname"
operator = "included"
type = "match_any"
value = [ "host1", "host2", "host3" ]
[[rule.exception_list.entries]]
field = "destination.ip"
operator = "included"
type = "match_any"
value = [ "<ip1>", "<ip2>" ]
```
and it didn't work.
Describe alternatives you've considered
I have tried adding them as raw Kibana objects. This didn't work for me.