[Security Solution] Document the procedure for creating detection rule exceptions based on runtime fields

[andrew-goldstein]

[Security Solution] Document the procedure for creating detection rule exceptions based on runtime fields

A user described a scenario where they want to add a detection rule exception, which is case sensitive, that matches any variation in casing for the file.path ECS field.

If runtime fields are a reasonable way to (for example) normalize the value of the file.path to an all-lowercase value for the purpose of creating exceptions that match it, consider:

• Providing documentation that describes how to create a runtime field for the scenario above
  • Documenting the procedure for adding a detection rule exception that will match the normalized values provided by the runtime field
  • Documenting the performance considerations of using a runtime field for the scenario above

Kibana/Elasticsearch Stack version:

8.3.0

[elasticmachine]

Pinging @elastic/security-detections-response (Team:Detections and Resp)

[elasticmachine]

Pinging @elastic/security-solution (Team: SecuritySolution)

[yctercero]

@dhurley14 assigned to you since I know you're touching this flow as part of the data views work you're doing.

Maybe digging further into this can be a post MVP followup?

cc @peluja1012

[nastasha-solomon]

@andrew-goldstein if this content should be added as an example or tutorial to the runtime field docs, I can transfer this issue to our security-docs repo.
cc: @elastic/security-docs

[hatl3n]

Personally I have an issue with the case sensitive part. I'm trying to add some rule exceptions, but sometimes the folder is WINDOWS, other times it's Windows. Trying to match on multiple AND'ed fields then is quite a hassle. Even more so when I try to add the two case variants as part of "is one of" it denies me because it says it's already added.....

[yctercero]

@hatl3n thank you for the feedback here. While this current issue is not prioritized at the moment, we did put in a fix to enable "is one of" to allow multiple values like WINDOWS and Windows without complaining that the value has already been added. PR that added this change for reference - elastic/kibana#167208

[yctercero]

Hey @nastasha-solomon ! Going through the backlog. I think we should move this over to security-docs and can work on these improvements together.