[FR] Manage Exceptions in an as-code way #1738

Closed
operatorequals opened this issue Jan 28, 2022 · 8 comments · Fixed by #3407
Labels: backlog, community, enhancement, help wanted, python

Comments

operatorequals commented Jan 28, 2022

related to #3405

Is your feature request related to a problem? Please describe.
We have created a CD pipeline for rules using the CLI tool.
We manage rules as TOML files and deploy them to the SIEM in every git push.
It would be great if we could do the same with the exceptions

Describe the solution you'd like
I would like extra functionality that also manages the Exceptions and Exception List from the CLI kibana subcommand.
Or any documentation on the matter (if this already exists).
I have seen that the TOML [[rule.exceptions_list]] directive is somehow working, but I do not know to what extent. Does it support the Exception comment and conditions as well? I tried something like:

```toml
[rule]
...
[[rule.exceptions_list]]
id = "<uuid>"
namespace_type = "single"
type = "detection"
list_id = "<another uuid>"

  [[rule.exception_list.comments]]
  comment = "This IP is hosted by... and should excepted "
  created_by = "<me>"

  [[rule.exception_list.entries]]
  field = "agent.hostname"
  operator = "included"
  type = "match_any"
  value = [ "host1", "host2", "host3" ]

  [[rule.exception_list.entries]]
  field = "destination.ip"
  operator = "included"
  type = "match_any"
  value = [ "<ip1>", "<ip2>" ]
```

and it didn't work.

Describe alternatives you've considered
I have tried adding them as raw Kibana Objects. This didn't work for me.

@operatorequals operatorequals added the enhancement New feature or request label Jan 28, 2022
botelastic bot commented Mar 29, 2022

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@botelastic botelastic bot added the stale 60 days of inactivity label Mar 29, 2022
@w0rk3r w0rk3r added backlog and removed stale 60 days of inactivity labels Mar 29, 2022
operatorequals (Author):

I created a Terraform Provider for Elastic Rules and Exceptions
https://github.com/operatorequals/terraform-provider-elastic-siem#why

ar3diu (Contributor) commented Oct 27, 2022

Interested in this as well.
It would be very helpful to use the same detection_rules tool to create and link exceptions to Elastic prebuilt rules.

Mikaayenson (Contributor):

Adding a little more context, this method is preferred as it can add exceptions in a structured way vs editing the query. I think to do this correctly, we'd have to do a few things.

Anything else?

brokensound77 (Contributor):

Parts of this were completed in #3407; however, since it remains in a feature branch during testing, we can leave the issue open until it is merged to main (or deemed not viable).

In the meantime you should check out #3298 for how to use the updates and provide feedback

slawomirbabicz:

Managing this and rule actions creates complexity.
I guess any reasonable company wants to manage it using GitHub / GitLab and a CI/CD release process after approval.

Codification of those exception lists in a nice streamlined way would be fantastic to have.

tsigouris007:

> Managing this and rule actions creates complexity. I guess any reasonable company wants to manage it using GitHub / GitLab and a CI/CD release process after approval.
>
> Codification of those exception lists in a nice streamlined way would be fantastic to have.

Hi @slawomirbabicz,
based on @operatorequals' inspiration I created a native Go Terraform provider that can do this trick for you.
Check it here: https://github.com/tsigouris007/terraform-provider-elastic-siem-detection

eric-forte-elastic (Contributor):

With this new feature #3889, exceptions and exceptions lists can now be managed via our CLI for both local and kibana API usage. These commands can also be easily wrapped in the Terraform providers above. If you run into any issues with managing exceptions lists, please re-open the issue or create a new one. Thanks!
