Is your feature request related to a problem?
Currently, OpenSearch Alerting and Security Analytics do not provide a centralized exception management mechanism.
When users need to exclude specific IPs, users, hosts, or service accounts from triggering alerts, they must manually hard-code the exclusions inside each rule query (e.g., a must_not clause or an AND NOT condition). This creates operational overhead and duplication across rules, and makes exception updates difficult to manage at scale.
What solution would you like?
Introduce a native Exception List framework with:
Centralized management of reusable exception lists
Ability to attach one or multiple exception lists to rules/monitors
Automatic propagation of updates to all linked rules
UI and API support for managing exceptions
Optional support for expiration and tagging
This would improve maintainability, reduce false positives, and simplify detection rule management in large environments.
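To make the difference between the two approaches concrete, here is an added example (not code from OpenSearch or from this request): a rule with a hard-coded must_not exclusion beside a rule that stays generic and has a reusable exception list applied to it at evaluation time. The exception-list schema (id, tags, entries with field/values/expires) is a hypothetical one invented for the illustration; the rule queries use standard OpenSearch bool/must_not query DSL. Expired entries are skipped, and applying the same list to several rules shows how an update to the list propagates to every linked rule.

```python
import copy
from datetime import datetime, timezone

# Constructed sample exception list (hypothetical schema, not an OpenSearch API).
EXCEPTION_LIST = {
    "id": "svc-account-exclusions",
    "tags": ["service-accounts", "backup"],
    "entries": [
        {"field": "user.name", "values": ["svc-backup", "svc-monitor"], "expires": None},
        # Already expired: must no longer be applied to any rule.
        {"field": "source.ip", "values": ["10.0.0.5"], "expires": "2020-01-01T00:00:00+00:00"},
        {"field": "host.name", "values": ["jump01"], "expires": "2999-01-01T00:00:00+00:00"},
    ],
}

# Status quo: the exclusion is baked into one rule's query and must be
# edited by hand in every rule that needs it.
RULE_HARDCODED = {
    "query": {
        "bool": {
            "must": [{"match": {"event.action": "login_failed"}}],
            "must_not": [{"terms": {"user.name": ["svc-backup"]}}],
        }
    }
}

# Proposed: rules carry only their detection logic; exceptions are attached.
RULE_LOGIN = {"query": {"bool": {"must": [{"match": {"event.action": "login_failed"}}]}}}
RULE_SUDO = {"query": {"match": {"event.action": "sudo"}}}  # not a bool query yet


def active_entries(exception_list, now=None):
    """Return the entries of a list that have not expired at time `now`."""
    now = now or datetime.now(timezone.utc)
    kept = []
    for entry in exception_list["entries"]:
        expires = entry.get("expires")
        if expires and datetime.fromisoformat(expires) <= now:
            continue
        kept.append(entry)
    return kept


def apply_exception_lists(rule, exception_lists, now=None):
    """Return a copy of `rule` with each active exception entry added as a
    must_not terms clause. Existing must_not clauses are preserved."""
    new_rule = copy.deepcopy(rule)
    query = new_rule["query"]
    if "bool" not in query:
        # Wrap a plain query so exclusions can be attached as must_not.
        query = {"bool": {"must": [query]}}
        new_rule["query"] = query
    must_not = query["bool"].setdefault("must_not", [])
    for exception_list in exception_lists:
        for entry in active_entries(exception_list, now):
            must_not.append({"terms": {entry["field"]: list(entry["values"])}})
    return new_rule


def excluded_fields(rule):
    """List the fields a compiled rule excludes on, for a quick audit."""
    must_not = rule["query"].get("bool", {}).get("must_not", [])
    return sorted(field for clause in must_not for field in clause.get("terms", {}))


if __name__ == "__main__":
    now = datetime(2025, 1, 1, tzinfo=timezone.utc)
    for rule in (RULE_LOGIN, RULE_SUDO):
        compiled = apply_exception_lists(rule, [EXCEPTION_LIST], now)
        print(excluded_fields(compiled))  # same exclusions on every linked rule
```

Propagation falls out of the design: a change to EXCEPTION_LIST is picked up the next time apply_exception_lists runs for any linked rule, whereas RULE_HARDCODED would need a separate edit. The same compile step is also where expiration is enforced, so a temporary exclusion cannot silently outlive its intended window.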
What alternatives have you considered?
Current alternatives include:
Hardcoding exclusions directly in rule queries
Maintaining external lookup indices
Filtering data at ingestion time
These approaches increase complexity and do not provide centralized governance or scalability.
Do you have any additional context?
This feature would significantly enhance rule lifecycle management, reduce operational burden in SOC environments, and improve overall detection maintainability.