
Create and Manage Value Lists doc should contain more examples of accepted IP addresses formats #3754

Open

Description

A user provided the following feedback about Create and Manage Value Lists documentation.

I'm searching the Elastic documentation regarding value lists: https://www.elastic.co/guide/en/security/8.9/value-lists-exceptions.html, specifically. I can't seem to tell how these lists should be constructed; is there any more documentation around this, or somewhere with examples? We are trying to implement value lists of dynamic IP ranges to look for in alerts, but we are unsure whether the value lists accept CIDR ranges or just dashed lists (10.0.0.0/8 or 10.0.0.0-10.255.255.255, which is right?)

Support confirmed that both CIDR notation values and dash-notation IP ranges are accepted. The user responded and provided feedback suggesting that the doc be improved with more examples of the accepted IP address formats:

I only see one mention of CIDR, in this line of the documentation, which seems to relate to custom query, machine learning, and indicator rules: "IP range lists with more than 200 dash notation values (for example, 127.0.0.1-127.0.0.4 is one value) or more than 65,536 CIDR notation values". That doesn't seem to indicate explicitly that they accept CIDR notation, so I was not sure about this. I think reaching out to the documentation team on this would be helpful: value lists seem like a very powerful tool in the platform, but we have not used them yet, nor did we even know about their existence. Knowing about these from the get-go could have helped us build IoC trackers or assist in whitelisting trusted vendor IP ranges.

Priority: Low
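The two notations the user asks about describe the same kind of address set, but they are not interchangeable one-for-one: a single dash-notation value can cover a range that needs many CIDR blocks, which is why the quoted documentation counts the two forms against different thresholds (200 dash values versus 65,536 CIDR values). The script below is an added example, not Elastic's code and not how Kibana evaluates value lists internally; it parses a value list written in either format using Python's standard `ipaddress` module, reports how many values of each notation it contains, expands a dash range into the equivalent CIDR blocks, and checks alert source IPs against the list. The sample list and addresses are constructed for the example.

```python
"""Added example (not Elastic's code): parse value-list IP ranges written in
CIDR or dash notation, count each form, and match addresses against them."""
import ipaddress
from typing import Dict, Iterable, List, Optional, Tuple, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
Entry = Tuple[IPNetwork, str]  # (network, the value-list line it came from)


def dash_to_cidrs(value: str) -> List[IPNetwork]:
    """Expand one dash-notation value (e.g. 10.0.0.0-10.255.255.255) into the
    minimal set of CIDR blocks covering exactly the same addresses."""
    start_s, end_s = (part.strip() for part in value.split("-", 1))
    start = ipaddress.ip_address(start_s)
    end = ipaddress.ip_address(end_s)
    if start.version != end.version:
        raise ValueError(f"mixed IP versions in range: {value!r}")
    if start > end:
        raise ValueError(f"range start is after end: {value!r}")
    return list(ipaddress.summarize_address_range(start, end))


def parse_value_list(lines: Iterable[str]) -> List[Entry]:
    """Parse value-list lines that are either CIDR (10.0.0.0/8) or dash
    notation (10.0.0.0-10.255.255.255); blank lines are skipped. A bare
    address such as 10.1.2.3 is treated as a /32 (or /128) host.
    Behaviour on malformed lines is this example's choice, not Elastic's."""
    entries: List[Entry] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if "-" in line:  # IPv6 text never contains '-', so this is unambiguous
            for net in dash_to_cidrs(line):
                entries.append((net, line))
        else:
            # strict=True (the default) rejects host bits set under the mask,
            # e.g. 10.0.0.1/8, so a typo does not silently widen the match.
            entries.append((ipaddress.ip_network(line), line))
    return entries


def count_values(lines: Iterable[str]) -> Dict[str, int]:
    """Count how many values are written in each notation. The quoted
    documentation counts each dash-notation range as one value and applies a
    separate, larger threshold to CIDR values."""
    counts = {"dash": 0, "cidr": 0}
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        counts["dash" if "-" in line else "cidr"] += 1
    return counts


def find_match(ip: str, entries: List[Entry]) -> Optional[str]:
    """Return the value-list line whose range contains `ip`, or None."""
    addr = ipaddress.ip_address(ip)
    for net, source in entries:
        if net.version == addr.version and addr in net:
            return source
    return None


# Constructed sample value list (not taken from the original issue).
SAMPLE_LIST = [
    "10.0.0.0/8",
    "192.168.1.10-192.168.1.20",
    "203.0.113.0/24",
    "2001:db8::/32",
]

if __name__ == "__main__":
    entries = parse_value_list(SAMPLE_LIST)
    print(count_values(SAMPLE_LIST))
    for ip in ("10.255.255.255", "192.168.1.15", "192.168.1.21", "2001:db8::1"):
        print(ip, "->", find_match(ip, entries))
    # A dash range that is not aligned to a power-of-two boundary expands to
    # many CIDR blocks, which is what the separate thresholds account for.
    print(len(dash_to_cidrs("10.0.0.1-10.0.0.254")), "CIDR blocks")
```

Run it as-is to see that 10.0.0.0-10.255.255.255 collapses to the single block 10.0.0.0/8, while a range such as 10.0.0.1-10.0.0.254 needs fourteen blocks; a list that is well under the 200 dash-value limit can therefore represent far more CIDR blocks than the same list written out in CIDR form.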


Metadata

Labels

Effort: Medium (Issues that take moderate but not substantial time to complete)
Feature: Exceptions
Priority: Low (Issues that need attention, but are not urgent)
Team: Detection Engine
blocked (An issue that's currently blocked because it's pending info or action from stakeholders)
v8.10.0
v8.11.0
