Add highlighted objects as exceptions to enabled detection models/filters using the context menu in Workbench or Observed Attack Techniques.

This task uses a highlighted object in a Workbench alert to illustrate how to add an exception via the context menu.
Important
  • New exceptions might require a few minutes before taking effect.
  • You can add a maximum of 10,000 exceptions.
  • For a single filter, you can add a maximum of three object values for the same data field as exceptions when using wildcards, and a maximum of 100 object values for the same data field when not using wildcards.

Procedure

  1. Go to Agentic SIEM and XDR → Workbench.
  2. Click the Workbench ID for the alert you want to investigate.
  3. In the Highlights panel, right-click a highlighted object and select Add to Exceptions.
    Note
    An event contains two types of objects: highlighted objects that triggered the current filter, and impact scope entities that are not alert triggers. You can only add highlighted objects as exceptions via the context menu.
  4. To use regex in criteria values, select Allow regex in criteria values.
    Note
    Standard regex syntax is supported:
    • .*: Match zero or more characters
    • .+: Match one or more characters
    • ^: Start of string
    • $: End of string
    • \: Escape characters
      Use a backslash (\) if the value contains any of the following characters and you want to match the characters exactly: \ { } ( ) [ ] . + * ? ^ $ |
    Example 1: To match all .exe files in C:\Users\Temp, type C:\\Users\\Temp\\.*\.exe.
    Example 2: To match all URLs starting with https://example.com/, type https://example\.com/.*.
  5. Type any additional information in the Description.
  6. Click Add.
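As an added example (not from the product documentation), the Python script below dry-runs a proposed exception against a constructed set of observed object values, applying the escaping rules and per-field value limits described above, so an over-broad pattern is spotted before it silently suppresses detections. It assumes regex criteria are compared against the whole value (re.fullmatch); the page does not state the product's exact matching semantics, and the field name and sample values are invented.

```python
import re

# Characters the page lists as needing a backslash to be matched literally.
SPECIAL = set("\\{}()[].+*?^$|")

# Per-field limits stated on the page: three values when wildcards/regex are used,
# 100 otherwise.
MAX_VALUES_REGEX, MAX_VALUES_LITERAL = 3, 100

# Constructed sample of object values an analyst might see in recent alerts.
OBSERVED = [
    r"C:\Users\Temp\setup.exe",
    r"C:\Users\Temp\tools\run.exe",
    r"C:\Users\Temp\notes.txt",
    r"C:\Users\Public\installer.exe",
    "https://example.com/login",
    "https://example-com/login",  # an unescaped '.' in a pattern also matches this
]


def escape_literal(value: str) -> str:
    """Escape a plain value so it matches only itself when 'Allow regex' is on."""
    return "".join("\\" + ch if ch in SPECIAL else ch for ch in value)


def matches(pattern: str, value: str, use_regex: bool) -> bool:
    """Assumption (not stated on the page): regex criteria are compared against the
    whole value, so re.fullmatch is used; without regex the comparison is exact."""
    if not use_regex:
        return pattern == value
    return re.fullmatch(pattern, value) is not None


def check_exception(field: str, patterns: list, use_regex: bool, observed: list) -> dict:
    """Dry-run a proposed exception: report limit or syntax problems and list the
    observed values it would suppress, so over-broad patterns are caught before Add."""
    problems, valid = [], []
    limit = MAX_VALUES_REGEX if use_regex else MAX_VALUES_LITERAL
    if len(patterns) > limit:
        problems.append(f"{len(patterns)} values for '{field}' exceed the limit of {limit}")
    for p in patterns:
        try:
            if use_regex:
                re.compile(p)
            valid.append(p)
        except re.error as exc:
            problems.append(f"invalid regex {p!r}: {exc}")
    suppressed = [v for v in observed if any(matches(p, v, use_regex) for p in valid)]
    return {"field": field, "problems": problems, "suppressed": suppressed}


if __name__ == "__main__":
    for pat in (r"C:\\Users\\Temp\\.*\.exe", r"https://example.com/.*", r"https://example\.com/.*"):
        print(pat, "->", check_exception("object", [pat], True, OBSERVED)["suppressed"])
```

Running it shows that the unescaped `https://example.com/.*` also suppresses the `example-com` URL, while the escaped form from Example 2 matches only the intended host.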