During alert investigation, you can add objects you want to exclude from future detections.

Adding an object to the exception list excludes the object from being detected by the current filter. You can add exceptions using the context menu in Workbench or Observed Attack Techniques. This task uses an object in Workbench as an example to illustrate how to add an exception using the context menu.
Note
New exceptions might require a few minutes before taking effect.

Procedure

  1. In the Workbench app, go to All Alerts.
  2. Click the Workbench ID link of the alert you want to investigate.
    The alert details screen appears.
  3. In the Highlights panel, check the objects involved in each event and choose an object to add as an exception.
    Note
    There are two types of objects involved in an event:
    • Highlighted objects that triggered the current filter
    • Entities included in the impact scope
    You can only add highlighted objects to exceptions. Since impact scope entities are not the alert trigger criteria, they cannot be added as exceptions.
  4. Right-click an object you want to exclude from detection and choose Add to Exceptions.
    The Add to Exceptions screen appears, embedded with the current detection filter and the selected object value.
    Note
    If the object value hits multiple detection filters, all the detection filters will display. By default, all the filters are selected. You can make changes if necessary.
  5. (Optional) Select Edit using wildcards if you want to replace certain parts of the object with wildcards.
    The object value supports the following elements:
    • .*: Multiple character substitute
    • \: Escape character
      If the object value contains any of the following characters, use the escape character \ to indicate that they are ordinary characters that have no special meaning:
      \ { } ( ) [ ] . + * ? ^ $ |
    For example, if you want to match all .exe files in the C:\Users\Temp directory, type C:\\Users\\Temp\\.*\.exe; if you want to match all URLs starting with https://example.com/, type https://example\.com/.*.
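Because an exception silently suppresses future detections, it is worth checking what a wildcard value will actually match before you click Add. The Python script below is an added illustration, not code from the product or this help page. It assumes that an exception value must match the whole object string, that .* is the only wildcard, and that \ escapes the next character; it also rejects any listed special character that is not escaped (a stricter check than the product itself may apply). The sample object values are constructed for the demonstration.

```python
import re

# Characters the help page lists as needing a backslash escape to be literal.
SPECIAL = set(r'\{}()[].+*?^$|')


def compile_exception(value: str) -> re.Pattern:
    """Translate an exception object value (wildcard syntax from the help page)
    into a compiled regular expression.

    Assumption: the value must match the entire object; '.*' is the only
    wildcard; a backslash escapes the next character; any other occurrence of
    a special character is treated as an authoring mistake and rejected.
    """
    parts = []
    i = 0
    while i < len(value):
        c = value[i]
        if c == '\\':
            # Escape sequence: the next character is taken literally.
            if i + 1 >= len(value):
                raise ValueError("dangling escape character at end of value")
            nxt = value[i + 1]
            if nxt not in SPECIAL:
                raise ValueError(f"'\\{nxt}' is not a recognised escape")
            parts.append(re.escape(nxt))
            i += 2
        elif value.startswith('.*', i):
            # The multiple-character wildcard.
            parts.append('.*')
            i += 2
        elif c in SPECIAL:
            raise ValueError(f"unescaped special character {c!r} at position {i}")
        else:
            parts.append(re.escape(c))
            i += 1
    return re.compile(''.join(parts), re.DOTALL)


def validate(value: str):
    """Return None if the value is well formed, otherwise the error message."""
    try:
        compile_exception(value)
    except ValueError as exc:
        return str(exc)
    return None


def matches(value: str, obj: str) -> bool:
    """True if the exception value would cover the given object."""
    return compile_exception(value).fullmatch(obj) is not None


def review(value: str, samples: list[str]) -> tuple[list[str], list[str]]:
    """Split constructed sample objects into those the exception covers and
    those it does not, so the breadth of the exception can be eyeballed."""
    covered = [s for s in samples if matches(value, s)]
    not_covered = [s for s in samples if s not in covered]
    return covered, not_covered


if __name__ == '__main__':
    # Constructed sample objects, not real detections.
    file_value = r'C:\\Users\\Temp\\.*\.exe'
    files = [
        r'C:\Users\Temp\installer.exe',
        r'C:\Users\Temp\nested\tool.exe',   # wildcard also spans subdirectories
        r'C:\Users\Temp\notes.txt',
        r'C:\Users\Temp\tool.exe.bak',      # whole-object match: not covered
    ]
    print(file_value, review(file_value, files))

    url_value = r'https://example\.com/.*'
    urls = ['https://example.com/login', 'https://example-com/login']
    print(url_value, review(url_value, urls))

    # The unescaped dot in the host name is the mistake the help page warns about.
    print(validate('https://example.com/.*'))
```

Note that `.*` also spans directory separators, so an exception for a directory covers every subdirectory under it; if that is broader than intended, use a more specific value.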
  6. (Optional) Specify additional information in the Description text box.
  7. Click Add.
    The exception you added appears on the Exceptions screen of the Detection Model Management app.
    For more information, see Exceptions.
    Note
    In general, you can add a maximum of 10,000 exceptions.
    To add exceptions for a single filter, be aware that:
    • If using wildcards, you can add a maximum of 3 object values associated with the same data field as exceptions.
    • If not using wildcards, you can add a maximum of 100 object values associated with the same data field as exceptions.