Create a custom exception to exclude specified objects or events from future detections.

WARNING
  • Detection model exceptions can cause false negatives, which might let threats go undetected.
  • New exceptions might require a few minutes before taking effect.

Procedure

  1. Go to Agentic SIEM & XDR > Detection Model Management > Exceptions > + Add.
  2. Specify the general settings for the new exception.
  3. Define up to 10 targets.
    1. Specify the target settings:
      • Field
      • Values
        • You can specify up to 50 values. Each value cannot exceed 128 characters.
        • The values must match the format of the selected field. For example, if the field is endpointGUID, you must specify a GUID.
    2. If you need to define multiple targets, click +Add Target to define another target.
  4. Define the event source.
    • Event type
      Each event type is associated with one type of activity data that specific data sources collect. For example, the ENDPOINT_ACTIVITY_DATA event type is associated with endpoint activity data that endpoint sensors collect.
      To learn more about activity data and data sources, see Data sources.
    • Event ID
    • Event sub-ID
  5. Define up to 10 match criteria.
    1. Specify the match criteria:
      • Field type
      • Field
      • Values
        You can specify up to 20 values. Each value cannot exceed 2048 characters.
    2. To use regex in criteria values, select Allow regex in criteria values.
      Standard regex syntax is supported:
      • .*: Match zero or more characters
      • .+: Match one or more characters
      • ^: Start of string
      • $: End of string
      • \: Escape characters
      • Use a backslash (\) if the value contains any of the following characters and you want to match the characters exactly: \ { } ( ) [ ] . + * ? ^ $ |
    3. If you need to add multiple criteria, click Add criteria.
  6. Click Add.
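The following Python is an added example, not part of this documentation or the product. It applies the escaping rule from step 5 to show how an unescaped value can exclude more events than intended when regex is enabled, which widens the false-negative risk stated in the warning. The search-anywhere semantics for regex values and the sample field values are assumptions made for the example.

```python
import re

# Characters that must be escaped with a backslash when "Allow regex in
# criteria values" is enabled (list taken from the procedure above).
REGEX_SPECIALS = set('\\{}()[].+*?^$|')


def escape_literal(value):
    """Escape a literal criteria value so that, with regex enabled, it
    matches exactly that string and nothing else."""
    return ''.join('\\' + ch if ch in REGEX_SPECIALS else ch for ch in value)


def criterion_matches(criteria_value, event_value, allow_regex):
    """Approximate how one match criterion is evaluated against an event field.

    Assumption (not stated on the page): with regex enabled the pattern is
    searched anywhere in the field value, which is why the ^ and $ anchors
    are offered; without regex the comparison is an exact string match.
    """
    if not allow_regex:
        return criteria_value == event_value
    return re.search(criteria_value, event_value) is not None


def check_exception_scope(criteria_value, events, allow_regex):
    """Return the sample event values the criterion would exclude from
    detection, so the scope of an exception can be reviewed before saving."""
    return [e for e in events if criterion_matches(criteria_value, e, allow_regex)]


# Constructed sample field values (file paths and host names) for review.
SAMPLE_PATHS = [
    r'C:\Program Files (x86)\Vendor\agent.exe',
    r'C:\Users\public\agent.exe',
]
SAMPLE_HOSTS = ['update.vendor.example', 'updateXvendorYexample',
                'evil-update.vendor.example']

if __name__ == '__main__':
    # The path contains "\", "(", ")" and "."; unescaped it is not a valid
    # regex for the intended literal, escaped it excludes only that path.
    safe_path = escape_literal(SAMPLE_PATHS[0])
    print(safe_path, check_exception_scope(safe_path, SAMPLE_PATHS, True))
    # An unescaped, unanchored host name excludes every sample host ...
    print(check_exception_scope('update.vendor.example', SAMPLE_HOSTS, True))
    # ... while the escaped and anchored form excludes only the intended one.
    tight = '^' + escape_literal('update.vendor.example') + '$'
    print(check_exception_scope(tight, SAMPLE_HOSTS, True))
```

Before saving an exception with regex enabled, running the intended value through a check like this against recent event samples shows whether the criterion is broader than the object or event you meant to exclude.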