Views:

During alert investigation, you can exclude objects from future detections.

Adding an object to the exception list excludes the object from detection by the current filter. You can add exceptions using the context menu in Workbench or Observed Attack Techniques. This task uses an object in Workbench to illustrate how to add an exception using the context menu.
Note
Note
New exceptions might require a few minutes before taking effect.
You can add a maximum of 10,000 exceptions. To add exceptions for a single filter, be aware that:
  • If using wildcards, you can add a maximum of three object values associated with the same data field as exceptions.
  • If not using wildcards, you can add a maximum of 100 object values associated with the same data field as exceptions.
For more information, see Exceptions.

Procedure

  1. In Workbench, go to All Alerts.
  2. Click the Workbench ID for the alert you want to investigate.
  3. In the Highlights panel, examine the objects involved in each event and choose an object to add as an exception.
    An event has two types of objects:
    • Highlighted objects that triggered the current filter
      You can only add highlighted objects to exceptions.
    • Entities included in the impact scope
      Because impact scope entities are not the alert trigger criteria, you cannot add them as exceptions.
  4. Right-click an object to exclude from detection then select Add to Exceptions.
    Add to Exceptions shows the current detection filter and the selected object value.
  5. To use regex in criteria values, select Allow regex in criteria values.
    Standard regex syntax is supported:
    • .*: Match zero or more characters
    • .+: Match one or more characters
    • ^: Start of string
    • $: End of string
    • \: Escape characters
      Use a backslash (\) if the value contains any of the following characters and you want to match the characters exactly: \ { } ( ) [ ] . + * ? ^ $ |
    Example 1: To match all .exe files in C:\Users\Temp, type C:\\Users\\Temp\\.*\.exe.
    Example 2: To match all URLs starting with https://example.com/, type https://example\.com/.*.
  6. Type any additional information in the Description.
  7. Click Add.
Comments (0)