Create a custom exception to exclude specified objects or events from future detections.

Detection model exceptions can result in false negatives, which can allow security threats to go undetected.
New exceptions might require a few minutes before taking effect.
Custom exceptions contain the following settings:
  • Targets: The location of the objects or events you want to exclude from detections
    For example, you can exclude objects on a specific endpoint using the endpointGUID field and the GUID value of the endpoint.
  • Event source: The types of events you want to exclude from detections
    For example, you can exclude file creation events on endpoints using the ENDPOINT_ACTIVITY event type, the TELEMETRY_FILE event ID, and the TELEMETRY_FILE_CREATE event sub-ID.
  • Match criteria: The objects and events you want to exclude from detections
    For example, you can exclude a specific file attachment using the file_sha1 field type, the attachmentFileHash field, and the SHA-1 value of the file attachment.


  1. Go to XDR Threat InvestigationDetection Model Management and click the Exceptions tab.
  2. Click + Add.
  3. Specify the General Settings that will display in the table on the Exceptions tab.
    1. Specify a name for the exception.
    2. Provide a description to help your team identify the exception and the reason it was added.
  4. Define up to 10 Targets.
    1. Select a target type from the Field drop-down menu.
    2. Specify the targets in the Values field.
      • You can specify up to 50 targets.
      • Each value cannot exceed 128 characters.
      • The values provided must match the specified field. For example, if the field is endpointGUID, then the values provided must be GUIDs.
    3. Click +Add Target to define another target.
  5. Define the Event Source.
    1. Select an Event type from the drop-down menu.
      Each event type is associated one type of activity data collected by a specific set of data sources. For example, the ENDPOINT_ACTIVITY_DATA event type is associated with endpoint activity data collected by endpoint sensors.
      To learn more about activity data and data sources, see Search method data sources.
    2. Select an Event ID from the drop-down menu.
    3. Select an Event sub-ID from the drop-down menu.
  6. Define up to 10 Match Criteria.
    1. Select a Field type.
    2. Select a Field.
    3. Specify up to 20 Values. Each value cannot exceed 2048 characters.
    4. (Optional) Select Edit using wildcards if you want to replace certain parts of the object with wildcards.
      The object value supports the following elements:
      • .*: Multiple character substitute
      • \: Escape character
      • If the object value contains any of the following characters, use the escape character \ to indicate that they are ordinary characters that have no special meaning:
        \ { } ( ) [ ] . + * ? ^ $ |
    5. Click +Add Criteria to add another match criteria.
  7. Click Add.