Edit the settings of a custom exception.

You can modify the following settings categories of custom exceptions:
  • General Settings: The name and description of the exception
    Context menu exceptions do not have names
  • Targets: The location of the objects or events you want to exclude from detections
    For example, you can exclude objects on a specific endpoint using the endpointGUID field and the GUID value of the endpoint.
  • Event source: The types of events you want to exclude from detections
    Exception type allows you to select either Filter-based exception or Global exception. Filter-based exceptions apply only to events that match the filter specified in the exception. Global exceptions are applied to every event.
    If you change Exception type from Filter-based exception to Global exception and save your changes, you will not be able to revert this exception back to filter-based later.
  • Match criteria: The objects and events you want to exclude from detections
    For example, you can exclude a specific file attachment using the file_sha1 field type, the attachmentFileHash field, and the SHA-1 value of the file attachment.


  1. Go to XDR Threat InvestigationDetection Model Management and click the Exceptions tab.
  2. Click the edit icon edit-icon_001.png on the right side of the exception you want to modify.
  3. Edit the settings you want to modify.
  4. Click Save.
    Your changes might take a few minutes to take effect.