Adding an Exception

During alert investigation, you can add objects you want to exclude from detection as exceptions.

Adding an object to the exception list excludes the object value associated with the specified data field from being detected by the current filter.

  1. In the Workbench app, click the Alert View tab.
  2. Click the Workbench ID link of the alert you want to investigate.

    The alert details screen appears.

  3. In the Highlights panel, right-click an object you want to exclude from detection and choose Add to Exceptions.

    The Add to Exceptions screen appears, embedded with the current detection filter and the selected object value.

    Note:

    If the object value hits multiple detection filters, all of those detection filters are displayed. By default, all the filters are selected. You can change the selection if necessary.

  4. (Optional) Select Edit using wildcards if you want to replace certain parts of the object with wildcards.

    The object value supports the following elements:

    • .*: Wildcard that substitutes for any sequence of characters

    • \: Escape character

      If the object value contains any of the following characters, use the escape character "\" to indicate that they are ordinary characters that have no special meaning:

      \ { } ( ) [ ] . + * ? ^ $ |

    For example, if you want to match all .exe files in the C:\Users\Temp directory, type C:\\Users\\Temp\\.*\.exe; if you want to match all URLs starting with https://example.com/, type https://example\.com/.*.

  5. (Optional) Specify additional information in the Description text box.
  6. Click Add.

    The exception you added appears on the Exceptions screen of the Detection Model Management app.

    For more information, see Exceptions.

    Note:

    In general, you can add a maximum of 10,000 exceptions.

    When adding exceptions for a single filter, be aware that:

    • If using wildcards, you can add a maximum of 10 object values associated with the same data field as exceptions.

    • If not using wildcards, you can add a maximum of 100 object values associated with the same data field as exceptions.
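The following is an added example, written for this page and not part of the product, that reproduces the wildcard syntax from step 4 so you can check how broad an exception is before adding it. It assumes the object value is evaluated as a regular expression that must cover the whole value (the page does not state the matching engine or anchoring), and `escape_literal` is a helper written here, not a product function. The sample paths and URLs are constructed. It also shows two points the page's examples imply but do not spell out: `.*` spans path separators, so the `C:\\Users\\Temp\\.*\.exe` pattern also covers files in subdirectories, and leaving `.` unescaped widens a URL exception to hostnames that merely resemble the intended one.

```python
import re

# Characters the documentation lists as needing a "\" escape to be read literally.
SPECIAL_CHARS = set('\\{}()[].+*?^$|')

# The two patterns quoted in step 4 of the page.
PAGE_FILE_PATTERN = r"C:\\Users\\Temp\\.*\.exe"
PAGE_URL_PATTERN = r"https://example\.com/.*"

# The same URL pattern with "." left unescaped, to show what the escape prevents.
UNESCAPED_URL_PATTERN = r"https://example.com/.*"

# Constructed sample object values for the demonstration (not from the page).
SAMPLE_FILES = [
    r"C:\Users\Temp\installer.exe",
    r"C:\Users\Temp\notes.txt",
    r"C:\Users\Temp\deep\tool.exe",   # subdirectory: ".*" still covers it
    r"C:\Users\Temp\toolXexe",        # no literal ".exe" suffix
    r"C:\Users\Public\other.exe",     # different directory
]
SAMPLE_URLS = [
    "https://example.com/login",
    "https://exampleXcom/login",      # only matched if "." is unescaped
    "http://example.com/",
]


def escape_literal(value: str) -> str:
    """Escape every special character so the exception matches exactly
    this value and nothing else (helper written for this example)."""
    return "".join("\\" + ch if ch in SPECIAL_CHARS else ch for ch in value)


def exception_matches(pattern: str, value: str) -> bool:
    """Assumption: the exception is a regular expression that must cover the
    whole object value, hence re.fullmatch. The page does not state the
    engine; this only reproduces the documented syntax."""
    return re.fullmatch(pattern, value) is not None


def matched_values(pattern: str, values):
    """Return the subset of `values` the exception would suppress, so the
    breadth of a wildcard exception can be reviewed before it is added."""
    return [v for v in values if exception_matches(pattern, v)]


if __name__ == "__main__":
    for pattern in (PAGE_FILE_PATTERN, r".*\.exe", escape_literal(SAMPLE_FILES[0])):
        print(f"{pattern!r:40} suppresses {matched_values(pattern, SAMPLE_FILES)}")
    for pattern in (PAGE_URL_PATTERN, UNESCAPED_URL_PATTERN):
        print(f"{pattern!r:40} suppresses {matched_values(pattern, SAMPLE_URLS)}")
```

Running the block lists which sample values each pattern would suppress; a pattern such as `.*\.exe` matching every executable in the list is the kind of over-broad exception worth rejecting during review.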