Exceptions exclude specified objects and events from detection models, helping to eliminate false positives and reduce alert fatigue.
There are two types of exceptions:

- Custom exceptions are created in the Detection Model Management app and use target, event source, and match criteria to define the objects and events to be excluded from detections. Click +Add to create a custom exception.
- Context menu exceptions are created from the context menu in Workbench and Observed Attack Techniques and use the detection model filter and match criteria to define the objects and events to be excluded from detections.
Exceptions are not supported for custom models. Objects excluded from normal detection models may still trigger alerts for custom models.
The following table outlines the information available on the Exceptions tab.
Column | Description
---|---
Exception ID | The unique identifier of the exception
Name | The user-defined name of the exception. Note: Context menu exceptions do not have names.
Targets | The locations of the objects or events excluded from detections
Event source / Filter | 
Match criteria | The objects or events excluded from detections
Description | The user-defined information about the exception
Last updated | The date and time the exception was last updated
Created/Updated by | The user who created or last updated the exception