Exceptions

Exceptions exclude specified objects and events from detection models, helping to eliminate false positives and reduce alert fatigue.

There are two types of exceptions:

  • Custom exceptions are created in the Detection Model Management app and use target, event source, and match criteria to define the objects and events to be excluded from detections.

    Click +Add to create a custom exception.

  • Context menu exceptions are created from the context menu in Workbench and Observed Attack Techniques and use the detection model filter and match criteria to define the objects and events to be excluded from detections.

Note:

Exceptions are not supported for custom models. Objects excluded from normal detection models may still trigger alerts for custom models.
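To make the matching rules above concrete, here is an added example (not Trend Micro's code or API) that models how an exception's target, event source or filter, and match criteria are evaluated against detections, including the rule that custom models are never suppressed. All class and field names are assumptions; the sample detections are constructed.

```python
# Added illustration, not product code: a simplified evaluator for
# detection-model exceptions. Field names and sample values are assumed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Detection:
    filter_name: str        # detection model filter that fired
    custom_model: bool      # True when the filter belongs to a custom model
    target: str             # location of the object/event, e.g. an endpoint
    event_source: str       # type of event, e.g. "endpoint activity"
    fields: dict            # indicator fields the filter matched on

@dataclass(frozen=True)
class DetectionException:
    kind: str                           # "custom" or "context_menu"
    match_criteria: dict                # field -> required value (all must match)
    targets: frozenset = frozenset()    # empty = applies to every target
    event_source: str = ""              # custom exceptions: event type to exclude
    filter_name: str = ""               # context menu exceptions: originating filter

def suppresses(exc: DetectionException, det: Detection) -> bool:
    """True if this exception excludes the detection."""
    if det.custom_model:        # exceptions never apply to custom models
        return False
    if exc.targets and det.target not in exc.targets:
        return False
    if exc.kind == "custom" and exc.event_source != det.event_source:
        return False
    if exc.kind == "context_menu" and exc.filter_name != det.filter_name:
        return False
    return all(det.fields.get(k) == v for k, v in exc.match_criteria.items())

def apply_exceptions(detections, exceptions):
    """Return only the detections that no exception suppresses."""
    return [d for d in detections if not any(suppresses(e, d) for e in exceptions)]

# Constructed sample data: a backup service account that launches an unusual
# process on host-01 is expected, so it is excluded on that host only.
FIELDS = {"processName": "backup_agent.exe", "user": "svc_backup"}
DETECTIONS = [
    Detection("Unusual process launch", False, "host-01", "endpoint activity", FIELDS),
    Detection("Unusual process launch", False, "host-02", "endpoint activity", FIELDS),
    Detection("My custom backup rule", True, "host-01", "endpoint activity", FIELDS),
]
EXCEPTIONS = [
    DetectionException("custom", {"user": "svc_backup"}, frozenset({"host-01"}),
                       event_source="endpoint activity"),
]
```

Running `apply_exceptions(DETECTIONS, EXCEPTIONS)` leaves the host-02 detection and the custom-model detection, showing why an excluded object can still alert under a custom model.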

The following table outlines the information available on the Exceptions tab.

| Column | Description |
| --- | --- |
| Exception ID | The unique identifier of the exception |
| Name | The user-defined name of the exception. Note: context menu exceptions do not have names. |
| Targets | The locations of the objects or events excluded from detections |
| Event source / Filter | Event source: the types of events excluded from detections (custom exceptions). Filter: the detection model filter that identified the object as a threat indicator (context menu exceptions). |
| Match criteria | The objects or events excluded from detections |
| Description | The user-defined information about the exception |
| Last updated | The date and time the exception was last updated |
| Created/Updated by | The user who created or last updated the exception |