Editing a Custom Exception

Edit the settings of a custom exception.

You can modify the following settings categories of custom exceptions:
  • General Settings: The name and description of the exception

    Note: Context menu exceptions do not have names
  • Targets: The location of the objects or events you want to exclude from detections

    For example, you can exclude objects on a specific endpoint using the endpointGUID field and the GUID value of the endpoint.

  • Event source: The types of events you want to exclude from detections

    Exception type allows you to select either Filter-based exception or Global exception. Filter-based exceptions apply only to events that match the filter specified in the exception. Global exceptions are applied to every event.

    Warning: If you change Exception type from Filter-based exception to Global exception and save your changes, you will not be able to revert this exception back to filter-based later.
  • Match criteria: The objects and events you want to exclude from detections

    For example, you can exclude a specific file attachment using the file_sha1 field type, the attachmentFileHash field, and the SHA-1 value of the file attachment.

  1. Go to XDR Threat Investigation > Detection Model Management and click the Exceptions tab.
  2. Click the edit icon on the right side of the exception you want to modify.
  3. Edit the settings you want to modify.
  4. Click Save.
    Note: Your changes might take a few minutes to take effect.