Create exclusion

This topic covers both the rule exclusion and script exclusion creation process.

 

Note

If the Create exclusion button was used for the selected rule(s), for example on the Detection rules page or in Detections, some data specific to those rule(s) is prefilled.

Create rule exclusion

The process is divided into three parts:

Basics

- Exclusion name—name the exclusion for future identification

- Comment—optional, more in-depth description of the exclusion

Criteria

You can create the criteria in the Advanced Editor by clicking the Advanced Editor button and using the rule syntax, or by using these predefined criteria:

- Current process—criteria created for the currently selected process

- Parent process—criteria created for the parent process of the currently selected process

- Any ancestor process—criteria created for any ancestor process of the currently selected process

- Process name is one of—you can enter more than one process name that you want the exclusion to apply to

- Process path starts with—the path to the specified process(es) (C:\Windows or %SYSTEM% can be used)

- Cmd. line contains—type in the command-line parameters of the process you want to exclude

- Signer is one of—name of the signer for the exclusion

- Signature type is—choose a comparison operator (is, is not, greater than or equal, less or equal) and then the signature type: Trusted, Valid, None, Invalid or Unknown. This field is mandatory when Signer is selected

- SHA-1 is one of—type the SHA-1 hashes of the processes you want to exclude, if known

- Computer is one of—type the names of all computers that you want the exclusion to apply to

- Group is one of—type the names of the computer groups that you want the exclusion to apply to. This includes all computers and subgroups of the selected group (for the hierarchy All -> Subgroup 1 -> Subgroup 2 -> PC 1, selecting Subgroup 1 includes all PCs in Subgroup 1 and also those in Subgroup 2)

- User is one of—type the names of all users you want the exclusion to apply to

The Exclusion preview field shows a summary of all selected criteria.

Rules

Select rules that you want to exclude.

- ADD FILTER

  Rule Name—filter rules by name (equal or not equal)

- Auto-resolving—when selected, all existing detections (already detected in the past) that fulfil the exclusion criteria are marked as resolved. They no longer appear in the default view of the Detections views.
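As an added illustration (not ESET's code), the following Python model shows how the criteria above combine with the selected rules and with auto-resolving. The ranking used for the greater than or equal / less or equal operators on signature type and the exact matching rules (case-insensitive names, AND between criteria) are assumptions of this example, as are the sample detections and group tree.

```python
from dataclasses import dataclass

# Assumed ranking for the "greater than or equal" / "less or equal" operators on signature
# type: the page lists Trusted, Valid, None, Invalid, Unknown, ranked here in that order.
SIG_RANK = {"Trusted": 4, "Valid": 3, "None": 2, "Invalid": 1, "Unknown": 0}
# Constructed group tree mirroring the page's All -> Subgroup 1 -> Subgroup 2 -> PC 1 example.
GROUPS = {"All": (["Subgroup 1"], []), "Subgroup 1": (["Subgroup 2"], ["PC 1"]),
          "Subgroup 2": ([], ["PC 2"])}
def computers_in(group):
    """A selected group covers its own computers and, recursively, every subgroup's."""
    subs, pcs = GROUPS.get(group, ([], []))
    return set(pcs).union(*[computers_in(s) for s in subs])
@dataclass
class Detection:
    rule: str; process: str; path: str; signer: str; sig_type: str; computer: str
    resolved: bool = False
def matches(crit, d):
    """Every criterion present must hold (they are ANDed); absent ones do not restrict."""
    lc = str.lower
    if "process_name" in crit and lc(d.process) not in map(lc, crit["process_name"]):
        return False
    if "path_starts_with" in crit and not lc(d.path).startswith(lc(crit["path_starts_with"])):
        return False
    if "signer" in crit:
        if d.signer not in crit["signer"]:
            return False
        op, typ = crit["sig_type"]  # mandatory once a signer is given
        have, want = SIG_RANK[d.sig_type], SIG_RANK[typ]
        if {"is": have != want, "is not": have == want, ">=": have < want, "<=": have > want}[op]:
            return False
    if "group" in crit and d.computer not in computers_in(crit["group"]):
        return False
    return True
def apply_exclusion(excl, detections):
    """Return the detections the exclusion covers; with auto-resolving on, mark them resolved."""
    hits = [d for d in detections if d.rule in excl["rules"] and matches(excl["criteria"], d)]
    if excl.get("auto_resolve"):
        for d in hits:
            d.resolved = True
    return hits
# Constructed sample: one trusted-signed PowerShell on PC 2 (inside Subgroup 2) that the exclusion
# should cover, plus an invalidly signed copy outside C:\Windows and a machine outside the group.
RULE, PS = "Suspicious PowerShell", r"C:\Windows\System32\WindowsPowerShell\v1.0"
SAMPLE = [Detection(RULE, "powershell.exe", PS, "Microsoft Windows", "Trusted", "PC 2"),
          Detection(RULE, "powershell.exe", r"C:\Users\Public", "Microsoft Windows", "Invalid", "PC 2"),
          Detection(RULE, "powershell.exe", PS, "Microsoft Windows", "Trusted", "PC 9")]
EXCLUSION = {"rules": [RULE], "auto_resolve": True,
             "criteria": {"process_name": ["PowerShell.exe"], "path_starts_with": r"C:\Windows",
                          "signer": ["Microsoft Windows"], "sig_type": (">=", "Valid"),
                          "group": "Subgroup 1"}}
```

Running apply_exclusion(EXCLUSION, SAMPLE) resolves only the first detection; the other two stay visible because one fails the path and signature criteria and the other is on a computer outside the selected group.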

 

Create an exclusion for a specified script

Basics

- Exclusion name—name the exclusion for future identification

- Comment—optional, more in-depth description of the exclusion

Criteria

You can create the criteria in the Advanced Editor by clicking the Advanced Editor button and using the rule syntax, or by using these predefined criteria:

- Process name is one of—you can enter more than one process name that you want the exclusion to apply to

- Cmd. line contains—enter the command-line parameters of the process if you want to exclude it by its parameters

- Computer is one of—enter the names of all computers that you want the exclusion to apply to

- Group is one of—type the names of the computer groups that you want the exclusion to apply to. This includes all computers and subgroups of the selected group (for the hierarchy All -> Subgroup 1 -> Subgroup 2 -> PC 1, selecting Subgroup 1 includes all PCs in Subgroup 1 and also those in Subgroup 2)

- User is one of—enter the names of all users you want the exclusion to apply to

The Exclusion preview field shows a summary of all selected criteria.

After creating the exclusion, you are redirected to the Exclusions sub-tab of the Admin tab.

 

Create event storage filter

Basics

- Exclusion name—name the exclusion for future identification

- Comment—optional, more in-depth description of the exclusion

Criteria

You can create the criteria in the Advanced Editor by clicking the Advanced Editor button and using the rule syntax, or by using these predefined criteria:

- Process name is one of—you can enter more than one process name that you want the exclusion to apply to

- Process path starts with—the path to the specified process(es) (C:\Windows or %SYSTEM% can be used)

- Cmd. line contains—type in the command-line parameters of the process you want to exclude

- Signer Name is one of—name of the signer for the exclusion

- Signature type is—choose a comparison operator (is, is not, greater than or equal, less or equal) and then the signature type: Trusted, Valid, None, Invalid or Unknown. This field is mandatory when Signer is selected

- SHA-1 is one of—type the SHA-1 hashes of the processes you want to exclude, if known

- Computer is one of—type the names of all computers that you want the exclusion to apply to

- Group is one of—type the names of the computer groups that you want the exclusion to apply to. This includes all computers and subgroups of the selected group (for the hierarchy All -> Subgroup 1 -> Subgroup 2 -> PC 1, selecting Subgroup 1 includes all PCs in Subgroup 1 and also those in Subgroup 2)

- User is one of—type the names of all users you want the exclusion to apply to

The Exclusion preview field shows a summary of all selected criteria.

Event types

- File system events

- TCP events

- Registry events

- HTTP events

- DNS events

After creating the exclusion, you are redirected to the Event filters sub-tab of the Admin tab.

Some of the filters have a funnel icon next to them with two or four predefined options:

Unknown—the value in the filtered column is not available (the value was probably not known at the time of occurrence)

Known—the value is available

None—the value is an empty string

Any—the value is not empty (the negation of the None filter)

Note

All filters can be combined with one another.