Create exclusion
This topic covers both the rule exclusion and script exclusion creation process.
If the create exclusion button was used for the selected rule(s), for example on Detection rules page or Detections, some data specific to rule(s) are prefilled. |
To create a new exclusion, click Exclusion > New exclusion.
In the Basics section, type basic information about the exclusion, such as an Exclusion name and Note (optional), for an in-depth description.
Criteria
Click Continue to configure the exclusion settings. Exclude processes is divided into three parts:
•Current process—Criteria created for the currently selected process.
•Parent process—Criteria created for the parent process of actual selection.
•Any ancestor process—Criteria created for any ancestor process.
You can use pre-defined criteria:
•Process name is one of—Type the process names you want to apply to the exclusion.
•Process path starts with—The path to the specified process (C:\Windows or %SYSTEM% can be used).
•Cmd. line contains—Type the process parameters if you want to exclude by parameter.
•Signer is one of—Type the signer for exclusion names.
•Signature type is—Choose comparison operators: is, is not, greater than or equal, less or equal. Then the Signer type: Trusted, Valid, Self-signed, None, Invalid or Present. It is a mandatory field when a Signer is selected.
•SHA-1 is one of—Type the process SHAs you want to exclude if known.
•User is one of—Type all user names you want to apply to the exclusion.
Optionally, use Advanced editor to modify the criteria by changing the Rule syntax.
Rules
Select rules that you want to exclude. Click Add filter, and select Rule name and type string to search.
Auto-resolving—When selected, all detections (already detected in the past) fulfilling the exclusion criteria will be marked as resolved. They will not appear in the default view in detections views.
Targets
Click Assign to select computers or groups where you want this exclusion to apply and click OK.
Summary
Review the configured settings summary in the Exclusion preview. Verify the settings and click Create exclusion.
Create an exclusion for a specified script
In the Basics section, type basic information about the exclusion, such as an Exclusion name and Note (optional), for an in-depth description.
Criteria
You can use pre-defined criteria:
•Process name is one of—Type the process names you want to apply to the exclusion.
•Cmd. line contains—Type the process parameters if you want to exclude by parameter.
•User is one of—Type all user names you want to apply to the exclusion.
Optionally, use Advanced editor to modify the criteria by changing the Rule syntax.
Targets
Click Assign to select computers or groups where you want this exclusion to apply and click OK.
Summary
Review the configured settings summary in the Exclusion preview. Verify the settings and click Create exclusion.
Create event storage filter
In the Basics section, type basic information about the exclusion, such as an Exclusion name and Note (optional), for an in-depth description.
Criteria
You can use pre-defined criteria:
•Process name is one of—Type the process names you want to apply to the exclusion.
•Process path starts with—The path to the specified process (C:\Windows or %SYSTEM% can be used).
•Cmd. line contains—Type the process parameters if you want to exclude by parameter.
•Signer is one of—Type the signer for exclusion names.
•Signature type is—Choose comparison operators: is, is not, greater than or equal, less or equal. Then the Signer type: Trusted, Valid, Self-signed, None, Invalid or Present. It is a mandatory field when a Signer is selected.
•SHA-1 is one of—Type the process SHAs you want to exclude if known.
•User is one of—Type all user names you want to apply to the exclusion.
Optionally, use Advanced editor to modify the criteria by changing the Rule syntax.
Targets
Click Assign to select computers or groups where you want this exclusion to apply and click OK.
Summary
Review the configured settings summary in the Exclusion preview. Verify the settings and click Create exclusion.
Event types
•File system events
•TCP events
•Registry events
•HTTP events
•DNS events