ESET Online Help


Create exclusion

This topic covers both the rule exclusion and script exclusion creation process.


Note: If the Create exclusion button was used for the selected rule(s), for example on the Detection rules page or in Detections, some rule-specific data is prefilled.

To create a new exclusion, click Exclusion > New exclusion.

In the Basics section, type basic information about the exclusion, such as an Exclusion name and Note (optional) for a more in-depth description.

Criteria

Click Continue to configure the exclusion settings. Exclude processes is divided into three parts:

Current process—Criteria created for the currently selected process.

Parent process—Criteria created for the parent process of the currently selected process.

Any ancestor process—Criteria created for any ancestor process.

You can use pre-defined criteria:

Process name is one of—Type the names of the processes to which you want to apply the exclusion.

Process path starts with—The path to the specified process (C:\Windows or %SYSTEM% can be used).

Cmd. line contains—Type the process parameters if you want to exclude processes by their parameters.

Signer is one of—Type the names of the signers to exclude.

Signature type is—Choose a comparison operator (is, is not, greater than or equal, less or equal) and then the signature type: Trusted, Valid, None, Invalid, or Unknown. This field is mandatory when Signer is selected.

SHA-1 is one of—Type the SHA-1 hashes of the processes you want to exclude, if known.

User is one of—Type the names of all users to whom you want to apply the exclusion.

Optionally, use Advanced editor to further modify the criteria by changing the Rule syntax.
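To see how the three parts of Exclude processes differ in reach, the following added example (not ESET's code or rule syntax) models a subset of the pre-defined criteria in Python and evaluates them over a constructed process tree. The record fields, the rule that all filled-in criteria must match, and the case-insensitive comparison are assumptions of this example.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Proc:
    """Constructed process record; field names are assumptions, not ESET's schema."""
    name: str
    path: str
    cmdline: str
    user: str
    sha1: str
    parent: Optional["Proc"] = None

@dataclass
class Criteria:
    """Subset of the pre-defined criteria; empty fields are ignored."""
    names: set = field(default_factory=set)   # Process name is one of
    path_prefix: str = ""                     # Process path starts with
    cmd_contains: str = ""                    # Cmd. line contains
    sha1s: set = field(default_factory=set)   # SHA-1 is one of
    users: set = field(default_factory=set)   # User is one of
    def matches(self, p: Proc) -> bool:
        # Assumption: every filled-in criterion must hold, compared case-insensitively.
        return ((not self.names or p.name.lower() in {n.lower() for n in self.names})
            and p.path.lower().startswith(self.path_prefix.lower())
            and self.cmd_contains.lower() in p.cmdline.lower()
            and (not self.sha1s or p.sha1.lower() in {s.lower() for s in self.sha1s})
            and (not self.users or p.user.lower() in {u.lower() for u in self.users}))

def ancestors(p: Proc):
    while p.parent is not None:   # walk parent, grandparent, ... up to the root
        p = p.parent
        yield p

def excluded(p: Proc, current=None, parent=None, ancestor=None) -> bool:
    """Apply criteria to the three parts: current, parent, any ancestor process."""
    if current is not None and not current.matches(p):
        return False
    if parent is not None and not (p.parent is not None and parent.matches(p.parent)):
        return False
    if ancestor is not None and not any(ancestor.matches(a) for a in ancestors(p)):
        return False
    return True

# Constructed sample tree: services.exe -> backup_agent.exe -> cmd.exe -> powershell.exe
svc = Proc("services.exe", r"C:\Windows\System32\services.exe", "", "SYSTEM", "a" * 40)
agent = Proc("backup_agent.exe", r"C:\Program Files\Backup\backup_agent.exe", "--run", "SYSTEM", "b" * 40, svc)
shell = Proc("cmd.exe", r"C:\Windows\System32\cmd.exe", "/c job.bat", "SYSTEM", "c" * 40, agent)
ps = Proc("powershell.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "-File job.ps1", "SYSTEM", "d" * 40, shell)
```

In this model, criteria placed on Parent process exclude only direct children of the named process, while the same criteria on Any ancestor process also cover every process further down the tree.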

Rules

Select the rules that you want to exclude. Click Add filter, select Rule name, and type a string to search for.

Auto-resolving—When selected, all past detections that meet the exclusion criteria are marked as resolved and no longer appear in the default view of the Detections views.

Targets

Click Assign to select computers or groups where you want this exclusion to apply and click OK.

Summary

Review the summary of configured settings in the Exclusion preview. Verify all the settings for this exclusion and click Create exclusion.

After creating the exclusion, you are redirected to the Exclusions sub-tab from the More tab.

Create an exclusion for a specified script

In the Basics section, type basic information about the exclusion, such as an Exclusion name and Note (optional) for a more in-depth description.

Criteria

You can use pre-defined criteria:

Process name is one of—Type the names of the processes to which you want to apply the exclusion.

Cmd. line contains—Type the process parameters if you want to exclude processes by their parameters.

User is one of—Type the names of all users to whom you want to apply the exclusion.

Optionally, use Advanced editor to further modify the criteria by changing the Rule syntax.

Targets

Click Assign to select computers or groups where you want this exclusion to apply and click OK.

Summary

Review the summary of configured settings in the Exclusion preview. Verify all the settings for this exclusion and click Create exclusion.

Create event storage filter

In the Basics section, type basic information about the exclusion, such as an Exclusion name and Note (optional) for a more in-depth description.

Criteria

You can use pre-defined criteria:

Process name is one of—Type the names of the processes to which you want to apply the exclusion.

Process path starts with—The path to the specified process (C:\Windows or %SYSTEM% can be used).

Cmd. line contains—Type the process parameters if you want to exclude processes by their parameters.

Signer is one of—Type the names of the signers to exclude.

Signature type is—Choose a comparison operator (is, is not, greater than or equal, less or equal) and then the signature type: Trusted, Valid, None, Invalid, or Unknown. This field is mandatory when Signer is selected.

SHA-1 is one of—Type the SHA-1 hashes of the processes you want to exclude, if known.

User is one of—Type the names of all users to whom you want to apply the exclusion.

Optionally, use Advanced editor to further modify the criteria by changing the Rule syntax.

Targets

Click Assign to select computers or groups where you want this exclusion to apply and click OK.

Summary

Review the summary of configured settings in the Exclusion preview. Verify all the settings for this exclusion and click Create exclusion.

Event types

File system events

TCP events

Registry events

HTTP events

DNS events

After creating the exclusion, you are redirected to the Event filters sub-tab from the More tab.