Create a custom exception to exclude specified objects or events from future detections.

WARNING
Detection model exceptions can cause false negatives, which may allow security threats to go undetected.
Note
New exceptions might require a few minutes before taking effect.
Custom exceptions contain the following settings:
  • Targets: The location of the objects or events you want to exclude from detections
    For example, you can exclude objects on a specific endpoint using the endpointGUID field and the globally unique identifier (GUID) of the endpoint.
  • Event source: The types of events you want to exclude from detections
    For example, you can exclude file creation events on endpoints using the ENDPOINT_ACTIVITY event type, the TELEMETRY_FILE event ID, and the TELEMETRY_FILE_CREATE event sub-ID.
  • Match criteria: The objects and events you want to exclude from detections
    For example, you can exclude a specific file attachment using the file_sha1 field type, the attachmentFileHash field, and the secure hash algorithm 1 (SHA-1) of the file attachment.

Procedure

  1. Go to XDR Threat Investigation > Detection Model Management and click the Exceptions tab.
  2. Click + Add.
  3. Specify the General Settings for the Exceptions table.
    1. Specify a name for the exception.
    2. Type a description to help your team identify the exception and the reason for adding it.
  4. Define up to 10 Targets.
    1. Select a target type from Field.
    2. Specify the targets Values.
      • You can specify up to 50 targets.
      • Each value cannot exceed 128 characters.
      • The values must match the specified field. For example, if the field is endpointGUID, then the value provided must be a GUID.
    3. Click +Add Target to define another target.
  5. Define the Event Source.
    1. Select an Event type.
      Note
      Each event type is associated with one type of activity data collected by a specific set of data sources. For example, the ENDPOINT_ACTIVITY_DATA event type is associated with endpoint activity data collected by endpoint sensors.
      To learn more about activity data and data sources, see Search method data sources.
    2. Select an Event ID.
    3. Select an Event sub-ID.
  6. Define up to 10 Match Criteria.
    1. Select a Field type.
    2. Select a Field.
    3. Specify up to 20 Values. Each value cannot exceed 2048 characters.
    4. To replace certain parts of the object with wildcards, select Edit using wildcards.
      The object value supports the following elements:
      • .*: Multiple character substitute
      • \: Escape character
      • If the object value contains any of the following characters, use the escape character, backslash (\), to indicate an ordinary character that has no special meaning:
        \ { } ( ) [ ] . + * ? ^ $ |
    5. Click +Add Criteria to add another match criterion.
  7. Click Add.
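As an added example that is not part of the product documentation, the following Python helper builds an object value in the wildcard syntax described in step 6 from literal path fragments, escaping every listed special character, and then interprets the resulting value the way the documentation describes (`.*` as a multi-character substitute, `\` as the escape character). Treating a lone unescaped `.` as an ordinary character, and the sample file paths, are assumptions of this example, not statements from the page.

```python
import re

# Characters the documentation lists as needing a backslash escape when they
# should be matched literally in an exception object value.
SPECIAL_CHARS = set(r"\{}()[].+*?^$|")
MAX_VALUE_LENGTH = 2048  # per-value limit stated in step 6


def escape_literal(text: str) -> str:
    """Escape every special character so the fragment matches itself only."""
    return "".join("\\" + ch if ch in SPECIAL_CHARS else ch for ch in text)


def build_object_value(fragments) -> str:
    """Join literal fragments with the '.*' wildcard between them.

    Example: ["C:\\Users\\", "\\AppData\\tool.exe"] produces a value that
    matches any user profile folder while keeping the rest of the path exact.
    """
    value = ".*".join(escape_literal(f) for f in fragments)
    if len(value) > MAX_VALUE_LENGTH:
        raise ValueError(f"object value exceeds {MAX_VALUE_LENGTH} characters")
    return value


def object_value_to_regex(value: str) -> re.Pattern:
    """Interpret the exception syntax: '.*' is a wildcard, '\\x' is a literal x,
    and everything else (assumption: including a lone '.') is literal.
    The pattern is anchored so the whole observed value must match."""
    parts, i = [], 0
    while i < len(value):
        if value.startswith(".*", i):
            parts.append(".*")
            i += 2
        elif value[i] == "\\" and i + 1 < len(value):
            parts.append(re.escape(value[i + 1]))
            i += 2
        else:
            parts.append(re.escape(value[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$", re.DOTALL)


def matches(value: str, observed: str) -> bool:
    """True if the observed object (e.g. a file path) is covered by the value."""
    return object_value_to_regex(value).fullmatch(observed) is not None
```

Checking a candidate value against the paths you expect it to cover, and against near misses, before saving the exception limits the false negatives the warning above refers to.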