Add custom exceptions to enabled detection models/filters to exclude specified highlighted objects or events from future detections.

Procedure

  1. Go to Agentic SIEM and XDR > Detection Model Management > Exceptions.
  2. Click + Add.
  3. Specify the general settings (Exception name and Description).
  4. Specify the Field and Values target settings.
    Note
    • You can specify up to 50 values. Each value cannot exceed 128 characters.
    • The values must match the format of the selected field. For example, if the field is endpointGUID, you must specify a GUID.
    • If you need to define multiple targets, click +Add Target to define another target.
  5. Select the event source Event type, Event ID, and Event sub-ID.
    Note
    Each event type is associated with one type of activity data that specific data sources collect. For example, the ENDPOINT_ACTIVITY_DATA event type is associated with endpoint activity data that endpoint sensors collect.
    For more information about data sources, see Data sources.
  6. Specify the match criteria (Field type, Field, and Values). If you need to add multiple criteria, click Add criteria.
  7. To use regex in criteria values, select Allow regex in criteria values.
    Note
    Standard regex syntax is supported:
    • .*: Match zero or more characters
    • .+: Match one or more characters
    • ^: Start of string
    • $: End of string
    • \: Escape characters
      Use a backslash (\) if the value contains any of the following characters and you want to match the characters exactly: \ { } ( ) [ ] . + * ? ^ $ |
    Example 1: To match all .exe files in C:\Users\Temp, type C:\\Users\\Temp\\.*\.exe.
    Example 2: To match all URLs starting with https://example.com/, type https://example\.com/.*.
  8. Click Add.
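The following added example (not part of this documentation or the product's own code) applies the value limits and the regex escaping rules from steps 4 and 7 to constructed sample field values, and shows why the `.exe` pattern in Example 1 also matches `setup.exe.txt` unless it is anchored with `$`. It assumes that, with regex enabled, a value is searched within the field value (so only `^` and `$` anchor it) and that an exception with several values applies when any one of them matches; neither point is stated on the page.

```python
import re

# Limits stated in the procedure notes.
MAX_VALUES = 50
MAX_VALUE_LEN = 128
# Characters the page says need a backslash to be matched literally.
SPECIAL_CHARS = set(r'\{}()[].+*?^$|')


def escape_literal(value: str) -> str:
    """Escape every special character so the value matches itself exactly."""
    return ''.join('\\' + ch if ch in SPECIAL_CHARS else ch for ch in value)


def validate_values(values: list) -> None:
    """Enforce the stated limits: at most 50 values, each at most 128 chars."""
    if len(values) > MAX_VALUES:
        raise ValueError(f'{len(values)} values exceeds the limit of {MAX_VALUES}')
    for v in values:
        if len(v) > MAX_VALUE_LEN:
            raise ValueError(f'value longer than {MAX_VALUE_LEN} characters: {v[:16]}...')


def value_matches(value: str, field_value: str, allow_regex: bool) -> bool:
    """One criteria value against one event field value.

    Assumption (not stated on the page): with regex enabled the value is
    searched within the field value, so ^ and $ are what anchor it.
    """
    if not allow_regex:
        return value == field_value
    return re.search(value, field_value) is not None


def exception_applies(values: list, field_value: str, allow_regex: bool) -> bool:
    """Assumption: an exception with several values excludes the event if any matches."""
    validate_values(values)
    return any(value_matches(v, field_value, allow_regex) for v in values)


if __name__ == '__main__':
    # Constructed sample file paths, not real detections.
    paths = [r'C:\Users\Temp\setup.exe', r'C:\Users\Temp\setup.exe.txt', r'C:\Users\Temp\notes.txt']
    pattern = r'C:\\Users\\Temp\\.*\.exe'   # Example 1 from the page, as typed
    for p in paths:
        print(p, '->', value_matches(pattern, p, allow_regex=True))
    # Anchoring with $ stops the .exe.txt path from being excluded as well.
    print(value_matches(pattern + '$', paths[1], allow_regex=True))
    # With regex enabled, a literal path must be escaped first.
    print(escape_literal(paths[0]))
```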