Create a custom exception to exclude specified objects or events from future detections.
WARNING
Procedure
- Go to .
- Specify the general settings for the new exception.
- Define up to 10 targets.
  - Specify the target settings:
    - Field
    - Values
      - You can specify up to 50 values. Each value cannot exceed 128 characters.
      - The values must match the format of the selected field. For example, if the field is endpointGUID, you must specify a GUID.
  - If you need to define multiple targets, click +Add Target to define another target.
- Define the event source.
  - Event type: Each event type is associated with one type of activity data that specific data sources collect. For example, the ENDPOINT_ACTIVITY_DATA event type is associated with endpoint activity data that endpoint sensors collect. To learn more about activity data and data sources, see Search method data sources.
  - Event ID
  - Event sub-ID
- Define up to 10 match criteria.
  - Specify the match criteria:
    - Field type
    - Field
    - Values
      - You can specify up to 20 values. Each value cannot exceed 2048 characters.
    - To replace certain parts of the object with wildcards, select Edit using wildcards. The object value supports the following elements:
      - .* : Multiple character substitute
      - \ : Escape character

      If the object value contains any of the following characters, use the escape character, backslash (\), to indicate an ordinary character that has no special meaning: \ { } ( ) [ ] . + * ? ^ $ |
  - If you need to add multiple criteria, click +Add Criteria to add another match criterion.
- Click Add.
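
The escaping rules and value limits from the match-criteria step, as an added Python example (not vendor code): it escapes literal text, inserts .* where a part is wildcarded, and checks the 20-value and 2048-character limits. The `min_literal` breadth check is a hypothetical review heuristic for catching exceptions that would suppress more detections than intended, the sample path is constructed, and the example assumes the character limit applies to the value as entered, escapes included.

```python
# Added example, not vendor code. The escape list and limits come from the page;
# min_literal is a hypothetical review threshold, not a product setting.
SPECIAL = set("\\{}()[].+*?^$|")
MAX_VALUES, MAX_LEN, WILDCARD = 20, 2048, ".*"

def escape_literal(text):
    """Backslash-escape every character the page lists as special."""
    return "".join("\\" + c if c in SPECIAL else c for c in text)

def build_value(parts):
    """Join parts into an object value: str = literal text, None = wildcard."""
    out = []
    for part in parts:
        if part is None:
            if not out or out[-1] != WILDCARD:  # collapse adjacent wildcards
                out.append(WILDCARD)
        elif part:
            out.append(escape_literal(part))
    return "".join(out)

def literal_length(value):
    """Count characters that must match literally; an escaped pair counts once."""
    count = i = 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            count, i = count + 1, i + 2
        elif value.startswith(WILDCARD, i):
            i += 2
        else:
            count, i = count + 1, i + 1
    return count

def check_values(values, min_literal=8):
    """Return a list of problems; an empty list means the values pass."""
    problems = []
    if len(values) > MAX_VALUES:
        problems.append(f"{len(values)} values, limit is {MAX_VALUES}")
    for v in values:
        if len(v) > MAX_LEN:
            problems.append(f"value exceeds {MAX_LEN} characters: {v[:40]}")
        if literal_length(v) < min_literal:
            problems.append(f"too broad, fewer than {min_literal} literal characters: {v!r}")
    return problems

if __name__ == "__main__":
    # Constructed sample path; the user-name directory is replaced by a wildcard.
    value = build_value(["C:\\Users\\", None, "\\AppData\\Local\\tool.exe"])
    print(value, check_values([value]))
```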