Exceptions exclude specified objects and events from detection models, helping to eliminate false positives and reduce alert fatigue.
There are two types of exceptions:
- Custom exceptions are created in the Detection Model Management app and use target, event source, and match criteria to define the objects and events to be excluded from detections. Click +Add to create a custom exception.
- Context menu exceptions are created from the context menu in Workbench and Observed Attack Techniques and use the detection model filter and match criteria to define the objects and events to be excluded from detections.
The following table outlines the information available on the Exceptions tab.
| Column | Description |
|---|---|
| Exception ID | The unique identifier of the exception |
| Name | The user-defined name of the exception |
| Targets | The locations of the objects or events excluded from detections |
| Event source / Filter | |
| Match criteria | The objects or events excluded from detections |
| Description | The user-defined information about the exception |
| Last updated | The date and time the exception was last updated |
| Created/Updated by | The user who created or last updated the exception |