Exceptions exclude specified objects and events from detection models to help eliminate false positives and reduce alert fatigue.
There are two types of exceptions:
- Custom exceptions come from Detection Model Management and use target, event source, and match criteria to define the objects and events to exclude from detections. Click +Add to create a custom exception.
- Context menu exceptions come from the context menu in Workbench and Observed Attack Techniques and use the detection model filter and match criteria to define the objects and events to exclude from detections.
The following table outlines the information on the Exceptions tab.
| Column | Description |
|---|---|
| Exception ID | The unique identifier of the exception |
| Name | The user-defined name of the exception |
| Targets | The locations of the objects or events excluded from detections |
| Event source / Filter | |
| Match criteria | The objects or events excluded from detections |
| Description | The user-defined information about the exception |
| Last updated | The date and time the exception was last updated |
| Created/Updated by | The user who created or last updated the exception |