Add highlighted objects and events as exceptions to enabled detection models/filters to reduce alert fatigue and excessive false positives.

Note
There are two types of exceptions:
  • Custom exceptions that originate from Detection Model Management (Agentic SIEM and XDR > Detection Model Management > Exceptions), and use target, event source, and match criteria to define the highlighted objects and events to exclude from detection models and filters.
  • Context menu exceptions that originate from Workbench and Observed Attack Techniques, and use the detection model/filter match criteria to define the highlighted objects and events to exclude from detections.
Exceptions contain the following information (column name followed by its description):

Exception ID
  The exception ID

Name
  The exception name
  Note: Exceptions originating from the context menu do not have names.

Targets
  The location of the highlighted objects or events you want to exclude from detections
  Example: You can exclude highlighted objects on a specific endpoint using the endpoint GUID.

Event source / Filter
  • Event source: The types of events you want to exclude from detections
    Example: You can exclude file creation events on endpoints using the ENDPOINT_ACTIVITY event type, the TELEMETRY_FILE event ID, and the TELEMETRY_FILE_CREATE event sub-ID.
  • Filter: The detection model filter that identified the object as a threat indicator (context menu exceptions only)

Match criteria
  The highlighted objects or events excluded from detections
  Example: You can exclude a specific file attachment using the file_sha1 type, the attachmentFileHash field, and the SHA-1 of the file attachment.

Description
  Additional information about the exception

Last updated
  The date and time the exception was last updated

Created/Updated by
  The user who created or last updated the exception
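The following Python is an added illustration of how the three parts of a custom exception (target, event source and match criteria) combine to suppress an event; it is not Trend Micro's code or API. The event field names (endpointGuid, eventType, eventId, eventSubId, objectFileHashSha1) and the sample records are constructed for the example; only the event type, event ID and sub-ID values are the ones named above.

```python
from dataclasses import dataclass

# Constructed model of a custom exception: target, event source and match
# criteria must all hold before an event is excluded from a detection model.
@dataclass
class CustomException:
    exception_id: str
    name: str
    targets: frozenset      # endpoint GUIDs; an empty set means "any target"
    event_type: str         # e.g. ENDPOINT_ACTIVITY
    event_id: str           # e.g. TELEMETRY_FILE
    event_sub_id: str       # e.g. TELEMETRY_FILE_CREATE
    match_criteria: dict    # field name -> expected value (e.g. a SHA-1)

def matches(exc: CustomException, event: dict) -> bool:
    """True when all three parts of the exception apply to this event."""
    if exc.targets and event.get("endpointGuid") not in exc.targets:
        return False
    source = (event.get("eventType"), event.get("eventId"), event.get("eventSubId"))
    if source != (exc.event_type, exc.event_id, exc.event_sub_id):
        return False
    # Every criterion must hold; hash values are compared case-insensitively.
    return all(str(event.get(field, "")).lower() == str(value).lower()
               for field, value in exc.match_criteria.items())

def apply_exceptions(exceptions, events):
    """Map each event ID to the suppressing exception ID, or None if it still alerts."""
    return {ev["id"]: next((e.exception_id for e in exceptions if matches(e, ev)), None)
            for ev in events}

# Constructed sample: an approved installer is allowed only on one build host.
BUILD_HOST = "11111111-2222-3333-4444-555555555555"
SHA1 = "da39a3ee5e6b4b0d3255bfef95601890afd80709"
EXC = CustomException("EXC-0001", "Approved installer on build host", frozenset({BUILD_HOST}),
                      "ENDPOINT_ACTIVITY", "TELEMETRY_FILE", "TELEMETRY_FILE_CREATE",
                      {"objectFileHashSha1": SHA1})

def endpoint_event(ev_id, guid, sha1):
    """Build a constructed file-creation record; field names are illustrative only."""
    return {"id": ev_id, "endpointGuid": guid, "eventType": "ENDPOINT_ACTIVITY",
            "eventId": "TELEMETRY_FILE", "eventSubId": "TELEMETRY_FILE_CREATE",
            "objectFileHashSha1": sha1}

EVENTS = [
    endpoint_event("ev1", BUILD_HOST, SHA1.upper()),   # suppressed: all three parts match
    endpoint_event("ev2", "other-host", SHA1),         # still alerts: outside the target
    endpoint_event("ev3", BUILD_HOST, "0" * 40),       # still alerts: different file hash
]
```

Scoping the target to one endpoint GUID is what keeps the exception from silently suppressing the same hash everywhere, which is the usual way an over-broad exception turns into a blind spot.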
To learn more about editing a custom exception, see Edit a custom exception.