Exceptions exclude specified objects and events from detection models to help reduce false positives and alert fatigue.
There are two types of exceptions:
  • Custom exceptions: Originate from Detection Model Management. Custom exceptions use target, event source, and match criteria to define the objects and events to exclude from detections.
  • Context menu exceptions: Originate from the context menu in Workbench and Observed Attack Techniques. Context menu exceptions use the detection model filter and match criteria to define the objects and events to exclude from detections.
Exceptions contain the following information:

| Column | Description |
| --- | --- |
| Exception ID | The unique identifier of the exception |
| Name | The name of the exception. Note: context menu exceptions do not have names. |
| Targets | The location of the objects or events you want to exclude from detections. For example, you can exclude objects on a specific endpoint using the globally unique identifier (GUID) of the endpoint. |
| Event source / Filter | Event source: the types of events you want to exclude from detections. For example, you can exclude file creation events on endpoints using the ENDPOINT_ACTIVITY event type, the TELEMETRY_FILE event ID, and the TELEMETRY_FILE_CREATE event sub-ID. Filter: the detection model filter that identified the object as a threat indicator (context menu exceptions only). |
| Match criteria | The objects or events excluded from detections. For example, you can exclude a specific file attachment using the file_sha1 type, the attachmentFileHash field, and the SHA-1 of the file attachment. |
| Description | Additional information about the exception |
| Last updated | The date and time the exception was last updated |
| Created/Updated by | The user who created or last updated the exception |
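As an added illustration (not the product's own code or schema), the following Python models how a custom exception's target, event source and match criteria combine to decide whether an event is excluded, using the endpoint file-creation and attachment-hash examples above; the event field names, GUIDs and hash value are constructed, and an empty target set meaning "unscoped" is an assumption of this model.

```python
from dataclasses import dataclass, field

@dataclass
class CustomException:
    """Mirrors the custom-exception columns: target, event source, match criteria."""
    exception_id: str
    target_guids: frozenset = frozenset()  # endpoint GUIDs; empty = unscoped (model assumption)
    event_source: dict = field(default_factory=dict)  # event type / ID / sub-ID it covers
    match_criteria: dict = field(default_factory=dict)  # field -> value the event must carry

    def excludes(self, event: dict) -> bool:
        """True only when target, event source and every match criterion all agree."""
        if self.target_guids and event.get("endpointGuid") not in self.target_guids:
            return False
        if any(event.get(k) != v for k, v in self.event_source.items()):
            return False
        return all(event.get(k) == v for k, v in self.match_criteria.items())

def apply_exceptions(events, exceptions):
    """Split events into (kept, excluded); entries are (event id, matching exception id or None)."""
    kept, excluded = [], []
    for ev in events:
        hit = next((x.exception_id for x in exceptions if x.excludes(ev)), None)
        (excluded if hit else kept).append((ev["id"], hit))
    return kept, excluded

# Constructed sample data: GUIDs, hash and event field names are illustrative only.
ENDPOINT_A = "11111111-aaaa-4aaa-8aaa-111111111111"
KNOWN_SHA1 = "da39a3ee5e6b4b0d3255bfef95601890afd80709"
SAMPLE_EXCEPTIONS = [
    # Narrow: one endpoint, file-creation telemetry, one file hash (the endpoint example).
    CustomException("EX-1", frozenset({ENDPOINT_A}),
                    {"eventType": "ENDPOINT_ACTIVITY", "eventId": "TELEMETRY_FILE",
                     "eventSubId": "TELEMETRY_FILE_CREATE"}, {"file_sha1": KNOWN_SHA1}),
    # Unscoped: any email event whose attachment carries this SHA-1 (the attachment example).
    CustomException("EX-2", frozenset(), {"eventType": "EMAIL_ACTIVITY"},
                    {"attachmentFileHash": KNOWN_SHA1}),
]

def endpoint_event(eid, guid, sub_id="TELEMETRY_FILE_CREATE", sha1=KNOWN_SHA1):
    return {"id": eid, "endpointGuid": guid, "eventType": "ENDPOINT_ACTIVITY",
            "eventId": "TELEMETRY_FILE", "eventSubId": sub_id, "file_sha1": sha1}

SAMPLE_EVENTS = [
    endpoint_event("e1", ENDPOINT_A),                                   # excluded by EX-1
    endpoint_event("e2", "22222222-bbbb-4bbb-8bbb-222222222222"),      # other endpoint: kept
    endpoint_event("e3", ENDPOINT_A, sub_id="OTHER_SUB_ID"),            # not a create event: kept
    {"id": "e4", "eventType": "EMAIL_ACTIVITY", "attachmentFileHash": KNOWN_SHA1},  # EX-2
]
```

Note that the same hash is only excluded on the one endpoint named in the target, so events e2 and e3 still surface; the unscoped EX-2 suppresses the attachment wherever it appears, which is the broader trade-off to weigh when defining an exception.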