Custom exclusion rules

Use the Custom exclusion rules page to define rules that mark specific behavior as irrelevant for your organization, and thus prevent the creation of incidents in the Incidents page.

Partners can manage rules for other companies and can use the Company filter in the grid to view the rules created for each company. Customers can also see the rules Partners have applied on their company.

However, when switching to a new Partner, all custom rules created by the former Partner are disabled. The new Partner will not be able to view the rules applied by the former Partner.

Custom exclusion rules - grid
  1. Click the Add rule button to create a new custom exclusion rule. For more details, refer to Creating Custom exclusion rules.

  2. Select the global check box to select all rules, or select the individual rule check boxes. After selecting one or more rules, you can manage them in the following ways:

    • To enable or disable the rules, click the Change status drop-down menu and choose the desired action.

    • To delete the rules, click the More actions drop-down menu and select Delete.

  3. Use these action buttons to customize your grid:

    • Click the Reset view button to reset the grid to the default settings in terms of displayed columns and filters. This option also clears existing filters and their values.

    • Click the Show or hide filters button to show or hide the filters bar.

    • Click the Open Settings button to add or remove columns from the grid.

  4. Click a rule's name to enter edit mode and update the rule. Click a rule in the list to expand its Details panel, view the rule details, update it or delete it. For more details, refer to Exclusion rule Details panel.

Creating Custom exclusion rules

To create custom exclusion rules, follow these steps:

  1. In the Custom exclusion rules page, click the Add rule button.

    You will be redirected to the Add rule page.

    Exclusions - Add rule page
  2. In the Exclusion rule definition section, select the type of element the exclusion rule applies to.

    Exclusions - Element type

    The element types are:

    • Process

    • File

    • Connection

  3. Select the matching criteria:

    Exclusions - Rule criteria
    1. Select one of the available criteria options.

    2. Select the type of relationship between the matching criteria and its value:

      • Is - matches the exact value entered in the value field.

      • Contains - matches all values that contain the string entered in the value field (for example, file extensions).

        Important

        Use wildcards with caution when creating an exclusion rule, as it raises the risk of making it too generic. Generic rules may increase the possibility of ignoring real threats and making your company more vulnerable.

      • Is one of - matches any of the values entered in the value field (an OR operation is performed between the values). You must press Enter after each value, to complete the action.

    3. Enter the specific value for each criterion.

  4. Use the Add new button to add new criteria to the rule.

    Note

    The rule excludes incidents only when all criteria are met (an AND operation is performed between the added criteria).

  5. In the Rule configuration section, add a rule name, a rule description, and rule-related tags.

    Rule tags help you identify, group, and sort rules as needed. If no existing tag suits your rule, click the Create tag button to add one.

    Exclusions - Rule configuration
  6. To activate the rule immediately after creation, select the Enable exclusion rule checkbox.

  7. Click Next.

  8. In the Rule targets window, select the endpoints the rule applies to. You can select the entire company or specific endpoint tags. These tags are created and managed in Network > Tags Management.

    When you select the Endpoint tags option, you can choose the tags from the list in the left-side menu, and your current selection of tags will appear in the right-side menu.

    Rule targets
  9. Click Save.

    The new rule is now available in the Custom exclusion rules grid, and you can view the generated alerts in the Incidents > Search page by using the other.rule_id field in your query.

Exclusion rule use case

Let's consider the following scenario: you need to exclude anything with the word "Automate" in the name.

To achieve this result, you would have to create four exclusion rules: two for processes and two for files.

Here's an example of what the process rules might look like:

Exclusions - Parent process path
Exclusions - Process path

Here's an example of what the file rules might look like:

Exclusions - File creation process path
Exclusions - File path

All rules will be listed in the Custom exclusion rules grid:

Exclusion rules
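The following is an added example, not part of the original page or of the product itself: a small Python model of the matching semantics described above (Is, Contains, Is one of; OR between listed values, AND between criteria) applied to the four "Automate" rules from this use case. The event field names (process.path, process.parent_path, file.path, file.creator_path) and the sample events are assumptions constructed for illustration; the second process event shows why the Important note warns that a bare Contains rule can be broader than intended.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Criterion:
    field: str        # assumed event field name, e.g. "process.path"
    operator: str     # "is", "contains" or "is_one_of"
    value: object     # str for is/contains, tuple of str for is_one_of

    def matches(self, event: dict) -> bool:
        observed = event.get(self.field)
        if observed is None:
            return False
        if self.operator == "is":             # exact value
            return observed == self.value
        if self.operator == "contains":       # substring anywhere in the value
            return self.value in observed
        if self.operator == "is_one_of":      # OR between the listed values
            return observed in self.value
        raise ValueError(f"unknown operator: {self.operator}")

@dataclass(frozen=True)
class ExclusionRule:
    name: str
    element_type: str   # "Process", "File" or "Connection"
    criteria: tuple     # every criterion must match (AND)
    enabled: bool = True

    def excludes(self, event: dict) -> bool:
        if not self.enabled or event.get("element_type") != self.element_type:
            return False
        return all(c.matches(event) for c in self.criteria)

def matching_rules(rules, event):
    """Names of the enabled rules that would suppress this event (review aid)."""
    return [r.name for r in rules if r.excludes(event)]

# The four rules from the use case, with assumed field names.
AUTOMATE_RULES = (
    ExclusionRule("Automate parent", "Process", (Criterion("process.parent_path", "contains", "Automate"),)),
    ExclusionRule("Automate process", "Process", (Criterion("process.path", "contains", "Automate"),)),
    ExclusionRule("Automate file creator", "File", (Criterion("file.creator_path", "contains", "Automate"),)),
    ExclusionRule("Automate file", "File", (Criterion("file.path", "contains", "Automate"),)),
)

# Constructed sample events: the intended tool, and an unrelated binary whose
# name merely contains the string, which the Contains rule also suppresses.
SAMPLE_EVENTS = [
    {"element_type": "Process", "process.path": r"C:\Program Files\Automate\agent.exe"},
    {"element_type": "Process", "process.path": r"C:\Users\Public\AutomateHelper.exe"},
    {"element_type": "File", "file.path": r"C:\Temp\report.docx", "file.creator_path": r"C:\Program Files\Automate\agent.exe"},
]
```

Running matching_rules over candidate events before enabling a rule is a cheap way to see how much of your normal telemetry a Contains rule would silence.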

Exclusion rule Details panel

The rule Details panel contains information on the selected rule, rule criteria, rule tags, rule outcome, and options to update it or delete it.

Exclusion Rule - Details panel
  • The View alerts option redirects you to the Search page, where a prefilled query runs automatically to retrieve all the alerts triggered by the rule.

  • The Edit rule button brings up the rule definition window, where you can change the rule settings.