Custom exclusion rules

Use the Custom exclusion rules page to define rules that mark specific behavior as irrelevant for your organization, and thus prevent the creation of incidents in The Incidents page.

Use these action buttons to customize your grid:

Click the Reset view button to reset the grid to the default settings in terms of displayed columns and filters. This option also clears existing filters and their values.
Click the Show or hide filters button to show or hide the filters bar.
Click the Open Settings button to add or remove columns from the grid.

Creating custom exclusion rules

To create custom exclusion rules, follow these steps:

In the Custom exclusion rules page, click the Add rule button.
You will be redirected to the Add rule page.
In the Exclusion rule definition section, configure the following settings:
1. From the Exclude every field, select the type of element you want to include in the exclusion rule.
  Possible values
  Process
  File
  Connection
  User connection
  Email
  Application
  Key vault
  Role
  Policy
  Sharing link
  Flow
  URL
  SSH key
  Launch template
  Service principle
  User group
  Automation account
  Automation account hook
  Api
  Certificate authority
  Bucket
2. Using the Matching the following settings, configure the settings that will trigger the rule:
  - In the Select criteria field, select the parameter you want for the rule. This is the elements that will be compared against the custom values you enter in the Type value here field.
    Some fields are only compatible with either XDR or EDR technology. These fields are marked with either an EDR or an XDR tag. This means that, for example, a rule that uses a parameter with an EDR tag will not apply on behavior detected through the XDR feature.
    Parameters that have no tags apply to both technologies.
    Tip
    You can use the Alert name parameter with every criteria to stop certain alerts from generating incidents.
    When using this parameter, make sure that the value you enter matches the alert name displayed in GravityZone. This paramter does not support wildcards, and is only compatible with the Is operator.
  - In the Select operator field, set the relationship between the selected criteriaand value you enter in the Type value here field:
    Is - matches the exact value entered in the value field.
    Contains - matches all values that contain the string entered in the value field (for example, file extensions).
    Important
    Use wildcards with caution when creating an exclusion rule, as it raises the risk of making it too generic. Generic rules may increase the possibility of ignoring real threats and making your company more vulnerable.
    Is one of - matches any of the values entered in the value field (an OR operation is performed between the values). You must press Enter after each value, to complete the action.
  - In the Type value here field, enter the custom value you want to compare the criteria against.
3. (Optional) Use the Add new button to add additional criteria to the rule.
  Note
  The rule excludes incidents only when all criteria is met (an AND operation is performed between the added criteria).
4. Click Next.
Note
Rules applied on XDR alerts work on a interaction level. If you want to exclude an alert that has interactions with more than 2 nodes, you need to configure the rule to cover all the interactions that you want to exclude.
Configure the settings in the Rule configuration section:
1. Under the Rule configuration section, type in a name, description, and add tags to the rule.
  Rule tags can help you identify, group, and sort for rules as needed. If you do not have a tag that suits your rule, you can click the Create tag button, and add one.
2. Select the Enable exclusion rule checkbox to activate the rule immediately after creation.
3. Read the information from the Rule outcome section. This indicates the application and effects of the rule.
4. Click Next.
Set the application of the rule in the Exclusion rule targets section:
There are two methods of applying the rule to endpoints:
- Apply the rule to your company directly - This method applies the rule to all the managed entities from a company.
  Note
  This option will be displayed using your company name.
  This method is compatible with all parameters.
- Endpoint tags - This method only applies the rule to endpoints that have specific tags assigned.
  Rules applied using this method apply only to behavior detected through the EDR feature. They are not compatible with XDR technology.
  Tip
  You can manage endpoint tags from the Network > Tags Management page.
  Select the checkboxes for tags you want from the Endpoint tags list on the left side of the section. You can use the search field to look up specific tags.
  All selected tags are added to the Selected endpoints tags list on the right side of the section.
Click Save.
The new rule is now available in the Custom exclusion rules grid, and you can view the generated alerts in the Incidents > Search page by using the other.rule_id field in your query.

Viewing exclusion rules details

To view the details of a specific rule, locate the rule in the grid, and click anywhere on its row to display the Rule details side panel.

custom_exclusion_rules_rule_details_side_panel_90854_en.png

The panel contains information regarding the creation of the rule, the settings applied to it, along with these options

The View alerts option redirects you to the Search page, where a prefilled query runs automatically to retrieve all the alerts triggered by the rule.
The Edit rule button brings up the rule definition window, where you can change the rule settings.
The Delete button permanently removes the rule.

In this section:

Custom exclusion rules

Creating custom exclusion rules

Tip

Important

Note

Note

Note

Tip

Viewing exclusion rules details

Search results