Collection Exclusions
Exclusions reduce the amount of Threat Hunting data that is collected and, by doing so, extend data retention: the less data that is collected, the longer the collected data can be kept in the databases.
Exclusions enable you to define certain types of activity events that are not collected as Threat Hunting data, even though they would otherwise be collected according to the Threat Hunting Collection Profile assigned to the Collector Group (described in Collection Profiles). For example, if you know that a certain process is legitimate but it generates many activity events that are not relevant to your Threat Hunting investigations, you can use Collection Exclusions to define that those activities are not collected. Keep in mind that excluded activity is not available to later hunts either, so define exclusions as narrowly as possible (the specific process and activity type that produce the noise) rather than broadly.
The Collection Exclusions page enables you to define and manage exclusion lists and the exclusions that they contain.
Note – Exclusions are different from security event exceptions, as follows:
- Exclusions define which activity events are not collected. They are exclusions to the Threat Hunting Collection Profile and apply before any data is stored.
- Security event exceptions are defined after a particular security event has occurred. They are an exception to the assigned Security Policy.
To access the Collection Exclusions, select SECURITY SETTINGS > Threat Hunting > Collection Exclusions.
The Collection Exclusions page contains the following areas: