Defining Collection Exclusions
All exclusions must belong to an Exclusion List. Select an Exclusion List on the left to display the exclusions that are defined in it.
Exclusions can be defined for any of the following:
- Source (process) – identified by a source attribute, such as a Signer.
- Type/Action – activity event types, as described in Threat Hunting.
- Target – identified by a target attribute, such as an IP address and port.
An exclusion can include all three of these or any combination of them. However, an exclusion that contains only a Type is not valid, because that kind of exclusion should be defined in a Threat Hunting Profile.
For example, you can exclude activity events of a specific Type that have a specific source and a specific target, or exclude activity events that have a specific source, regardless of their activity type or target.
Adding an Exclusion
- In the left pane, click the Exclusion List to which to add the exclusion.
- In the right pane, click the + Add Exclusion button. The following displays:
- From the Operating system dropdown menu, select either Linux or Windows.
- To define that an exclusion includes a specific Activity Event Type, select the type of action(s) to exclude from the displayed dropdown list. Alternatively, select the Any option (the default), which means that you are not restricting the exclusion to a specific action type.
All action types to be collected are listed according to Category. You can select one or more actions from a single Category; actions cannot be selected from different categories. For example, you can select the Process Termination and the Process Start options from the Process Category in the same exclusion. However, you cannot select the Key Created option together with the Thread Created option in the same exclusion; to do this you must create two different exclusions.
- To define that an exclusion includes a Source attribute condition, select Source attribute from the Select box. A source process can be identified by file name, path, hash or signer; an event log related activity event is identified by its Event Log Name, as shown below:
If you select Hash, then specify the hash, as shown below:
If you select Path, then specify the path, as shown below. A path can include wildcards. If you wish to include sub-folders as well, check the Select sub folders checkbox.
If you select File Name, then enter the file name.
If you select Signer, then either upload the Signer’s Certificate, provide its thumbprint or provide the Signer’s name.
- To define that an exclusion includes a Target attribute condition, click the + button. From the Select box, select the Target Attribute and then define the target criteria, as described below:
Targets can be identified by various criteria, depending on the selected Activity Event Category.
- A process Category event is identified by hash, path, file name or Signer.
- A network Category event is identified by network-related properties, such as a remote IP and port.
- A registry Category event is identified by a registry key path, value name, value type or value size.
- An Event log Category event is identified by the Event Log ID.
When defining an exclusion that contains multiple conditions, an AND relationship exists between the conditions.
Note: If an OR relationship is needed between the conditions that you define, simply create another exclusion.
- Click the Add button. This new exclusion is then listed in the Collection Exclusions page, as shown below:
- The newly defined exclusions appear with a green background, and the words Pending save appear in their LAST UPDATED column. For these exclusions to take effect, you must click the Apply button and then click the Save button in the window that pops up. Their LAST UPDATED column then shows the timestamp when they were saved.
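To make the matching rules above concrete, here is an added Python model (not the product's own code) of how a saved exclusion filters collected events: the conditions inside one exclusion are ANDed, separate exclusions are ORed, action types must stay within one Category, and a type-only exclusion is rejected. The category table, the attribute names and the wildcard/sub-folder path matching are assumptions for illustration.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
# Constructed category table for illustration; the product's own list is longer.
CATEGORIES = {
    "Process": {"Process Start", "Process Termination", "Thread Created"},
    "Registry": {"Key Created", "Value Set"},
    "Network": {"Connection Established"},
}
def path_matches(pattern, path, subfolders):
    # Wildcards as in fnmatch; without the sub-folders option '*' must not cross a separator.
    pattern, path = pattern.lower(), path.lower()
    return fnmatchcase(path, pattern) and (subfolders or path.count("\\") == pattern.count("\\"))
def attrs_match(cond, actual):
    # Every attribute in cond must match the event (AND); 'subfolders' only modifies 'path'.
    for key, want in cond.items():
        have = actual.get(key)
        if key == "path":
            if have is None or not path_matches(want, have, cond.get("subfolders", False)):
                return False
        elif key != "subfolders" and have != want:
            return False
    return True

@dataclass
class Exclusion:
    os: str                                 # "Windows" or "Linux"
    actions: frozenset = frozenset()        # empty stands for the "Any" option
    source: dict = field(default_factory=dict)   # e.g. {"path": "C:\\Tools\\*", "subfolders": True}
    target: dict = field(default_factory=dict)   # e.g. {"remote_ip": "10.0.0.5", "remote_port": 443}

    def problems(self):
        # Validity rules from the page; an empty list means the exclusion can be added.
        cats = [c for c, acts in CATEGORIES.items() if self.actions & acts]
        out = []
        if self.actions and len(cats) != 1:
            out.append("action types must all come from one category")
        if self.actions and not self.source and not self.target:
            out.append("a type-only exclusion belongs in a Threat Hunting Profile")
        return out

    def matches(self, ev):
        # All conditions defined in one exclusion are ANDed together.
        return (ev["os"] == self.os
                and (not self.actions or ev["action"] in self.actions)
                and attrs_match(self.source, ev.get("source", {}))
                and attrs_match(self.target, ev.get("target", {})))

def is_excluded(exclusions, ev):
    # Separate exclusions are ORed: the event is dropped if any one of them matches.
    return any(x.matches(ev) for x in exclusions)
```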
Setting the State of an Exclusion
The Set State button lets you enable or disable the selected exclusion(s). By default, an exclusion is enabled.
Deleting an Exclusion
The Delete button deletes the selected exclusion(s).
To delete multiple exclusions, check the checkboxes of the exclusions to delete and choose Delete in the toolbar.