Defining the scope of an exception
When defining an exception, it is important not to make it too broad or too narrow in scope, so that it properly identifies and catches the data items that you want.
If an exception does not cover all the raw data items for a security event, the icon is displayed for that exception. This can happen, for example, if the exception was defined on only some of the collector groups and the security event occurred on devices that belong to collector groups on which the exception was not set.
The icon applies only to security events that are not fully covered by the exception at the time of the first evaluation. For a security event that was fully covered by the exception at first evaluation (marked with the icon), if new raw data items arrive later and make the event only partially covered, the original icon persists and does not switch to the partially-covered icon.
In addition, the raw data items comprising a security event are distinguished as either covered or not covered by the exception, based on the exception's current definition.
For example, if you see that the current exception is too narrow and excludes a raw data item that you want to include, you can click the icon and then broaden the exception so that it also includes that raw data item. When you click the icon, the Event Exceptions window opens automatically and displays the existing exception, which you can then broaden. Alternatively, you can click the + icon to create another exception that includes the non-covered raw data item. If you click the + icon after opening the exception using the covered icon next to the raw data item, the new exception is created from the perspective of that raw data item, meaning that it includes all the data relevant to that raw data item, as shown below:
In addition, when you save an exception that does not cover all the raw data items for a security event, a message such as the following is displayed.
You can click the Non-covered items link in this message to open the Event Viewer in a new window, and display only not-covered raw data items, as shown below: