The Create Exception option allows you to suppress a past or future event that you consider non-malicious. It can be performed for an event listed in Historic View or Current View.
Note: Incidents or alerts will not be reported for events that match the exception rules, even if the events are malicious or an alerting rule has been created for them.
Perform the following steps in the Hunting tab of Historic View or Current View to create an exception for an event:
1. Hover the mouse over the required event and click the drop-down icon.
2. From the Quick Actions menu, click Create Exception.
3. In the Create Exception window, provide the inputs in the mandatory fields. Fields marked with a red asterisk are mandatory.
The Reason field is categorized as:
- False Positive: Choose this option to reduce the indicator score associated with the event. If the score of an event is 8 or greater, the Reason chosen by default is False Positive. However, you can choose the Hide option.
- Risk Accepted: Choose this option to reduce the indicator score associated with the event. If the score of an event is between 1 and 7, the Reason chosen by default is Risk Accepted. However, you can choose the Hide option.
- Hide: If you do not want to change the score for False Positive or Risk Accepted, you can choose this option to hide the event. Only the events from the Current View tab will be moved to the Hidden Events tab.
The following screenshot is an example of the Basic Information section:
4. Click Next.
5. The Event section describes the event for which an exception is created. Enable the toggle if you want the exception to be created for future events. Select the event factors from Select Event Factors. To delete an event factor, select .
Note: If an event with a score of 5 is suppressed and one of its future events has a score of 8, that future event will not be suppressed and will be listed in the Historic View and Current View tabs.
6. Click Next.
7. The Review and Confirm page displays the entire summary of the exception. Verify the event exception and click Save.
A notification at the top-right corner of the window confirms that the exception has been successfully created.