Create Exception

The Create Exception option allows you to suppress a past or a future event that you consider non-malicious. It can be performed for an event listed in Events.

Incidents or Alerts are not reported for events that match the exception rules, even if the events are malicious or an alerting rule has been created for them.

Perform the following steps in the Hunting tab of Events to create an exception for an event:

  1. Hover the mouse over the required event and click the drop-down icon.
  2. From the Quick Actions menu, click Create Exception.

    Create Exception option in Quick Actions menu of Hunting tab

  3. In the Create Exception window, provide the inputs in the mandatory fields. Fields marked with a red asterisk are mandatory.

    The Reason field is categorized as follows:

    • False Positive: Choose this option to reduce the indicator score associated with the event. If an event's score is 8 or greater, by default, the Reason chosen is False Positive. However, you can choose the Hide option.
    • Risk Accepted: Choose this option to reduce the indicator score associated with the event. If an event's score is between 1 and 7, by default, the Reason chosen is Risk Accepted. However, you can choose the Hide option.
    • Hide: If you do not want to change the False Positive or Risk Accepted score, you can choose this option to hide the event. Only the events from the Events tab will be moved to the Exempted Events tab.

      The following screenshot is an example of the Basic Information section:

      Basic Information page in Create Exception option.

  4. Click Next.
  5. The Event section describes the event for which an exception is created. Enable the toggle if you want the exception to apply to future events. Select the event factors from Select Event Factors.
  6. To delete an event factor, select Recycle Bin.

    If an event with a score of 5 is suppressed and one of its future events has a score of 8, that future event is not suppressed and is listed in the Events tab.

    Event page of Create Exception option

  7. Click Next.
  8. The Review and Confirm page displays the complete summary of the exception. Verify the event exception and click Save.

    Review and Confirm page of Create Exception option

A notification at the window's top right corner confirms the exception has been successfully created. 

To view the list of exceptions created using Create Exception, perform the following steps:

  1. Click the Configuration tab.
  2. Click Exception Rules.

    The following screenshot is an example of the Exception Rules tab:

    Exception rules

    You can simplify the search using the Exception Rules Tokens in the Exception Rules tab.