Rule exceptionsedit

Rule exceptions can be associated with detection and endpoint rules to prevent those rules from generating alerts under specific circumstances. Exceptions are made up of three main components: exception items, default rule lists, and shared exception lists.

Exception itemsedit

Exception items, also referred to as exceptions, contain the source event conditions that determine when alerts are not generated. You can use exceptions to reduce the number of false positives, and to prevent trusted processes and network activity from generating unnecessary alerts.

Rules can have multiple exceptions and exceptions can apply to multiple rules. Refer to Add and manage exceptions to learn more about adding exceptions to rules.

An exception item

You can also use value lists to define exceptions for detection rules. Value lists allow you to match an exception against a list of possible values.

Default rule listsedit

A default rule list is a group of exceptions that belong to a single rule. Exceptions within a rule’s default rule list cannot be used by other rules. Refer to Add and manage exceptions to learn more.

A default rule list

Shared exception listsedit

Shared exception lists allow you to group exceptions together and then apply them to multiple rules. Use the Shared Exception Lists page to set up a shared exception list with exception items, and then associate the list with multiple detection rules. Refer to Create and manage shared exception lists to learn more.

Shared Exception Lists page