- Get Started with Threat Detection Management
- Analytics Rules
- Analytics Rule Classifications
- Create an Analytics Rule
- Manage Analytics Rules
- Tune Analytics Rules
- Find Analytics Rules
- Share Analytics Rules
- Troubleshoot Analytics Rules
- Analytics Rules Syntax
- Advanced Analytics Rule Syntax vs. Analytics Rule Syntax
- Logical Expressions in Analytics Rule Syntax'
- String Operations Using Analytics Rule Syntax
- Integer Operations Using Analytics Rule Syntax
- Time Operations Using Analytics Rule Syntax
- Network Operations Using Analytics Rule Syntax
- Context Operations Using Analytics Rule Syntax
- Entity Operations Using Analytics Rule Syntax
- Correlation Rule Operations Using Analytics Rule Syntax
- Analytics Engine Status
- Correlation Rules
- Correlation Rule Sequences
- Correlation Rules Templates
- Create Correlation Rules
- Create a Correlation Rule Using the Exabeam Nova Rule Creator
- Create a Correlation Rule from Scratch Using the Manual Rule Creator
- Create a Correlation Rule from a Template
- Create a Correlation Rule from Search
- Group by Field in Correlation Rules
- Detect Absent Events or Fields Using Correlation Rules
- Granular Suppression
- Correlation Rule Evaluation Delay
- Manage Correlation Rules
- Find Correlation Rules
- Share Correlation Rules
- View Correlation Rules Metrics
- Threat Scoring
Create an Exclusion
To exclude events or event field values from triggering an analytics rule, create an exclusion.
To create an exclusion, you define two properties: the conditions events or event field values must match for it to be excluded from triggering an analytics rule; and the scope of the rules to which the exclusion applies.
The conditions events or event field values must match for it to be excluded from triggering an analytics rule are defined in an expression using specific syntax.
You can create a limited number of exclusions, up to:
25 exclusions that apply to all analytics rules
25 exclusions per specific analytics rule family
25 exclusions per specific analytics rule
You can track your progress toward these limits when you create an exclusion.
Ensure there are no pending changes or updates to your analytics rules. If there are pending changes or updates, apply those changes or updates to your environment or delete the changes or updates.
Under Rule Exclusions, click Add.
OR
In Exclusions, click + New Rule.
OR
For a specific analytics rule, click the More menu
, then select Exclude.Enter information about the exclusion:
Exclusion Name – Enter the exclusion name.
(Optional) Description – Enter details about the purpose or use of the exclusion.
Condition – Enter an expression that defines the events or event field values excluded from triggering an analytics rule. Ensure that you use the appropriate syntax.
Scope – Define the analytics rules to which the exclusion applies:
To exclude events or event field values matching the conditions from triggering any analytics rule, select Global.
You can create up to 25 exclusions that apply to all analytics rules. View your progress toward this limit under Global exclusions limit.
To exclude events or event field values matching the conditions from triggering one or more specific analytics rules, select Specify rules. Click the empty field, then from the list, select an analytics rule. To find a specific analytics rule, start typing, then select an analytics rule from the list.
You can create up to 25 exclusions per specific rule. View your progress toward this limit next to each analytics rule:
To exclude events or event field values matching the conditions from triggering one or more analytics rule families, select Specific rule families. Click the empty field, then from the list, select a family. To find a specific analytics rule family, start typing, then select a family from the list.
You can create up to 25 exclusions per specific analytics rule family. View your progress toward this limit next to each analytics rule family:
Create the exclusion in enabled or disabled status:
If you're creating multiple exclusions, it's best to create them in disabled status and enable them all at once.
When you enable exclusions, the analytics engine restarts and re-trains on past events with the exclusions and temporarily stops processing incoming events. Enabling multiple exclusions at once minimizes disruptions to other Exabeam applications, analytics engine downtime, and your use of entitled training days.
To create the exclusion in a disabled state, click Create.
To create and enable the exclusion, click Create & Enable. The analytics engine restarts and retrains analytics rules, which can take up to 10 minutes.