Create an Exclusion
To exclude events or event field values from triggering an analytics rule, create an exclusion.
An exclusion has two properties: the condition that events or event field values must match in order to be excluded from triggering an analytics rule, and the scope, which is the set of rules the exclusion applies to.
The condition is defined as an expression written in the required expression syntax.
You can configure up to 1000 exclusions.
Open the exclusion editor in one of the following ways:
- Under Rule Exclusions, click Add.
- In Exclusions, click + New Rule.
- For a specific analytics rule, click the More menu, then select Exclude.
Enter information about the exclusion:
- Exclusion Name – Enter the exclusion name.
- (Optional) Description – Enter details about the purpose or use of the exclusion.
- Condition – Enter an expression that defines the events or event field values excluded from triggering an analytics rule. Ensure that you use the appropriate syntax.
- Scope – Define the rules to which the exclusion applies:
  - To exclude events or event field values matching the condition from triggering any rule, select All.
  - To exclude events or event field values matching the condition from triggering one or more specific rules, select Specific rules. Click the empty field, then select a rule from the list. To find a specific rule, start typing, then select it from the list.
  - To exclude events or event field values matching the condition from triggering one or more analytics rule families, select Specific rule families. Click the empty field, then select a family from the list. To find a specific analytics rule family, start typing, then select it from the list.
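To make the condition-plus-scope semantics concrete, the following is an added toy model written for this page; it is not Exabeam's code and does not use the product's expression syntax (conditions here are plain Python predicates over a dict-shaped event), and every rule, family, user and event value is constructed. It shows three things a practitioner should expect: a disabled exclusion has no effect, a narrowly scoped exclusion suppresses only the rules it names, and an exclusion scoped to All silences every rule whose event happens to match the condition, which is the blind spot to weigh when choosing the scope.

```python
"""Toy model of analytics-rule exclusions: a condition plus a scope.

Added illustration only. Not Exabeam's implementation, and the conditions
below are Python callables rather than the product's expression syntax.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

Event = Dict[str, object]
Condition = Callable[[Event], bool]

MAX_EXCLUSIONS = 1000  # limit stated in the documentation


@dataclass
class Rule:
    name: str
    family: str
    triggers: Condition  # would this rule fire on the event, ignoring exclusions?


@dataclass
class Exclusion:
    name: str
    condition: Condition
    # scope is ("all",), ("rules", {rule names}) or ("families", {family names})
    scope: tuple = ("all",)
    enabled: bool = False  # exclusions can be created in disabled status

    def applies_to(self, rule: Rule) -> bool:
        kind = self.scope[0]
        if kind == "all":
            return True
        if kind == "rules":
            return rule.name in self.scope[1]
        if kind == "families":
            return rule.family in self.scope[1]
        raise ValueError(f"unknown scope kind {kind!r}")


def fired_rules(event: Event, rules: List[Rule], exclusions: List[Exclusion]) -> List[str]:
    """Names of rules that fire on `event` once enabled exclusions are applied."""
    if len(exclusions) > MAX_EXCLUSIONS:
        raise ValueError("more exclusions than the documented limit")
    enabled = [x for x in exclusions if x.enabled]
    fired = []
    for rule in rules:
        if not rule.triggers(event):
            continue
        # An exclusion suppresses the rule only if it is in scope AND the event matches.
        suppressed = any(x.applies_to(rule) and x.condition(event) for x in enabled)
        if not suppressed:
            fired.append(rule.name)
    return fired


# Constructed sample rules (hypothetical names and families).
RULES = [
    Rule("Unusual-Logon-Time", "Auth", lambda e: e["hour"] < 6),
    Rule("First-Admin-Logon", "Privilege", lambda e: bool(e["is_admin"] and e["first_seen"])),
]

# Constructed sample events.
EVENTS = {
    "backup_job": {"user": "svc-backup", "hour": 3, "is_admin": False, "first_seen": False},
    "admin_night": {"user": "jdoe", "hour": 2, "is_admin": True, "first_seen": True},
}


def demo() -> Dict[str, List[str]]:
    """Compare a disabled, a narrowly scoped and an All-scoped exclusion."""
    is_backup_account = lambda e: e["user"] == "svc-backup"
    disabled = Exclusion("svc-backup off-hours", is_backup_account,
                         scope=("rules", {"Unusual-Logon-Time"}), enabled=False)
    narrow = Exclusion("svc-backup off-hours", is_backup_account,
                       scope=("rules", {"Unusual-Logon-Time"}), enabled=True)
    broad = Exclusion("ignore all night activity", lambda e: e["hour"] < 6,
                      scope=("all",), enabled=True)
    return {
        "no_exclusion": fired_rules(EVENTS["admin_night"], RULES, []),
        "disabled_backup": fired_rules(EVENTS["backup_job"], RULES, [disabled]),
        "narrow_backup": fired_rules(EVENTS["backup_job"], RULES, [narrow]),
        "narrow_admin": fired_rules(EVENTS["admin_night"], RULES, [narrow]),
        "broad_admin": fired_rules(EVENTS["admin_night"], RULES, [broad]),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

The `broad_admin` case is the one to notice: the All-scoped exclusion was written to quiet a noisy logon-time rule, but because its condition also matches the administrator's first night-time logon it suppresses the privilege rule as well. Scoping to Specific rules or Specific rule families keeps the suppression where it was intended.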
Create the exclusion in enabled or disabled status:
If you're creating multiple exclusions, it's best to create them in disabled status and enable them all at once.
When you enable exclusions, the analytics engine restarts, re-trains on past events with the exclusions applied, and temporarily stops processing incoming events. Enabling multiple exclusions at once minimizes disruption to other Exabeam applications, analytics engine downtime, and consumption of your entitled training days.
- To create the exclusion in a disabled state, click Create.
- To create and enable the exclusion, click Create & Enable. The analytics engine restarts and retrains analytics rules, which can take up to 10 minutes.