- Get Started with Threat Detection Management
- Analytics Rules
- Analytics Rule Classifications
- Create an Analytics Rule
- Manage Analytics Rules
- Tune Analytics Rules
- Share Analytics Rules
- Troubleshoot Analytics Rules
- Analytics Rules Syntax
- Advanced Analytics Rule Syntax vs. Analytics Rule Syntax
- Logical Expressions in Analytics Rule Syntax
- String Operations Using Analytics Rule Syntax
- Integer Operations Using Analytics Rule Syntax
- Time Operations Using Analytics Rule Syntax
- Network Operations Using Analytics Rule Syntax
- Context Operations Using Analytics Rule Syntax
- Entity Operations Using Analytics Rule Syntax
- Correlation Rule Operations Using Analytics Rule Syntax
- Analytics Engine Status
- Correlation Rules
- Threat Scoring
Create an Exclusion
To exclude events or event field values from triggering an analytics rule, create an exclusion.
To create an exclusion, you define two properties: the conditions events or event field values must match for it to be excluded from triggering an analytics rule; and the scope of the rules to which the exclusion applies.
The conditions events or event field values must match for it to be excluded from triggering an analytics rule are defined in an expression using specific syntax.
You can configure up to 1000 exclusions.
Ensure there are no pending changes or updates to your analytics rules. If there are pending changes or updates, apply those changes or updates to your environment or delete the changes or updates.
Under Rule Exclusions, click Add.
OR
In Exclusions, click + New Rule.
OR
For a specific analytics rule, click the More menu
, then select Exclude.Enter information about the exclusion:
Exclusion Name – Enter the exclusion name.
(Optional) Description – Enter details about the purpose or use of the exclusion.
Condition – Enter an expression that defines the events or event field values excluded from triggering an analytics rule. Ensure that you use the appropriate syntax.
Scope – Define the rules to which the exclusion applies:
To exclude events or event field values matching the conditions from triggering any rule, select All.
To exclude events or event field values matching the conditions from triggering one or more specific rules, select Specific rules. Click the empty field, then from the list, select a rule. To find a specific rule, start typing, then select a rule from the list.
To exclude events or event field values matching the conditions from triggering one or more analytics rule families, select Specific rule families. Click the empty field, then from the list, select a family. To find a specific analytics rule family, start typing, then select a family from the list.
Create the exclusion in enabled or disabled status:
If you're creating multiple exclusions, it's best to create them in disabled status and enable them all at once.
When you enable exclusions, the analytics engine restarts and re-trains on past events with the exclusions and temporarily stops processing incoming events. Enabling multiple exclusions at once minimizes disruptions to other Exabeam applications, analytics engine downtime, and your use of entitled training days.
To create the exclusion in a disabled state, click Create.
To create and enable the exclusion, click Create & Enable. The analytics engine restarts and retrains analytics rules, which can take up to 10 minutes.