
Edit an Exclusion

Change the name, description, conditions, and scope of an exclusion.

  1. Under Exclusions, click View all Exclusions.

  2. For an exclusion, click the More menu, then select Edit.

  3. Edit the exclusion details:

    • Exclusion Name – Enter the exclusion name.

    • (Optional) Description – Enter details about the purpose or use of the exclusion.

    • Condition – Enter an expression that defines the events or event field values excluded from triggering an analytics rule. Ensure that you use the appropriate syntax.

    • Scope – Define the rules to which the exclusion applies:

      • To exclude events or event field values matching the conditions from triggering any rule, select All.

      • To exclude events or event field values matching the conditions from triggering one or more specific rules, select Specific rules. Click the empty field, then from the list, select a rule. To find a specific rule, start typing, then select a rule from the list.

      • To exclude events or event field values matching the conditions from triggering one or more analytics rule families, select Specific rule families. Click the empty field, then from the list, select a family. To find a specific analytics rule family, start typing, then select a family from the list.

  4. Enable or disable the exclusion:

    • To enable the exclusion, toggle Enable on.

    • To disable the exclusion, toggle Enable off.

  5. Click Save.