
Rule exceptions

Understand the different types of rule exceptions.

You can associate rule exceptions with detection and endpoint rules to prevent trusted processes and network activity from generating unnecessary alerts, thereby reducing the number of false positives.

When creating exceptions, you can assign them to individual rules or to multiple rules.

Exceptions for individual rules

Exceptions, also referred to as exception items, contain the source event conditions that determine when alerts shouldn't be generated.

You can create exceptions that apply exclusively to a single rule. These types of exceptions can't be used by other rules, and you must manage them from the rule's details page. To learn more about creating and managing single-rule exceptions, refer to Add and manage exceptions.

Note

You can also use value lists to define exceptions for detection rules. Value lists allow you to match an exception against a list of possible values.

Exceptions shared among multiple rules

If you want an exception to apply to multiple rules, you can add an exception to a shared exception list. Shared exception lists allow you to group exceptions together and then associate them with multiple rules. Refer to Create and manage shared exception lists to learn more.
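To make the matching semantics concrete, here is a small Python simulation (an added example, not Elastic's code) of how a rule's exception items, covering a single-rule item, a shared list and a value-list entry, decide whether an alert is suppressed. The item and entry shapes, the AND-within-item / OR-across-items rule, field names and sample events are assumptions constructed for this example.

```python
"""Simulation of how exception items suppress alerts (added example, not Elastic's code).
Assumed: every entry in an item must hold (AND); any applicable item in any list
attached to the rule (OR) suppresses the alert. All sample data is constructed."""

VALUE_LISTS = {"trusted_ips": {"10.0.0.5", "10.0.0.6"}}  # constructed value list


def entry_matches(entry, event):
    """Evaluate one entry against a flat event dict; operator 'excluded' negates it."""
    value = event.get(entry["field"])
    if entry["type"] == "exists":
        hit = value is not None
    elif entry["type"] == "match":
        hit = value == entry["value"]
    elif entry["type"] == "match_any":
        hit = value in entry["value"]
    elif entry["type"] == "list":  # value-list exception
        hit = value in VALUE_LISTS[entry["list"]["id"]]
    else:
        raise ValueError(f"unsupported entry type {entry['type']!r}")
    return hit if entry["operator"] == "included" else not hit


def item_matches(item, event):
    """All entries of an item must hold (AND)."""
    return all(entry_matches(e, event) for e in item["entries"])


def alert_suppressed(exception_lists, event):
    """Suppress the alert if any item in any list attached to the rule applies (OR)."""
    return any(item_matches(i, event) for lst in exception_lists for i in lst)


# Constructed single-rule exception: backup.exe is trusted only when signed by Example Corp.
SINGLE_RULE_ITEMS = [{"entries": [
    {"field": "process.name", "operator": "included", "type": "match", "value": "backup.exe"},
    {"field": "process.code_signature.subject_name", "operator": "included",
     "type": "match", "value": "Example Corp"}]}]
# Constructed shared list: suppress for source IPs found in the value list.
SHARED_LIST = [{"entries": [
    {"field": "source.ip", "operator": "included", "type": "list",
     "list": {"id": "trusted_ips", "type": "ip"}}]}]


def demo():
    """One suppression verdict per constructed event: [True, False, True]."""
    rule_lists = [SINGLE_RULE_ITEMS, SHARED_LIST]
    signed = {"process.name": "backup.exe", "source.ip": "203.0.113.9",
              "process.code_signature.subject_name": "Example Corp"}
    unsigned = {"process.name": "backup.exe", "source.ip": "203.0.113.9"}
    trusted_ip = {"process.name": "other.exe", "source.ip": "10.0.0.5"}
    return [alert_suppressed(rule_lists, e) for e in (signed, unsigned, trusted_ip)]
```

The unsigned event is not suppressed because the single-rule item requires both its entries to hold, which is why a partial match on a trusted process name alone does not silence the alert.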
