You can associate rule exceptions with detection and endpoint rules to prevent trusted processes and network activity from generating unnecessary alerts, therefore, reducing the number of false positives.
Exceptions, also referred to as exception items, contain the source event conditions that determine when alerts shouldn't be generated.
You can create exceptions that apply exclusively to a single rule. These types of exceptions can't be used by other rules, and you must manage them from the rule’s details page. To learn more about creating and managing single-rule exceptions, refer to Add and manage exceptions.
You can also use value lists to define exceptions for detection rules. Value lists allow you to match an exception against a list of possible values.
If you want an exception to apply to multiple rules, you can add an exception to a shared exception list. Shared exception lists allow you to group exceptions together and then associate them with multiple rules. Refer to Create and manage shared exception lists to learn more.
On this page