Indicator Set exceptions are modifications of the Indicator Set that eliminate reports for actions that match the exception. They allow you to reduce or eliminate reporting of events that are not of interest, while leaving the rest of the Indicator Set functionality enabled.

To create an Indicator Set exception, you identify an ATI-related event on the Events page to remove from future reporting. You can create an exception specific to that event automatically, or you can modify the exception so that it applies to a broader or narrower range of targets, processes, or users.

Indicator Set exceptions are specific to the Indicator Set that generated the event that you use to create them. You can create multiple exceptions at one time, but you cannot create an exception using a non-ATI-based event.

You can edit an Indicator Set exception after it is created (including its name), or you can add special parameters at the time of creation by creating an advanced Indicator Set exception. However, an advanced Indicator Set exception can only be created for one event at a time.

Create Indicator Set Exceptions

To create Indicator Set exceptions by using the default method, perform the following procedure.

Procedure

  1. If the events for which you want to create exceptions are not displayed, click Reports > Events on the console menu and then click the Threat Indicators Saved View. You can also choose an event from another view, but using Threat Indicators ensures that the events shown all have an associated Indicator Set.
    Note: You can also click the Recent Events link on an Indicator Set Details page to see all recent events for that set.
  2. If necessary, change the Max Age value to view older events.
  3. When one or more relevant events are displayed, select the check box next to each one. On the Action menu, click Create Indicator Set Exceptions.

Results

A status message at the top of the page indicates whether the exceptions were successfully created, or shows an error if they were not. A common error is selecting an event that does not have an associated Indicator Set.

Each exception created in this way uses the name of the Indicator Set plus incrementing digits (for example, the first exception to the Windows System Configuration set is named “Windows System Configuration Exception 1”).

Create an Advanced Indicator Set Exception

To create an advanced Indicator Set exception, perform the following procedure.

Procedure

  1. If the events for which you want to create exceptions are not displayed, click Reports > Events on the console menu and then click the Threat Indicators Saved View. You can also choose an event from another view, but using Threat Indicators ensures that the events shown all have an associated Indicator Set.
    Note: You can also click the Recent Events link on an Indicator Set Details page to see all recent events for that set.
  2. If necessary, change the Max Age value to view older events.
  3. When the event for which you want to create an advanced exception is displayed, select the check box next to it and, on the Action menu, click Create an advanced Indicator Set Exception. The Add Indicator Set Exception dialog appears with the Indicator Set and Platform entered in read-only form and the other parameters editable. (If you select more than one check box, an error message is displayed.)
  4. In the Add Indicator Set Exception dialog box, enter an Exception Name and optionally a Description.
  5. Edit the other parameters to create the rule. For a description of the parameters, see Indicator Set Exception Details.
  6. When you have finished configuring the exception, click the Save button to stay on the page or click the Save & Exit button to return to the Events page.

Results

The new exception appears in the Exceptions panel of the Indicator Set Details page.