SIEM & UEBA


Exception Rule not working

  • 1.  Exception Rule not working

    Posted Jan 14, 2021 07:36 PM

    Hi Guys,

    I tried to create an exception rule by clicking incident -> Action > Edit Rule Exception,

    but it still triggers the incident. Any ideas?


  • 2.  RE: Exception Rule not working

    Posted Jan 14, 2021 09:02 PM
    Hi Muhammad,

    The operator CONTAINS is checking for an exact string match where Info URL contains the string literal "teamviewer.com, digicert.com"; it is not treating this as a list.
    You could probably do this two ways.

    Probably the most reliable way to exclude:
    Info URL CONTAINS teamviewer.com OR
    Info URL CONTAINS digicert.com

    An alternative is to try:
    Info URL IN "teamviewer.com","digicert.com"  -- Where the IN is an exact match of the info url. e.g. teamviewer.com won't match test.teamviewer.com or test2.teamviewer.com
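
An added example, not part of the reply above and not the SIEM's own code: a small Python model of the three exception conditions, using the operator semantics exactly as the reply describes them (CONTAINS as a substring test, IN as an exact match). The function names and the sample Info URL values are constructed for illustration.

```python
# Model of the three exception conditions discussed in the reply above.
# Assumed semantics (from that reply): CONTAINS = substring test on the whole
# value, IN = exact match against each list member. Not the product's code.

ALLOWED = ["teamviewer.com", "digicert.com"]

def contains_single_literal(info_url):
    """Original rule: one CONTAINS against the literal 'teamviewer.com, digicert.com'."""
    return ", ".join(ALLOWED) in info_url

def contains_or(info_url):
    """Info URL CONTAINS teamviewer.com OR Info URL CONTAINS digicert.com."""
    return any(domain in info_url for domain in ALLOWED)

def in_list(info_url):
    """Info URL IN "teamviewer.com","digicert.com" (exact match only)."""
    return info_url in ALLOWED

def evaluate(values):
    """Map each value to (single_literal, contains_or, in_list); True = incident suppressed."""
    return {v: (contains_single_literal(v), contains_or(v), in_list(v)) for v in values}

# Constructed sample Info URL values (not taken from the thread).
SAMPLES = [
    "teamviewer.com",
    "test.teamviewer.com",
    "digicert.com",
    "teamviewer.com.example.net",  # lookalike host: the substring test still matches
    "example.org",
]

if __name__ == "__main__":
    print(f"{'Info URL':30} {'literal':8} {'OR-contains':12} IN")
    for value, (lit, orc, inl) in evaluate(SAMPLES).items():
        print(f"{value:30} {lit!s:8} {orc!s:12} {inl}")
```

The lookalike row shows that a substring-based exception also suppresses incidents for any value that merely embeds an allowed name, which is worth checking when reviewing exceptions built with CONTAINS.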


  • 3.  RE: Exception Rule not working

    Posted Jan 14, 2021 11:35 PM
    Thanks for the reply