Exclusions are a very powerful feature and when used correctly can reduce your false positive rate to zero. However, when done improperly they can silence important critical detections. The Wirespeed team is always here to help you review exclusions before deploying them.
Exclusions and their queries allow you to automatically close a case when it matches certain properties. These queries follow a simple property=value format, combining expressions with AND or OR. You may also wrap groups of conditions in parentheses to specify hierarchy.
A simple example is category=IDENTITY__LOGIN and prevented=true, which will automatically close all cases categorized as logins if the source system prevented them.
While a query is being typed, the “Query Match” indicator stays true once the first condition is complete. This is because any invalid query parts are not processed when queries are evaluated.
```text
property=value
property.sub=value
property=value AND property=value
property=value OR property=value
(property=value AND property=value) OR property=value
```
Is that enough property=values for you?
Operators
| Operator | Description |
|---|---|
| = | equal |
| != | not equal |
| >= | greater than or equal |
| <= | less than or equal |
| > | greater than |
| < | less than |
| ~ | contains |
| !~ | not contains |
| @= | all array values equal |
| @~ | all array values contain |
| @~= | some array values equal |
| @~~ | some array values contain |
| @!= | no array values equal |
| @!~ | no array values contain |
Property Values
You will be provided with a JSON document containing the property values you can query from. These are values from your detection and all of its associated assets. When typing in the search, property names will autocomplete.
```json
{
"id": "WSPD-24",
"name": "Late stage tools",
"description": "LST \"Mimikatz\" discovered",
"users": [{ "email": "jake@wirespeed.co" }, { "email": "tim@wirespeed.co" }],
"externalIP": "1.1.1.1",
"internalIPs": ["10.0.0.1", "10.0.0.2"],
"files": [{ "name": "powershell.exe", "path": "C:\\Users\\Tim" }],
"locations": [],
"createdAt": "2024-11-02T15:36:00.433Z"
}
```
| Query | Result | Description |
|---|---|---|
| name="Late stage tools" | true | name equals "Late stage tools" |
| id~WSPD | true | id contains WSPD |
| createdAt>2024-11-01T15:36:00.433Z | true | createdAt is greater than 2024-11-01T15:36:00.433Z |
| name=null | false | name is empty |
| externalIP~"1.1.1.0/24" | true | externalIP is in CIDR range 1.1.1.0/24 |
| description=/.*mimikatz.*/i | true | description matches regular expression /.*mimikatz.*/i |
| description="LST Mimikatz discovered" | true | description equals "LST Mimikatz discovered" (quotes inside the stored value are ignored) |
Arrays
Arrays are flattened and can be queried with the special @ operators.
Pay special attention to what array operator you are using. For example, using the “some array values equal” operator (@~=) will automatically close any cases containing at least one match, even if other values in the array do not match. Ensure this is the intended action.
| Query | Result | Description |
|---|---|---|
| files.name@=powershell.exe | true | All files’ name equals powershell.exe |
| files.path@=C:\Users\Tim | true | All files’ path equals C:\Users\Tim |
| files.name@~shell | true | All files’ name contains shell |
| internalIPs@~"10.0.0.0/24" | true | All internalIPs are in CIDR range 10.0.0.0/24 |
| users.email@~="jake@wirespeed.co" | true | Some users’ email equals jake@wirespeed.co |
| users.email@~~jake | true | Some users’ email contains jake |
| users.email@!="some value" | true | No users’ email equals some value |
| users.email@!~none | true | No users’ email contains none |
| locations=null | true | No locations values |
- Dates must be provided in ISO 8601 format
- Email addresses, CIDR ranges, and strings with spaces in them must be quoted
- Double nested object arrays are not queryable at this time
- If a string contains quotes inside of it, they are removed during comparison
- Backslashes in strings are shown double-escaped in the UI; you only need to provide a single backslash when referring to them in a query
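The following is an added example, not Wirespeed's own code: a small Python evaluator for the query syntax described in the Operators, Property Values and Arrays sections above, run against the sample document from this page. It is useful for checking an exclusion against a representative detection before deploying it. Everything the page leaves unstated is an assumption and marked as such in the code: AND binds tighter than OR (parentheses override), AND/OR are accepted in any case, ordering comparisons are textual (which is correct for ISO 8601 timestamps), the "all" array operators are false on an empty array, and unparseable input raises an error instead of being silently skipped the way the UI's "Query Match" indicator does.

```python
import ipaddress
import re
# Sample detection document copied from this page's "Property Values" section.
DETECTION = {"id": "WSPD-24", "name": "Late stage tools", "description": 'LST "Mimikatz" discovered',
             "users": [{"email": "jake@wirespeed.co"}, {"email": "tim@wirespeed.co"}],
             "externalIP": "1.1.1.1", "internalIPs": ["10.0.0.1", "10.0.0.2"], "locations": [],
             "files": [{"name": "powershell.exe", "path": "C:\\Users\\Tim"}], "createdAt": "2024-11-02T15:36:00.433Z"}

TOKEN_RE = re.compile(r"\s*(?:(?P<sym>\(|\)|(?:AND|OR)(?=[\s()]|$))|(?P<prop>[\w.]+)"
                      r"(?P<op>@!=|@!~|@~=|@~~|@=|@~|!=|!~|>=|<=|=|~|>|<)"        # longest operators first
                      r'(?P<val>"[^"]*"|/[^/]*/[a-z]*|[^\s()]+))', re.I)           # "quoted" | /regex/flags | bare

def tokenize(query):  # -> '(' / ')' / AND / OR symbols and (property, operator, value) triples
    query, pos, toks = query.strip(), 0, []
    while pos < len(query):
        m = TOKEN_RE.match(query, pos)
        if not m:  # unlike the UI, which skips invalid parts, unparseable text is rejected (assumption)
            raise ValueError(f"cannot parse query near {query[pos:]!r}")
        pos = m.end()
        toks.append(m["sym"].upper() if m["sym"] else (m["prop"], m["op"], m["val"]))
    return toks

def parse_value(raw):  # right-hand side of a condition: null, "quoted text", /regex/flags or a bare word
    if raw == "null":
        return None
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1]
    m = re.fullmatch(r"/(.*)/([a-z]*)", raw, re.S)
    return re.compile(m.group(1), re.I if "i" in m.group(2) else 0) if m else raw

def resolve(doc, path):  # walk a dotted path, flattening arrays, so files.name yields every file's name
    cur = [doc]
    for key in path.split("."):
        found = [o.get(key) for o in cur if isinstance(o, dict)]
        cur = [v for f in found for v in (f if isinstance(f, list) else [f])]
    return cur

def _eq(actual, expected):
    if expected is None:                                            # "=null" means empty or absent
        return actual in (None, "", [])
    if isinstance(expected, re.Pattern):
        return isinstance(actual, str) and expected.search(actual) is not None
    if isinstance(actual, str):                                     # quotes inside strings are ignored
        return actual.replace('"', "") == expected.replace('"', "")
    return str(actual).lower() == expected                          # booleans/numbers against bare text

def _contains(actual, expected):  # substring test, or CIDR membership when expected is a network (1.1.1.0/24)
    if not (isinstance(actual, str) and isinstance(expected, str)):
        return False
    try:
        return ipaddress.ip_address(actual) in ipaddress.ip_network(expected, strict=False)
    except ValueError:                                              # not an address/network pair
        return expected in actual

SCALAR_OPS = {"=": _eq, "!=": lambda a, e: not _eq(a, e), "~": _contains, "!~": lambda a, e: not _contains(a, e),
              ">": lambda a, e: str(a) > str(e), ">=": lambda a, e: str(a) >= str(e),   # ordering is textual
              "<": lambda a, e: str(a) < str(e), "<=": lambda a, e: str(a) <= str(e)}   # (assumption; ISO 8601 sorts)
ARRAY_OPS = {"@=": lambda vs, e: bool(vs) and all(_eq(v, e) for v in vs),      # "all" is False on an empty
             "@~": lambda vs, e: bool(vs) and all(_contains(v, e) for v in vs),  # array (assumption)
             "@~=": lambda vs, e: any(_eq(v, e) for v in vs),
             "@~~": lambda vs, e: any(_contains(v, e) for v in vs),
             "@!=": lambda vs, e: not any(_eq(v, e) for v in vs),
             "@!~": lambda vs, e: not any(_contains(v, e) for v in vs)}

def eval_condition(prop, op, raw, doc):
    expected, vals = parse_value(raw), resolve(doc, prop)
    if op in ARRAY_OPS:
        return ARRAY_OPS[op](vals, expected)
    return SCALAR_OPS[op](vals[0] if vals else None, expected)     # scalar operators see a single value

def matches(query, doc):  # AND binds tighter than OR (assumption; the page states no precedence)
    toks, i = tokenize(query), 0
    peek = lambda: toks[i] if i < len(toks) else None
    def chain(sub, keyword, combine):                               # sub (keyword sub)*
        nonlocal i
        result = sub()
        while peek() == keyword:
            i += 1
            result = combine(result, sub())
        return result
    def factor():                                                   # '(' expr ')' | condition
        nonlocal i
        tok, i = peek(), i + 1
        if isinstance(tok, tuple):
            return eval_condition(*tok, doc)
        if tok == "(":
            result = expr()
            tok, i = peek(), i + 1
            if tok == ")":
                return result
        raise ValueError(f"unexpected token {tok!r}")
    term = lambda: chain(factor, "AND", lambda a, b: a and b)
    expr = lambda: chain(term, "OR", lambda a, b: a or b)
    result = expr()
    if i != len(toks):
        raise ValueError("trailing tokens in query")
    return bool(result)
```

Every row of the two result tables above evaluates as the page states, for example `matches('externalIP~"1.1.1.0/24"', DETECTION)` is true and `matches("name=null", DETECTION)` is false. Two design choices matter from a defender's point of view. First, an "all" operator on an empty array returns false here, because an exclusion such as `files.name@=powershell.exe` should not close a detection that carries no files at all. Second, a query like `name=Late stage tools` (unquoted spaces) raises an error rather than quietly matching on `name=Late` alone; that is the offline counterpart of watching the "Query Match" indicator, and it is the reason the page recommends having exclusions reviewed before they go live.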
Settings
Exclusions can be disabled and will not be used until they are re-enabled. Once an exclusion has caused a detection to be automatically closed it cannot be deleted, only disabled. If you would like an exclusion removed from your audit log and deleted, please open a support ticket.
TTL
You can set a TTL for an exclusion. This will automatically disable the exclusion after the specified amount of time.
Rolling TTLs
Rolling TTLs reset their timer each time the exclusion matches a detection. This ensures that common patterns in your environment remain excluded as long as they occur regularly. If the pattern stops occurring, the TTL will eventually expire and future occurrences will no longer be excluded.
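To make the TTL and rolling TTL behaviour concrete, here is an added Python model fed a constructed timeline of matching detections. It is not Wirespeed's implementation; it assumes that a TTL counts from the time the exclusion was created, that expiry behaves like disabling the exclusion, and that the query itself has already been evaluated. It also models the rule from the Settings section that an exclusion which has auto-closed a detection can only be disabled, not deleted.

```python
from datetime import datetime, timedelta, timezone

class Exclusion:
    """Toy model of an exclusion's lifecycle (assumption: a TTL counts from creation, as the prose implies)."""

    def __init__(self, query, created, ttl=None, rolling=False):
        self.query, self.ttl, self.rolling = query, ttl, rolling
        self.expires_at = created + ttl if ttl else None      # None: no TTL, never expires on its own
        self.enabled, self.closed = True, 0                   # closed: detections this exclusion auto-closed

    def active(self, now):
        """A TTL expiry disables the exclusion; a disabled exclusion is not used until re-enabled."""
        if self.enabled and self.expires_at and now >= self.expires_at:
            self.enabled = False
        return self.enabled

    def consider(self, now):
        """Return True when a detection matching the query at `now` would be auto-closed."""
        if not self.active(now):
            return False
        self.closed += 1
        if self.rolling and self.ttl:                          # rolling TTL: each match restarts the timer
            self.expires_at = now + self.ttl
        return True

    def delete(self):
        """Once an exclusion has auto-closed a detection it can only be disabled, not deleted."""
        if self.closed:
            raise PermissionError("exclusion has auto-closed detections; disable it instead")
        return True

# Constructed timeline, in days after the exclusion was created: a daily pattern, a gap, then recurrence.
DETECTION_DAYS = [0, 1, 2, 3, 4, 9, 10, 11, 30, 31]

def run_exclusion(days, ttl_days, rolling):
    """Feed constructed detections to one exclusion; return it and the day offsets it auto-closed."""
    created = datetime(2024, 11, 2, tzinfo=timezone.utc)     # constructed creation time
    ttl = timedelta(days=ttl_days) if ttl_days else None
    excl = Exclusion("files.name@=powershell.exe", created, ttl, rolling)  # query is a page example
    return excl, [d for d in days if excl.consider(created + timedelta(days=d))]

if __name__ == "__main__":
    print("fixed 7-day TTL auto-closes days:  ", run_exclusion(DETECTION_DAYS, 7, False)[1])
    print("rolling 7-day TTL auto-closes days:", run_exclusion(DETECTION_DAYS, 7, True)[1])
```

With a fixed 7-day TTL the exclusion closes the detections on days 0 to 4 and is disabled on day 7, so the recurrences on days 9 to 11 are surfaced again. With a rolling 7-day TTL each match pushes the expiry out, so days 9 to 11 are also closed and the exclusion only lapses after the pattern has been absent for a full TTL (before day 30). The caveat for reviewers follows directly: a rolling TTL keeps an exclusion alive for as long as the pattern recurs, so it is worth checking rolling exclusions in the audit log periodically, because the reason they were created may no longer apply even though they keep matching.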
Suppress source system updates
By default, when Wirespeed automatically closes a detection because it matched an exclusion, we also sync that outcome to the integration (for example, closing or updating the alert in the vendor console). You can enable Suppress source system updates on an exclusion to stop that outbound sync for detections matched by that rule. Use this when you only want to silence or auto-close detections inside Wirespeed without changing how the alert appears or is handled in the source product.