Introduction to Exclusions
Automatically close cases based on natural language queries
Exclusions and their queries allow you to automatically close a case when it matches certain properties. These queries follow a simple `property=value` format, combining expressions with `AND` or `OR`. You may also wrap groups of conditions in parentheses to specify hierarchy.
A simple example is `category=IDENTITY__LOGIN and prevented=true`, which will automatically close all cases categorized as logins if they were automatically prevented by the source system.
Query Format
Example Detection Query Format
property=value
property.sub=value
property=value AND property=value
property=value OR property=value
(property=value AND property=value) OR property=value
Is that enough `property=value`s for you?
Operators
Operator | Description |
---|---|
= | equal |
!= | not equal |
>= | greater than or equal |
<= | less than or equal |
> | greater than |
< | less than |
~ | contains |
!~ | not contains |
@= | all array values equal |
@~ | all array values contain |
@~= | some array values equal |
@~~ | some array values contain |
@!= | no array values equal |
@!~ | no array values contain |
Property Values
You will be provided with a JSON document containing the property values you can query from. These are values from your detection and all of its associated assets. When typing in the search, property names will autocomplete.
Query | Result | Description |
---|---|---|
name="Late stage tools" | true | name equals "Late stage tools" |
id~WSPD | true | id contains WSPD |
createdAt>2024-11-01T15:36:00.433Z | true | createdAt is greater than 2024-11-01T15:36:00.433Z |
name=null | false | name is empty |
externalIP~"1.1.1.0/24" | true | externalIP is in cidr range 1.1.1.0/24 |
description=/.*mimikatz.*/i | true | description matches regular expression /.*mimikatz.*/i |
description="LST Mimikatz discovered" | true | description equals "LST Mimikatz discovered" |
Arrays
Arrays are flattened and can be queried with the special @ operators.
Query | Result | Description |
---|---|---|
files.name@=powershell.exe | true | All files’ name equals powershell.exe |
files.path@=C:\Users\Tim | true | All files’ path equals C:\Users\Tim |
files.name@~shell | true | All files’ name contains shell |
internalIPs@~"10.0.0.0/24" | true | All internalIPs are in cidr range 10.0.0.0/24 |
users.email@~="jake@wirespeed.co" | true | Some users’ email equals jake@wirespeed.co |
users.email@~~jake | true | Some users’ email contains jake |
users.email@!="some value" | true | No users’ email equals some value |
users.email@!~none | true | No users’ email contains none |
locations=null | true | No locations values |
Email addresses, CIDR ranges, and strings with spaces in them must be quoted.
Double-nested object arrays are not queryable at this time.
If a string contains quotes inside of it, they are removed during comparison.
Backslashes in strings are shown double-escaped in the UI; you only need to provide a single escape when referring to them in a query.
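As an added example (not the product's own code), a small Python evaluator for the query format described above, useful for checking an exclusion offline before it starts auto-closing cases: it tokenizes `property<op>value` terms, parses `AND`/`OR` with parentheses, flattens arrays for the `@` operators, treats `~` on a CIDR literal as range membership, and handles `null`. The detection document and all function names are assumptions; the ordering operators (`>`, `<`, `>=`, `<=`) and `/regex/` literals are left out.

```python
import contextlib
import ipaddress
import re
DETECTION = {"category": "IDENTITY__LOGIN", "prevented": True, "externalIP": "1.1.1.57",
             "files": [{"name": "powershell.exe"}, {"name": "cmd.exe"}], "locations": [],
             "users": [{"email": "jake@wirespeed.co"}]}   # constructed sample, not from the page
TOKEN = re.compile(r'\(|\)|\b(?i:AND|OR)\b|([A-Za-z_][\w.]*)'           # "(", ")", keyword, or
                   r'(@!=|@!~|@~~|@~=|@=|@~|!=|!~|=|~)("[^"]*"|[^\s()]+)')  # property<op>value
def parse(query):                       # recursive descent over the page's grammar
    toks = [m[0].upper() if m[1] is None else (m[1], m[2], m[3].replace('"', ""))
            for m in TOKEN.finditer(query)]   # quotes are dropped, as the page notes
    def level(n=0):                     # 0 = OR chain (loosest), 1 = AND chain, 2 = atom
        if n < 2:
            node = level(n + 1)
            while toks and toks[0] == ("OR", "AND")[n]:
                node = (toks.pop(0), node, level(n + 1))
            return node
        t = toks.pop(0)                 # an atom is one comparison or a "(" group ")"
        if t == "(":
            t = level()
            if toks.pop(0) != ")":
                raise ValueError("unbalanced parentheses in exclusion query")
        return t
    return level()
def leaves(doc, path):                  # dotted lookup; arrays met on the way are flattened
    flat = lambda xs: [v for x in xs for v in (flat(x) if isinstance(x, list) else [x])]
    for key in path.split("."):
        doc = [d.get(key) for d in flat([doc]) if isinstance(d, dict)]
    return [v for v in flat([doc]) if v is not None]
def compare(op, actual, expected):      # one scalar value against the query literal
    text = str(actual).lower() if isinstance(actual, bool) else str(actual)
    if op == "~" and "/" in expected:   # contains on a CIDR literal means "address in range"
        with contextlib.suppress(ValueError):   # non-address text falls back to substring
            return ipaddress.ip_address(text) in ipaddress.ip_network(expected, strict=False)
    return expected in text if op == "~" else text == expected
def evaluate(node, doc):
    if node[0] in ("AND", "OR"):
        return (all if node[0] == "AND" else any)(evaluate(c, doc) for c in node[1:])
    prop, op, expected = node
    neg, op = "!" in op, op.replace("!", "~" if op[0] == "@" else "")  # !=, !~, @!=, @!~
    values = leaves(doc, prop)
    if expected == "null":              # =null tests whether any value exists at all
        hit = not values
    elif len(op) == 3:                  # @~= and @~~: some array value matches
        hit = any(compare(op[2], v, expected) for v in values)
    else:                               # scalar =/~ and @=/@~: every value must match
        hit = bool(values) and all(compare(op[-1], v, expected) for v in values)
    return hit != neg
def matches(query, doc=DETECTION):
    return evaluate(parse(query), doc)
```

With the sample document, `matches("category=IDENTITY__LOGIN and prevented=true")` is true while `matches("files.name@=powershell.exe")` is false, because `cmd.exe` is also present and `@=` requires every array value to match.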
Settings
Exclusions can be disabled and will not be used until they are re-enabled. Once an exclusion has caused a detection to be automatically closed, it cannot be deleted, only disabled. If you would like an exclusion removed from your audit log and deleted, please open a support ticket.
TTL
You can set a TTL for an exclusion. This will automatically disable the exclusion after the specified amount of time.
Rolling TTLs
Rolling TTLs reset their timer each time the exclusion matches a detection. This ensures that common patterns in your environment remain excluded as long as they occur regularly. If the pattern stops occurring, the TTL will eventually expire and future occurrences will no longer be excluded.