Automatically close cases based on natural language queries
Exclusions and their queries allow you to automatically close a case when it matches certain properties. These queries follow a simple `property=value` format, combining expressions with `AND` or `OR`. You may also wrap groups of conditions in parentheses to specify precedence.
A simple example is `category=IDENTITY__LOGIN and prevented=true`, which automatically closes every case categorized as a login if the source system had already prevented it.
```text
property=value
property.sub=value
property=value AND property=value
property=value OR property=value
(property=value AND property=value) OR property=value
```
Is that enough `property=value`s for you?
Operator | Description |
---|---|
= | equal |
!= | not equal |
>= | greater than or equal |
<= | less than or equal |
> | greater than |
< | less than |
~ | contains |
!~ | not contains |
@= | all array values equal |
@~ | all array values contain |
@~= | some array values equal |
@~~ | some array values contain |
@!= | no array values equal |
@!~ | no array values contain |
You will be provided with a JSON document containing the property values you can query from. These are values from your detection and all of its associated assets. When typing in the search, property names will autocomplete.
Query | Result | Description |
---|---|---|
name="Late stage tools" | true | name equals "Late stage tools" |
id~WSPD | true | id contains WSPD |
createdAt>2024-11-01T15:36:00.433Z | true | createdAt is greater than 2024-11-01T15:36:00.433Z |
name=null | false | name is empty |
externalIP~"1.1.1.0/24" | true | externalIP is in cidr range 1.1.1.0/24 |
description=/.*mimikatz.*/i | true | description matches regular expression /.*mimikatz.*/i |
description="LST Mimikatz discovered" | true | description equals "LST Mimikatz discovered" |
Arrays are flattened and can be queried with the special @ operators.
Query | Result | Description |
---|---|---|
files.name@=powershell.exe | true | All files’ name equals powershell.exe |
files.path@=C:\Users\Tim | true | All files’ path equals C:\Users\Tim |
files.name@~shell | true | All files’ name contains shell |
internalIPs@~"10.0.0.0/24" | true | All internalIPs are in cidr range 10.0.0.0/24 |
users.email@~="jake@wirespeed.co" | true | Some users’ email equals jake@wirespeed.co |
users.email@~~jake | true | Some users’ email contains jake |
users.email@!="some value" | true | No users’ email equals some value |
users.email@!~none | true | No users’ email contains none |
locations=null | true | No locations values |
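As an added illustration (not Wirespeed's own code), the evaluator below implements the single-condition syntax shown in the two tables above for a subset of the operators: dotted paths are flattened across arrays, the `@` operators quantify over the flattened values, and `null`, quoted, CIDR and `/regex/i` literals are understood. The detection document is constructed for the example; `>` compares timestamps as ISO-8601 text, which is an assumption about the real engine.

```python
import ipaddress
import re
# Constructed sample detection (not from the page), shaped like the JSON the query sees.
DETECTION = {"name": "Late stage tools", "id": "WSPD-0001", "createdAt": "2024-11-05T09:00:00.000Z",
             "description": "LST Mimikatz discovered", "externalIP": "1.1.1.7", "locations": [],
             "files": [{"name": "powershell.exe", "path": r"C:\Users\Tim"}, {"name": "cmd.exe"}],
             "users": [{"email": "jake@wirespeed.co"}, {"email": "tim@wirespeed.co"}]}
COND = re.compile(r'([\w.]+)(@?!?[=~]{1,2}|>)("[^"]*"|/[^/]*/[a-z]*|\S+)')

def lookup(doc, path):
    """Walk a dotted path, flattening arrays; a missing or empty value yields [None]."""
    vals = [doc]
    for key in path.split("."):
        found = [x.get(key) if isinstance(x, dict) else None for x in vals]
        vals = [v for f in found for v in (f if isinstance(f, list) else [f])]
    return vals or [None]

def literal(raw):
    """Query literal -> Python value: "quoted", /regex/flags, null, true, false or bare text."""
    if raw.startswith("/"):
        body, _, flags = raw[1:].rpartition("/")
        return re.compile(body, re.I if "i" in flags else 0)
    consts = {"null": None, "true": True, "false": False}
    return raw[1:-1] if raw.startswith('"') else consts.get(raw, raw)

def equal(actual, expected):
    if isinstance(expected, re.Pattern):                 # e.g. description=/.*mimikatz.*/i
        return actual is not None and expected.fullmatch(str(actual)) is not None
    return actual == expected

def contains(actual, expected):
    """Substring test, or CIDR membership when the literal parses as a network."""
    try:
        return ipaddress.ip_address(actual) in ipaddress.ip_network(expected, strict=False)
    except ValueError:
        return actual is not None and str(expected) in str(actual)

neg = lambda test: (lambda a, e: not test(a, e))
OPS = {  # operator -> (quantifier over the flattened values, per-value test)
    "=": (all, equal), "!=": (all, neg(equal)), "~": (all, contains), "!~": (all, neg(contains)),
    ">": (all, lambda a, e: a is not None and str(a) > str(e)),  # ISO timestamps order as text
    "@=": (all, equal), "@~": (all, contains), "@~=": (any, equal), "@~~": (any, contains),
    "@!=": (all, neg(equal)), "@!~": (all, neg(contains)),
}

def check(condition, doc=DETECTION):
    """Evaluate one property/operator/value condition against a detection document."""
    prop, op, raw = COND.fullmatch(condition.strip()).groups()
    quant, test = OPS[op]
    return quant(test(v, literal(raw)) for v in lookup(doc, prop))
```

Note that `files.path@=C:\Users\Tim` is false against this document because the second file has no `path`, which is exactly the "all array values" semantics of `@=`.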
Exclusions can be disabled and will not be used until they are re-enabled. Once an exclusion has caused a detection to be automatically closed it cannot be deleted, only disabled. If you would like an exclusion removed from your audit log and deleted, please open a support ticket.
You can set a TTL for an exclusion. This will automatically disable the exclusion after the specified amount of time.
Rolling TTLs reset their timer each time the exclusion matches a detection. This ensures that common patterns in your environment remain excluded as long as they occur regularly. If the pattern stops occurring, the TTL will eventually expire and future occurrences will no longer be excluded.