Exclusions are a very powerful feature and when used correctly can reduce your false positive rate to zero. However, when done improperly they can silence important critical detections. The Wirespeed team is always here to help you review exclusions before deploying them.
Exclusions and their queries allow you to automatically close a case when it matches certain properties. These queries follow a simple property=value format, combining expressions with AND or OR. You may also wrap groups of conditions in parentheses to specify hierarchy. A simple example is category=IDENTITY__LOGIN and prevented=true which will automatically close all cases categorized as logins if they were automatically prevented by the source system.

Demo Video

You’ll notice the “Query Match” stays true once the first condition is typed. This is because any invalid query parts are not processed when queries are evaluated.

Query Format

Example Detection Query Format

  • property=value
  • property.sub=value
  • property=value AND property=value
  • property=value OR property=value
  • (property=value AND property=value) OR property=value
Is that enough property=values for you?

Operators

OperatorDescription
=equal
!=not equal
>=greater than or equal
<=less than or equal
>greater than
<less than
~contains
!~not contains
@=all array values equal
@~all array values contain
@~=some array values equal
@~~some array values contain
@!=no array values equal
@!~no array values contain

Property Values

You will be provided with a JSON document containing the property values you can query from. These are values from your detection and all of its associated assets. When typing in the search, property names will autocomplete. 
{
  "id": "WSPD-24",
  "name": "Late stage tools",
  "description": "LST \"Mimikatz\" discovered",
  "users": [{ "email": "jake@wirespeed.co" }, { "email": "tim@wirespeed.co" }],
  "externalIP": "1.1.1.1",
  "internalIPs": ["10.0.0.1", "10.0.0.2"],
  "files": [{ "name": "powershell.exe", "path": "C:\\Users\\Tim" }],
  "locations": [],
  "createdAt": "2024-11-02T15:36:00.433Z"
}
QueryResultDescription
name="Late stage tools"truename equals "Late stage tools"
id~WSPDtrueid contains WSPD
createdAt>2024-11-01T15:36:00.433ZtruecreatedAt is greater than 2024-11-02T15:36:00.433Z
name=nullfalsename is empty
externalIP~"1.1.1.0/24"trueexternalIP is in cidr range 1.1.1.0/24
description=/.*mimikatz.*/itruedescription matches regular expression /.*mimikatz.*/i
description="LST Mimikatz discovered"truedescription equals "LST Mimikatz discovered"

Arrays

Arrays are flattened and can be queried with the special @ operators.
Pay special attention to what array operator you are using. For example, using the “some array values equal” operator (@~=) will automatically close any cases containing at least one match, even if other values in the array do not match. Ensure this is the intended action.
QueryResultDescription
files.name@=powershell.exetrueAll files’ name equals powershell.exe
files.path@=C:\Users\TimtrueAll files’ path equals C:\Users\Tim
files.name@~shelltrueAll files’ name contains shell
internalIPs@~"10.0.0.0/24"trueAll internalIPs are in cidr range 10.0.0.0/24
users.email@~="jake@wirespeed.co"trueSome users’ email equals jake@wirespeed.co
users.email@~~jaketrueSome users’ email contains jake
users.email@!="some value"trueNo users’ email equals some value
users.email@!~nonetrueNo users’ email contains none
locations=nulltrueNo locations values
Dates must be provided in ISO 8601 format

Email addresses, CIDR ranges, and strings with spaces in them must be quoted

Double nested object arrays are not queryable at this time

If a string contains quotes inside of it, they are removed during comparison

Backslashes in strings are double escaped when presented in the UI, you only need to provide one escape when referring to them

Settings

Exclusions can be disabled and will not be used until they are reenabled. Once an exclusion has caused a detection to be automatically closed it cannot be deleted, only disabled. If you would like an exclusion removed from your audit log and deleted please open a support ticket.

TTL

You can set a TTL for an exclusion. This will automatically disable the exclusion after the specified amount of time.

Rolling TTLs

Rolling TTLs reset their timer each time the exclusion matches a detection. This ensures that common patterns in your environment remain excluded as long as they occur regularly. If the pattern stops occurring, the TTL will eventually expire and future occurrences will no longer be excluded.