When adding to an exclusion list, indicators are not
considered indicators. You can add indicators to an exclusion list.
Indicators added to the exclusion list
are ignored by the system and are not considered indicators. You
can still manually enrich IP addresses and URLs that are on the
exclusion list, but the results are not posted to the War Room.
There are several methods by which to add indicators to the exclusion list.
Delete and exclude
You can select one or more indicator from the Indicators
table and click the
Delete and Exclude
The indicators are deleted from the Indicators table and added to
the exclusion list. You can associate these indicators with one
or more indicator types.
Manually add indicators to the exclusion list
you can manually add a single indicator or define indicators using
a regular expression (regex) or CIDR.
A regular expression enables you to identify a sequence of characters
in an unknown string. The following example would identify www.demisto.com:
Classless inter-domain routing (CIDR) enables you to define a
range of IP addresses. For example, 192.168.100.14/24 represents
the IPv4 address 192.168.100.14 and its associated routing prefix
192.168.100.0, or equivalently, its subnet mask 255.255.255.0, which
has 24 leading 1-bits. The IPv4 block 192.168.100.0/22 represents
the 1024 IPv4 addresses from 192.168.100.0 to 192.168.103.255.