Exclusion List

When adding to an exclusion list, indicators are not considered indicators. You can add indicators to an exclusion list.
Indicators added to the exclusion list are ignored by the system and are not considered indicators. You can still manually enrich IP addresses and URLs that are on the exclusion list, but the results are not posted to the War Room.
There are several methods by which to add indicators to the exclusion list.

Delete and exclude

You can select one or more indicator from the Indicators table and click the
Delete and Exclude
button. The indicators are deleted from the Indicators table and added to the exclusion list. You can associate these indicators with one or more indicator types.

Manually add indicators to the exclusion list

From the
Exclusion List
page, you can manually add a single indicator or define indicators using a regular expression (regex) or CIDR.
Regex
A regular expression enables you to identify a sequence of characters in an unknown string. The following example would identify www.demisto.com:
[A-Za-z0-9!@#$%\.&]*demisto[A-Za-z0-9!@#$%\.&]*
.
CIDR
Classless inter-domain routing (CIDR) enables you to define a range of IP addresses. For example, 192.168.100.14/24 represents the IPv4 address 192.168.100.14 and its associated routing prefix 192.168.100.0, or equivalently, its subnet mask 255.255.255.0, which has 24 leading 1-bits. The IPv4 block 192.168.100.0/22 represents the 1024 IPv4 addresses from 192.168.100.0 to 192.168.103.255.

Recommended For You