Exclusion List
Indicators added to an exclusion list are disregarded
by the system. Add indicators to an exclusion list in Cortex XSOAR.
Allow list.
Indicators added to the exclusion list
are disregarded by the system, and are not created or involved in
automated flows such as indicator extraction. You can still manually
enrich IP addresses and URLs that are on the exclusion list, but the
results are not posted to the War Room.
There are several methods by which to add indicators to the exclusion list.
Delete and exclude Indicators
You can select one or more indicators from the Indicators table and click the Delete and Exclude button.
The indicators are deleted from the Indicators table and added to
the exclusion list. You can associate these indicators with one
or more indicator types. If you delete the indicator, it is removed from Cortex XSOAR.
This option should be used mainly for correcting errors in ingestion,
and not as part of your regular workflow.
Manually add indicators to the exclusion list
From the Exclusion List page, you can manually add a single indicator or define indicators using
a regular expression (regex) or CIDR.
Regex
A regular expression enables you to identify a sequence of characters
in an unknown string. The following example would identify www.demisto.com:
[A-Za-z0-9!@#$%\.&]*demisto[A-Za-z0-9!@#$%\.&]*
CIDR
Classless inter-domain routing (CIDR) enables you to define a
range of IP addresses. For example, the IPv4 block 192.168.100.0/22
represents the 1024 IPv4 addresses from 192.168.100.0 to 192.168.103.255.
Exclusion List Examples
Exclusion | Description | Settings |
---|---|---|
URLs, domains, and subdomains | Excludes the top level domain (TLD), its subdomains, and URLs (http or https) on the top level domain. | |
Subdomain (and URLs) specifically | Excludes the given subdomain and its URLs, but the TLD is still extracted. | |
Specific domain only | Specifically excludes the TLD. Subdomains and URLs are still extracted. | |
URL with wildcards | Excludes any indicators of type URL matching the regex. Indicators example.com and examplesub.example.com of type Domain would still be extracted. Start the regex with https?:// to exclude both HTTP and HTTPS URLs. | |
Specific URL | Excludes the given URL, but the TLD and subdomains are still extracted. | |
URLs, domain, and subdomains, case-insensitive, anchored to start | Excludes domain example.com, its subdomains, and its URLs. Case-insensitive. Anchors regex match to the start of the indicator value, so indicators that contain but do not start with a match (e.g., example.net?param=example.com) are not excluded. | |
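
A way to check candidate regex and CIDR entries against sample indicators before adding them to the exclusion list, so an over-broad entry does not silently hide indicators you still want extracted. This is an added example, not code from the Cortex XSOAR documentation. It assumes an unanchored regex entry matches anywhere in the indicator value (as the anchored row in the table implies) and uses Python's re module as a stand-in for the product's regex engine; the anchored pattern, helper names and sample indicators are constructed.

```python
import ipaddress
import re

# Regex and CIDR copied from the page; the anchored pattern is constructed here.
PAGE_REGEX = r"[A-Za-z0-9!@#$%\.&]*demisto[A-Za-z0-9!@#$%\.&]*"
ANCHORED_REGEX = r"^(https?://)?([a-z0-9-]+\.)*example\.com(/|$)"
PAGE_CIDR = "192.168.100.0/22"


def regex_excludes(pattern, value, ignore_case=False):
    """Assumption: an entry excludes a value if the regex matches anywhere in it."""
    flags = re.IGNORECASE if ignore_case else 0
    return re.search(pattern, value, flags) is not None


def cidr_excludes(cidr, value):
    """True if value is an IP address inside the CIDR block."""
    try:
        return ipaddress.ip_address(value) in ipaddress.ip_network(cidr)
    except ValueError:  # value is not an IP address
        return False


def cidr_range(cidr):
    """Return (first address, last address, address count) for a CIDR block."""
    net = ipaddress.ip_network(cidr)
    return str(net[0]), str(net[-1]), net.num_addresses


def audit(check, samples):
    """Map each sample indicator to whether the candidate entry would hide it."""
    return {s: check(s) for s in samples}


# Constructed sample indicators, not taken from any real feed.
REGEX_SAMPLES = ["www.demisto.com", "demisto-login.example.net", "example.org"]
ANCHOR_SAMPLES = ["HTTPS://Sub.Example.com/a", "example.net?param=example.com",
                  "notexample.com"]
IP_SAMPLES = ["192.168.100.0", "192.168.103.255", "192.168.104.1"]

if __name__ == "__main__":
    print(audit(lambda v: regex_excludes(PAGE_REGEX, v), REGEX_SAMPLES))
    print(audit(lambda v: regex_excludes(ANCHORED_REGEX, v, True), ANCHOR_SAMPLES))
    print(cidr_range(PAGE_CIDR), audit(lambda v: cidr_excludes(PAGE_CIDR, v), IP_SAMPLES))
```

Under the substring-match assumption, the page's regex also hides the unrelated value demisto-login.example.net, because both character classes may match zero characters.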