Configure rule exclusions

Create exclusions from the Exclusions tab

You might find that the curated detections provided by the Google Cloud Threat Intelligence (GCTI) team are generating too many detections. You can configure exclusions to the curated detection rules to help reduce the volume of these detections. Rule exclusions are used only with Google Security Operations curated detections.

To configure an exclusion to a curated detection rule, complete the following steps:

  1. In the navigation bar, select Rules & Detections. Click the Exclusions tab.

  2. Click Create Exclusion to create a new exclusion. The Create Exclusion window opens.

    Figure 1: Create Exclusion

  3. Specify a unique exclusion name. This name will appear in the list of exclusions on the Exclusions tab.

  4. Select the Rule or Rule Set to apply the exclusion to. You can either scroll through the list of rules or search for a particular rule using the search field and clicking Search. Rules in a rule set are displayed only if they triggered a detection.

  5. Define the condition to exclude on by selecting a UDM Field, choosing an operator, and entering a value. Press the Enter key after each value; otherwise you receive an error message when you click + Conditional Statement. For example, you might exclude detections where principal.hostname = google.com.

    You can enter additional values to a condition. Each time you press the Enter key, the value is recorded and you are able to enter another value. Multiple values for one condition are joined using a logical OR, meaning an exclusion matches if any of the values matches.

    You can add additional conditions to this exclusion by clicking + Conditional Statement. If you attempt to specify an invalid condition, you will receive an error message. Multiple conditions are joined using a logical AND, meaning an exclusion only matches if every one of the conditions also matches.

  6. (Optional) Click Run Test to see how many detections the exclusion would have suppressed, computed by evaluating it against the detections recorded over the past two weeks. Use this count to confirm the exclusion is no broader than you intend before you enable it.

  7. (Optional) Uncheck Enable Exclusion Upon Creation if you want the exclusion to be created in a disabled state (the option is checked by default).

  8. Click Add Rule Exclusion when ready.
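The matching semantics in steps 5 and 6 (values within one condition are ORed, conditions are ANDed, and Run Test counts matches over the past two weeks) are easy to get wrong when you are tuning noisy curated rules. The following stand-alone model is an added example, not Google SecOps code or its API: the rule names curated_rule_A and curated_rule_B, the detection records, the dict layout of a detection, and the operator set (= and !=) are all assumptions made for illustration. It shows that adding a second condition narrows an exclusion, and that Run Test does not count a detection older than the two-week window even though the exclusion would still suppress it.

```python
"""Model of curated-detection rule exclusions (example code, not Google SecOps).

Assumptions: a detection is a dict with the rule name, a timestamp and a
nested UDM event; the operator set is "=" and "!="; rule names and all
detection records below are constructed for this example.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Any


@dataclass
class Condition:
    udm_field: str        # dotted UDM path, e.g. "principal.hostname"
    operator: str         # "=" or "!=" (assumed operator set)
    values: list[str]     # several values in one condition: logical OR


@dataclass
class Exclusion:
    name: str
    rule: str                     # curated rule (or rule set) it applies to
    conditions: list[Condition]   # several conditions: logical AND
    enabled: bool = True


def get_udm(event: dict, path: str) -> Any:
    """Walk a dotted UDM path into a nested dict; None if the field is absent."""
    cur: Any = event
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def condition_matches(cond: Condition, event: dict) -> bool:
    actual = get_udm(event, cond.udm_field)
    if cond.operator == "=":
        # OR across values: the field equals any one of the listed values
        return actual is not None and str(actual) in cond.values
    if cond.operator == "!=":
        # assumed semantics: the field is none of the listed values
        return actual is None or str(actual) not in cond.values
    raise ValueError(f"unsupported operator {cond.operator!r}")


def exclusion_matches(excl: Exclusion, detection: dict) -> bool:
    """AND across conditions, scoped to the exclusion's rule."""
    if detection["rule"] != excl.rule:
        return False
    return all(condition_matches(c, detection["event"]) for c in excl.conditions)


def run_test(excl: Exclusion, detections: list[dict], now: datetime,
             window: timedelta = timedelta(days=14)) -> int:
    """Count detections from the last two weeks the exclusion would suppress."""
    cutoff = now - window
    return sum(1 for d in detections
               if d["detected_at"] >= cutoff and exclusion_matches(excl, d))


def apply_exclusions(exclusions: list[Exclusion], detections: list[dict]) -> list[dict]:
    """Return the detections that survive every enabled exclusion."""
    return [d for d in detections
            if not any(e.enabled and exclusion_matches(e, d) for e in exclusions)]


NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def _det(rule: str, hostname: str, userid: str, days_ago: int) -> dict:
    return {"rule": rule,
            "detected_at": NOW - timedelta(days=days_ago),
            "event": {"principal": {"hostname": hostname, "user": {"userid": userid}}}}


SAMPLE_DETECTIONS = [  # constructed sample data
    _det("curated_rule_A", "google.com", "svc-backup", 2),
    _det("curated_rule_A", "www.google.com", "svc-backup", 5),
    _det("curated_rule_A", "google.com", "alice", 1),
    _det("curated_rule_A", "evil.example", "svc-backup", 3),
    _det("curated_rule_B", "google.com", "svc-backup", 1),   # different rule
    _det("curated_rule_A", "google.com", "svc-backup", 20),  # outside test window
]

# Two conditions ANDed: only the backup account's lookups of either hostname.
NARROW = Exclusion("backup host noise", "curated_rule_A", [
    Condition("principal.hostname", "=", ["google.com", "www.google.com"]),
    Condition("principal.user.userid", "=", ["svc-backup"]),
])
# Dropping the userid condition widens the net to every user.
BROAD = Exclusion("all google hostnames", "curated_rule_A", [
    Condition("principal.hostname", "=", ["google.com", "www.google.com"]),
])

if __name__ == "__main__":
    print("Run Test, narrow:", run_test(NARROW, SAMPLE_DETECTIONS, NOW))
    print("Run Test, broad: ", run_test(BROAD, SAMPLE_DETECTIONS, NOW))
    print("left after narrow:", len(apply_exclusions([NARROW], SAMPLE_DETECTIONS)))
```

Compare the two Run Test counts before enabling an exclusion: the broad form also swallows the detection for a user you may care about, which is exactly the kind of over-suppression the test count is there to catch.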

Create exclusions from the UDM viewer

You can also create exclusions from within the UDM viewer by completing the following steps:

  1. In the navigation bar, select Rules & Detections. Click the Curated Detections tab.

  2. Click Dashboard and then select a rule with detections.

  3. Navigate to an event in the Timeline and click the Raw Log and UDM Event viewer icon.

  4. In the UDM Event view, select the UDM field to exclude, select View Options, and then select Exclude. The Create Exclusion window opens. The window is pre-populated with the rule, UDM field, and value drawn from your UDM selection.

  5. Give the new exclusion a unique name.

  6. (Optional) Click Run Test to see how many detections the exclusion would have suppressed, computed by evaluating it against the detections recorded over the past two weeks.

  7. Click Add Rule Exclusion when ready.

Manage exclusions

Once you have created one or more exclusions, the following options are available from the Exclusions tab (in the navigation bar, select Rules & Detections, then click the Exclusions tab):

  • The exclusions are listed in the exclusions table. You can disable any of the exclusions listed by setting the Enabled toggle to Disabled.
  • You can filter which exclusions are displayed by clicking the filter icon. Select the Enabled, Disabled, or Archived options as needed.
  • To edit an exclusion, click the menu icon and select Edit.
  • To archive an exclusion, click the menu icon and select Archive.
  • To unarchive an exclusion, click the menu icon and select Unarchive.