- 01 Jul 2024
- 3 Minutes to read
- Print
- PDF
Create Data Detection and Response Alert Exclusions
- Updated on 01 Jul 2024
- 3 Minutes to read
- Print
- PDF
Overview
Alert exclusions streamline the process of refining Data Detection and Response (DDR) policies by addressing situations where legitimate or recognized processes trigger alerts. This can occur when legitimate procedures align with the criteria triggering a specific alert. Exclusions enable the establishment of rules that instruct the DDR mechanism not to generate alerts in such cases, thereby reducing noise and overhead caused by acknowledged legitimate behavior.
This procedure describes how to do the following:
- Create a rule to exclude use cases from DSPM Data Detection and Response (DDR) alerts.
- Edit an exclusion rule.
- Delete an exclusion rule.
Create a Rule to Exclude Use Cases from DDR Alerts
- In the DSPM side menu, click Settings and go to the Exclusions tab. The Exclusions tab lists the rules in which use cases are excluded from the Risk and Alert policies.
- Click Add New. The New Exclusion Rule window opens.
- In the New Exclusion Rule window, choose one of the following options:
Alert Exclusion: Prevent specific alerts from triggering for designated scenarios.
Risk Exclusion: Customize your security settings by excluding specific risk factors.
Alert Exclusion
Prevent specific alerts from triggering for designated scenarios.
- Click the Alert Exclusion option, and then click Next.
- In the Alerts exclusion rulesection, define alert exclusions to customize your data security configurations:
- Provide a descriptive name for the exclusion rule to easily identify its purpose.
- If required, provide a short description about the exclusion rule.
- In the Affected policies drop-down list, select the policies to be included in the exclusion rule.
- In the Additional exclusion options section, select at least one of the following additional parameters.
- Affected Assets: In the drop-down list select the assets to be included in the exclusion rule.
- Destination: In the drop-down list select the Cloud (AWS, Azure, GCP) to be included in the exclusion rule.
- Actor: Configure how to identify the actor. Choose between Email, Role Name, or Project ID and enter the actor’s name in the field provided.
- Source IP: Enter the source IP or CIDR (Classless Inter-Domain Routing) to be included in the exclusion rule.
- Click Create. The new exclusion rule is displayed in the list of Exclusion Rules alongside the following information:
- Rule Name: The name of the rule.
- Scope: Alerts/Risks.
- Rule Query: The parameters you selected when configuring the exclusion rule.
- Date Created: The date the exclusion rule was created.
- Last Modified: If the exclusion rule is modified, the date it was modified appears under this column.
- Last Modified By: If the exclusion rule is modified, the email address of the person who modified the rule appears under this column.
- Description: If a description was added to the exclusion rule, hover over the blue icon to reveal the description.
Create an Exclusion Rule From an Alert
It is also possible to create an exclusion rule from an alert, as described below.
- In the DSPM side menu, click Alerts. The Alerts window opens.
- Click the name of the alert you want to exclude. The side draw opens.
- In the side draw, click Options, and choose Exclude similar alerts. The Alerts exclusion rule window opens.
- Enter the information in the Alerts exclusion rule window as described in the previous section.
Risk Exclusion
Customize your security settings by excluding specific risk factors.
- Click the Risk Exclusion option, and then click Next.
- In the Risks exclusion ruleform, specify risk exclusions to customize your data security configurations:
- Provide a descriptive name for the exclusion rule to easily identify its purpose.
- If required, provide a short description about the exclusion rule.
- In the Cloud drop-down list select the cloud (AWS, Azure, GCP, Microsoft 365) to be included in the exclusion rule.
- In the Permitted project field, enter the name of the project of the project ID.
- Click Create. The new exclusion rule is displayed in the list of Exclusion Rules.
Edit an Exclusion Rule
Do the following to edit an exclusion rule:
- In the DSPM side menu, click Settings and go to the Exclusions tab. The Exclusions tab lists the rules in which use cases are excluded from the Risk and Alert policies.
- Go to the rule you wish to edit, and click Edit.
- Edit the exclusion rule as required, and click Edit. The edited exclusion rule is displayed in the list of Exclusion Rules alongside the date and person who modified the rule.
Delete an Exclusion Rule
Do the following to delete an exclusion rule:
- In the DSPM side menu, click Settings and go to the Exclusions tab. The Exclusions tab lists the rules in which use cases are excluded from the Risk and Alert policies.
- Go to the rule you wish to edit, and click Delete.
- When prompted, click Delete. The deleted exclusion rule is deleted and is no longer visible in the list of Exclusion Rules.