To reduce false positives or duplicate events in your detection results, you can create exceptions for detection rules. When you create a detection exception, the specified processes will not be evaluated by the Aurora Focus detection engine. Use caution when you create detection exceptions, because they have the potential to reduce the overall security of devices.
Note: If you create and enable a rule exception that uses only RegEx matches for conditions, it may cause higher than normal CPU usage on some systems with a consistently high number of events, due to the rule exception running on every event. If you encounter this issue, Arctic Wolf recommends disabling the rule exception that uses RegEx matches for conditions.
- In the management console, on the menu bar, click Focus > Configurations.
- On the Exceptions tab, click Create Exception.
- Type a name for the detection exception.
- In the Conditions section, configure exception conditions. Click Add Another Condition to configure additional exceptions.
In a detection exception, an AND statement is applied to all conditions. All conditions must be met for the exception to be true. When you specify a value for a condition, it is treated as an ANY statement. When two or more values are added, if any of the values exist, the condition is true.
- Click Save.
On the menu bar, click Focus > Configurations, then click the Rule Sets tab. Edit a detection rule set and assign the detection exception to the desired rules. Click Confirm.
