Configure exceptions for the Behavioral Detection Engine

If you want the Behavioral Detection Engine to disregard certain types of detections, you can create exceptions. The Behavioral Detection Engine will not collect or use telemetry data or generate alerts for detections that match the exception criteria that you specify.

Do any of the following:

Create an exception using the data from an alert group

You can use an existing Aurora Focus alert group from the Alerts view to create and prepopulate an exception.

  1. In the management console, on the menu bar, click Alerts.
  2. Search for and click an Aurora Focus alert group.
  3. Click Actions > Add exception.
  4. If necessary, change the exception name.
  5. Type a description for the exception.
  6. In the Conditions section, change the prepopulated conditions as required. Click Add in the list of conditions to add more conditions.

    All conditions must be met for the exception to apply (the conditions are combined with AND). Within a single condition, the values you specify form an ANY statement: when two or more values are added, the condition is true if any one of them matches.

  7. On the Assigned To tab, in the Assigned to drop-down list, click one of the following:
    1. Global: The exception applies to your organization’s entire Aurora Endpoint Security tenant.
    2. Zones: The exception applies to the zones that you select.
    3. Devices: The exception applies to the devices that you select.
    4. Device policies: The exception applies to the device policies that you select.
  8. Click Add.

Create an exception by specifying the criteria manually

  1. In the management console, on the menu bar, click Focus > Behavioral Detection Engine.
  2. On the Exceptions tab, click Add > Add exception.
  3. In the Tactic drop-down list, click a MITRE tactic.
  4. In the Technique drop-down list, click a MITRE technique.
  5. In the Alert description section, search for and select an alert type.
  6. Click Next.
  7. If necessary, change the exception name.
  8. Type a description for the exception.
  9. In the Conditions section, specify the artifact, facet, operator, and values for the exception. Click Add in the list of conditions to add more conditions.

    All conditions must be met for the exception to apply (the conditions are combined with AND). Within a single condition, the values you specify form an ANY statement: when two or more values are added, the condition is true if any one of them matches.

  10. On the Assigned To tab, in the Assigned to drop-down list, click one of the following:
    1. Global: The exception applies to your organization’s entire Aurora Endpoint Security tenant.
    2. Zones: The exception applies to the zones that you select.
    3. Devices: The exception applies to the devices that you select.
    4. Device policies: The exception applies to the device policies that you select.
  11. Click Add.
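The two procedures above describe the same matching rule: conditions are combined with AND, values inside one condition with OR. The following Python model is an added example to make that concrete; it is not the product's code or schema, and the artifact names, facet names, operators and sample detections are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Condition:
    """One row of the Conditions section: artifact, facet, operator, values."""
    artifact: str        # e.g. "process" (assumed artifact name)
    facet: str           # e.g. "path" or "command_line" (assumed facet names)
    operator: str        # "equals" or "contains" (assumed operators)
    values: list[str]    # several values form an ANY statement (OR)

    def matches(self, detection: dict) -> bool:
        observed = detection.get(self.artifact, {}).get(self.facet)
        if observed is None:
            return False
        observed = observed.lower()  # matching assumed case-insensitive
        if self.operator == "equals":
            return any(observed == v.lower() for v in self.values)
        if self.operator == "contains":
            return any(v.lower() in observed for v in self.values)
        raise ValueError(f"unsupported operator {self.operator!r}")

@dataclass
class ExceptionRule:
    name: str
    conditions: list[Condition]

    def suppresses(self, detection: dict) -> bool:
        # All conditions must be met (AND); only the values inside a
        # single condition are combined with OR.
        return all(c.matches(detection) for c in self.conditions)

def suppressed_indices(rule: ExceptionRule, detections: list[dict]) -> list[int]:
    """Indices of detections the rule would silence (no telemetry, no alert)."""
    return [i for i, d in enumerate(detections) if rule.suppresses(d)]

# Constructed sample data; paths and command lines are illustrative only.
EXAMPLE_RULE = ExceptionRule(
    name="Nightly backup job",
    conditions=[
        Condition("process", "path", "equals",
                  [r"C:\Tools\backup.exe", r"C:\Tools\sync.exe"]),
        Condition("process", "command_line", "contains", ["--schedule"]),
    ],
)
SAMPLE_DETECTIONS = [
    {"process": {"path": r"C:\Tools\backup.exe", "command_line": "backup.exe --schedule nightly"}},
    {"process": {"path": r"C:\Tools\backup.exe", "command_line": "backup.exe --verbose"}},
    {"process": {"path": r"C:\Users\Public\run.exe", "command_line": "run.exe --schedule nightly"}},
]
# Only the first detection satisfies both conditions, so only it is suppressed.
```

Running the model against a sample of recent detections before saving an exception shows exactly which alerts a Global or zone-wide rule would silence, which is the check to make before broadening its conditions.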

Export exceptions

You can export exceptions if you want to save a backup or if you want to transfer exceptions to a different Aurora Endpoint Security tenant (see the import steps below). Each exception is exported as a separate .json file collected in a .zip file.

  1. In the management console, on the menu bar, click Focus > Behavioral Detection Engine.
  2. On the Exceptions tab, search for and select one or more exceptions.
  3. Click the Export icon.
  4. Specify a name for the .zip file.
  5. Click Export.

Import exceptions

If you exported exceptions (see the export steps above), you can import them to an Aurora Endpoint Security tenant. You can import a .zip file that contains up to 100 exceptions.

  1. In the management console, on the menu bar, click Focus > Behavioral Detection Engine.
  2. On the Exceptions tab, click Add > Import exceptions.
  3. Click Browse Files. Navigate to and select the .zip file.
  4. Click Import.