Exclusion List - Administrator Guide - 6.5 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Administrator Guide

Product
Cortex XSOAR
Version
6.5
Creation date
2022-09-28
Last date published
2024-03-21
End_of_Life
EoL
Category
Administrator Guide
Abstract

When adding to an exclusion list, indicators are disregarded by the system. Add indicators to an exclusion list in Cortex XSOAR using Allow list.

Indicators added to the exclusion list are disregarded by the system, and are not created or involved in automated flows such as indicator extraction. You can still manually enrich IP addresses and URLs that are on the exclusion list, but the results are not posted to the War Room.

There are several methods by which to add indicators to the exclusion list.

Delete and Exclude Indicators

You can select one or more indicators from the Indicators table and click the Delete and Exclude button. The indicators are deleted from the Indicators table and added to the exclusion list. You can associate these indicators with one or more indicator types.

If you delete the indicator it is removed from Cortex XSOAR. This option should be used mainly for correcting errors in ingestion, and not as part of your regular work flow.

Manually Add Indicators to the Exclusion List

From the Exclusion List page, you can manually add a single indicator or define indicators using a regular expression (regex) or CIDR.

Regex

A regular expression enables you to identify a sequence of characters in an unknown string. The following example would identify www.demisto.com: [A-Za-z0-9!@#$%\.&]*demisto[A-Za-z0-9!@#$%\.&]*.

CIDR

Classless inter-domain routing (CIDR) enables you to define a range of IP addresses. For example, the IPv4 block 192.168.100.0/22 represents the 1024 IPv4 addresses from 192.168.100.0 to 192.168.103.255.

Exclusion List Examples

Exclusion

Description

Settings

URLs, domains, and subdomains

Excludes the top level domain (TLD), its subdomains, and URLs (http or https) on the top level domain.

  • Value: The top-level domain (TLD). Example: example.com

  • Check Use Regex.

  • Do not select any indicator types.

Subdomain (and URLs) specifically

Excludes the given subdomain and its URLs, but the TLD is still extracted.

  • Value: The subdomain. Example: examplesub.example.com

  • Check Use Regex.

  • Do not select any indicator types.

Specific domain only

Specifically excludes the TLD. Subdomains and URLs are still extracted.

  • Value: The domain. Example: example.com

  • Do NOT select Use Regex.

  • Select indicator type: Domain.

URL with wildcards

Excludes any indicators of type URL matching the regex. Indicators example.com and examplesub.example.com of type Domain would still be extracted. Start the regex with https?:// to exclude both HTTP and HTTPS URLs.

  • Value: The URL with wildcard added at the end. Example: http://examplesub.example.com/*

  • Check Use Regex.

  • Select indicator type: URL.

Specific URL

Excludes the given URL, but the TLD and subdomains are still extracted.

  • Value: The URL. Example: http://examplesub.example.com/myexample

  • Do NOT select Use Regex.

  • Select indicator type: URL.

URLs, domain, and subdomains, case-insensitive, anchored to start

Excludes domain example.com, its subdomains, and its URLs. Case-insensitive. Anchors regex match to the start of the indicator value, so indicators that contain but do not start with a match (e.g., example.net?param=example.com) are not excluded.

  • Value example: (?i)^(https?://)?(([a-zA-Z0-9\-]+\.)+)?example\.com

  • Check Use Regex.

  • Select indicator types: URL, Domain.