Delete and exclude indicators - Administrator Guide - 8.5 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR On-prem Documentation

Product: Cortex XSOAR
Version: 8.5
Creation date: 2024-03-10
Last date published: 2024-10-31
Category: Administrator Guide
Solution: On-prem
Abstract

Indicators added to an exclusion list are disregarded by the system. Add indicators to an exclusion list in Cortex XSOAR.

Indicators added to an exclusion list are disregarded by the system and are not created or involved in automated flows such as indicator extraction. You can still manually enrich IP addresses and URLs that are on the exclusion list, but the results are not posted to the War Room.

Add indicators to the exclusion list either in the Indicators table or in the Exclusion List page.

Delete and exclude indicators in the Indicators table

Select one or more indicators from the Indicators table and click the Delete and Exclude button. The indicators are deleted from the Indicators table and added to the exclusion list. You can associate these indicators with one or more indicator types.

If you delete the indicator, it is removed from Cortex XSOAR. This option should be used mainly for correcting errors in ingestion, and not as part of your regular workflow.

Add indicators in the Exclusion List page

From the Exclusion List page, you can view the list of excluded indicators, add an indicator to the exclusion list, or define indicator values to be excluded using a regular expression (regex) or CIDR.

  1. Select Settings & Info > Settings > Object Setup > Indicators > Exclusion List > New excluded indicator.

  2. Add the indicator value. For example, example.com (for a domain).

    Caution

    Ensure you are using the correct syntax when defining the values for your exclusion lists.

  3. Select whether to use Regex.

    A regular expression enables you to identify a sequence of characters in an unknown string. The following example would identify www.demisto.com: [A-Za-z0-9!@#$%\.&]*demisto[A-Za-z0-9!@#$%\.&]*.

    Classless inter-domain routing (CIDR) enables you to define a range of IP addresses. For example, the IPv4 block 192.168.100.0/22 represents the 1024 IPv4 addresses from 192.168.100.0 to 192.168.103.255.

  4. Add a reason as to why you are excluding the indicator.

  5. Add the indicator types that apply.

  6. Save the excluded indicator.

Exclusion list examples

Exclusion: Domain, URLs, and subdomains
Description: Excludes a specific domain, and all subdomains and URLs associated with the domain.
Settings: Define two entries to cover all URLs and subdomains associated with a specific domain.

Entry one:

  • Value: Subdomains and URLs. Example: \.example\.com

  • Select Use Regex.

  • Do not select any indicator types.

Entry two:

  • Value: The specific domain. Example: example.com

  • Do NOT select Use Regex.

  • Do not select any indicator types.

Exclusion: Subdomain (and URLs) specifically
Description: Excludes any subdomains and URLs of a domain, but the domain is still extracted.
Settings:

  • Value: Subdomains and URLs. Example: \.example\.com

  • Select Use Regex.

  • Do not select any indicator types.

Exclusion: Specific domain only
Description: Excludes a specific domain. Subdomains and URLs are still extracted.
Settings:

  • Value: The specific domain. Example: example.com

  • Do NOT select Use Regex.

  • Select indicator type: Domain.

Exclusion: URL with wildcards
Description: Excludes any indicators of type URL matching the regex. Indicators example.com and examplesub.example.com of type Domain would still be extracted. Start the regex with https?:// to exclude both HTTP and HTTPS URLs.
Settings:

  • Value: The URL with wildcard added at the end. Example: http://examplesub.example.com

  • Select Use Regex.

  • Select indicator type: URL.

Exclusion: Specific URL
Description: Excludes a specific URL, but the domain and subdomains are still extracted.
Settings:

  • Value: The specific URL. Example: http://examplesub.example.com/myexample

  • Do NOT select Use Regex.

  • Select indicator type: URL.

Exclusion: URLs, domain, and subdomains, case-insensitive, anchored to start
Description: Excludes domain example.com, its subdomains, and its URLs. Case-insensitive. Anchors the regex match to the start of the indicator value, so indicators that contain but do not start with a match (e.g., example.net?param=example.com) are not excluded.
Settings:

  • Value: Domain, subdomains and URLs, case insensitive and anchored to the start of the indicator. Example: (?i)^(https?://)?(([a-zA-Z0-9\-]+\.)+)?example\.com

  • Select Use Regex.

  • Select indicator types: URL, Domain.

Exclusion: All URLs
Description: Excludes all URLs for a specific domain that have a path (even an empty path), but the domain and subdomains are still extracted.
Settings:

  • Value: URLs with or without a path. Example: example\.com/

  • Select Use Regex.

  • Do not select any indicator types.
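Because an over-broad exclusion silently drops indicators from extraction, it is worth checking candidate regex and CIDR values against sample indicators before saving them. The following Python script is an added example, not Cortex XSOAR code: it replays this guide's example entries (the step 3 regex/CIDR values and the table above) against constructed indicators. The matching semantics (unanchored regex search, exact match for plain values, CIDR containment, type filter only when types are set) and the "IP" type name are assumptions inferred from the guide's wording.

```python
import ipaddress
import re
from typing import Optional

# Constructed entries mirroring this guide's examples (not exported from XSOAR).
# Fields: value, use_regex, indicator types (empty set = applies to every type).
SUBDOMAINS_AND_URLS = (r"\.example\.com", True, set())
DOMAIN_ONLY = ("example.com", False, {"Domain"})
ANCHORED = (r"(?i)^(https?://)?(([a-zA-Z0-9\-]+\.)+)?example\.com", True, {"URL", "Domain"})
ALL_URLS = (r"example\.com/", True, set())
CIDR_BLOCK = ("192.168.100.0/22", False, {"IP"})  # "IP" type name is an assumption


def _in_cidr(block: str, value: str) -> bool:
    """True when value is an IP address inside the CIDR block (False if not IP/CIDR)."""
    try:
        return ipaddress.ip_address(value) in ipaddress.ip_network(block, strict=False)
    except ValueError:
        return False


def matches(entry, value: str, indicator_type: str) -> bool:
    """Decide whether one exclusion entry would catch an indicator.

    Assumed semantics, inferred from the guide rather than stated by it: regex
    entries use an unanchored search (hence the guide's explicit ^ example),
    plain entries match exactly or as a CIDR block, and the type filter only
    applies when the entry names indicator types.
    """
    pattern, use_regex, types = entry
    if types and indicator_type not in types:
        return False
    if use_regex:
        return re.search(pattern, value) is not None
    return value == pattern or _in_cidr(pattern, value)


def first_exclusion(value: str, indicator_type: str, entries) -> Optional[str]:
    """Return the value of the first entry that excludes the indicator, else None."""
    for entry in entries:
        if matches(entry, value, indicator_type):
            return entry[0]
    return None


if __name__ == "__main__":
    entries = [SUBDOMAINS_AND_URLS, DOMAIN_ONLY, ANCHORED, ALL_URLS, CIDR_BLOCK]
    for value, kind in [("mail.example.com", "Domain"), ("example.net?param=example.com", "URL"),
                        ("192.168.103.255", "IP")]:
        print(value, kind, "->", first_exclusion(value, kind, entries))
```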