Exception Rules

Exception rules suppress specific alert conditions without disabling the entire detection. They’re essential for managing false positives while maintaining detection coverage.

Why Exception Rules?

Instead of:
  • ❌ Disabling a rule entirely (losing detection coverage)
  • ❌ Modifying the rule (affects all environments)
Use exceptions to:
  • ✅ Suppress specific known-good activity
  • ✅ Keep the rule active for other matches
  • ✅ Document tuning decisions

Creating Exceptions

From an Alert

The easiest way to create an exception:
  1. Open a false positive alert
  2. Click Create Exception
  3. Select fields from the matched log
  4. Configure operators and values
  5. Save the exception
CHAD pre-populates field values from the alert.

From the Rule Editor

  1. Open the rule
  2. Click Exceptions tab
  3. Click Add Exception
  4. Define the exception conditions

Exception Logic

Simple Exceptions

A single condition:
Field: source.ip
Operator: equals
Value: 10.0.0.1
This suppresses alerts where source.ip equals 10.0.0.1.

AND Logic (Same Group)

Multiple conditions with the same group_id are ANDed:
Group 1:
  - source.ip equals 10.0.0.1
  - user.name equals admin
Both conditions must match to suppress the alert.

OR Logic (Different Groups)

Different groups are ORed:
Group 1:
  - source.ip equals 10.0.0.1
  - user.name equals admin

Group 2:
  - source.ip equals 10.0.0.2
If either Group 1 (both conditions) OR Group 2 matches, the alert is suppressed.

Operators

Operator      Description             Example
equals        Exact match             user.name equals admin
not_equals    Does not match          user.name not_equals SYSTEM
contains      Substring match         process.command contains temp
not_contains  Substring not present   path not_contains malware
starts_with   Prefix match            file.path starts_with C:\Windows
ends_with     Suffix match            file.name ends_with .exe
regex         Regular expression      user.name regex ^svc_.*
in_list       Match any value         source.ip in_list [10.0.0.1, 10.0.0.2]

Examples

Suppress Specific User on Specific Host

Group 1:
  - host.name equals JUMPBOX01
  - user.name equals admin

Suppress Known Service Accounts

Group 1:
  - user.name regex ^svc_.*

Group 2:
  - user.name in_list [SYSTEM, LOCAL SERVICE, NETWORK SERVICE]

Suppress Traffic to Approved Destinations

Group 1:
  - destination.ip starts_with 10.
  - destination.port in_list [443, 8443]
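The group semantics and operators above, as an added worked example that is not CHAD's own code: a small evaluator that applies an exception (conditions ANDed within a group, groups ORed) to an alert event. Assumed: field names are dotted paths into a nested event, values are compared as strings exactly and case-sensitively, regex uses search so the anchors shown on this page behave as written, and a condition on a missing field never matches (so the alert still fires).

```python
import re
from typing import Any, Dict, List

# Operator semantics as described on this page (assumption: string compare,
# case-sensitive; regex is a search so ^svc_.* anchors at the start).
OPERATORS = {
    "equals":       lambda v, a: v == a,
    "not_equals":   lambda v, a: v != a,
    "contains":     lambda v, a: a in v,
    "not_contains": lambda v, a: a not in v,
    "starts_with":  lambda v, a: v.startswith(a),
    "ends_with":    lambda v, a: v.endswith(a),
    "regex":        lambda v, a: re.search(a, v) is not None,
    "in_list":      lambda v, a: v in a,
}

def get_field(event: dict, field: str) -> Any:
    """Resolve a dotted field name such as 'source.ip' against a nested event."""
    cur: Any = event
    for part in field.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def condition_matches(event: dict, cond: dict) -> bool:
    value = get_field(event, cond["field"])
    if value is None:          # missing field: condition fails, alert is not suppressed
        return False
    return OPERATORS[cond["operator"]](str(value), cond["value"])

def is_suppressed(event: dict, groups: Dict[int, List[dict]]) -> bool:
    """Conditions inside one group are ANDed; separate groups are ORed."""
    return any(all(condition_matches(event, c) for c in conds)
               for conds in groups.values())

# Constructed exception mirroring the 'Suppress Known Service Accounts' example.
SERVICE_ACCOUNT_EXCEPTION = {
    1: [{"field": "user.name", "operator": "regex", "value": r"^svc_.*"}],
    2: [{"field": "user.name", "operator": "in_list",
         "value": ["SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE"]}],
}

if __name__ == "__main__":
    # Constructed sample users: the first two are suppressed, the last two still alert.
    for name in ("svc_backup", "NETWORK SERVICE", "jsmith", "mysvc_x"):
        hit = is_suppressed({"user": {"name": name}}, SERVICE_ACCOUNT_EXCEPTION)
        print(f"{name!r:20} -> {'suppressed' if hit else 'alerts'}")
```

Note how "mysvc_x" is not suppressed: the ^ anchor keeps the regex from matching any user that merely contains svc_, which is the over-matching risk the best practices below warn about.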

Managing Exceptions

View All Exceptions

  1. Open the rule
  2. Click Exceptions tab
  3. See all active exceptions

Edit an Exception

  1. Click the exception
  2. Modify conditions
  3. Save changes

Disable an Exception

Temporarily disable without deleting:
  1. Click the exception
  2. Toggle Enabled off
  3. The exception is kept but no longer applied

Delete an Exception

  1. Click the exception
  2. Click Delete
  3. Confirm deletion

Exception Scope

Exceptions are rule-specific. Each rule has its own exceptions. For cross-rule tuning, consider:
  • Creating a base rule with filters
  • Using field mappings to normalize data
  • Documenting tuning patterns for consistency

Best Practices

  • Narrow exceptions reduce the risk of suppressing real threats. Use multiple conditions.
  • Add a description explaining why this exception exists.
  • Exceptions may become stale. Review quarterly for relevance.
  • Regex is powerful but can accidentally match too much. Test thoroughly.
  • Exact matches are more precise and less likely to over-suppress.

Audit Trail

All exception changes are logged in the audit trail:
  • Who created/modified the exception
  • When the change was made
  • What conditions were added/removed
View these entries in the Audit Log, filtered by rule exceptions.

Troubleshooting

Exception not suppressing alerts

  1. Check exception is enabled
  2. Verify field names match exactly (case-sensitive)
  3. Check operator logic (AND vs OR)
  4. Test with the specific alert values

Too much suppressed

  1. Review exception conditions
  2. Narrow with additional AND conditions
  3. Check regex patterns for over-matching

Exception field not available

  1. Ensure the field exists in the log schema
  2. Check field mapping configuration
  3. Use the exact field name from the matched log

Next Steps