Indicator Exclusion Lists are created to prevent the import of Indicators that may be deemed legitimate or non-hostile to an organization. ThreatConnect® allows users to create an Indicator Exclusion List at the System level and at the Organization level. See the ThreatConnect System Administration Guide for more information on System-level Indicator Exclusion Lists. Table 1 displays a list of features and actions and specifies which are and which are not blocked by an Indicator Exclusion List.
|E-mail Ingestion (Phishing and Feed)||✓|
|Source Feed Monitor||✓|
|API Bulk Import||✓|
|Contribute/Copy to my Org||✓|
NOTE: Indicator Exclusion Lists support wildcarding before, in the middle of, or after the Indicator. Wildcarding works for all Indicators, although it may not make sense for some Indicators (e.g., file hashes). In addition, for IPv4 and IPv6 addresses, Classless Inter-Domain Routing (CIDR) notation is supported, although blanket CIDR terms, such as /0 or /32 for IPv4 and /0 or /128 for IPv6, are not accepted.
NOTE: When a user tries to create an Indicator that has been placed on an Exclusion List, a message will appear in the Create window to warn that the Indicator is contained on an Organization-wide Exclusion List.
Creating Indicator Exclusion Lists
- On the top navigation bar (Figure 1), hover the cursor over the Settings icon and select Org Config from the dropdown menu (Figure 2).
- The Organization Config screen will be displayed (Figure 3).
- Click the Indicator Exclusions tab, and the Indicator Exclusions screen will be displayed (Figure 4).
- Click on the Modify icon for an Indicator from the Type column (Host in this example), and the Exclusion Details window for that Indicator type will be displayed (Figure 5).
- Enter the Exclusion List directly into the text box, or upload an Exclusion List by clicking the + UPLOAD FILE button and browsing to and selecting the desired file (Figure 6). Place an asterisk (*) at the beginning and end of an Indicator to exclude every Indicator that contains it. For example, *xyz.com* in the URL Exclusion List would exclude any URL that contains the string xyz.com.
- Click the CLEAR button to clear the contents of the text box. Click the DOWNLOAD button to download the contents of the text box. Click the SAVE button to save the Exclusion List.
NOTE: If uploading an Exclusion List, the file must be in .txt format.
NOTE: Additional Exclusion List items may be entered directly into the text box after uploading an Exclusion List file. However, entering items and then uploading a file will result in the contents of the file overwriting the items that were entered before the upload.
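The wildcard and CIDR rules in the note above, together with the upload step, suggest reviewing a list before saving it. The following is an added example, not ThreatConnect code: it flags entries the note says are not accepted and shows which Indicators you still want imported would be suppressed by the list. The one-entry-per-line file layout, the case-insensitive matching, the wildcard-only check, and all function and variable names are assumptions made for illustration.

```python
import ipaddress
import re

# Prefix lengths the page says are rejected as blanket CIDR terms.
BLANKET = {4: {0, 32}, 6: {0, 128}}

def check_entry(entry):
    """Return a rejection reason for an entry, or None if it looks acceptable."""
    if not entry.strip("*"):
        # Added sanity check (assumption, not a documented product rule).
        return "wildcard-only entry would match every Indicator"
    if "/" in entry and "*" not in entry:
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            return None  # not CIDR (e.g. a URL with a path)
        if net.prefixlen in BLANKET[net.version]:
            return f"blanket CIDR /{net.prefixlen} is not accepted"
    return None

def is_excluded(indicator, entry):
    """Assumed semantics: '*' matches any run of characters, case-insensitively."""
    if "*" in entry:
        pattern = re.escape(entry.lower()).replace(r"\*", ".*")
        return re.fullmatch(pattern, indicator.lower()) is not None
    try:
        return ipaddress.ip_address(indicator) in ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return indicator.lower() == entry.lower()

def audit(list_text, must_keep):
    """Return (rejected entries with reasons, must-keep Indicators the list would exclude)."""
    rejected, swallowed = {}, {}
    for entry in filter(None, (line.strip() for line in list_text.splitlines())):
        reason = check_entry(entry)
        if reason:
            rejected[entry] = reason
            continue
        for ind in must_keep:
            if is_excluded(ind, entry):
                swallowed.setdefault(ind, entry)
    return rejected, swallowed

# Constructed sample data (documentation address ranges, made-up host names).
SAMPLE_LIST = "*xyz.com*\n192.0.2.0/24\n198.51.100.7/32\n0.0.0.0/0\n"
MUST_KEEP = ["http://login-xyz.com.bad.example/a", "192.0.2.55", "203.0.113.9"]

if __name__ == "__main__":
    rejected, swallowed = audit(SAMPLE_LIST, MUST_KEEP)
    print("rejected:", rejected)
    print("would be excluded:", swallowed)
```

In the sample, the two blanket CIDR entries are rejected, and the page's own *xyz.com* pattern also excludes a URL on an unrelated host whose name merely contains that string, which is the kind of over-broad match worth catching before clicking SAVE.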