Creating Indicator Exclusion Lists

Last Updated: Jun 12, 2018 06:26PM EDT
Organization Administrator
None

Overview

Indicator Exclusion Lists are created to prevent the import of Indicators that may be deemed legitimate or non-hostile to an organization. ThreatConnect® allows users to create an Indicator Exclusion List at the System level and at the Organization level. See the ThreatConnect System Administration Guide for more information on System-level Indicator Exclusion Lists. Table 1 displays a list of features and actions and specifies which are and which are not blocked by an Indicator Exclusion List.

Table 1

Item Yes No
Manual Creation  
Structured Import  
Unstructured Import  
E-mail Ingestion (Phishing and Feed)  
Source Feed Monitor  
STIX/TAXII Feeds  
API Creation  
API Bulk Import  
Contribute/Copy to my Org  
pDNS  
Track Import  
DNS Monitoring  

NOTE: Indicator Exclusion Lists support wildcarding before, in the middle of, or after the Indicator. Wildcarding works for all Indicators, although it may not make sense for some Indicators (e.g., file hashes). In addition, for IPv4 and IPv6 addresses, Classless Inter-Domain Routing (CIDR) notation is supported, although blanket CIDR terms, such as /0 or /32 for IPv4 and /0 or /128 for IPv6, are not accepted.
NOTE: When a user tries to create an Indicator that has been placed on an Exclusion List, a message will appear in the Create window to warn that the Indicator is contained on an Organization-wide Exclusion List.

Steps

  1. On the top navigation bar (Figure 1), hover the cursor over the Settings  icon and select ORG CONFIG from the dropdown menu (Figure 2).
  2. The Organization Config screen will appear (Figure 3).
  3. Click the Indicator Exclusions tab, and the Indicator Exclusions screen will appear (Figure 4).
  4. Click on the Modify icon for an Indicator from the Type column (e.g., Host), and the Exclusion Details window will appear (Figure 5).
  5. Enter the Exclusion List directly into the text box, or upload an Exclusion List by clicking the + UPLOAD FILE button and browsing to and selecting the desired file (Figure 6). Place an asterisk (*) at the beginning and end of an Indicator to exclude all results. For example, *xyz.com* in the URL Exclusion List would exclude any URL that contains the string xyz.com.

    NOTE: If uploading an Exclusion List, the file must be in .txt format.
    NOTE: Additional Exclusion List items may be entered directly into the text box after uploading an Exclusion List file. However, entering items and then uploading a file will result in the contents of the file overwriting the items that were entered before the upload.

  6. Click the CLEAR button to clear the contents of the text box. Click the DOWNLOAD button to download the contents of the text box. Click the SAVE button to save the Exclusion List.

20046-05 EN Rev. A

Contact Us

  • ThreatConnect, Inc.
    3865 Wilson Blvd.
    Suite 550
    Arlington, VA 22203

    Toll Free:   1.800.965.2708
    Local: +1.703.229.4240
    Fax +1.703.229.4489

    Email Us



https://cdn.desk.com/
false
desk
Loading
seconds ago
a minute ago
minutes ago
an hour ago
hours ago
a day ago
days ago
about
false
Invalid characters found
/customer/en/portal/articles/autocomplete