Creating Indicator Exclusion Lists
  • 24 Oct 2022

Minimum Role: Organization role of Organization Administrator

Prerequisites: To add an Indicator to an Organization-level Exclusion List using the Add to Exclusion List checkbox on the Indicator’s Details screen, a System Administrator must enable the system setting that allows this functionality, and you must be on a Dedicated Cloud instance of ThreatConnect.

Overview

Indicator Exclusion Lists are created to prevent the import of Indicators that may be deemed legitimate or non-hostile to an organization. ThreatConnect® allows System Administrators to create Indicator Exclusion Lists at the System level and Organization Administrators to create Indicator Exclusion Lists at the Organization level. See the ThreatConnect System Administration Guide for more information on System-level Indicator Exclusion Lists. This article covers Organization-level Indicator Exclusion Lists.

Table 1 displays a list of features and actions and specifies whether they are blocked by an Indicator Exclusion List.

 

Item   Yes   No
Manual Creation
Structured Import
Unstructured Import
E-mail Ingestion (Phishing and Feed)
Source Feed Monitor
STIX/TAXII Feeds
API Creation
API Bulk Import
Contribute/Copy to my Org
pDNS
Track Import
DNS Monitoring
Note
Indicator Exclusion Lists support wildcarding before, in the middle of, or after the Indicator. Wildcarding works for all Indicators, although it may not make sense for some Indicators, such as file hashes. In addition, Classless Inter-Domain Routing (CIDR) notation is supported for IPv4 and IPv6 addresses, although blanket CIDR terms, such as /0 or /32 for IPv4 and /0 or /128 for IPv6, are not accepted.
Note
If you try to create an Indicator that has been placed on an Indicator Exclusion List, a warning message will be displayed in the Create window stating that the Indicator is contained on an Organization-level Indicator Exclusion List.

Creating Indicator Exclusion Lists

  1. On the top navigation bar, hover the cursor over Settings and select Org Config. The Organization Config screen will be displayed with the Attribute Types tab selected.
  2. Click the Indicator Exclusions tab. The Indicator Exclusions screen will be displayed (Figure 1).

  3. Click Edit in the Options column for an Indicator (Host in this example). The Exclusion Details window for the selected Indicator type will be displayed (Figure 2).

    • Custom: Enter the Indicator(s) to be added to the Exclusion List in this text box.
    • + UPLOAD FILE: Click this button to upload a .txt file containing the Indicator(s) to be added to the Exclusion List.
      Note
      Place an asterisk (*) at the beginning and end of an Indicator to exclude all results. For example, entering *xyz.com* in the URL Exclusion List will exclude any URLs that contain the string xyz.com.
      Note
      You can enter additional Indicators into the Custom text box after uploading an Exclusion List file. However, if you enter Indicators into the Custom text box and then upload a file, the Indicators entered before the upload will be overwritten by the file’s contents.
    • Click the SAVE button.
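
The wildcard and CIDR rules from the Overview note can be checked against a candidate .txt file before it is uploaded. The following is an added example, not ThreatConnect code: it flags the blanket CIDR prefixes the article says are not accepted and shows which indicators on a watchlist each entry would hide. The matching semantics ('*' matches any run of characters, case ignored), the function names, and the sample data are assumptions made for illustration.

```python
import ipaddress
import re

# Prefix lengths the article lists as not accepted ("blanket CIDR terms").
BLANKET_PREFIXES = {4: {0, 32}, 6: {0, 128}}

def check_entry(entry):
    """Classify one exclusion-list line; return (kind, problem or None)."""
    entry = entry.strip()
    if "/" in entry and "*" not in entry:
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            return ("literal", None)  # e.g. a URL with a path, not a CIDR block
        if net.prefixlen in BLANKET_PREFIXES[net.version]:
            return ("cidr", f"blanket prefix /{net.prefixlen} is not accepted")
        return ("cidr", None)
    if "*" in entry:
        # Local sanity check (not a documented product rule): only wildcards.
        if not entry.replace("*", "").strip("."):
            return ("wildcard", "no literal text, would match everything")
        return ("wildcard", None)
    return ("literal", None)

def excludes(entry, indicator):
    """Approximate whether a valid entry would exclude the given indicator."""
    kind, problem = check_entry(entry)
    if problem:
        return False
    if kind == "cidr":
        try:
            net = ipaddress.ip_network(entry.strip(), strict=False)
            return ipaddress.ip_address(indicator) in net
        except ValueError:
            return False  # the indicator is not an IP address
    # Assumption: '*' matches any run of characters; comparison ignores case.
    pattern = ".*".join(re.escape(part) for part in entry.strip().split("*"))
    return re.fullmatch(pattern, indicator, re.IGNORECASE) is not None

def review(entries, watchlist):
    """List rejected entries and the watchlist indicators each entry would hide."""
    findings = []
    for entry in filter(str.strip, entries):
        problem = check_entry(entry)[1]
        hidden = [i for i in watchlist if excludes(entry, i)]
        if problem or hidden:
            findings.append((entry.strip(), problem, hidden))
    return findings

# Constructed sample data: candidate file lines and indicators that must stay importable.
SAMPLE_ENTRIES = ["*xyz.com*", "10.0.0.0/8", "0.0.0.0/0", "2001:db8::1/128", ""]
SAMPLE_WATCHLIST = ["http://xyz.com.login.example/a", "10.1.2.3", "198.51.100.9"]
```

Running review(SAMPLE_ENTRIES, SAMPLE_WATCHLIST) shows that the article's *xyz.com* pattern also excludes a URL on an unrelated domain that merely contains the string xyz.com.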

Clearing and Downloading Indicator Exclusion Lists

Follow Steps 1–3 in the “Creating Indicator Exclusion Lists” section to access the Exclusion Details window for an Indicator type. If an Exclusion List was previously created for an Indicator type, a DOWNLOAD button and a CLEAR button will be displayed (Figure 3).

 

  • CLEAR: Click this button to remove all Indicators from the Exclusion List.
  • DOWNLOAD: Click this button to download the contents of the Exclusion List in a .txt file.

Adding an Indicator to an Exclusion List from the Details Screen

On Dedicated Cloud instances of ThreatConnect, System Administrators can enable the ability to add an Indicator to an Organization-level Exclusion List from its Details screen. When this feature is enabled, Organization and System Administrators will see the Add to Exclusion List checkbox displayed in the Indicator Status section of an Indicator’s Details screen (Figure 4).

Note
The Add to Exclusion List checkbox will be displayed for all Indicators, regardless of whether the Indicator’s status is active.

Select the Add to Exclusion List checkbox to add the Indicator to the Exclusion List corresponding to its Indicator type. After you select this checkbox, a message will be displayed at the lower-left corner of the screen confirming that the Indicator was added to the Exclusion List.

If you select the Add to Exclusion List checkbox for an Indicator, you cannot clear this checkbox to remove it from your Organization’s Indicator Exclusion List. Instead, you must follow these steps to remove it from the Exclusion List:

  1. Navigate to the Indicator Exclusions tab of the Organization Config screen (Figure 1).
  2. Click Edit for the Exclusion List corresponding to the Indicator’s type. The Exclusion Details window for that Indicator type will be displayed (Figure 3).
  3. Delete the Indicator’s entry in the Custom text box.
  4. Click the SAVE button.

ThreatConnect® is a registered trademark of ThreatConnect, Inc.

20046-01 v.08.A

