---
title: "Creating Indicator Exclusion Lists | ThreatConnect"
slug: "creating-indicator-exclusion-lists"
description: "This article describes how to create, view, and manage Organization-level Indicator Exclusion Lists, which prevent the import of Indicators that may be deemed legitimate or non-hostile. It also describes how to add an Indicator to an Exclusion List."
tags: ["Administrator"]
updated: 2023-03-15T21:19:18Z
published: 2023-03-15T21:19:18Z
---


# Creating Indicator Exclusion Lists

## Overview

Indicator Exclusion Lists are created to prevent the import of Indicators that may be deemed legitimate or non-hostile to an organization. ThreatConnect® allows System Administrators to create Indicator Exclusion Lists at the System level and Organization Administrators to create Indicator Exclusion Lists at the Organization level. See *ThreatConnect System Administration Guide* for more information on System-level Indicator Exclusion Lists. This article covers Organization-level Indicator Exclusion Lists.

Table 1 displays a list of features and actions and specifies whether they are affected by an Indicator Exclusion List.

| Item | Yes | No |
| --- | --- | --- |
| Manual Creation | ✔ |  |
| Structured Import | ✔ |  |
| Unstructured Import | ✔ |  |
| E-mail Ingestion (Phishing and Feed) | ✔ |  |
| Source Feed Monitor | ✔ |  |
| STIX/TAXII Feeds | ✔ |  |
| API Creation | ✔ |  |
| API Bulk Import | ✔ |  |
| Contribute/Copy to my Org |  | ✔ |
| pDNS |  | ✔ |
| Track Import |  | ✔ |
| DNS Monitoring |  | ✔ |

**Note:** Indicator Exclusion Lists support wildcarding before, in the middle of, or after an Indicator. Wildcarding works for all Indicators, although it may not make sense for some Indicators, such as file hashes. In addition, Classless Inter-Domain Routing (CIDR) notation is supported for IPv4 and IPv6 addresses, although blanket CIDR terms, such as **/0** or **/32** for IPv4 and **/0** or **/128** for IPv6, are not accepted.

**Note:** If you try to create an Indicator that has been placed on an Indicator Exclusion List, a warning message will be displayed in the [**Create**](/v1/docs/create) window stating that the Indicator is contained on an Organization-level Indicator Exclusion List.

## Before You Start

| Minimum Role(s) | Organization role of Organization Administrator |
| --- | --- |
| Prerequisites | To add an Indicator to an Organization-level Exclusion List from the Indicator’s **Details** screen, a System Administrator must enable the system setting that allows this functionality, and you must be on a Dedicated Cloud instance of ThreatConnect |

## Creating Indicator Exclusion Lists

1. On the top navigation bar, hover the cursor over **Settings** ![Settings icon](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/creating-indicator-exclusion-lists-image-dphggvea.png) and select **Org Config**. The **Organization Config** screen will be displayed with the **Attribute Types** tab selected.
2. Click the **Indicator Exclusions** tab. The **Indicator Exclusions** screen will be displayed (Figure 1).

   ![Figure 1](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/creating-indicator-exclusion-lists-image-hr6vxdsj.png)
3. Click **Edit** ![Edit icon](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/creating-indicator-exclusion-lists-image-5g1nmeaz.png) in the **Options** column for an Indicator type (**Host** in this example). The **Exclusion Details** window for the selected Indicator type will be displayed (Figure 2).

   ![Figure 2](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/creating-indicator-exclusion-lists-image-fh703avg.png)
  - **Custom**: Enter the Indicator(s) to be added to the Exclusion List in this text box.
  - **+ UPLOAD FILE**: Click this button to upload a **.txt** file containing the Indicator(s) to be added to the Exclusion List.

    **Note:** Place an asterisk (\*) at the beginning and end of an Indicator to exclude all results. For example, entering **\*xyz.com\*** in the URL Exclusion List will exclude any URLs that contain the string **xyz.com**.

    **Note:** You can enter additional Indicators into the **Custom** text box after uploading an Exclusion List file. However, if you enter Indicators into the **Custom** text box and then upload a file, the Indicators entered before the upload will be overwritten by the file’s contents.
  - Click the **SAVE** button.
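
The wildcard and CIDR rules above can be checked before a list is uploaded. The following is an added example, not ThreatConnect code: it flags the blanket CIDR terms this article says are not accepted and previews which Indicators an entry would exclude. The matching semantics (`*` matches any run of characters, case-insensitively; CIDR means address membership), the bare-wildcard check, and all sample values are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample entries; in the product each Indicator type has its own list.
SAMPLE_ENTRIES = ["*xyz.com*", "10.0.0.0/8", "192.0.2.7/32", "::/0", "*"]


def parse_cidr(entry):
    """Return an ip_network if entry is CIDR notation, else None."""
    if "/" not in entry or "*" in entry:
        return None
    try:
        return ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return None  # e.g. a URL that merely contains a slash


def lint_entry(entry):
    """Return reasons an entry should be fixed before upload (empty = OK)."""
    problems = []
    net = parse_cidr(entry)
    if net is not None and net.prefixlen in (0, net.max_prefixlen):
        problems.append(f"blanket CIDR /{net.prefixlen} is not accepted")
    # Added heuristic (not a product rule): a pattern with no literal text.
    if "*" in entry and not entry.replace("*", "").strip("."):
        problems.append("wildcard with no literal text matches everything")
    return problems


def excluded_by(entries, indicator):
    """Return the entries that would exclude indicator (assumed semantics)."""
    hits = []
    for entry in entries:
        net = parse_cidr(entry)
        if net is not None:
            try:
                if ipaddress.ip_address(indicator) in net:
                    hits.append(entry)
            except ValueError:
                pass  # indicator is not an IP address
        else:
            # Assumption: "*" matches any run of characters, case-insensitively.
            pattern = ".*".join(re.escape(part) for part in entry.split("*"))
            if re.fullmatch(pattern, indicator, re.I | re.S):
                hits.append(entry)
    return hits


if __name__ == "__main__":
    for e in SAMPLE_ENTRIES:
        print(e, lint_entry(e) or "ok")
    print(excluded_by(SAMPLE_ENTRIES, "http://xyz.com.lookalike.example/login"))
```

Because a leading and trailing asterisk turns the entry into a substring match, `*xyz.com*` also excludes URLs on unrelated hosts whose names merely contain `xyz.com`, so preview broad entries against recent Indicators before saving.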

## Clearing and Downloading Indicator Exclusion Lists

Follow Steps 1–3 in the [“Creating Indicator Exclusion Lists”](/v1/docs/creating-indicator-exclusion-lists#creating-indicator-exclusion-lists) section to access the **Exclusion Details** window for an Indicator type. If an Exclusion List was previously created for an Indicator type, a **DOWNLOAD** button and a **CLEAR** button will be displayed (Figure 3).

![](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/creating-indicator-exclusion-lists-image-cdzuxp45.png)

- **CLEAR**: Click this button to remove all Indicators from the Exclusion List.
- **DOWNLOAD**: Click this button to download the contents of the Exclusion List in a **.txt** file.

## Adding an Indicator to an Exclusion List from the Details Screen

On Dedicated Cloud instances of ThreatConnect, Organization and System Administrators can add an Indicator to an Organization-level Exclusion List from the Indicator’s [**Details** screen](https://knowledge.threatconnect.com/docs/the-details-screen) if a System Administrator has enabled this ability on their ThreatConnect instance.

### New Details Screen

On an Indicator’s [**Details** screen](https://knowledge.threatconnect.com/docs/the-details-screen), click on the **Options** ![Creating Indicator Exclusion Lists_Options button](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Creating%20Indicator%20Exclusion%20Lists_Options%20button.png) button at the upper-right corner of the screen and select **Add to Exclusion List** to add the Indicator to the Exclusion List corresponding to its Indicator type (Figure 4). After you select this option, a message will be displayed at the lower-left corner of the screen confirming that the Indicator was added to the Exclusion List.

![Creating Indicator Exclusion Lists_Figure 4 ](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Creating%20Indicator%20Exclusion%20Lists_Figure%204.png )

**Important:** You cannot reselect the **Add to Exclusion List** option to remove the Indicator from your Organization’s Indicator Exclusion List. See the [“Removing an Indicator from an Exclusion List”](/v1/docs/creating-indicator-exclusion-lists#removing-an-indicator-from-an-exclusion-list) section for instructions on how to remove the Indicator. Once the Indicator has been removed from the Exclusion List, the **Add to Exclusion List** option will be available for selection again.

### Legacy Details Screen

On an Indicator’s [legacy **Details** screen](https://knowledge.threatconnect.com/docs/the-details-screen-legacy), select the **Add to Exclusion List** checkbox displayed in the [**Indicator Status** section](https://knowledge.threatconnect.com/docs/indicator-status) to add the Indicator to the Exclusion List corresponding to its Indicator type (Figure 5). After you select this checkbox, a message will be displayed at the lower-left corner of the screen confirming that the Indicator was added to the Exclusion List.

**Note:** The **Add to Exclusion List** checkbox will be displayed for all Indicators, regardless of whether the Indicator's status is active.

![Creating Indicator Exclusion Lists_Figure 5](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Creating%20Indicator%20Exclusion%20Lists_Figure%205.png)

**Important:** You cannot reselect the **Add to Exclusion List** checkbox to remove the Indicator from your Organization’s Indicator Exclusion List. See the [“Removing an Indicator from an Exclusion List”](/v1/docs/creating-indicator-exclusion-lists#removing-an-indicator-from-an-exclusion-list) section for instructions on how to remove the Indicator. Once the Indicator has been removed from the Exclusion List, the **Add to Exclusion List** checkbox will be available for selection again.

## Removing an Indicator from an Exclusion List

Follow these steps to remove an Indicator from your Organization’s Exclusion List:

1. Navigate to the **Indicator Exclusions** tab of the **Organization Config** screen (Figure 1).
2. Click **Edit** ![Edit icon](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/creating-indicator-exclusion-lists-image-5g1nmeaz.png) for the Exclusion List corresponding to the Indicator’s type. The **Exclusion Details** window for that Indicator type will be displayed (Figure 3).
3. Delete the Indicator’s entry in the **Custom** text box.
4. Click the **SAVE** button.

---

*ThreatConnect® is a registered trademark of ThreatConnect, Inc.*

20046-01 v.09.A

