Adding a temporary exclusion list for a correlation rule

Users that do not have the rights to edit correlation rules in the KUMA web interface, can create a temporary list of exclusions (for example, create exclusions for false positives when managing alerts). A user with the rights to edit correlation rules can then add the exclusions to the rule and remove them from the temporary list.

To add exclusions to a correlation rule when managing alerts:

1. Go to the Alerts section and select an alert.
2. Click the Find in events button.

   Events of the alert are displayed on the events page.

3. Open the correlation event.

   This opens the event card in which each field has a (arrow) button that lets you add an exclusion.

4. Click the button and select Add to exclusions .

   A sidebar is displayed, containing the following fields: Correlation rule, Exclusion, Alert, Comment.

5. Click the Create button.

The exclusion rule is added.

The exclusion is added to the temporary list. This list is available to anyone with rights to read correlation rules: in the Resources → Correlation rules section, in the rule list tools toolbar, click the List of exclusions button. If you want to view the exclusions of a specific rule, open the card of the rule and select the Exclusions tab.

The exclusion list contains entries with the following parameters:

• Exclusion

  Exclusion condition.

• Correlation rule

  Name of the correlation rule.

• Alert

  Name of the alert from which the exclusion was added.

• Tenant

  The tenant to which the rule and the exclusion apply.

• Condition

  Generated automatically based on the selected field of the correlation event.

• Сreation date

  Date and time when the exclusion was added.

• Expires

Date and time when the exclusion will be automatically removed from the list.

• Created

  Name of the user that added the exclusion.

• Comment

After the exclusion is added, by default, the correlation rule takes the exclusion into account for 7 days. In the Settings → Other → General section, you can configure the duration of exclusions by editing the corr_rule_exclusion_ttl_hours parameter in the Core properties section. You can configure the lifetime of exclusions in hours and days. The minimum value is 1 hour, the maximum is 365 days. This setting is available only for users with the General administrator role.

For fields from base events to be propagated to correlation events, these fields must be specified in the card of the correlation rule on the General tab, in the Propagated fields field. If the fields of base events are not mapped to the correlation event, these fields cannot be added to exclusions.

To remove exclusions from a correlation rule:

1. Go to the Resources → Correlation rules section.
2. In the toolbar of the rule list, click List of exclusions button.

   This opens the window with the list of exclusions.

3. Select the exclusions that you want to delete and click the Delete button.

Exceptions are deleted from the correlation rule.

KUMA generates an audit event whenever an exception is created or deleted. You can view the changes of event settings in the Event details window.

Page top