Automatically deleting detections generated by an IOA

Automatic deletion rules remove detections generated by an IOA that you deem false positives or unimportant.

To create an automatic deletion rule, you must select a specific detection as the basis for the rule. After you create the rule, you can edit it to make it more general or specific, to apply only to certain computers or groups, or to avoid detections that meet certain characteristics.

Automatic deletion rules do not delete already generated detections; they only mark new detections that match the rule definition as Deleted. Advanced EDR deletes these detections effectively after 40 days. After they are permanently deleted, you cannot recover detections.

You can manage only rules that affect computers you have visibility of. For more information, see Managing roles and permissions.

This topic includes these sections:

• Creating automatic deletion rules

• Listing automatic deletion rules

• Editing automatic deletion rules

• Deleting automatic deletion rules

• Listing detections deleted by an automatic deletion rule

Creating automatic deletion rules

• From the top menu, select Status.

• From the side menu, click Add. A dialog box opens that shows the available lists.

• In the Security section, select Indicators of attack (IOA). The New list: Indicators of attack (IOA) page opens.

• Configure the filters. Click Launch query. The list shows all detections that match the selected filtering criteria.

• Click the icon to the right of the detection you want to use as the basis for the new automatic deletion rule. A context menu opens.

• Select Add automatic deletion rule . A dialog box opens that shows the base configuration of the automatic deletion rule.

• In the Add automatic deletion rule dialog box, click the icon to add Computer groups that will not generate detections.

• Click the icon to add Additional computers that will not generate detections.

  • If Computer groups and Additional computers are empty, the automatic deletion rule affects all groups.

  • Only accounts that access the Advanced EDR console with the Full Control role can create automatic deletion rules with empty Computer groups and Additional computers.

• From the Details drop-down list, specify the content of the Other details field for the detections you want to delete. For more information about the details field, see Details page.

  • Equals: Specify the exact content of the field.

  • RegEx: Specify the field content flexibly using a regular expression. See Regular expressions.

• Click Add. A message appears at the top of the page indicating that the automatic deletion rule was created successfully. The rule begins to assign the Deleted status to all detections that match its definition.

Regular expressions

For more information about the supported syntax in regular expressions, go to https://docs.microsoft.com/en-us/dotnet/standard/base-types/regular-expression-language-quick-reference.
To test and validate your regular expressions, go to http://regexstorm.net/tester.

Advanced EDR supports RegEx C to describe flexible patterns in the Other details field for IOA detections. As with most languages used to describe character patterns, you must escape characters considered special or specific to the language. The character "\" is used for this purpose in RegEx C.

To help with the development of regular expressions, there is a preview panel which enables you to check whether the patterns you want to search for match the written regular expression.

To generate a regular expression, from the Details drop-down list, select RegEx. The content of the field updates to show a regular expression that meets the content of the preview panel. All special characters are automatically escaped by the console to make it easier to edit the regular expression.

Example of exclusion using regular expressions in the Details field

Because it is a risk-free but frequent action, you want to mark as Deleted all IOA detections generated when the net.exe tool runs and tries to add the user “gcch\GG_SEC_IBM_PC_Admins” to the administrators group.

The detection Advanced EDR generates in this situation is as follows

{ “contents”: [ { “ChildPath”: “SYSTEM|\net.exe”, “CommandLine”: “net localgroup administrators “gcch\GG_SEC_IBM_PC_Admins” /add”, “ParentPath”: “SYSTEM|\cmd.exe”, “extendedInfo”:“”, “loggedUser”: “NT AUTHORITY\SYSTEM” } ] }

The Other details field for the detection shows its raw information as:

{“contents”:[{“ChildPath”:“SYSTEM|\net.exe”,“CommandLine”:“net localgroup administrators “gcch\GG_SEC_IBM_PC_Admins /add”,“ParentPath”:“SYSTEM|\cmd.exe”,”extendedInfo”:“”,“loggedUser”: “NT AUTHORITY\SYSTEM”}]}

The regular expression that filters detections by the content of the Other details field according to your established criteria is:

{"ChildPath":"SYSTEM\|\\net.exe".+gcch\\GG_SEC_IBM_PC_Admins

The preview panel enables you to verify that the regular expression defined generates the character pattern that matches the content of the Other details field for the detection.

Listing automatic deletion rules

• From the top menu, select Settings.

• From the side menu, select Automatic IOA deletion rules.

• To filter the list by the type of IOA used as the basis for creating the automatic deletion rules:

  • Click Filters. The filter panel appears.

  • From the Indicator of attack drop-down list, select an indicator of attack. The list updates to show the automatic deletion rules that used detections generated by the selected IOA.

• To filter the list by a rule name, type it in the Search text box and press Enter. The list updates to show the automatic deletion rules whose Name field partially or fully matches the text entered in the text box.

Editing automatic deletion rules

• From the top menu, select Settings.

• From the side menu, select Automatic IOA deletion rules.

• Select the automatic deletion rule you want to edit. The Edit automatic deletion rule dialog box opens.

• To edit the settings for the automatic deletion rule, see Creating automatic deletion rules.

If you create an automatic deletion rule with the Computer groups and Additional computers fields empty, Advanced EDR applies the rule to IOA detections generated by all computers in the account. Otherwise, if you clear the Computer groups and Additional computers fields of an existing automatic deletion rule, Advanced EDR does not apply the rule to any computers in the account and it becomes ineffective.

Deleting automatic deletion rules

When you delete an automatic deletion rule, all detections marked as Deleted that have not been permanently removed from Advanced EDR change their status to Pending.

• From the top menu, select Settings.

• From the side menu, select Automatic IOA deletion rules.

• Select the checkboxes to the left of the deletion rules you want to remove.

• From the toolbar, select Delete rule. A confirmation dialog box opens.

• Click Delete. The automatic deletion rule is removed and ceases to mark detections that match its definition as Deleted. All past detections not permanently deleted change their status to Pending.

Listing detections deleted by an automatic deletion rule

• From the top menu, select Settings.

• From the side menu, select Automatic IOA deletion rules. The Automatic IOA deletion rules list opens.

• Click the icon to the right of the automatic IOA deletion rule for which you want to see the deleted detections. A context menu opens.

• Select View deleted IOA. The Indicators of attack list opens filtered to show IOA detections deleted by the selected rule.