Manage Deletion Rules

To manage deletion rules centrally, select Settings in the top menu. In the side panel, select Deletion rules. A list opens that shows all the deletion rules created so far.

Deletion Rules List

Field Description

Name

Deletion rule name assigned by the analyst.

Creation date

Date the deletion rule was created.

Modification date

Date the deletion rule was last modified.

Description

Description assigned by the analyst.

Hunting rule

Name of the hunting rule that generated the indicator and description of the artifacts monitored on the client’s computer.

Indicators deleted in the last 30 days

Number of indicators deleted by the rule in the last 30 days. Analysts can use this field to determine the usefulness of the deletion rule.

Last deletion date

Date and time the rule last deleted an indicator. Analysts can use this field to determine the usefulness of the deletion rule.

Fields in the Deletion Rules list

Edit a Deletion Rule

If an analyst finds that a rule is deleting useful indicators, they can edit it. Follow these steps:

  • In the side panel, select Bin to show the deletion rules created.

  • Click the context menu icon for the deletion rule you want to edit. A drop-down menu appears.

  • Select Edit automatic deletion rule. Set the new criteria for deleting indicators:

    • Name: Name of the deletion rule.

    • Description: Text field where the analyst can specify the reasons for deleting indicators.

    • Client ID: Specify the IDs of the clients that the computers where the indicators you want to delete were detected belong to.

    • Hunting rule: Name of the hunting rule associated with the deletion rule.

    • MUID: Specify the IDs of the computers where the indicators you want to delete were detected.

    • Computer name: Name of the computers where the indicators you want to delete were detected.

    • Details: Specify the Details field for the indicators you want to delete. You can determine the exact content of the field with the Equals option, or flexibly with a regular expression by using the RegEx option. For more information, see Regular Expressions.

Indicators already affected by the deletion rule do not undergo any changes and are not shown in the main list, although they are shown when you click the edited rule.

Delete a Deletion Rule

If an analyst finds that a rule is deleting useful indicators, they can delete it.

  • In the side panel, select Bin to show the deletion rules created.

  • Click the context menu icon for the deletion rule you want to delete. A drop-down menu appears.

  • Select Delete. Recent indicators affected by the deletion rule reappear in the Indicators list with the status Pending. Indicators from more than seven days ago are not retrieved.

Export the List

Click the icon to download a CSV file with the content of the Deletion rules list.