Exclusions are lists of specific users, IP addresses, or hosts that you want to exclude from an automated simple response. You can apply one or more exclusion lists when you create your simple response. For more information about creating a simple response, see the Simple Response Configuration Guide.
Exclusion types, and common scenarios for creating and applying exclusion lists of each type, include:
- IP address—Alert Logic suggests that you create a list with addresses for services such as public addresses of your data centers, VPN endpoints, and external scanners. Apply the list to simple responses that block IP addresses.
- Hostname—Alert Logic suggests you create a list with hostnames of computers used by your security team and any other hosts that are key to your organization. Apply the list to simple responses that isolate hosts.
- Username—Alert Logic suggests that you create a list with usernames such as those of your security team. Apply the list to simple responses that disable users.
You can respond manually to incidents that affect excluded users, IP addresses, or hosts.
Access the Exclusions page
To access the Exclusions page, click the navigation menu icon in the Alert Logic console, click Respond, click Automated Response, and then click Exclusions.
On the Exclusions page, you can view a list of exclusion lists available in your account. From this page, you can also create and manage exclusion lists.
Create an exclusion list
- On the Exclusions page, click the add icon.
- In Exclusion Type, select the type of exclusion list you want to create.
- In List Name, enter a descriptive name for your exclusion list.
- In List, enter each hostname, IP address, or username (depending on the exclusion type selected) on a separate line. For formatting guidelines and examples, see Format of exclusion lists.
- Click SAVE.
Format of exclusion lists
When you create your lists, refer to this table for the accepted format of each exclusion type. If you include multiple items, list each item on a separate line.
|Exclusion type|Accepted format|
|---|---|
|IP address|IP addresses or address ranges in CIDR notation|
|Hostname|Simple textual hostnames, including fully qualified names. Hostnames can include letters (a-z, A-Z), numbers (0-9), underscores (_), and hyphens (-). Spaces are not supported.|
|Username|Simple textual usernames, not including fully qualified names such as email@example.com. Usernames can include letters (a-z, A-Z), numbers (0-9), underscores (_), and hyphens (-). Spaces are not supported.|
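The format rules above can be checked before a list is pasted into the console, which also gives a reviewer a chance to catch an exclusion that exempts far more than intended. This is an added example, not Alert Logic code: the function names, the treatment of dots as hostname label separators, the rejection of CIDR entries with host bits set, and the broad-range thresholds are assumptions of the example.

```python
import ipaddress
import re

# Character set the page gives for hostnames and usernames.
NAME = re.compile(r"[A-Za-z0-9_-]+")
# Assumption of this example, not a product rule: prefixes shorter than these
# are reported so a reviewer confirms such a wide exemption is intended.
MIN_PREFIX = {4: 16, 6: 32}
# Constructed sample input using documentation address ranges.
SAMPLE_IPS = "192.0.2.0/24\n198.51.100.7\n203.0.113.9/24\n0.0.0.0/0\nvpn gateway\n"

def check_entry(kind, entry):
    """Return None if the entry fits the documented format, else a reason."""
    if any(ch.isspace() for ch in entry):
        return "spaces are not supported"
    if kind == "ip":
        try:
            net = ipaddress.ip_network(entry)  # strict: host bits must be 0
        except ValueError as exc:
            return f"not an IP address or CIDR range ({exc})"
        if net.prefixlen < MIN_PREFIX[net.version]:
            return f"very broad range: /{net.prefixlen}"
        return None
    if kind == "hostname":
        # Assumption: dots only separate labels of a fully qualified name.
        ok = all(NAME.fullmatch(label) for label in entry.split("."))
        return None if ok else "hostname labels may use only a-z, A-Z, 0-9, _ and -"
    if kind == "username":
        ok = NAME.fullmatch(entry)
        return None if ok else "username must be a simple name of a-z, A-Z, 0-9, _ and -"
    raise ValueError(f"unknown exclusion type: {kind}")

def lint_list(kind, text):
    """Return (accepted, problems); problems holds (line_no, entry, reason)."""
    accepted, problems = [], []
    for line_no, raw in enumerate(text.splitlines(), 1):
        entry = raw.strip()
        if not entry:
            continue  # blank lines carry no entry
        reason = check_entry(kind, entry)
        if reason is None:
            accepted.append(entry)
        else:
            problems.append((line_no, entry, reason))
    return accepted, problems

if __name__ == "__main__":
    print(lint_list("ip", SAMPLE_IPS))
```

Entries reported as very broad are still syntactically valid CIDR; the check only asks a person to confirm them before the list is applied to a blocking response.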
Search for an exclusion list
You can use the search bar at the top of the Exclusions page to filter the list to include only exclusion lists that contain specific words in the list name.
Edit an exclusion list
On the Exclusions page, click the Edit icon next to the exclusion list that you want to edit, and then change any of the available settings.
Delete an exclusion list
On the Exclusions page, click the Delete icon next to the exclusion list that you want to delete, and then click DELETE.