Exclusions

Exclusions are lists of specific users, IP addresses, or hosts that you want to exclude from an automated simple response. You can apply one or more exclusion lists when you create your simple response. For more information about creating a simple response, see the Simple Response Configuration Guide.

Exclusion types

Exclusion types, and common scenarios for creating and applying exclusion lists of each type, include:

  • IP address: Alert Logic suggests that you create a list with addresses for services such as public addresses of your data centers, VPN endpoints, and external scanners. Apply the list to simple responses that block IP addresses.
  • Hostname: Alert Logic suggests that you create a list with hostnames of computers used by your security team and any other hosts that are key to your organization. Apply the list to simple responses that isolate hosts.
  • Username: Alert Logic suggests that you create a list with, for example, the usernames of your security team. Apply the list to simple responses that disable users.

You can respond manually to incidents that affect excluded users, IP addresses, or hosts.

Access the Exclusions page

To access the Exclusions page, click the navigation menu icon in the Alert Logic console, click Respond, click Automated Response, and then click Exclusions.

On the Exclusions page, you can view a list of exclusion lists available in your account. From this page, you can also create and manage exclusion lists.

Create an exclusion list

  1. On the Exclusions page, click the add icon.
  2. In Exclusion Type, select the type of exclusion list you want to create.
  3. In List Name, enter a descriptive name for your exclusion list.
  4. In List, enter each hostname, IP address, or username (depending on the exclusion type selected) on a separate line. For formatting guidelines and examples, see Format of exclusion lists.
  5. Click SAVE.

Format of exclusion lists

When you create your lists, refer to this table for the accepted format of each exclusion type. If you include multiple items, list each item on a separate line.

Exclusion Type: IP address
Format: IP addresses or address ranges in CIDR notation
Examples:
192.0.0.1
192.0.0.128/27

Exclusion Type: Hostname
Format: Simple textual hostnames, including fully qualified names. Hostnames can include letters (a-z, A-Z), numbers (0-9), underscores (_), and hyphens (-). Spaces are not supported.
Examples:
host
prodWWW.example.com
prodwww2.example.com

Exclusion Type: Username
Format: Simple textual usernames, not including fully qualified names such as username@example.com. Usernames can include letters (a-z, A-Z), numbers (0-9), underscores (_), and hyphens (-). Spaces are not supported.
Examples:
user
Jsmith
username2
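The following script is an added example, not part of this guide or of the Alert Logic product, that checks an exclusion list against the format rules above before you paste it into the List field, and then tests whether an indicator from an incident would be covered by the list. The character rules and the CIDR requirement come from the table; the matching behaviour (hostnames compared case-insensitively, usernames compared exactly) and the sample lists are assumptions constructed for the example.

```python
"""Lint exclusion-list entries and test coverage of an incident indicator.

Added example (not Alert Logic code). Validation rules follow the format
table: IP entries are addresses or CIDR ranges; hostnames and usernames use
letters, digits, underscores and hyphens; no spaces; usernames are not
fully qualified. Matching semantics below are assumptions.
"""
import ipaddress
import re

# Hostnames may be fully qualified, so dot-separated labels are accepted.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9_-]+(?:\.[A-Za-z0-9_-]+)*$")
# Usernames are simple names only: no dots, no @domain part.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def validate_entry(exclusion_type, entry):
    """Return None if the entry is acceptable, otherwise a short reason."""
    if " " in entry:
        return "spaces are not supported"
    if exclusion_type == "ip":
        try:
            # strict=True rejects a range whose host bits are set,
            # e.g. 192.0.0.129/27, which is a common copy-paste mistake.
            ipaddress.ip_network(entry, strict=True)
        except ValueError:
            return "not a valid IP address or CIDR range"
        return None
    if exclusion_type == "hostname":
        return None if HOSTNAME_RE.match(entry) else "unsupported characters in hostname"
    if exclusion_type == "username":
        if "@" in entry:
            return "fully qualified names such as user@example.com are not supported"
        return None if USERNAME_RE.match(entry) else "unsupported characters in username"
    raise ValueError(f"unknown exclusion type: {exclusion_type}")


def parse_exclusion_list(exclusion_type, text):
    """Split the list one entry per line; return (accepted, rejected)."""
    accepted, rejected = [], []
    for raw in text.splitlines():
        entry = raw.strip()
        if not entry:
            continue  # blank lines carry no entry
        reason = validate_entry(exclusion_type, entry)
        if reason is None:
            accepted.append(entry)
        else:
            rejected.append((entry, reason))
    return accepted, rejected


def is_excluded(exclusion_type, entries, value):
    """True if the indicator `value` is covered by the accepted entries."""
    if exclusion_type == "ip":
        addr = ipaddress.ip_address(value)
        return any(addr in ipaddress.ip_network(e) for e in entries)
    if exclusion_type == "hostname":
        # Assumption: DNS names are case-insensitive, so compare lower-cased.
        return value.lower() in {e.lower() for e in entries}
    if exclusion_type == "username":
        # Assumption: usernames are compared exactly as entered.
        return value in entries
    raise ValueError(f"unknown exclusion type: {exclusion_type}")


# Constructed sample lists: the table's examples plus one bad line each.
IP_LIST = "192.0.0.1\n192.0.0.128/27\n192.0.0.129/27\n10.0.0.1 10.0.0.2\n"
HOST_LIST = "host\nprodWWW.example.com\nprodwww2.example.com\nbad host\n"
USER_LIST = "user\nJsmith\nusername2\njsmith@example.com\n"

if __name__ == "__main__":
    for kind, text in (("ip", IP_LIST), ("hostname", HOST_LIST), ("username", USER_LIST)):
        ok, bad = parse_exclusion_list(kind, text)
        print(f"{kind}: {len(ok)} accepted, {len(bad)} rejected")
        for entry, reason in bad:
            print(f"  rejected {entry!r}: {reason}")
    ip_ok, _ = parse_exclusion_list("ip", IP_LIST)
    print("192.0.0.150 excluded:", is_excluded("ip", ip_ok, "192.0.0.150"))
```

Run the script before saving a list: every rejected line is one the console's List field would also not accept as intended, and the coverage check shows whether a given incident indicator would fall inside the list once the simple response applies it.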

Search for an exclusion list

You can use the search bar at the top of the Exclusions page to filter the list to include only exclusion lists that contain specific words in the list name.

Edit an exclusion list

On the Exclusions page, click the Edit icon next to the exclusion list that you want to edit, and then change any of the available settings.

Delete an exclusion list

On the Exclusions page, click the Delete icon next to the exclusion list that you want to delete, and then click DELETE.

Before you delete an exclusion list, be aware that a simple response might still reference it. Deleting an exclusion list that a configured simple response uses can cause that response to stop working.