...
- This functionality is available only when supported by your product plan. Contact your Customer Success Manager (CSM) for assistance with licensing, or to upgrade to an Incydr product plan. If you do not know your CSM, please contact our Customer Champions.
- To use this functionality, Incydr users must be assigned specific roles. For more information, see Permissions for Incydr.
...
Adding trusted domains helps focus your investigations on file activity that may be a higher risk by not showing trusted file activity on the Risk Exposure dashboard, detection lists, and alerts. All file activity, including trusted file activity, is available to view in
....
Item | Description |
a | Domain list |
List of domains you trust. File events from domains in this list are excluded from:
- Data on the ... dashboard
- File event counts for ..., ..., and User Profiles
- ... results including the following search criteria:
  - The Trusted Activity filter with the value Exclude (applies to endpoint and email events)
  - The Exposure Type filter with the value Outside trusted domain (applies to cloud events)
|
b | Edit |
Click Edit to add or remove domains.
- To add multiple domains, enter a comma-separated list.
- File activity on a specific domain is only considered trusted starting the date the domain was added to this list. File activity that occurred before the domain was added is considered untrusted.
- Do not include https:// in the trusted domain entry.
- Including www in the trusted domain entry is optional. The www prefix is ignored when evaluating trust.
- Only the domain is evaluated for trust. The protocol (https://) and characters after the top-level domain (TLD) are ignored. For example, for file activity on https://subdomain.corp.example.com/pages, only subdomain.corp.example.com is evaluated for trust.
- For email activity, a trusted domain entry of example.com trusts activity from all users with email addresses on the example.com domain. Trusting specific email addresses is not supported.
- Optionally, use the asterisk (*) character as a wildcard for partial domain names. For example, enter *.corp.example.com to trust any domain ending with ".corp.example.com". See below for more guidance and warnings about wildcards.
|
Use wildcards carefully to minimize risk
Using a wildcard character, especially at the end of a trusted domain, may lead to unintentionally trusting unknown or malicious domains. For example, a trusted domain value of examplecorp* would trust not only examplecorp.com, but also any domain starting with examplecorp, such as examplecorp.fake.com, examplecorpnotarealcorp.com, and examplecorp.info.
To trust both a parent domain and all subdomains, we do not recommend an overly inclusive wildcard value, such as *example.com. Instead, add these two values to minimize risk:
- example.com
- *.example.com
Since the first entry does not include a wildcard, it only trusts activity that matches the example.com domain exactly. In the second entry, including a period (.) after the wildcard ensures only subdomains of your legitimate domain are trusted.
...
Trusted domain entry (columns run from more secure on the left to less secure on the right):

| Activity on: | example.com | *.example.com | example | *example.com | example* | *example* |
|---|---|---|---|---|---|---|
| www.example.com | Yes | No | No | Yes | Yes | Yes |
| https://subdomain.example.com | No | Yes | No | Yes | No | Yes |
| www.not-example.com | No | No | No | Yes | No | Yes |
| www.example.fake.com | No | No | No | No | Yes | Yes |
| first.last@example.com | Yes | No | No | Yes | Yes | Yes |
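The matching rules and the comparison table above, as an added Python example for reviewing a trusted-domain list before entering it. This is not Incydr's implementation: the wildcard-to-regex matching is an assumption modeled on the rules this page states, and `unintended_trust` is a hypothetical helper that lists activity an entry would trust although it is neither the domain you own nor one of its subdomains.

```python
import re

# Activity values taken from the comparison table on this page.
ACTIVITY = [
    "www.example.com",
    "https://subdomain.example.com",
    "www.not-example.com",
    "www.example.fake.com",
    "first.last@example.com",
]

def normalize(value: str) -> str:
    """Reduce a URL, hostname, email address or list entry to the evaluated domain."""
    value = value.strip().lower()
    if "@" in value and "://" not in value:
        return value.rsplit("@", 1)[1]                   # email: only its domain counts
    value = re.sub(r"^[a-z][a-z0-9+.-]*://", "", value)  # protocol is ignored
    value = re.split(r"[/?#:]", value, maxsplit=1)[0]    # path, query and port are ignored
    return value[4:] if value.startswith("www.") else value  # www prefix is ignored

def is_trusted(entry: str, activity: str) -> bool:
    """True if the entry (optionally with * wildcards) covers the activity's domain."""
    # Assumption: * matches any run of characters, everything else is literal.
    pattern = ".*".join(re.escape(part) for part in normalize(entry).split("*"))
    return re.fullmatch(pattern, normalize(activity)) is not None

def belongs_to(domain: str, owned: str) -> bool:
    """True for the owned domain itself or any of its subdomains."""
    return domain == owned or domain.endswith("." + owned)

def unintended_trust(entry: str, owned: str, activities=ACTIVITY) -> list:
    """Activity the entry trusts that is outside the owned domain."""
    return [a for a in activities
            if is_trusted(entry, a) and not belongs_to(normalize(a), owned)]

if __name__ == "__main__":
    for entry in ["example.com", "*.example.com", "example",
                  "*example.com", "example*", "*example*"]:
        row = ["Yes" if is_trusted(entry, a) else "No" for a in ACTIVITY]
        print(f"{entry:15} {row}  unintended: {unintended_trust(entry, 'example.com')}")
```

Running the same check with your own domain and a list of lookalike names shows which entries need to be split into the exact domain plus a `*.` subdomain entry.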
...