File event exclusions
Overview
Use file event exclusions to define a list of file types and file paths to exclude from Incydr monitoring. Excluding file types and paths prevents user devices from consuming resources to index file activity you're not interested in monitoring. It also prevents irrelevant or unimportant file events from appearing in dashboard visualizations, alerts, and Forensic Search results.
This article describes how to set and manage file event exclusions in the Code42 console.
Considerations
- File event exclusions apply to all organizations and devices in your Code42 environment.
- To view and modify file event exclusions, you must have the Security Administrator or Customer Cloud Admin role.
What is excluded?
In general, file event exclusions apply to endpoint activity on disk, not exfiltration. For example, Incydr still detects files in excluded paths being uploaded via a browser or moved to removable media.
See the table below for details about how each exclusion type affects detection of file exfiltration activity. In the table:
- Excluded = file activity is not detected
- Not excluded = file activity is detected
Exclusion type | File metadata collection (all file activity) | Cloud sync applications | Removable media | Browser and other app activity | |
---|---|---|---|---|---
Directory exclusion ¹ | Excluded | Excluded ² | Not excluded ³ | Not excluded | Not excluded
File extension exclusion ¹ | Excluded | Excluded | Excluded | Not excluded | Not excluded
Filename exclusion (via regex) | Excluded | Excluded | Excluded | Not excluded | Not excluded
¹ Directory and file extension exclusions created via a custom regular expression (regex) follow the same rules as those created via the dedicated fields below.
² If the cloud sync directory is excluded (for example C:\Users\Username\Google Drive), sync activity within that directory is excluded. However, if a file in that directory is uploaded via a web browser or moved to removable media, that exfiltration activity is still detected.
³ Files moved from an excluded path to removable media are detected, unless the removable media destination path itself is also excluded.
File event exclusions
To view file event exclusions:
- Sign in to the Code42 console.
- Select Administration > Environment > File event exclusions.
Item | Name | Description
---|---|---
a | Create exclusion | Creates a file event exclusion.
b | Exclusion | The file extension, directory, or regular expression being excluded. Exclusions entered using regular expressions are case sensitive: Code42 evaluates the regular expression as entered, taking any capitalization used into account. File extension and directory exclusions are not case sensitive.
c | Type | The file event exclusion type.
d | Operating System | The operating system to which the file event exclusion applies.
e | Edit | Click to edit the file event exclusion.
f | Delete | Click to delete the file event exclusion.
Create exclusion
To create file event exclusions:
- Sign in to the Code42 console.
- Select Administration > Environment > File event exclusions.
- Click Create exclusion.
- Select the operating system to which the exclusion applies.
- Select an exclusion type.
- Click Next.
The following options vary based on exclusion type: file extension, directory, or regular expression.
File extension
To exclude file events by file extension:
- Enter the file extension, without the leading period. File extension exclusions are not case sensitive.
- (Optional) Add multiple file extension exclusions in one step by clicking the plus icon.
- Click Create.
Directory
To exclude file events by directory:
- Choose Path prefix or Contains.
- Enter the prefix or string. Do not use wildcards. Directory exclusions are not case sensitive.
  - Path prefix: For Windows, the prefix must start with a letter. For Mac and Linux, it must start with a /. For example:
    - Windows: C:/proc/
    - Mac: /Library/Application Support/Code42-AAT/Data/logs/
    - Linux: /usr/local/qualys/cloud-agent/
  - Contains: For example:
    - Windows: /Mozilla/Firefox/.cache./
    - Mac: /Library/Application Support/CrashReporter/
    - Linux: /Mozilla/Firefox/.cache./
- (Optional) Add multiple exclusions in one step by clicking the plus icon.
- Click Create.
Regular expression
A regular expression (regex) is a search pattern that locates files and folders containing a specific sequence of characters by comparing that sequence to absolute file paths on your device. You can use the power of regular expressions to fine-tune and allow for more complex file event exclusion rules.
Because these types of regular expressions are often complex, it is especially important to test any regular expressions thoroughly prior to deployment in a production environment. Our Customer Champions can't help validate your regular expressions.
Remember that regular expressions are case sensitive. Code42 evaluates the regular expression as entered, taking any capitalization used into account.
Regular expression examples:
- Any operating system: ^/proc/.*
- Windows: ^.:/Users/[^/]*/AppData/.*
- Mac: ^/Users/[^/]*/Library/.*\.db
- Linux: ^/dev/shm$
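The section above advises testing regular expressions before deploying them, and the Directory section gives the prefix and contains rules. The following Python checker is an added example, not part of this article or of Code42's software: it applies the matching rules this page describes (case-insensitive extension, path-prefix and contains matching; case-sensitive regex compared against the absolute path) to sample paths so an administrator can see which exclusions would silence an event. It assumes paths are compared with forward slashes, as the Windows examples above suggest; the exclusion list and sample paths are constructed for illustration, and Code42's real engine may differ in details.

```python
import re

# Constructed exclusion list mirroring the page's examples; not exported from Code42.
# Each entry: (exclusion type, operating system, value as typed into the console).
# The OS field is informational here; the console applies each rule only to its OS.
EXCLUSIONS = [
    ("extension", "any", "tmp"),
    ("prefix", "windows", "C:/proc/"),
    ("prefix", "mac", "/Library/Application Support/Code42-AAT/Data/logs/"),
    ("contains", "any", "/Mozilla/Firefox/.cache./"),
    ("regex", "windows", r"^.:/Users/[^/]*/AppData/.*"),
    ("regex", "mac", r"^/Users/[^/]*/Library/.*\.db"),
    ("regex", "linux", r"^/dev/shm$"),
]


def normalize(path):
    """Assumption: paths are compared with forward slashes, as the page's Windows examples use."""
    return path.replace("\\", "/")


def valid_prefix(os_name, prefix):
    """Path-prefix rule from the page: Windows starts with a letter, Mac/Linux with '/'."""
    if os_name == "windows":
        return prefix[:1].isalpha()
    return prefix.startswith("/")


def matches(exclusion, path):
    kind, _os_name, value = exclusion
    p = normalize(path)
    if kind == "extension":            # not case sensitive; entered without leading period
        return p.lower().endswith("." + value.lower())
    if kind == "prefix":               # not case sensitive
        return p.lower().startswith(value.lower())
    if kind == "contains":             # not case sensitive
        return value.lower() in p.lower()
    if kind == "regex":                # case sensitive, evaluated exactly as entered
        return re.search(value, p) is not None
    raise ValueError(f"unknown exclusion type: {kind}")


def excluding_rules(path, exclusions=EXCLUSIONS):
    """Return every exclusion that would suppress file events for this absolute path."""
    return [e for e in exclusions if matches(e, path)]


if __name__ == "__main__":
    for sample in ["C:\\Users\\alice\\AppData\\Local\\cache.bin",
                   "/Users/bob/Library/Caches/places.db",
                   "/users/bob/library/Caches/places.db"]:   # lowercase: regex will not match
        print(sample, "->", [e[2] for e in excluding_rules(sample)])
```

Run it against a sample of real paths from your own Forensic Search results to confirm an exclusion is neither too broad nor silently ineffective because of capitalization.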
Manage exclusions
To view, edit, or delete a file event exclusion, see the File event exclusions list.