File event exclusions
Overview
Use file event exclusions to define what file activity to exclude from Incydr monitoring. Excluding files by path or process prevents user devices from consuming resources to index file activity you're not interested in monitoring. It also prevents irrelevant or unimportant file events from appearing in dashboard visualizations, alerts, and Forensic Search results.
This article describes how to set and manage file event exclusions in the Code42 console.
Considerations
- File event exclusions apply to all organizations and devices in your Code42 environment.
- To view and modify file event exclusions, you must have the Security Administrator or Customer Cloud Admin role.
- Process exclusions only apply to the insider risk agent. Path exclusions apply to all agent types.
What is excluded?
In general, file event exclusions apply to endpoint activity on disk, not exfiltration. For example, Incydr still detects files in excluded paths being uploaded via a browser or moved to removable media.
See the table below for details about how each exclusion type affects detection of file exfiltration activity. In the table:
- Excluded = file activity is not detected
- Not excluded = file activity is detected
| Detection type | |||||
|---|---|---|---|---|---|
| All file activity / File metadata collection | Cloud sync applications | Removable media | Browser and other app activity | ||
|
Path Directory exclusion 1 |
Excluded | Excluded 2 | Not excluded 3 | Not excluded | Not excluded |
|
Path File extension exclusion 1 |
Excluded | Excluded | Excluded | Not excluded | Not excluded |
|
Path Filename exclusion (via regex) |
Excluded | Excluded | Excluded | Not excluded | Not excluded |
| Process exclusion | Excluded | Excluded | Excluded | Not excluded | Not excluded |
1 Directory and file extension exclusions created via a custom regular expression (regex) follow the same rules as those created via the dedicated fields below.
2 If the cloud sync directory is excluded (for example C:/Users/Username/Google Drive), sync activity within that directory is excluded. However, if a file in that directory is uploaded via a web browser or moved to removable media, that exfiltration activity is still detected.
3 Files moved from an excluded path to removable media are detected, unless the removable media destination path itself is also excluded.
File event exclusions
To view file event exclusions:
- Sign in to the Code42 console.
- Select Administration > Environment > File event exclusions.
| Item | Description | |
|---|---|---|
| a | Create exclusion | Creates a file event exclusion, either by path or process. |
| b | Path Exclusions | Displays the list of exclusions by path. |
| c | Process Exclusions |
Displays the list of exclusions by process.
Process exclusions only apply to the insider risk agent. |
| d | Exclusion |
The file extension, directory, or regular expression being excluded. Regular expressions are case sensitive
Exclusions entered using regular expressions are case sensitive. Code42 evaluates the regular expression as entered, taking any capitalization used into account. File extension or directory exclusions are not case sensitive. |
| e | Type | The file event exclusion type. |
| f | Operating System | The operating system to which the file event exclusion applies. |
| g | Edit | Click to edit the file event exclusion. |
| h | Delete | Click to delete the file event exclusion. |
Create exclusion
To create file event exclusions:
- Sign in to the Code42 console.
- Select Administration > Environment > File event exclusions.
- Click Create exclusion.
- Choose either:
- Select the operating system to which the exclusion applies.
- Select an exclusion type.
- Click Next.
The following options vary based on exclusion type.
Path exclusions
When creating a path exclusion, you can create one by file extension, directory, or regular expression.
File extension
To exclude file events by file extension:
- Enter the file extension, without the leading period.
File extension exclusions are not case sensitive. - (Optional) Add multiple file extension exclusions in one step by clicking the plus
icon.
- Click Create.
Directory
To exclude file events by directory:
- Choose Path prefix or Contains.
- Enter the prefix or string. Do not use wildcards.
Directory exclusions are not case sensitive.- Path prefix: For Windows, the prefix must start with a letter. For Mac and Linux, it must start with a
/. For example:- Windows:
C:/proc/ - Mac:
/Library/Application Support/Code42-AAT/Data/logs/ - Linux:
/usr/local/qualys/cloud-agent/
- Windows:
- Contains: For example:
- Windows: /
Mozilla/Firefox/.cache./ - Mac:
/Library/Application Support/CrashReporter/ - Linux:
/Mozilla/Firefox/.cache./
- Windows: /
- Path prefix: For Windows, the prefix must start with a letter. For Mac and Linux, it must start with a
- (Optional) Add multiple file extension exclusions in one step by clicking the plus icon.
- Click Create.
Regular expression
A regular expression (regex) is a search pattern that locates files and folders containing a specific sequence of characters by comparing that sequence to absolute file paths on your device. You can use the power of regular expressions to fine-tune and allow for more complex file event exclusion rules.
Because these types of regular expressions are often complex, it is especially important to test any regular expressions thoroughly prior to deployment in a production environment. Our Technical Support Engineers can't help validate your regular expressions.
Remember that regular expressions are case sensitive. Code42 evaluates the regular expression as entered, taking any capitalization used into account.
Regular expression examples:
- Any operating system:
^/proc/.*' - Windows:
^.:/Users/[^/]*/AppData/.* - Mac:
^/Users/[^/]*/Library/.*\.db - Linux:
^/dev/shm$
Process exclusions
Applies to the insider risk agent only
Use process exclusions to prevent Incydr from generating file events for any activity triggered by processes that don't add value to insider risk detection or investigation. Create a process exclusion by process name, process path, or regular expression.
Process name
To exclude file events by process name:
- Enter the process name as the name of the file on disk.
- (Optional) Add multiple processes in one step by clicking the plus icon.
- Click Create.
Process path
To exclude file events by process path:
- Choose Full process path, Path prefix, or Contains.
- Enter the prefix or string.
- Process path exclusions are not case sensitive.
- Do not use wildcards.
- Use forward slashes (
/). - When entering a Path prefix for Windows, the prefix must start with a letter. For Mac, it must start with a forward slash
(/).
Regular expression
A regular expression (regex) is a search pattern that locates files and folders containing a specific sequence of characters by comparing that sequence to absolute file paths on your device. You can use the power of regular expressions to fine-tune and allow for more complex file event exclusion rules.
Because these types of regular expressions are often complex, it is especially important to test any regular expressions thoroughly prior to deployment in a production environment. Our Technical Support Engineers can't help validate your regular expressions.
Remember that regular expressions are case sensitive. Code42 evaluates the regular expression as entered, taking any capitalization used into account.
Use forward slashes (
/) in your regular expressions.Manage exclusions
To view, edit, or delete a file event exclusion, see the File event exclusions list.