This repository has been archived by the owner on Jan 17, 2024. It is now read-only.

Whitelisting

Evan Burns edited this page May 24, 2016 · 4 revisions

Whitelisting allows you to suppress detections based on pre-defined rules. A rule is based on exactly one of the following attributes, each of which is provided as part of the detection event from the Falcon Host Streaming API.

- File Name: Provide a regular expression pattern to match detections based on the file name of the process responsible for triggering the detection. For example, perhaps you have a suite of custom applications triggering false positives that follow a naming convention of custom-app-service.exe, custom-app-web.dll, etc. You could write a pattern of `^custom-app-\w*\.(exe|dll)$`. Keep in mind that a file name is trivial for an attacker to imitate, so prefer a path or hash rule where one is practical.
- File Path: Supports regular expressions. The supplied regex is checked against the File Path attribute supplied in the detection event. Using the same example as above, let's say you want the whitelist rule to apply only when the file is located in the expected application directory. In this case you could write a pattern such as `^C:\\Program Files\\Custom Apps\\custom-app-\w*\.(exe|dll)$` (backslashes in the path must be escaped in the regex).
- Command Line: This attribute also supports regular expressions and offers the most control over your rule. The full command line is supplied by Falcon Host with every detection event, so you can whitelist events only when certain arguments are, or are not, used. For example, to whitelist all occurrences of the net group command except when the /add action is used, you could write the pattern `net group (?!.*/add).*$`. Note that without a leading `^` a pattern matches anywhere in the field, which is why the file name and path examples above are anchored with `^` and `$`.
- SHA256 Hash: This is an explicit value and performs a direct match on the calculated hash. When entering the value for this attribute type, it must be formatted as a SHA256 hash (64 hexadecimal characters).
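As an added example (not code from the Falcon Orchestrator project), the following Python evaluates each of the four rule types against a few constructed detection events whose fields are shaped after the attributes listed above. The event layout, the field names and the `Rule` class are assumptions for illustration; the three regexes and the hash-format check are the ones the text describes.

```python
import re
from dataclasses import dataclass

# Constructed detection events (not real Falcon Host data). Field names are
# an assumption; they mirror the four attributes a rule can target.
DETECTIONS = [
    {"id": 1, "file_name": "custom-app-service.exe",
     "file_path": r"C:\Program Files\Custom Apps\custom-app-service.exe",
     "command_line": "custom-app-service.exe --daemon",
     "sha256": "a" * 64},
    {"id": 2, "file_name": "custom-app-web.dll",
     "file_path": r"C:\Users\bob\Downloads\custom-app-web.dll",
     "command_line": "rundll32.exe custom-app-web.dll,Run",
     "sha256": "b" * 64},
    {"id": 3, "file_name": "net.exe",
     "file_path": r"C:\Windows\System32\net.exe",
     "command_line": 'net group "Domain Admins" /domain',
     "sha256": "c" * 64},
    {"id": 4, "file_name": "net.exe",
     "file_path": r"C:\Windows\System32\net.exe",
     "command_line": 'net group "Domain Admins" eve /add /domain',
     "sha256": "c" * 64},
]

# A SHA256 value is 64 hexadecimal characters; anything else is rejected
# at rule-creation time rather than silently never matching.
HEX64 = re.compile(r"^[0-9a-fA-F]{64}$")


@dataclass(frozen=True)
class Rule:
    rule_type: str   # "file_name" | "file_path" | "command_line" | "sha256"
    value: str
    reason: str

    def __post_init__(self):
        if self.rule_type == "sha256":
            if not HEX64.match(self.value):
                raise ValueError("sha256 rule value must be 64 hex characters")
        elif self.rule_type in ("file_name", "file_path", "command_line"):
            re.compile(self.value)  # raises re.error on a malformed pattern
        else:
            raise ValueError("unknown rule type: %s" % self.rule_type)


def rule_matches(rule, detection):
    field = detection[rule.rule_type]
    if rule.rule_type == "sha256":
        # Explicit value: direct, case-insensitive comparison of the hex digest.
        return field.lower() == rule.value.lower()
    # Regex types use search(), so a pattern without ^/$ anchors matches
    # anywhere in the field; the page's file name/path examples are anchored.
    return re.search(rule.value, field) is not None


def whitelisted_ids(rule, detections=DETECTIONS):
    """Return the ids of the detections a rule would suppress."""
    return [d["id"] for d in detections if rule_matches(rule, d)]
```

The command line pattern is the interesting one: `net group (?!.*/add).*$` matches detection 3 (a read-only `net group` query) but not detection 4, because the negative lookahead fails as soon as `/add` appears anywhere after `net group`. The path rule narrows the file name rule from two hits to one, since the DLL in the Downloads folder is outside the expected directory.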

Creating A Rule

To create a whitelisting rule, log in to the Falcon Orchestrator web application and navigate to the Whitelisting section in the navigation bar at the top of the page. Click the Create button. In this view you must provide the rule type, value and reason for the rule; the logged-in user is also recorded as the creator of the rule. Once the rule has been created, any existing detection events that match it are automatically set to a status of Whitelisted with a closed date of the current time. In addition, if the whitelisting processing rule is enabled, every new detection is checked against these rules and updated accordingly.

[Screenshot: Whitelisting Create]

Editing A Rule

When editing a whitelisting rule, only the reason field can be modified. To change the value or type, delete the rule and create a new one.

Deleting A Rule

Deleting a rule changes all of its associated detections back to a status of Open. The system does not currently track the status each detection had before it was changed to Whitelisted, so it is assumed that the detection was previously Open; a detection that was in some other state when the rule was created will also come back as Open. Both editing and deletion of rules are initiated from the main Whitelisting page: select the action you want to perform from the Action column in the table listing all saved rules.
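As an added example (not the project's own code) covering the Creating, Editing and Deleting sections together, the following Python models the rule lifecycle described above: creating a rule closes every matching existing detection as Whitelisted with a closed date, new detections are checked against the stored rules, only the reason can be edited, and deleting a rule sends every associated detection back to Open regardless of what it was before. The detection records, the `status`/`closed` fields, the "In Progress" value and the `WhitelistStore` class are assumptions for illustration.

```python
import re
from datetime import datetime, timezone


# Constructed detection records (not the project's schema). The "In Progress"
# status on detection 2 is there to show what deletion does to a detection
# that was not Open when the rule was created.
def sample_detections():
    return [
        {"id": 1, "file_name": "custom-app-service.exe", "status": "Open", "closed": None},
        {"id": 2, "file_name": "custom-app-web.dll", "status": "In Progress", "closed": None},
        {"id": 3, "file_name": "mimikatz.exe", "status": "Open", "closed": None},
    ]


class WhitelistStore:
    """Rule lifecycle: create (closes matches), edit reason only, delete (reopens)."""

    def __init__(self, detections, now=None):
        self.detections = detections
        self.rules = {}       # rule_id -> rule record
        self.matched = {}     # rule_id -> ids of the detections it whitelisted
        self._next_id = 1
        # Injectable clock so the closed date is deterministic in tests.
        self._now = now or (lambda: datetime.now(timezone.utc).isoformat())

    @staticmethod
    def _matches(rule, det):
        if rule["type"] == "sha256":
            return det.get("sha256", "").lower() == rule["value"].lower()
        return re.search(rule["value"], det.get(rule["type"], "")) is not None

    def _whitelist(self, rule_id, det):
        det["status"] = "Whitelisted"
        det["closed"] = self._now()
        self.matched[rule_id].append(det["id"])

    def create(self, rule_type, value, reason, created_by):
        rule_id = self._next_id
        self._next_id += 1
        self.rules[rule_id] = {"type": rule_type, "value": value,
                               "reason": reason, "created_by": created_by}
        self.matched[rule_id] = []
        # Existing detections that match are set to Whitelisted immediately.
        # A detection already whitelisted by another rule stays associated with
        # that rule (an assumption; the page does not cover overlapping rules).
        for det in self.detections:
            if det["status"] != "Whitelisted" and self._matches(self.rules[rule_id], det):
                self._whitelist(rule_id, det)
        return rule_id

    def edit_reason(self, rule_id, reason):
        # Only the reason may change; a new value or type means delete + create.
        self.rules[rule_id]["reason"] = reason

    def process_new(self, det):
        # The check the "whitelisting processing rule" performs on an incoming
        # detection: the first matching rule whitelists it.
        self.detections.append(det)
        for rule_id, rule in self.rules.items():
            if self._matches(rule, det):
                self._whitelist(rule_id, det)
                return rule_id
        return None

    def delete(self, rule_id):
        # Prior status is not tracked, so every associated detection goes back
        # to Open, including detection 2, which was "In Progress" beforehand.
        # Clearing the closed date on reopen is an assumption.
        for det in self.detections:
            if det["id"] in self.matched[rule_id]:
                det["status"] = "Open"
                det["closed"] = None
        del self.rules[rule_id]
        del self.matched[rule_id]
```

The point to take from `delete` is the one the text warns about: because the store records only which detections a rule closed, not what state they were in, reopening is lossy. If that matters in your workflow, note a detection's status in the reason field, or in your ticketing system, before creating a rule that will cover it.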
