Exclusion rules overview

Release version: Yokohama
Updated January 30, 2025

Exclusion rules provide a way to filter or exclude detections from being converted into vulnerable items (VITs) during the ingestion process in Vulnerability Response.

These rules can be set up to handle various scenarios, such as:
  • Excluding vulnerabilities with low severity or risk that don’t require immediate remediation.
  • Improving the remediation process by prioritizing the most critical VITs for action.
  • Reducing the processing time during data import by excluding a percentage of detections from VIT conversion.

During data ingestion, new and existing detections are handled differently.
  • For new detections:
    • If the new detection doesn't meet the conditions of any exclusion rule, the detection is created along with its VITs.
    • If the new detection meets the conditions of an exclusion rule, the rule is associated with the detection, but no VIT is created. The Exclusion rule column on the Detection record is populated with a reference to the matching exclusion rule.
  • For existing detections:
    • If the detection doesn't meet the conditions of any exclusion rule, it proceeds through the normal workflow.
    • If the existing detection matches the conditions of an exclusion rule, the rule is associated with the detection and the VIT linked to that detection stays in its current state. The state of the VIT is governed by the value of the sn_vul.close_vit_with_excluded_detections property. By default, this property is set to False. If the value is False, the detections under a VIT are excluded and the VIT stays in its current state. If the value is True, the following outcomes apply:
      • If every detection under a VIT is excluded, the VIT's state is updated to Closed Excluded.
        Note:
        Starting from v22.1.2 of Vulnerability Response, a new substate called Excluded has been added.
      • If one detection is marked as Closed while the remaining detections are excluded, the VIT is set to Closed Fixed.
      • If the VIT has open detections, the VIT remains Open.
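The ingestion decision for new versus existing detections and the VIT state resolution described above, modelled as an added JavaScript example (this is not ServiceNow code; the record fields, the rule shape and the property lookup are assumptions made for the example):

```javascript
// Added model of the exclusion-rule ingestion logic (not ServiceNow code).
// Assumed shapes: a detection is a plain object with a `status` field and an
// `exclusion_rule` reference; a rule is { name, matches(detection) }.
const CLOSE_VIT_PROP = 'sn_vul.close_vit_with_excluded_detections';

// First rule whose conditions the detection meets, or null.
function matchExclusionRule(detection, rules) {
  return rules.find((rule) => rule.matches(detection)) || null;
}

// Ingest one detection. `existingVit` is null for a new detection.
// Returns the stored detection (with its Exclusion rule reference) and
// whether a VIT was created for it.
function ingestDetection(detection, rules, existingVit) {
  const rule = matchExclusionRule(detection, rules);
  const stored = { ...detection, exclusion_rule: rule ? rule.name : null };
  if (existingVit === null) {
    // New detection: a VIT is created only when no rule matches.
    return { detection: stored, vitCreated: rule === null };
  }
  // Existing detection: the VIT keeps its state; only the reference is set.
  return { detection: stored, vitCreated: false };
}

// Resolve a VIT's state from its detections, honouring the property.
// Assumption: an excluded detection never counts as an open detection.
function resolveVitState(currentState, detections, properties) {
  if (properties[CLOSE_VIT_PROP] !== true) {
    return currentState; // property False: the VIT stays where it is
  }
  const hasOpen = detections.some(
    (d) => d.status === 'Open' && d.exclusion_rule === null,
  );
  if (hasOpen) return 'Open';
  const allExcluded = detections.every((d) => d.exclusion_rule !== null);
  if (allExcluded) return 'Closed Excluded';
  return 'Closed Fixed'; // closed detections mixed with excluded ones
}

// Constructed sample: one rule that excludes low-severity findings.
const sampleRules = [
  { name: 'exclude_low_severity', matches: (d) => d.severity === 'Low' },
];

function demo() {
  const low = ingestDetection({ id: 'det-1', severity: 'Low', status: 'Open' }, sampleRules, null);
  const high = ingestDetection({ id: 'det-2', severity: 'High', status: 'Open' }, sampleRules, null);
  const state = resolveVitState('Open', [low.detection, low.detection], { [CLOSE_VIT_PROP]: true });
  return { lowVitCreated: low.vitCreated, highVitCreated: high.vitCreated, state };
}
```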