You can manage Rule Exceptions, Endpoint Exceptions, Allow Lists, and Block Lists all directly in the AgileBlue Portal.
Overview & Definitions
AgileBlue's SOC Analyst team and admin users in the portal can access a central location for managing Rule Exceptions, Endpoint Exceptions, Allow Lists, and Block Lists. This includes the ability to create, remove, and edit the related rules all within a single platform.
- Rule Exception
  - A rule-level exclusion that prevents certain events or conditions from triggering alerts. Rule exceptions are added to fine-tune Attack Indicators and rule out false positives.
- Endpoint Exception
  - An Endpoint Exception prevents the Cerulean Agent from taking action and raising alerts for specific files, processes, or behaviors. These exceptions prevent legitimate applications or behaviors from being blocked or flagged by the EDR.
- Allow List
  - A list of trusted entities (file hash, file path, or file signature) that the agent will permit and ignore when evaluating threats. Items on the allow list are treated as safe and excluded from detections and preventative actions.
- Block List
  - A list of known malicious, untrusted, or undesired entities (file hash, file path, or file signature) that will be automatically blocked by the Cerulean Agent. Anything on the block list is denied execution.
  - A block list entry might be created when a malicious executable is identified during an investigation. For instance, if a specific file hash is confirmed to belong to ransomware, it can be added to the block list to ensure the agent automatically prevents it from running across all monitored endpoints. The block list is also often used to prevent the installation or execution of common PUPs (potentially unwanted programs), or any software the client would prefer not to run in their environment.
Manage Rule Exceptions
Rule Exceptions can be applied to all Attack Indicators except for EDR/MDR alerts within the AgileBlue Platform. For exceptions related to EDR/MDR alerts, see the Endpoint Exceptions section of this document.
Create A Rule Exception
- There are two ways to open the Rule Exception form, listed below; we recommend option a whenever possible:
  a. Navigate to the Alert for which you would like to add an exception, then click Create Exception in the top right-hand corner
  b. Select Alert Exceptions on the left-hand menu in the AgileBlue Portal, click Rule Exceptions, select the specific rule for which you would like to add an exception, then click Add Exception
     NOTE: If you are logged in to a multi-tenant portal, ensure the target tenant is selected from the dropdown menu.
- Give a name for your new Exception
- Enter the Field the exception should be applied to (Ex. process.name)
  - NOTE: The Field must exactly match the field name as it appears in the alert, including the dotted path. The exception will not work unless the field name is an exact match.
- Select one of the available operators
  - is
  - is not
  - is one of
  - is not one of
- Enter the Value for the exception (Ex. svchost.exe)
  - NOTE: The exception will not function unless the Value is an exact, character-for-character match to the value in the alert; a variant spelling, different casing, or a full path where the alert carries only a file name will not match.
- Click +Add Conditional to include additional fields and values, or click Save to create your exception
Edit Existing Rule Exception
- Click on the target Attack Indicator
- Select the Pen Icon
- Update the exception
- Click Save
Delete Existing Rule Exception
- Click on the target Attack Indicator
- Select the Trashcan Icon next to the exception to be removed
Manage Endpoint Exceptions
Endpoint Exceptions are specific to EDR/MDR alerts.
Create An Endpoint Exception
- There are two ways to open the Endpoint Exception form, listed below; we recommend option a whenever possible:
  a. Navigate to the EDR/MDR Alert for which you would like to add an exception, then click Create Exception in the top right-hand corner
  b. Select Alert Exceptions on the left-hand menu in the AgileBlue Portal, click Endpoint Exceptions, select the specific rule for which you would like to add an exception, then click Add Exception
     NOTE: If you are logged in to a multi-tenant portal, ensure the target tenant is selected from the dropdown menu.
- Give a name for your new Exception
- Add a Client Identifier. Every Endpoint Exception must include a conditional that identifies the client; set the Field to one of the following values:
  - Custom.client_id
  - client_id
  - host.domain
  - user.domain
  - NOTE: Some alerts will not match unless the correct Client Identifier field is used. If the exception does not work with Custom.client_id, move on to the next field in this list until the exception is successfully configured.
  - If you are manually adding an exception (not tied to a specific alert), the client ID can be found on the tenant's alert playbook page. Host domain and user domain values can be found in the corresponding alert logs.
  - Set the Operator to is
  - If the Value does not auto populate, fill in that field
- Click +Add Conditional
- Enter the details regarding the activity to be excepted (Field, Operator, and Value, following the same exact-match requirements as a Rule Exception). Do not save an exception that contains only the Client Identifier conditional; the activity conditionals are what narrow it to the legitimate behavior. To learn more about how to create effective endpoint exceptions, see AgileBlue's separate guide on the topic.
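As an added example (not AgileBlue's code, and not a description of how the portal or the Cerulean Agent is implemented), the following Python models the matching semantics this document describes for both Rule Exceptions and Endpoint Exceptions: a dotted Field name that must exactly match the alert, the four operators, character-for-character Values, and the mandatory Client Identifier conditional. It runs over constructed sample alerts to show which ones an exception would suppress and which would keep firing. Assumed here, because the page does not state them: conditionals within one exception are combined with AND, and a conditional whose field is missing from the alert never matches. The alert documents, client IDs, rule names and exception names are all constructed for the example.

```python
# Added example (not AgileBlue's code): a model of the exception matching
# semantics described in this document, run over constructed sample alerts.
# Assumptions not stated on the page: conditionals in one exception are ANDed,
# matching is character-for-character (no case folding, no substring or glob
# matching), and a conditional whose field is absent from the alert never matches.
from dataclasses import dataclass
from typing import Any, Optional

# The four operators offered in the portal's exception form.
OPERATORS = {
    "is": lambda actual, value: actual == value,
    "is not": lambda actual, value: actual != value,
    "is one of": lambda actual, value: actual in value,
    "is not one of": lambda actual, value: actual not in value,
}


@dataclass(frozen=True)
class Conditional:
    field: str      # dotted field name exactly as it appears in the alert, e.g. "process.name"
    operator: str   # one of OPERATORS
    value: Any      # a string for "is"/"is not", a list of strings for the "one of" forms


@dataclass(frozen=True)
class ExceptionRule:
    name: str
    conditionals: tuple  # every conditional must match for the exception to apply


def get_field(alert: dict, path: str) -> Optional[Any]:
    """Resolve a dotted field name against a nested alert document.

    Returns None when any segment is missing, so a field name that does not
    exactly match the alert's schema (e.g. "process.Name") can never suppress.
    """
    cur: Any = alert
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def conditional_matches(alert: dict, cond: Conditional) -> bool:
    actual = get_field(alert, cond.field)
    if actual is None:
        return False
    return OPERATORS[cond.operator](actual, cond.value)


def exception_suppresses(alert: dict, exc: ExceptionRule) -> bool:
    """True when every conditional of the exception matches the alert (logical AND)."""
    return all(conditional_matches(alert, c) for c in exc.conditionals)


def triage(alerts: list, exceptions: list) -> dict:
    """Map each alert id to the name of the first exception that suppresses it, or None."""
    return {
        alert["id"]: next((e.name for e in exceptions if exception_suppresses(alert, e)), None)
        for alert in alerts
    }


def make_alert(alert_id: str, process_name: str, client_id: str = "acme-001") -> dict:
    # Constructed sample alert. "Custom.client_id" and "process.name" are the
    # field names used in this document; everything else is illustrative.
    return {
        "id": alert_id,
        "rule": "Suspicious Process Execution",
        "Custom": {"client_id": client_id},
        "host": {"domain": "corp.example"},
        "process": {"name": process_name},
    }


# Constructed alerts for the sample run.
ALERTS = [
    make_alert("a1", "svchost.exe"),
    make_alert("a2", "SVCHOST.EXE"),                          # same binary, different casing
    make_alert("a3", "C:\\Windows\\System32\\svchost.exe"),   # full path where the alert field holds a name
    make_alert("a4", "svchost.exe", client_id="other-002"),   # a different tenant
    make_alert("a5", "mimikatz.exe"),
]

# A Rule Exception: a single conditional, as created via "Create Exception" on the alert.
RULE_EXC = ExceptionRule("svchost noise", (Conditional("process.name", "is", "svchost.exe"),))

# An Endpoint Exception: the mandatory Client Identifier conditional first,
# then the activity to be excepted.
ENDPOINT_EXC = ExceptionRule(
    "acme trusted system binaries",
    (
        Conditional("Custom.client_id", "is", "acme-001"),
        Conditional("process.name", "is one of", ["svchost.exe", "lsass.exe"]),
    ),
)

# A mistyped field name: never matches, and silently leaves the alerts firing.
TYPO_EXC = ExceptionRule("typo", (Conditional("process.Name", "is", "svchost.exe"),))

if __name__ == "__main__":
    for alert_id, hit in triage(ALERTS, [ENDPOINT_EXC, RULE_EXC]).items():
        print(f"{alert_id}: {'suppressed by ' + hit if hit else 'ALERT FIRES'}")
```

In the sample run only a1 and a4 are suppressed: a2 and a3 carry the same binary but not the same string, so they keep firing, and a4 falls through the Endpoint Exception on the Client Identifier and is caught only by the tenant-independent Rule Exception. The typo exception matches nothing at all, which is the failure mode the NOTE about exact field names warns about: nothing in the portal will tell you the exception is inert, the alerts simply continue.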
Edit Existing Endpoint Exception
- Click on the target Exception
- Select the Pen Icon
- Update the exception
- Click Save
Delete Existing Endpoint Exception
- Click on the target Exception
- Select the Trashcan Icon next to the exception to be removed
Manage Allow List & Block List
The Allow List and Block List only apply to tenants with EDR fully enabled through the AgileBlue Platform. If EDR is disabled or in passive mode, the Block List will not function. These sections can be used to specifically allow or block applications based on a file path, hash, or signature. The Allow List should only be used for critical trusted applications that require 99.9% uptime, since an allowed item is exempt from detection as well as prevention; prefer a hash or signature over a bare file path where possible, because a path-only entry exempts whatever is later placed at that location.
The Block List should be used for any known malicious or potentially unwanted program that is to be blocked across the entire organization.
Update Allow List
- Log in to the AgileBlue Portal and navigate to Alert Exceptions in the left-hand menu
- NOTE: If you are logged in to a multi-tenant portal, ensure the target tenant is selected from the dropdown menu.
- Select the Allow List tab
- Click + Add Allow List Item
- Enter an Item Name
- Select one or more policies the item should be applied to (in almost all instances, any available policy should be included)
- Select the target OS Types
- Select the Field to be allowed (Hash, Path, or Signature)
- Enter the Value
- Click + Add Conditional to add another parameter to the item or click Save
Update Block List
- Log in to the AgileBlue Portal and navigate to Alert Exceptions in the left-hand menu
- NOTE: If you are logged in to a multi-tenant portal, ensure the target tenant is selected from the dropdown menu.
- Select the Block List tab
- Click + Add Block List Item
- Enter an Item Name
- Select one or more policies the item should be applied to (in almost all instances, any available policy should be included)
- Select the target OS Types
- Select the Field to be blocked (Hash, Path, or Signature)
- Enter the Value
- Click + Add Conditional to add another parameter to the item or click Save
Edit Existing Allow List/Block List Item
- Click on the target Item
- Select the Pen Icon
- Update the item
- Click Save
Delete Existing Allow List/Block List Item
- Click on the target Item
- Select the Trashcan Icon next to the item to be removed
Questions? Contact AgileBlue Support.
Email: support@agileblue.com
Phone: (216) 606-9400