Issue
If CrowdStrike Falcon is showing threats that you don’t want to see, or is preventing activity that you want to allow, you can create exclusions to quiet threats for known file paths and allow trusted processes to run.
Environment
CrowdStrike Falcon
Resolution
Table of Contents
- Understanding exclusions
- Planning your exclusions
- Managing machine learning exclusions
- Managing IOA exclusions
- Managing sensor visibility exclusions
- Viewing exclusions audit logs
- Glob syntax
Sensor support:
- Machine learning exclusions
  - Falcon sensor for Windows: version 5.34 and later, and versions earlier than 5.30
  - Falcon sensor for macOS: version 5.34 and later, and versions earlier than 5.28
  - Falcon sensor for Linux: version 5.34 and later
  - NOTE: Falcon Container does not support exclusions for pods.
- IOA exclusions
  - Falcon sensor for Windows version 5.41 and later
  - Falcon sensor for macOS version 6.11 and later
  - Falcon sensor for Linux version 6.14 and later
- Sensor visibility exclusions
  - Falcon sensor for Windows version 5.34 and later
  - Falcon sensor for macOS version 5.34 and later
  - Falcon sensor for Linux version 6.20 and later
Roles:
- These roles can create and manage exclusions:
  - Falcon Administrator
  - Detections Exceptions Manager
- These roles can view exclusions, exclusion audit logs, and IOA exclusion activity logs:
  - Falcon Endpoint Manager
  - Falcon Analyst
  - Falcon Analyst - Read Only
  - Falcon Security Lead
  - Falcon Investigator
Before you begin
Exclusions are applied to hosts based on their group membership. Set up host groups before you create an exclusion. For more info, see Managing Host Groups.
Exclusions let you create a specific allowlist, but they aren’t the only way to adjust the threats you see. Review your prevention policy settings to see if any policies are set to a level that's more aggressive than recommended by our best practices. These policies might trigger certain detections about activity that you don’t need to see. For more info, see Prevention Policy Settings.
Understanding exclusions
Occasionally, Falcon might detect or prevent activity that you expect and allow in your environment. By creating exclusions, you can stop seeing threats that you don’t want to see, and allow processes that would otherwise be prevented. The exclusions that you create effectively form an allowlist that explicitly defines your organization’s known trusted activity.
You can create these types of exclusions:
| Exclusion type | Description | Events logged? |
|---|---|---|
| Machine learning (ML) exclusion | For trusted file paths, stop all ML-based detections and preventions, or stop files from being uploaded to the CrowdStrike cloud. | Yes |
| Indicator of attack (IOA) exclusion | Stop all behavioral detections and preventions for an IOA that’s based on a CrowdStrike-generated detection. | Yes |
| Sensor visibility exclusion | For trusted file paths that you want to exclude from sensor monitoring, minimize sensor event collection, and stop all associated detections and preventions. Use sensor visibility exclusions with extreme caution. Potential attacks and malware associated with excluded files will not be recorded, detected, or prevented. | No |
Machine learning exclusions
For trusted file paths, reduce false-positive detections by creating machine learning exclusions. Define patterns to exclude files from threats or preventions derived from machine learning techniques:
- Stop static file-based threats and preventions, through ML-based techniques or custom hash blocklists
- Stop file uploads to the CrowdStrike cloud
A machine learning exclusion has three configurable parts:
- An exclusion pattern that defines a file path, name, or extension. Exclusion patterns are written in glob syntax.
- An exclusion type that defines the type of activity that you want to exclude. Choose one or both exclusion types: Detect/Prevent or Upload Files to CrowdStrike
- A set of hosts that the exclusion applies to. Choose all hosts or select specific host groups.
Detect/prevent
Any file matching the exclusion pattern won’t be detected or blocked by the Falcon sensor. The activity is logged through events sent to the CrowdStrike cloud, but a detection is not generated.
The most common reason to create a Detect/Prevent exclusion is to minimize false-positive detections for trusted applications. For example, your organization might use an internal tool that's blocked by the Falcon sensor. You can create an exclusion to permit that tool to run without triggering a Detect or Prevent action.
Create Detect/Prevent exclusions to target very specific situations. If your exclusion is too broad, you might inadvertently permit malicious activity that should be detected or blocked.
Upload files to CrowdStrike
Any file matching the exclusion pattern won’t be available for download in Activity > Quarantined Files, and those files won't be uploaded to the CrowdStrike cloud for analysis.
The most common reason to create this type of exclusion is to prevent certain executable files from being uploaded to the CrowdStrike cloud. For example, you might want to prevent uploads of self-extracting archives containing design files from the group of hosts that includes your engineering department's workstations.
Uploading files to CrowdStrike is disabled by default. To enable it, go to Configuration > Upload Quarantined Files or Configuration > Prevention Policies.
IOA exclusions
Reduce false-positive threat alerts from IOAs by creating exclusions that stop behavioral IOA threats and preventions. You can create an IOA exclusion directly from a CrowdStrike-generated threat, or by duplicating and then modifying an existing IOA exclusion.
Most types of IOA detections can be excluded through the Falcon console. However, some types of threats (OverWatch, custom IOA, and some others) cannot be excluded.
Considerations for IOA Exclusions
You can exclude most types of IOA threats. However, the following types of threats cannot be excluded:
- OverWatch threats: For assistance with OverWatch threats, contact Support
- Custom IOA threats: To adjust these threats, modify the custom IOA instead
- Forced Address Space Layout Randomization (ASLR) bypass preventions
- Forced Data Execution Protection (DEP) preventions
- Heap Spray Preallocation preventions
- A small set of internal threat types
The Falcon console indicates whether you can exclude a specific IOA threat. If you want to exclude a threat that Falcon indicates cannot be excluded, open a Support case.
Sensor visibility exclusions
For trusted file paths that you want to exclude from sensor monitoring, sensor visibility exclusions minimize sensor event collection, and stop all associated threats and preventions.
Use sensor visibility exclusions with extreme caution. Potential attacks and malware associated with excluded files will not be recorded, detected, or prevented. For more info, see Considerations for Sensor Visibility Exclusions.
The most common reason to create a sensor visibility exclusion is to improve endpoint performance at the excluded file paths. When planning and configuring sensor visibility exclusions, balance performance and security considerations.
Considerations for sensor visibility exclusions
Use sensor visibility exclusions with extreme caution. If you create a sensor visibility exclusion for a file path, Falcon won’t record all events, won’t report any threats, and won’t perform any prevention actions.
Before creating sensor visibility exclusions, consider the security risks and follow these best practices:
- Configure exclusions to be as narrow as possible.
- Avoid specifying file exclusions for built-in operating system executable files and folders, such as: bash, /sbin, /bin, /usr/bin, java, python, ruby
Additional sensor visibility exclusion considerations:
- The sensor minimizes event reporting for process executions that match file exclusion criteria.
- Processes matching criteria will no longer generate the majority of events, including process-related events.
- The sensor will continue to send EndOfProcess events on Windows and macOS.
- The process tree and file name are still captured, but the SHA256 digest is not.
- Data will not be available in Falcon Discover, Investigate hash searches, or FDRv2 app info.
- Excluding container-relative paths is not supported.
- Linux sensor visibility exclusions apply to both the host and all containers running on the system.
Planning your exclusions
To maintain a strong security posture, create exclusions to be as specific as possible. When you're creating or editing an exclusion, Falcon displays a list of affected threats before you save it. Previewing threats helps you quickly understand the expected effect. For existing IOA exclusions, you can view an activity log to understand actual effects.
CrowdStrike records all changes to your exclusions in an audit log. We recommend including a comment whenever you create, edit, or delete an exclusion. After you save changes, it can take up to 40 minutes to go into effect.
Managing machine learning exclusions
Getting to machine learning exclusions
Go to Configuration > Detections Management > Exclusions, and then go to the Machine Learning Exclusions tab.
Creating machine learning exclusions
Create a machine learning exclusion from within a threat summary by clicking Create ML exclusion.
- On Activity > Detections, expand the threat's Summary and click Create ML exclusion.
- Select host groups or all hosts, then click Next.
- In Excluded from, select Detections and preventions and/or Uploads to CrowdStrike.
- Verify the Exclusion pattern in glob syntax.
- (Optional) Use Pattern test to check syntax against a test file path.
- (Recommended) Enter an audit log comment and click Create.
Editing machine learning exclusions
- Go to the Machine Learning Exclusions tab.
- In the Actions column, click Edit.
- Modify host groups, exclusion types, or patterns as needed.
- (Recommended) Enter an audit log comment and click Update.
Deleting machine learning exclusions
- Go to the Machine Learning Exclusions tab.
- Click Delete in the Actions column.
- Review changes, enter a comment, and click Delete exclusion.
Managing IOA exclusions
Getting to IOA exclusions
Go to Configuration > Detections Management > Exclusions, and select the IOA Exclusions tab.
Creating IOA exclusions
- On Activity > Detections, expand the summary and click Create IOA exclusion.
- Select host groups, enter a name/description, and define Image filename or Command line patterns in regex.
- Review the predicted effects and click Create exclusion.
Duplicating IOA Exclusions
- On the IOA Exclusions tab, click Duplicate in the Actions column.
- Modify host groups and patterns for the new exclusion and click Create.
Editing IOA Exclusions
- On the IOA Exclusions tab, click Edit.
- Modify name, description, or patterns and click Update.
Deleting IOA exclusions
- On the IOA Exclusions tab, click Delete.
- Confirm deletion after reviewing changes.
Viewing the IOA exclusions activity log
- On the IOA Exclusions tab, click See activity.
- Click any event to see its Details summary.
IOA exclusion regex syntax
- Regex fields support a max of 256 characters.
- Suggested patterns exceeding this limit are truncated, with .* appended.
Managing sensor visibility exclusions
Getting to sensor visibility exclusions
Go to Configuration > Detections Management > Exclusions, and select the Sensor Visibility Exclusions tab.
Creating sensor visibility exclusions
- On the tab, click Create exclusion.
- Select hosts, enter a glob pattern, and click Confirm and Create.
Editing sensor visibility exclusions
- In the Actions column, click Edit.
- Modify pattern or host groups and click Confirm and Update.
Deleting sensor visibility exclusions
- In the Actions column, click Delete.
- Enter a comment and click Delete exclusion.
Viewing exclusions audit logs
- On any exclusions tab, click See audit log.
- Click any revision to see its Details summary.

Glob syntax
Glob syntax allows you to create exclusion patterns that exclude files and folders. Our glob syntax supports standard ASCII characters. Alphabetical characters are not case-sensitive.
Examples
Windows: Start with the root folder. Do not include drive letters or leading backslashes. NOTE: If the path includes any spaces, your exclusion must include those same spaces. Replicate the actual folder name.
| Rule | Description |
|---|---|
| Program Files (x86)\MySoftware\* | Excludes everything in the folder, but not subfolders |
| Program Files (x86)\MySoftware\** | Excludes everything in the folder, including subfolders |
| Program Files (x86)\MySoftware\SampleSoftware.exe | Excludes SampleSoftware.exe if it's in Program Files (x86)\MySoftware\ |
| Users\*\Desktop\RunMe.exe | Excludes "RunMe.exe" within any user folders |
| **\RunMe.exe | (The exception) Globally excludes "RunMe.exe" in any location |
macOS/Linux: Prefix folders with a leading slash (/) and then continue with the root folder in the full path.
| Rule | Description |
|---|---|
| /home/user/Downloads/* | Excludes everything in the folder, but not subfolders |
| /home/user/Downloads/** | Excludes everything in the folder, including subfolders |
| /home/user/Downloads/myprocess | Excludes myprocess if it's in /home/user/Downloads folder only |
| /home/*/Downloads/myprocess | Excludes myprocess within any user folders |
| **/myprocess | (The exception) Globally excludes myprocess in any location |
Wildcards
| Wildcard | Description | Example pattern | Does match example | Doesn't match example |
|---|---|---|---|---|
| * | Match any number of characters, excluding separators (\ or /). | Crowd* | CrowdStrike, Crowd | CrowdStrike/Document1.ps1 |
| ** | Match any number of characters, including separators (\ or /). | Crowd** | CrowdStrike, Crowd/Strike.ps1, CrowdStrike/Document1.ps1 | BigCrowd, Crow, wd |
| ? | Match any single character. | DO? | DOC, DOS, DOs | doc, docs, DO |
| [abc] | Match any character inside brackets. | version[a1] | versiona, version1 | version, version2 |
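The Wildcards table above, together with the best practice under Considerations for sensor visibility exclusions (keep patterns narrow and never cover built-in OS executables and folders such as bash, /sbin, /bin, /usr/bin, java, python, ruby), as an added Python example. This is not CrowdStrike's code and does not reproduce the sensor's own matcher; it compiles a pattern into a regular expression following the four wildcard rules exactly as this page states them and runs the page's own table examples through it. It assumes the page's statement that matching is case-insensitive (so it treats "doc" as matching "DO?", whereas the table lists "doc" under Doesn't match), and it accepts either separator in a path. The sample built-in OS paths (the daemon name under /sbin is a placeholder) and the helper names glob_to_regex, matches and builtin_paths_covered are constructed for this example.

```python
import re


def glob_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate an exclusion glob into a compiled regex.

    Rules taken from the Wildcards table on this page:
      *      any run of characters except a separator (stays inside one folder)
      **     any run of characters including separators (crosses folders)
      ?      exactly one character
      [abc]  exactly one character from the bracket set
    Everything else is literal, so spaces and parentheses in folder names must
    appear exactly as they do on disk. Matching is case-insensitive, following
    the page's statement that alphabetical characters are not case-sensitive.
    """
    out = []
    i, n = 0, len(pattern)
    while i < n:
        c = pattern[i]
        if c == "*" and i + 1 < n and pattern[i + 1] == "*":
            out.append(".*")            # ** may cross folder boundaries
            i += 2
        elif c == "*":
            out.append(r"[^\\/]*")      # * never crosses a separator
            i += 1
        elif c == "?":
            out.append(".")             # exactly one character
            i += 1
        elif c == "[":
            close = pattern.find("]", i + 1)
            if close <= i + 1:
                out.append(re.escape(c))  # "[" with no usable set: literal
                i += 1
            else:
                # Only the documented [abc] form: every bracketed char is literal.
                out.append("[" + re.escape(pattern[i + 1:close]) + "]")
                i = close + 1
        elif c in "\\/":
            out.append(r"[\\/]")        # accept either separator style in the path
            i += 1
        else:
            out.append(re.escape(c))
            i += 1
    return re.compile("^" + "".join(out) + "$", re.IGNORECASE)


def matches(pattern: str, path: str) -> bool:
    """True when the exclusion pattern covers the given path."""
    return glob_to_regex(pattern).match(path) is not None


# Constructed sample paths for the built-in OS executables and folders the page
# says not to exclude (bash, /sbin, /bin, /usr/bin, java, python, ruby).
# "example-daemon" is a placeholder name, not a real binary.
BUILTIN_OS_PATHS = (
    "/bin/bash",
    "/sbin/example-daemon",
    "/usr/bin/java",
    "/usr/bin/python",
    "/usr/bin/ruby",
)


def builtin_paths_covered(pattern: str, builtin_paths=BUILTIN_OS_PATHS) -> list:
    """Pre-flight check for a proposed sensor visibility exclusion.

    Returns the built-in OS paths the pattern would silence. A non-empty result
    means the pattern is broader than the page's best practice allows and
    should be narrowed before it is saved.
    """
    return [p for p in builtin_paths if matches(pattern, p)]


if __name__ == "__main__":
    # Table examples from the page, then three candidate sensor visibility patterns.
    print(matches("Crowd*", "CrowdStrike"), matches("Crowd*", "CrowdStrike/Document1.ps1"))
    print(matches(r"Users\*\Desktop\RunMe.exe", r"Users\alice\Desktop\RunMe.exe"))
    for pat in ("**/python", "/usr/**", "/opt/myapp/**"):
        print(pat, "->", builtin_paths_covered(pat) or "no built-in OS path covered")
```

Run the pre-flight check against every candidate pattern before entering it in the console: a pattern such as "**/python" or "/usr/**" is reported as covering built-in interpreter paths, while an application-specific pattern like "/opt/myapp/**" passes. Because "*" is compiled to a class that excludes both separators, the folder-only versus subfolder distinction in the two path tables falls out of the regex directly.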