Issue
If CrowdStrike Falcon is showing threats that you don’t want to see, or is preventing activity that you want to allow, you can create exclusions to quiet threats for known file paths and allow trusted processes to run.
Environment
CrowdStrike Falcon
Resolution
Sensor support:
- Machine learning exclusions
  - Falcon sensor for Windows: version 5.34 and later, and versions earlier than 5.30
  - Falcon sensor for macOS: version 5.34 and later, and versions earlier than 5.28
  - Falcon sensor for Linux: version 5.34 and later
NOTE: Falcon Container does not support exclusions for pods.
- IOA exclusions
  - Falcon sensor for Windows: version 5.41 and later
  - Falcon sensor for macOS: version 6.11 and later
  - Falcon sensor for Linux: version 6.14 and later
- Sensor visibility exclusions
  - Falcon sensor for Windows: version 5.34 and later
  - Falcon sensor for macOS: version 5.34 and later
  - Falcon sensor for Linux: version 6.20 and later
Roles:
- These roles can create and manage exclusions:
- Falcon Administrator
- Detections Exceptions Manager
- These roles can view exclusions, exclusion audit logs, and IOA exclusion activity logs:
- Falcon Endpoint Manager
- Falcon Analyst
- Falcon Analyst - Read Only
- Falcon Security Lead
- Falcon Investigator
Before you begin
Exclusions are applied to hosts based on their group membership. Set up host groups before you create an exclusion. For more info, see Managing Host Groups.
Exclusions let you create a specific allowlist, but they aren’t the only way to adjust the threats you see. Review your prevention policy settings to see if any policies are set to a level that's more aggressive than recommended by our best practices. These policies might trigger certain detections about activity that you don’t need to see. For more info, see Prevention Policy Settings.
Understanding exclusions
Occasionally, Falcon might detect or prevent activity that you expect and allow in your environment. By creating exclusions, you can stop seeing threats that you don’t want to see, and allow processes that would otherwise be prevented. The exclusions that you create effectively form an allowlist that explicitly defines your organization’s known trusted activity.
You can create these types of exclusions:
Machine learning (ML) exclusion | For trusted file paths, stop all ML-based detections and preventions, or stop files from being uploaded to the CrowdStrike cloud. | Yes
Indicator of attack (IOA) exclusion | Stop all behavioral detections and preventions for an IOA that's based on a CrowdStrike-generated detection. | Yes
Sensor visibility exclusion | For trusted file paths that you want to exclude from sensor monitoring, minimize sensor event collection, and stop all associated detections and preventions. Use sensor visibility exclusions with extreme caution: potential attacks and malware associated with excluded files will not be recorded, detected, or prevented. | No
Machine learning exclusions
For trusted file paths, reduce false-positive detections by creating machine learning exclusions. Define patterns to exclude files from threats or preventions derived from machine learning techniques:
- Stop static file-based threats and preventions, through ML-based techniques or custom hash blocklists
- Stop file uploads to the CrowdStrike cloud
A machine learning exclusion has three configurable parts:
- An exclusion pattern that defines a file path, name, or extension. Exclusion patterns are written in glob syntax.
- An exclusion type that defines the type of activity that you want to exclude. Choose one or both exclusion types:
- Detect/Prevent
- Upload Files to CrowdStrike
- A set of hosts that the exclusion applies to. Choose all hosts or select specific host groups.
Detect/prevent
Any file matching the exclusion pattern won’t be detected or blocked by the Falcon sensor. The activity is logged through events sent to the CrowdStrike cloud, but a detection is not generated.
The most common reason to create a Detect/Prevent exclusion is to minimize false-positive detections for trusted applications. For example, your organization might use an internal tool that's blocked by the Falcon sensor. You can create an exclusion to permit that tool to run without triggering a Detect or Prevent action.
Create Detect/Prevent exclusions to target very specific situations. If your exclusion is too broad, you might inadvertently permit malicious activity that should be detected or blocked.
Upload files to CrowdStrike
Any file matching the exclusion pattern won’t be available for download in Activity > Quarantined Files, and those files won't be uploaded to the CrowdStrike cloud for analysis.
The most common reason to create this type of exclusion is to prevent certain executable files from being uploaded to the CrowdStrike cloud. For example, you might want to prevent uploads of self-extracting archives containing design files from the group of hosts that includes your engineering department's workstations.
Uploading files to CrowdStrike is disabled by default. To enable it, go to Configuration > Upload Quarantined Files or Configuration > Prevention Policies.
IOA exclusions
Reduce false-positive threat alerts from IOAs by creating exclusions that stop behavioral IOA threats and preventions. You can create an IOA exclusion directly from a CrowdStrike-generated threat, or by duplicating and then modifying an existing IOA exclusion.
Most types of IOA detections can be excluded through the Falcon console. However, some types of threats (OverWatch, custom IOA, and a few others listed under Considerations for IOA Exclusions) cannot be excluded.
Considerations for IOA Exclusions
IOA exclusions are created from within a threat, or by duplicating and then modifying an existing IOA exclusion.
You can exclude most types of IOA threats. However, the following types of threats cannot be excluded:
- OverWatch threats: For assistance with OverWatch threats, contact Support
- Custom IOA threats: To adjust these threats, modify the custom IOA instead
- Forced Address Space Layout Randomization (ASLR) bypass preventions
- Forced Data Execution Protection (DEP) preventions
- Heap Spray Preallocation preventions
- A small set of internal threat types
The Falcon console indicates whether you can exclude a specific IOA threat. If you want to exclude a threat that Falcon indicates cannot be excluded, open a Support case.
Sensor visibility exclusions
For trusted file paths that you want to exclude from sensor monitoring, sensor visibility exclusions minimize sensor event collection, and stop all associated threats and preventions.
Use sensor visibility exclusions with extreme caution. Potential attacks and malware associated with excluded files will not be recorded, detected, or prevented. For more info, see Considerations for Sensor Visibility Exclusions.
The most common reason to create a sensor visibility exclusion is to improve endpoint performance at the excluded file paths, where sensor event data collection might interfere with highly resource-sensitive tasks. When planning and configuring sensor visibility exclusions, balance performance and security considerations. We recommend using sensor visibility exclusions only on hosts for which the sensor’s performance overhead without exclusions is unacceptable, and we recommend choosing excluded paths with care.
Considerations for sensor visibility exclusions
Use sensor visibility exclusions with extreme caution. If you create a sensor visibility exclusion for a file path, Falcon won’t record all events, won’t report any threats, and won’t perform any prevention actions. This means that you won’t have visibility into potential attacks or malware related to that file path.
Before creating sensor visibility exclusions, consider the potential security risks. If you do create sensor visibility exclusions, we recommend following these best practices:
- Configure exclusions to be as narrow as possible. It’s safer to exclude a single executable file than an entire folder or all subfolders.
- Avoid specifying file exclusions for built-in operating system executable files and folders, such as these:
- bash, /sbin, /bin, /usr/bin
- java, python, ruby
Additional sensor visibility exclusion considerations:
- The sensor minimizes event reporting for process executions that match file exclusion criteria.
- Processes that match file exclusion criteria will no longer generate the majority of events that would be seen otherwise, including process-related events.
- The sensor will continue to send EndOfProcess events on Windows and macOS.
- Process tree and file name are still captured, but SHA256 digest is not.
- For excluded processes, data will not be available in the following features and contexts:
- Any app usage dashboard (for example, Falcon Discover)
- Hash search (Falcon Investigate)
- FDRv2 app info
- Excluding container-relative paths (and more generally, paths inside a chroot) is not supported.
- At this time, any Linux sensor visibility exclusions apply to both the host and all containers running on the system.
Planning your exclusions
Consider the potential implications of an exclusion before you put it into effect in your environment.
To maintain a strong security posture, create exclusions to be as specific as possible while meeting your exclusion needs. If your exclusion is too broad, you might inadvertently permit malicious activity that should be detected or blocked.
When you're creating or editing an exclusion, Falcon displays a list of affected threats before you save it. This list shows threats that wouldn’t have been generated if the current exclusion were live in your environment. Previewing threats that you would no longer see helps you quickly understand the expected effect of an exclusion before you save it.
For IOA exclusions that are already in effect in your environment, you can view a log of activity that would have triggered a threat if an IOA exclusion hadn’t been in place. Reviewing activity that’s being excluded helps you understand the actual effects of your IOA exclusions.
CrowdStrike automatically records all changes to your exclusions. Each exclusion type has its own audit log where you can view the revision history for exclusions of that type. We recommend that you include a comment for the audit log whenever you create, edit, or delete an exclusion. In the audit log comment, include any info that would help other people in your organization understand what you changed and why. For example, when creating or editing an exclusion, include info about what activity was excluded and why.
After you create, edit, or delete an exclusion, it can take up to 40 minutes for the changes to go into effect.
Managing machine learning exclusions
Getting to machine learning exclusions
The Machine Learning Exclusions tab is where you can view, create, edit, and delete ML exclusions, and where you can view the ML exclusion audit log. By default, the list of exclusions is sorted by Last modified.
- Go to Configuration > Detections Management > Exclusions, and then go to the Machine Learning Exclusions tab.
Creating machine learning exclusions
Create a machine learning exclusion from within a threat. The exclusion pattern is pre-populated based on the threat. Verify or change the pattern as needed before saving the exclusion.
Note: Alternatively, you can create a machine learning exclusion on the Machine Learning Exclusions tab on Configuration > Detections Management > Exclusions.
- On Activity > Detections, for the machine learning detection that you want to create an exclusion from, click to expand the threat's Summary.
- Click Create ML exclusion.
- In Create machine learning exclusion, select the host groups that the exclusion will apply to or select all hosts, and then click Next.
- In the Excluded from list, select the actions to apply to the selected host groups:
  - Detections and preventions: Excludes files from ML-based detections and preventions.
  - Uploads to CrowdStrike: Excludes files from being uploaded to the CrowdStrike cloud.
- In the Exclusion pattern field, verify the prepopulated pattern value or enter a new pattern in glob syntax.
- (Optional) Under Pattern test, test the exclusion pattern:
  - Type a file path, and then click Test pattern.
  - Check the confirmation message to see whether the file path matches your pattern.
- (Recommended) Enter a comment to include in the audit log.
- (Optional) If you want to add another exclusion pattern after you save this one, select Create another exclusion with these hosts after saving.
- Click Create.
Editing machine learning exclusions
Modify an existing exclusion to stop ML-based threats and preventions, or to stop file uploads to the CrowdStrike cloud, for a trusted file path.
- Go to Configuration > Detections Management > Exclusions, and then go to the Machine Learning Exclusions tab.
- In the Actions column for the exclusion that you want to modify, click Edit.
- In Edit machine learning exclusion, select the host groups that the exclusion will apply to, or select all hosts.
- In the Excluded from list, select the actions to apply to the selected host groups:
  - Detections and preventions: Excludes files from ML-based detections and preventions.
  - Uploads to CrowdStrike: Excludes files from being uploaded to the CrowdStrike cloud.
- In the Exclusion pattern field, enter an exclusion pattern in glob syntax.
- (Recommended) Enter a comment to include in the audit log.
- (Optional) Under Pattern test, test the exclusion pattern:
  - Type a file path, and then click Test pattern.
  - Check the confirmation message to see whether the file path matches your pattern.
- (Optional) If you want to add another exclusion pattern after you save this one, select Create another exclusion with these hosts after saving.
- Click Update.
Deleting machine learning exclusions
Delete exclusions with caution. A deleted exclusion cannot be recovered.
- Go to Configuration > Detections Management > Exclusions, and then go to the Machine Learning Exclusions tab.
- In the Actions column for the exclusion that you want to delete, click Delete.
- In Delete machine learning exclusion, review the list of changes that would apply if the exclusion were deleted.
- (Recommended) Enter a comment to include in the audit log.
- Click Delete exclusion.
Managing IOA exclusions
IOA exclusions are created from within a threat, or by duplicating and then modifying an existing IOA exclusion.
Getting to IOA exclusions
The IOA Exclusions tab is where you can view, edit, duplicate, and delete IOA exclusions, and where you can view the IOA exclusion audit log and activity log.
By default, the list of exclusions is sorted by Last modified.
- Go to Configuration > Detections Management > Exclusions, and then go to the IOA Exclusions tab.
Creating IOA exclusions
Add an IOA to your allowlist to reduce behavioral IOA threats and preventions. IOA exclusions are created from within CrowdStrike-generated IOA detections.
- On Activity > Detections, for the CrowdStrike-generated IOA detection that you want to create an exclusion from, click to expand the threat's Summary.
- Click Create IOA exclusion.
- In Create IOA exclusion, select the host groups that the exclusion will apply to, or select all hosts.
- Enter a name and a description for the exclusion.
- In the Image filename field, enter an exclusion pattern in regex format.
- (Optional) Test the image filename pattern:
  - Type an image filename test string, and then click Test pattern.
  - Check the confirmation message to see whether the test string matches your pattern.
- In the Command line field, enter a command line value in regex format.
- (Optional) Test the command line pattern:
  - Type a command line test string, and then click Test pattern.
  - Check the confirmation message to see whether the test string matches your pattern.
- (Recommended) Enter a comment to include in the audit log.
- Click Next.
- Carefully review the list of detections that wouldn't have appeared and associated processes that would have been allowed to run if the exclusion were already in place.
- Click Create exclusion.
Duplicating IOA Exclusions
Create an IOA exclusion by duplicating an existing IOA exclusion and then modifying the new exclusion’s settings. This enables you to create IOA exclusions without needing to start from within an IOA detection.
The fields in the duplicated exclusion are pre-populated with values from the source exclusion. Verify or change these values as needed before saving the new exclusion.
The IOA Name uniquely identifies the IOA pattern and can’t be changed.
- Go to Configuration > Detections Management > Exclusions, and then go to the IOA Exclusions tab.
- In the Actions column for the exclusion that you want to copy, click Duplicate.
- In Duplicate IOA exclusion, select the host groups that the exclusion will apply to, or select all hosts.
- Enter a name and, optionally, a description for the exclusion.
- In the Image filename field, enter an exclusion pattern in regex format.
- (Optional) Test the image filename pattern:
  - Type an image filename test string, and then click Test pattern.
  - Check the confirmation message to see whether the test string matches your pattern.
- In the Command line field, enter a command line value in regex format.
- (Optional) Test the command line pattern:
  - Type a command line test string, and then click Test pattern.
  - Check the confirmation message to see whether the test string matches your pattern.
- (Recommended) Enter a comment to include in the audit log.
- Click Next.
- Carefully review the list of detections that wouldn't have appeared and associated processes that would have been allowed to run if the exclusion were already in place.
- Click Create exclusion.
Editing IOA Exclusions
Modify an existing IOA exclusion.
- Go to Configuration > Detections Management > Exclusions, and then go to the IOA Exclusions tab.
- In the Actions column for the exclusion that you want to modify, click Edit.
- In Edit IOA exclusion, select the host groups that the exclusion will apply to, or select all hosts.
- Enter a name and a description for the exclusion.
- In the Image filename field, enter an exclusion pattern in regex format.
- (Optional) Test the image filename pattern:
  - Type an image filename test string, and then click Test pattern.
  - Check the confirmation message to see whether the test string matches your pattern.
- In the Command line field, enter a command line value in regex format.
- (Optional) Test the command line pattern:
  - Type a command line test string, and then click Test pattern.
  - Check the confirmation message to see whether the test string matches your pattern.
- (Recommended) Enter a comment to include in the audit log.
- Click Next.
- Carefully review the list of detections that wouldn't have appeared and associated processes that would have been allowed to run if the updated exclusion were already in place.
- Click Update.
Deleting IOA exclusions
Delete exclusions with caution. A deleted exclusion cannot be recovered.
- Go to Configuration > Detections Management > Exclusions, and then go to the IOA Exclusions tab.
- In the Actions column for the exclusion that you want to delete, click Delete.
- In Delete IOA exclusion, review the list of changes that would apply if the exclusion were deleted.
- (Recommended) Enter a comment to include in the audit log.
- Click Delete exclusion.
Viewing the IOA exclusions activity log
For your existing IOA exclusions, view a list of events that would have triggered threats if the exclusions hadn’t been in place.
- Go to Configuration > Detections Management > Exclusions, and then go to the IOA Exclusions tab.
- Click See activity.
- Sort columns to adjust your view of the log.
- Click any event to see its Details summary.
IOA exclusion regex syntax
Our IOA exclusion regex syntax enables you to create IOA exclusion patterns for image filenames and command lines.
- When you start typing in regex fields for IOA exclusions, the Falcon console dynamically displays suggestions that can fix syntax errors and optimize your regex patterns.
- Each IOA exclusion regex field supports a maximum length of 256 characters.
- If a suggested regex field would exceed 256 characters (based on the detection data), the auto-population process truncates the entry to the 256-character limit and appends .* to the end so that it matches any remaining characters. A truncated pattern is therefore broader than the detection it was generated from: any image filename or command line that begins with the kept portion is also excluded. Review the truncated tail and tighten the pattern before saving.
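The following Python snippet, added for this article and not CrowdStrike code, shows why a truncated pattern deserves a second look: it escapes a literal command line into an exact-match regex the way a suggested field would, applies the 256-character cut with a trailing .*, and dry-runs both the full and the truncated pattern against a few constructed process events. Assumptions, because the page does not state them: the regex dialect behaves like Python's re, both the Image filename and Command line fields must match for the exclusion to apply, each field is matched in full, and the truncated entry including .* stays within 256 characters. The agent paths, command lines, the suspicious tail and the helper names (suggested_regex, dry_run, compare_exclusions) are made up for the example.

```python
"""Dry-run an IOA exclusion regex pair, including the 256-character truncation (added example, not CrowdStrike code)."""
import re

MAX_LEN = 256  # per the page: each IOA exclusion regex field holds at most 256 characters


def suggested_regex(value: str, limit: int = MAX_LEN) -> str:
    """Turn a literal image filename or command line into an exact-match regex.

    If the escaped text exceeds `limit`, cut it and append '.*' the way the console's
    auto-population does. Assumption: the result including '.*' stays within `limit`.
    """
    pattern = re.escape(value)
    if len(pattern) <= limit:
        return pattern
    head = pattern[:limit - 2]
    # re.escape only emits single-character escapes, so an odd run of trailing
    # backslashes means the cut landed inside one; drop the dangling backslash.
    trailing = len(head) - len(head.rstrip("\\"))
    if trailing % 2 == 1:
        head = head[:-1]
    return head + ".*"


def field_matches(regex: str, value: str) -> bool:
    """Assumption: a field regex must match the whole field value."""
    return re.fullmatch(regex, value) is not None


def dry_run(image_regex: str, cmdline_regex: str, events):
    """Return the events this exclusion would silence (assumption: both fields must match)."""
    return [e for e in events
            if field_matches(image_regex, e["image"]) and field_matches(cmdline_regex, e["cmdline"])]


# Constructed sample data: a long, legitimate agent command line, and a variant that
# shares the first 256+ characters but appends something you would want to see.
SHARED_PREFIX = (
    r'"C:\Program Files\Vendor\Agent\agent.exe" '
    r'--config "C:\ProgramData\Vendor\Agent\config\site-01\collector.yaml" '
    r'--log-dir "C:\ProgramData\Vendor\Agent\logs\site-01" --interval 300 '
    r'--tags env=prod,site=01,role=collector,owner=platform-team '
    r'--upload-endpoint https://telemetry.vendor.example/v1/ingest --retry 5 --timeout 30 '
)
AGENT_IMAGE = r"C:\Program Files\Vendor\Agent\agent.exe"
LEGIT_CMDLINE = SHARED_PREFIX + "--mode collect"
SUSPICIOUS_CMDLINE = SHARED_PREFIX + "--mode collect & cmd.exe /c whoami"

EVENTS = [
    {"image": AGENT_IMAGE, "cmdline": LEGIT_CMDLINE},
    {"image": AGENT_IMAGE, "cmdline": SUSPICIOUS_CMDLINE},
    {"image": r"C:\Windows\System32\cmd.exe", "cmdline": SUSPICIOUS_CMDLINE},
]


def compare_exclusions(events=EVENTS):
    """Count events silenced by the exact command-line regex versus the truncated one."""
    image_re = suggested_regex(AGENT_IMAGE)
    exact_re = suggested_regex(LEGIT_CMDLINE, limit=10 ** 6)   # no truncation
    truncated_re = suggested_regex(LEGIT_CMDLINE)              # console limit applies
    return {
        "exact": len(dry_run(image_re, exact_re, events)),
        "truncated": len(dry_run(image_re, truncated_re, events)),
        "truncated_regex_len": len(truncated_re),
    }


if __name__ == "__main__":
    # The exact regex silences only the legitimate event; the truncated one also
    # silences the variant with the appended command, and nothing else changes.
    print(compare_exclusions())
```

Feed dry_run the image and command-line pairs from your own recent process telemetry rather than the constructed events: the count of events the truncated pattern silences beyond the exact one is the blind spot you would be creating.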
Managing sensor visibility exclusions
Use extreme caution and consider the potential security risks before creating sensor visibility exclusions. For more info, see Sensor Visibility Exclusions.
Getting to sensor visibility exclusions
The Sensor Visibility Exclusions tab is where you can view, create, edit, and delete your sensor visibility exclusions, and where you can view the sensor visibility exclusion audit logs.
By default, the list of exclusions is sorted by Last modified.
- Go to Configuration > Detections Management > Exclusions, and then go to the Sensor Visibility Exclusions tab.
Creating sensor visibility exclusions
Create an exclusion to stop sensor visibility, threats, and preventions for a trusted file path.
NOTE: Use extreme caution and consider the potential security risks before creating sensor visibility exclusions. Malware or other attacks will not be recorded, detected, or prevented. For more info, see Sensor Visibility Exclusions.
- Go to Configuration > Detections Management > Exclusions, and then go to the Sensor Visibility Exclusions tab.
- Click Create exclusion.
- In Create sensor visibility exclusion, select the host groups that the exclusion will apply to, or select all hosts.
- In the Exclusion pattern field, enter an exclusion pattern in glob syntax.
- (Optional) Under Pattern test, test the exclusion pattern:
  - Type a file path, and then click Test pattern.
  - Check the confirmation message to see whether the file path matches your pattern.
- (Recommended) Enter a comment to include in the audit log.
- (Optional) If you want to add another exclusion pattern after this one, select Create another exclusion with these hosts after saving.
- Click Create exclusion, carefully review the summary of expected changes, and then click Confirm and Create.
Editing sensor visibility exclusions
Modify an existing sensor visibility exclusion.
- Go to Configuration > Detections Management > Exclusions, and then go to the Sensor Visibility Exclusions tab.
- In the Actions column for the exclusion that you want to modify, click Edit.
- In Edit sensor visibility exclusion, select the host groups that the exclusion will apply to, or select all hosts.
- In the Exclusion pattern field, enter an exclusion pattern in glob syntax.
- (Optional) Under Pattern test, test the exclusion pattern:
  - Type a file path, and then click Test pattern.
  - Check the confirmation message to see whether the file path matches your pattern.
- (Recommended) Enter a comment to include in the audit log.
- (Optional) If you want to add another exclusion pattern after this one, select Create another exclusion with these hosts after saving.
- Click Update, carefully review the summary of expected changes, and then click Confirm and Update.
Deleting sensor visibility exclusions
Delete exclusions with caution. A deleted exclusion cannot be recovered.
- Go to Configuration > Detections Management > Exclusions, and then go to the Sensor Visibility Exclusions tab.
- In the Actions column for the exclusion that you want to delete, click Delete.
- In Delete sensor visibility exclusion, review the list of changes that would apply if the exclusion were deleted.
- (Recommended) Enter a comment to include in the audit log.
- Click Delete exclusion.
Viewing exclusions audit logs
View the history of changes to your exclusions.
- On the applicable exclusions tab, click See audit log.
- Sort the columns to adjust your view of the log. In the Action column, logged revisions are recorded as Created, Updated, or Deleted.
- Click any revision to see its Details summary.
Glob syntax
Glob syntax lets you write exclusion patterns that cover files and folders. Our glob syntax supports standard ASCII characters, and alphabetical characters are matched without regard to case.
Examples
Windows:
When setting the path, with the one exception noted below, start with the root folder of the full path. Do not include the drive letter, the \device\harddiskvolx prefix, or leading asterisks or backslashes (\).
There is also no way to include network share or MUP info. It's irrelevant to the exclusion, which is based solely on the path or executable name as shown below.
NOTE: If the path includes any spaces, your exclusion must include those same spaces. Replicate the actual folder name.
Program Files (x86)\MySoftware\* | Excludes everything in the folder, but not subfolders
Program Files (x86)\MySoftware\** | Excludes everything in the folder, including subfolders
Program Files (x86)\MySoftware\SampleSoftware.exe | Excludes SampleSoftware.exe in that folder only
Users\*\Desktop\RunMe.exe | Excludes RunMe.exe on the Desktop of any user folder
**\RunMe.exe | (The exception) Globally excludes RunMe.exe in any location
macOS:
When setting the path, with the one exception noted below, prefix folders with a leading slash (/) and then continue with the root folder in the full path.
/Applications/MySoftware/* | Excludes everything in the folder, but not subfolders
/Applications/MySoftware/** | Excludes everything in the folder, including subfolders
/Applications/MySoftware/MyProcess | Excludes MyProcess if it's in /Applications/MySoftware
/Users/*/Documents/MyProcess | Excludes MyProcess in the Documents folder of any user
**/MyApplication | (The exception) Globally excludes MyApplication in any location
Linux:
When setting the path, with the one exception noted below, prefix folders with a leading slash (/) and then continue with the root folder in the full path.
/home/user/Downloads/* | Excludes everything in the folder, but not subfolders
/home/user/Downloads/** | Excludes everything in the folder, including subfolders
/home/user/Downloads/myprocess | Excludes myprocess if it's in /home/user/Downloads
/home/*/Downloads/myprocess | Excludes myprocess in the Downloads folder of any user
**/myprocess | (The exception) Globally excludes myprocess in any location
Wildcards
In addition to standard ASCII characters, our glob syntax supports these wildcards:
Wildcard | Description | Example pattern | Matches | Does not match
* | Match any number of characters, including none. Does not include separator characters, such as \ or /, which separate portions of a file path. | Crowd* | CrowdStrike, Crowd | CrowdStrike/Document1.ps1
** | Match any number of characters, including none. Does include separator characters, such as \ or /. | Crowd** | CrowdStrike, Crowd/Strike.ps1, CrowdStrike/Document1.ps1 | BigCrowd, Crow, wd
? | Match any single character. | DO? | DOC, DOS, DOs | doc, docs, DO
[abc] | Match any single character given in square brackets. | version[a1] | versiona, version1 | version, version2
[!abc] | Match any single character not given in square brackets. | do[!ck] | dot | doc, dok, do
[a-z] | Match any single character in the range given in square brackets. Ranges must be low-to-high: [1-9], not [9-1]. | Version[0-9].bat | Version1.bat, Version8.bat | Version10.bat
[!a-z] | Match any single character not in the range given in square brackets. Ranges must be low-to-high: [1-9], not [9-1]. | Program[!2-4].exe | Program1.exe, Program5.exe, Programs.exe | Program2.exe, Program3.exe, Program4.exe
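To check a batch of patterns against real paths before saving them, here is a small Python tester written for this article; it is not CrowdStrike code and does not claim to reproduce the sensor's matcher exactly. It implements the wildcard rules from this section for both the platform examples and the wildcard table, plus the Windows rule of writing the pattern without the drive letter or \device\harddiskvolx prefix. Assumptions made where the page is silent: * and ? never cross a path separator, a literal \ or / in a pattern matches either separator, **\ or **/ also matches a file at the volume root, and \device\harddiskvolx means the NT device path \Device\HarddiskVolumeN. Matching is case-insensitive by default, as this section states; note that the DO? row above lists doc as a non-match, which only holds for case-sensitive matching, so confirm case handling with Pattern test on the target platform rather than relying on either. The inventory paths and helper names (glob_to_regex, is_excluded, covered_paths, pattern_error) are constructed for the example.

```python
"""Offline tester for Falcon-style exclusion globs (added example, not CrowdStrike code)."""
import re

_SEP = r"[\\/]"       # a literal \ or / in a pattern matches either separator (assumption)
_NOT_SEP = r"[^\\/]"  # assumption: '*' and '?' never cross a path separator

# The Windows prefix the page says to omit: drive letter or \Device\HarddiskVolumeN,
# plus any leading separators. Stripped from full paths before matching.
_WIN_PREFIX = re.compile(r"^(?:[A-Za-z]:|\\device\\harddiskvolume\d+)?[\\/]*", re.IGNORECASE)


def _bracket_class(body: str) -> str:
    """Translate the inside of [...] or [!...] to a regex class; ranges must be low-to-high."""
    negate = body.startswith("!")
    if negate:
        body = body[1:]
    if not body:
        raise ValueError("empty bracket expression")
    k = 0
    while k < len(body):
        if k + 2 < len(body) and body[k + 1] == "-":
            if body[k] > body[k + 2]:
                raise ValueError(f"range [{body[k]}-{body[k + 2]}] must be low-to-high")
            k += 3
        else:
            k += 1
    escaped = "".join("\\" + ch if ch in "\\]^[" else ch for ch in body)
    return "[" + ("^" if negate else "") + escaped + "]"


def glob_to_regex(pattern: str, case_sensitive: bool = False) -> "re.Pattern[str]":
    """Compile one exclusion pattern with the wildcard rules from the Glob syntax section."""
    out, i, n = [], 0, len(pattern)
    while i < n:
        c = pattern[i]
        if c == "*" and pattern[i + 1:i + 2] == "*":
            i += 2
            if i < n and pattern[i] in "\\/":      # '**\' or '**/': zero or more directory levels,
                out.append("(?:.*" + _SEP + ")?")  # also matching at the root (assumption)
                i += 1
            else:
                out.append(".*")                   # bare '**': anything, separators included
            continue
        if c == "*":
            out.append(_NOT_SEP + "*")
        elif c == "?":
            out.append(_NOT_SEP)
        elif c == "[":
            j = pattern.find("]", i + 1)
            if j == -1:
                raise ValueError("unterminated [ in pattern")
            out.append(_bracket_class(pattern[i + 1:j]))
            i = j
        elif c in "\\/":
            out.append(_SEP)
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("".join(out), 0 if case_sensitive else re.IGNORECASE)


def pattern_error(pattern: str):
    """Return a syntax error message for `pattern`, or None if it is valid (like the console's Pattern test)."""
    try:
        glob_to_regex(pattern)
    except ValueError as exc:
        return str(exc)
    return None


def normalize_windows_path(path: str) -> str:
    """Drop the drive letter / NT volume prefix and leading separators, per the page's Windows rule."""
    return _WIN_PREFIX.sub("", path)


def is_excluded(pattern: str, path: str, windows: bool = False, case_sensitive: bool = False) -> bool:
    """True if `pattern` covers `path` (whole-path match, not substring)."""
    if windows:
        path = normalize_windows_path(path)
    return glob_to_regex(pattern, case_sensitive).fullmatch(path) is not None


def covered_paths(pattern: str, paths, windows: bool = False):
    """Subset of `paths` that `pattern` covers: run this over a host's file inventory to catch over-broad exclusions."""
    return [p for p in paths if is_excluded(pattern, p, windows=windows)]


# Constructed sample inventory (not real hosts).
SAMPLE_WINDOWS_PATHS = [
    r"C:\Program Files (x86)\MySoftware\SampleSoftware.exe",
    r"C:\Program Files (x86)\MySoftware\plugins\helper.dll",
    r"\Device\HarddiskVolume3\Users\alice\Desktop\RunMe.exe",
    r"C:\Users\alice\Downloads\RunMe.exe",
    r"C:\Windows\Temp\RunMe.exe",
]

if __name__ == "__main__":
    for pat in (r"Program Files (x86)\MySoftware\*", r"Program Files (x86)\MySoftware\**",
                r"Users\*\Desktop\RunMe.exe", r"**\RunMe.exe"):
        print(f"{pat:40} -> {covered_paths(pat, SAMPLE_WINDOWS_PATHS, windows=True)}")
```

Replace SAMPLE_WINDOWS_PATHS with a file listing exported from a representative host; a pattern that covers anything outside the one application you meant to allow is too broad, and the "(The exception)" forms in particular cover every location on every host in the group.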