Managing Exclusion Rules

In many cases, you may want to filter out some of the results extracted by CTIE. For example, loopback IP addresses or valid URLs such as google.com should not be used as indicators.

Adding and Updating Exclusion Rules

Exclusion rules allows you to discard indicators found during the extraction process which may not have any useful value to you. The rules are regular expressions that will be applied to the resulting indicators and be use to filter out false positive or garbage data, such as benign URLs or local IP addresses for example.

To add a new exclusion rule, first open the Exclusion Rule Editor by clicking on the Exclusion List icon on the main windows.

_images/Tachikoma-Exclusion-Rules-Editor-Button.png

Open the Exclusion Rules Editor by pressing the highlighted button (1) in the Settings Bar.

The Exclusion Rules Editor will appear and display the rules currently used by CTIE. To add a new rule, simply enter the following information in the last, empty row of the table;

  1. A label uniquely identifying this rule.

Warning

The label cannot be empty and must be unique.

  1. The type of indicator to which this rule applies to. If a rule applies to multiple types, it will need to be entered multiple times.
  2. The regular expression describing this rule.

Warning

The regular expression cannot be empty and must be a valid C#-formatted regular expression. You can use an online regular expression tester such as RegexStorm

_images/Tachikoma-Exclusion-Rules-Editor.png

The Exclusion Rules Editor user interface.

Once you are done adding new rules, click the Save (5) button. Rules will not be saved in the CTIE database until the Save button is clicked. To cancel all modifications since the last save, simply click Close (4).