When creating a custom exception set, add a new rule and select the Ignore for Telemetry exception type. The Ignore for drop-down menu will populate with the related telemetry ignore rules.
These custom exception types do not apply to the deprecated version of telemetry.
- Ignore for telemetry - Exec process
  - Applies to process execution (exec) events and matches the target process being executed.
- Ignore for telemetry - Source process
  - The process that caused the underlying activity being monitored and reported as a telemetry event.
- Ignore for telemetry - Source parent process
  - The parent process that directly created the source process.
- Ignore for telemetry - Source responsible process
  - The process that is responsible for the source process existing and for the chain of activity leading to its creation.
After selecting the desired custom ignore type for telemetry, configure the following subsequent ignore rules:
| Telemetry Ignore Rule | Ignore Rule Sub-field | Telemetry Message Field | Description |
|---|---|---|---|
| App Signing Info | Team ID | Exec process exceptions:<br>Source process exceptions: | |
| App Signing Info | Signing ID | Exec process exceptions:<br>Source process exceptions: | |
| Team ID | | Exec process exceptions:<br>Source process exceptions: | |
| Process Path | | Exec process exceptions: event.exec.target.executable.path<br>Source process exceptions: | |
| Platform Binary | | Exec process exceptions:<br>Source process exceptions: | The event.exec.target.is_platform_binary or process.is_platform_binary fields must be true in the telemetry message. |
| User | | Exec process exceptions:<br>Source process exceptions: | The ID of the effective user will be checked for a match against the username provided in the ignore rule. |
| Group | | Exec process exceptions:<br>Source process exceptions: | The ID of the effective user group will be checked for a match against the user group name provided in the ignore rule. |