In an effort to reduce the false positives triggered by algorithms, IP addresses and portions of host names can be excluded from them. This feature can be found by visiting Admin tab > Settings > Flow Analytics Exclusions. Most exclusions are added when viewing an individual event for an alarm.

Exclusion Types

There are two ways to exclude hosts from triggering algorithms.

  1. IP Address: Exclude one or more IP addresses from an individual algorithm by:

    • IP Address
    • IP Range
    • IP Subnet
    • Child: A child group is defined in IP Groups.
  2. Reverse DNS Name: A portion of or all of a DNS resolved name can be entered. Entries are created when false positives occur. Use this interface to manage all of the entries.

Visit the alarms tab and drill in on an alarm to see the individual events. To add an exclusion, click the Down Arrow Menu icon on the far left and select:

  • Exclude IP x.x.x.x from this algorithm
  • Exclude a portion of the reverse DNS name from this algorithm

The user can then use this interface to manage all of the the entries that will be made over time.