Endpoint Security, CrowdStrike, Exclusions

How and when to create exclusions within CrowdStrike Falcon.

Exclusion Determination

Knowing whether and how to create an exclusion is important to managing CrowdStrike in your environment. If CrowdStrike Falcon is generating detections for software that should be allowed to run, continue reading to understand what to do in response.

Exclusion Types

There are six types of exclusions available within the CrowdStrike Falcon console, each intended to serve a different purpose. They are as follows.

Quarantine Release
  Target: File hash
  Scope: Single host
  Description: When releasing a file from quarantine, the Falcon sensor excludes its hash from ML detections.

Hash-based Exclusion
  Target: File hash
  Scope: Host groups; Entire instance
  Description: One or more file hashes are listed as allowed, excluding them from ML detections.

ML Exclusion
  Target: File path
  Scope: Host groups; Entire instance
  Description: A relative or absolute file path is specified as excluded from all ML detections and/or file analysis.

IOA Exclusion
  Target: File path & Command line
  Scope: Host groups; Entire instance
  Description: A relative path and command line string are specified as excluded from detection on a particular IOA.

Sensor Visibility Exclusion
  Target: File path
  Scope: Host groups; Entire instance
  Description: A relative or absolute file path is specified as excluded from nearly all Falcon sensor activity. Avoid using if possible.

Support-Enacted Exclusion
  Target: File hash; File path & Command line
  Scope: Entire instance
  Description: Either a file hash or a relative path and command line string are specified as excluded from detections of a given type.

Exclusion Selection Process

With the various types of exclusions, it can be tricky to know which type should be created. Follow the below process to determine which type of exclusion to create.

(Flowchart: Exclusion Selection Process)

Process Outline in Detail

Start: Detection Alert

Choice 1: Was the detection a false positive?

Choice 2: Can you access the web console?

Choice 3: Was the detection quarantined?

Choice 4: Have the detections stopped?

Choice 5: Is this a Self-Managed instance?

Choice 6: Is an IOA name listed?

Choice 7: Is the tactic "Custom Intelligence"?

Choice 8: Is the triggering file likely to change?

Choice 9: Have the detections stopped?

Action Q: Release the quarantine

Action A: Analyze the detection

Action I: Create an IOA exclusion

Action H: Create a hash exclusion

Action M: Create an ML exclusion

Final Notes

Exclusions require care to create properly so that they do not become overly permissive. Malware allowed by an exclusion is much harder for analysts to detect. Please maintain a narrow scope for exclusions using the following tips: