File Activity Anomaly - false alert

Hi @Avior 

I do not believe that individual files can be whitelisted, but we can prevent these files from generating the alert. Can you try the following:

-In the Console → Alerts → File Anomaly Alert → Edit →Select step 3:

See below for the changes to the criteria:

Change the description to “does not contain” and add the paths to the files you wish to whitelist, separate the files with the “pipe” | character. This should prevent the detection of these files from triggering the alert.

Let me know how this goes or if you have questions. Thanks

You only have the option via an additional setting to disable the functionality → DisableFileIOMonitor. Not sure if you run the latest feature release, but development is continuously enhancing this feature to reduce the amount of false positives.

Hi

thanks for your replies 

unfortunately its not works

@Matt Medvedeff  - i added the paths, but still received alert on them - u can see that in the picture that i added…

@Onno van den Berg  - if i will add this additional settings, that mean that nothing will be alerted anymore? or just make it more accurate ?

@Avior it will disable the file anomaly feature on the client hence it will not return any results so it will stop the message from being generated. 

Can you also share the version number you are running and a screenshot of the screen that Matt added which shows the configured exclusions?

@Onno van den Berg   -  version 11.24.52

screenshot: 

@Scott Moseman  - i added this key today..thank you 
will monitor it and update :)