Manage Excluded Domains
Alerts are triggered when threats pass through the Alert Profiler and match the criteria of active rules. By default, the Phishing Domain - Default Detection Rule is active, and when the detection algorithm detects a potential phishing domain, a phishing domain alert is triggered and is shown on the Alerts page.
In some cases, you may prefer that certain found domains no longer trigger phishing domain alerts, for example, if the domain is creating irrelevant alerts (is “noisy”). You can use these methods to ensure that those domains don’t trigger alerts.
- Use the Alert Profiler “Domain name does not contain Regex list” condition to skip those domains. You would need to add this condition to every rule.
- Exclude those domains. If an excluded domain is part of the threat, then no future alerts will be triggered, completely bypassing the Alert Profiler.
Excluding a domain is the best-practice way to suppress alerts for a specific domain, because its effect applies to every phishing domain threat without needing to be added to specific rules. (If you want to use regex to exclude multiple matching domains, you can still use the Domain name does not contain Regex list condition.)
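A regex condition can silence more than intended: an unanchored or unescaped pattern also matches lookalike domains that should keep alerting. The following added example (not part of the product or its documentation) audits candidate patterns offline against constructed domains. It assumes the condition behaves like an unanchored regex search; the function names and sample domains are hypothetical.

```python
import re

# Constructed sample data: legitimate domains you want silenced, and
# lookalike domains (reserved .test TLD) that must keep triggering alerts.
SHOULD_SKIP = ["example.com", "shop.example.com"]
MUST_STILL_ALERT = [
    "example.com.account-verify.test",  # brand used as a leading label
    "example-com.test",                 # "." replaced by "-"
    "secure-example.com.test",          # brand embedded in a longer name
]


def audit_pattern(pattern, should_skip=SHOULD_SKIP, must_alert=MUST_STILL_ALERT):
    """Return (missed, overmatched) for one candidate exclusion regex.

    missed      -- legitimate domains the pattern fails to skip
    overmatched -- lookalike domains the pattern would also silence
    Assumption: the condition behaves like an unanchored search.
    """
    rx = re.compile(pattern, re.IGNORECASE)
    missed = [d for d in should_skip if not rx.search(d)]
    overmatched = [d for d in must_alert if rx.search(d)]
    return missed, overmatched


def is_safe(pattern):
    """True only if the pattern skips every intended domain and nothing else."""
    missed, overmatched = audit_pattern(pattern)
    return not missed and not overmatched


if __name__ == "__main__":
    candidates = (
        r"example.com",                        # unescaped dot, no anchors
        r"example\.com",                       # escaped dot, still unanchored
        r"^(?:[a-z0-9-]+\.)*example\.com$",    # anchored to the whole name
    )
    for candidate in candidates:
        missed, over = audit_pattern(candidate)
        print(f"{candidate!r}: missed={missed} overmatched={over}")
```
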
You can exclude domains either from the alert header or by adding the domain from the Alert Profiler.
Excluding a domain from the Alert header is described in Exclude Irrelevant Domains.
You can use the Alert Profiler Manage Excluded Domains to view, remove, or add domains to the exclude list.
To view, remove, or add domains to the exclude list: