Creating identity exclusion searches
To exclude certain events from providing asset data to the asset database, you can create an IBM® QRadar® identity exclusion search.
About this task
The filters that you create for the search must match the events that you want to exclude, not the events that you want to keep.
You might find it helpful to run the search against events that are already in the system. However, when you save the search, you must select Real Time (streaming) in the Timespan options. If you do not choose this setting, the search does not match any results when it runs against the live stream of events that are coming into QRadar.
When you update the saved identity exclusion search without changing the name, the identity exclusion list that is used by the Asset Profiler is updated. For example, you might edit the search to add more filtering of the asset data that you want to exclude. The new values are included and the asset exclusion starts immediately after the search is saved.