I work for an organization that requires "low" events to be blocked. While tuning is going great thus far, there is so much noise that I've already accounted for. Is there a way to craft a query that would NOT show events that I've already created exceptions for? I'm using ePO 4.5 Patch 3 with HIPS v7.
why would you not want to see events for an exception you've created an exception for? you shouldnt be seeing the events any longer.
if you are talking about not seeing past events, then do what I do, and create the exception, create a monitor for that signature and threat source process name, wait a few days, then delete all the events for that query. by that time, all the systems have had time to receive the new policy with the exclusion, and stop producing events. you can leave that dashboard up for a period of time to see if any new events come through, but they shouldnt. if there are any new events that means that system may need HIPS re-installed, is just coming back online, or other circumstances that warrant investigation.