Exclusions

An Exclusion is a set of MQL logic created to avoid alerting on phishing simulations and other benign messages.

Exclusions are evaluated before Detection or Triage Rules. If a message matches an Exclusion, no further analysis is conducted by Sublime and Detection and Triage Rules are not evaluated.

There are two kinds of Exclusions currently supported:

  1. Global Exclusions: messages matching a Global Exclusion are not analyzed by any Rules (Detection or Triage)
  2. Detection Rule Exclusions: messages matching a Detection Rule Exclusion are not analyzed by any Detection Rules (Triage Rules will still process)

There are three out-of-the-box Exclusions for Cofense, KnowBe4, and Hoxhunt that are inactive by default.

Exclusions are visible on impacted messages on the message list table and details page. You can view the Exclusion MQL on the message details page or head to the Exclusion details page.
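
The evaluation order described above, as a simplified Python model added here for illustration; it is not Sublime's implementation. Python predicates stand in for MQL, and every exclusion name, rule name, field and message below is a constructed assumption.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List

Predicate = Callable[[dict], bool]  # stand-in for an MQL expression

@dataclass
class Outcome:
    matched_exclusions: List[str] = field(default_factory=list)
    detection_evaluated: bool = False
    triage_evaluated: bool = False
    detection_hits: List[str] = field(default_factory=list)
    triage_hits: List[str] = field(default_factory=list)

def _matches(named: Dict[str, Predicate], msg: dict) -> List[str]:
    return [name for name, pred in named.items() if pred(msg)]

def evaluate(msg, global_excl, detection_excl, detection_rules, triage_rules):
    out = Outcome()
    # Exclusions are checked before any Detection or Triage Rule.
    out.matched_exclusions = _matches(global_excl, msg)
    if out.matched_exclusions:
        return out  # Global Exclusion: no rules of either kind run
    out.matched_exclusions = _matches(detection_excl, msg)
    if not out.matched_exclusions:
        out.detection_evaluated = True
        out.detection_hits = _matches(detection_rules, msg)
    # Detection Rule Exclusions leave Triage Rules in play.
    out.triage_evaluated = True
    out.triage_hits = _matches(triage_rules, msg)
    return out

# Constructed exclusions, rules and messages (hypothetical names and fields).
GLOBAL_EXCL = {"sim-vendor": lambda m: m.get("campaign") == "simulation"}
DETECTION_EXCL = {"it-newsletter": lambda m: m["sender"] == "it-news@corp.example"}
DETECTION_RULES = {"credential-link": lambda m: "login" in m["body"]}
TRIAGE_RULES = {"user-reported": lambda m: m.get("reported", False)}

SIMULATION = {"sender": "a@sim.example", "body": "login here",
              "campaign": "simulation", "reported": True}
NEWSLETTER = {"sender": "it-news@corp.example", "body": "login to the portal",
              "reported": True}
ORDINARY = {"sender": "x@other.example", "body": "please login"}

def run(msg: dict) -> Outcome:
    return evaluate(msg, GLOBAL_EXCL, DETECTION_EXCL, DETECTION_RULES, TRIAGE_RULES)
```

In this model the excluded messages still carry the name of the Exclusion that matched, mirroring how matched Exclusions are shown on impacted messages.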