About Adding Threat Intelligence Director Observables to the Do Not Block List
If you want to exempt an observable in a simple indicator from the specified Action (let the traffic pass without monitoring or blocking), you can add the observable to a Do Not Block list.
In a complex indicator, threat intelligence director ignores observables on the Do Not Block list when evaluating traffic, but other observables in that indicator are still evaluated. For example, if an indicator includes Observable 1 and Observable 2 linked by the AND operator, and you add Observable 1 to a Do Not Block list, threat intelligence director generates a fully realized incident when Observable 2 is seen.
By comparison, in the same complex indicator, if you disable publishing of Observable 1 instead of adding it to the Do Not Block list, threat intelligence director generates a partially realized incident when Observable 2 is seen.
Note: If you add an observable to the Do Not Block list, this always takes precedence over the Action setting, whether the setting in the observable is an inherited or override value.
If a source update contains an observable that is already on the Do Not Block list, the update does not change the Do Not Block list setting for that observable.
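The difference between the two cases above can be checked with a small model. This is an added illustration, not Cisco code or a product API: the class, field and function names are hypothetical, the observable values and the Monitor/Block actions are constructed sample data, and only AND-linked indicators are modeled because that is the case the text describes.

```python
# Illustrative model of the behaviour described above; not Cisco code.
# Assumption: all observables in the indicator are linked by AND.
from dataclasses import dataclass
from typing import Optional


@dataclass
class Observable:
    name: str
    do_not_block: bool = False            # on the Do Not Block list
    published: bool = True                # publishing enabled
    inherited_action: str = "Monitor"     # constructed sample value
    override_action: Optional[str] = None


def effective_action(obs):
    """Do Not Block always wins over an inherited or override Action."""
    if obs.do_not_block:
        return "Do Not Block"
    return obs.override_action or obs.inherited_action


def incident_state(observables, seen):
    """Return 'fully realized', 'partially realized' or None.

    seen is the set of observable names present in traffic.
    """
    # Observables on the Do Not Block list are ignored during evaluation.
    evaluated = [o for o in observables if not o.do_not_block]
    # An unpublished observable stays part of the indicator but cannot
    # match, so the indicator can never be completed through it.
    matched = [o for o in evaluated if o.published and o.name in seen]
    if not matched:
        return None
    if len(matched) == len(evaluated):
        return "fully realized"
    return "partially realized"


if __name__ == "__main__":
    seen = {"bad.example"}  # only Observable 2 appears in traffic
    listed = [Observable("198.51.100.7", do_not_block=True),
              Observable("bad.example")]
    unpublished = [Observable("198.51.100.7", published=False),
                   Observable("bad.example")]
    print("Do Not Block on Observable 1:", incident_state(listed, seen))
    print("Publishing disabled on Observable 1:", incident_state(unpublished, seen))
    print("Effective action:", effective_action(listed[0]))
```
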