What happens to events when IOA exclusions are applied?


When IOA (Indicators of Attack) exclusions are applied, events that match the exclusion criteria are still logged for auditing purposes. This ensures that there is a record of these events, allowing administrators to review and analyze any activity that was excluded from triggering an action. Logging these events is crucial for maintaining visibility and accountability, facilitating security audits, and helping to understand the context of the exclusions in relation to overall security posture.

Logging excluded events strikes a balance between suppressing false positives and keeping security monitoring comprehensive. The retained records remain available for future investigations and let administrators refine detection tuning by learning from past events.

The other options miss the role of logging for audit purposes. Not logging the events would discard information that is valuable for understanding patterns and for confirming that no critical threat was overlooked. Quarantining events describes a response action rather than an exclusion, and sending them to cloud storage does not reflect what IOA exclusions do: they suppress the action while still logging the event, without altering the event itself.
