Under certain circumstances, behavior that is interpreted as an attack can be a normal part of a user’s work routine. When this occurs, you can create an exception rule or create a trusted application rule for that behavior.
You can create event-based exceptions or trusted applications directly from an event to prevent the event from reoccurring, or you can create exceptions or trusted application without reference to any particular event. For the latter, refer to Exception Rules and Creating and applying Trusted Applications policies.
Creating exceptions and trusted applications allows you to weed out false positive alerts, and ensures that the notifications you receive are meaningful communications.