Learn how to create a rule to exclude certain criteria from displaying issue notifications in Cortex Cloud.
Through the process of triaging issues or resolving a case, you may determine that a specific issue does not indicate a threat. If you want Cortex Cloud to exclude the display of issues that match certain criteria, you can create an issue exclusion rule.
After you create an exclusion rule, Cortex Cloud hides any future issues that match the criteria, and excludes the issues from cases and search query results. If you choose to apply the rule to historic results as well as future issues, the app marks any historic issues as unavailable.
Note
If a case only contains issues with exclusions, Cortex Cloud changes the case status to Resolved - False Positive and sends an email notification to the issue assignee (if set).
There are two ways to create an exclusion rule. You can define the exclusion criteria when you investigate a case, or you can create an issue exclusion from scratch.
Note
You can also set up issue exceptions by creating global endpoint policy exceptions. For more information, see Add a global endpoint policy exception.
Issue exclusions support Scope-Based Access Control (SBAC). For more information, see Manage user scope.
The following conditions determine whether you can edit an existing exclusion rule:
If Scope-Based Access Control (SBAC) is enabled and Endpoint Scoping Mode is set to restrictive mode, you can edit a rule if you are scoped to all tags in the rule.
If Scope-Based Access Control (SBAC) is enabled and Endpoint Scoping Mode is set to permissive mode, you can edit a rule if you are scoped to at least one tag listed in the rule.
If a rule was added while Endpoint Scoping Mode was set to restrictive mode and the mode is later changed to permissive (or vice versa), you have view-only permission for that rule.
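The three SBAC conditions above amount to a small decision table. The following is an added illustration of that table in Python, not Cortex Cloud's own code: the `ExclusionRule`, `User` and `rule_permission` names, the `created_in_mode` field, and the sample tags are all constructed for the example. The page does not say what happens when SBAC is disabled, so the `sbac_enabled=False` branch is an assumption (it grants edit).

```python
from dataclasses import dataclass
from enum import Enum


class ScopingMode(Enum):
    """Endpoint Scoping Mode values named on the page."""
    RESTRICTIVE = "restrictive"
    PERMISSIVE = "permissive"


@dataclass(frozen=True)
class ExclusionRule:
    name: str
    tags: frozenset                 # tags listed in the rule
    created_in_mode: ScopingMode    # hypothetical: the mode active when the rule was saved


@dataclass(frozen=True)
class User:
    name: str
    scoped_tags: frozenset          # tags the user is scoped to under SBAC


def rule_permission(user: User, rule: ExclusionRule,
                    current_mode: ScopingMode, sbac_enabled: bool = True) -> str:
    """Return 'edit' or 'view' for a user looking at an exclusion rule.

    Mirrors the page's conditions:
      - restrictive mode: edit only if scoped to ALL tags in the rule
      - permissive mode:  edit if scoped to AT LEAST ONE tag in the rule
      - rule created under one mode, viewed under the other: view only
    """
    if not sbac_enabled:
        # Assumption: without SBAC there is no tag-based restriction to apply.
        return "edit"

    # Mode changed since the rule was created: view permission only.
    if rule.created_in_mode is not current_mode:
        return "view"

    if current_mode is ScopingMode.RESTRICTIVE:
        # Every tag on the rule must be within the user's scope.
        return "edit" if rule.tags <= user.scoped_tags else "view"

    # Permissive: any overlap between rule tags and user scope is enough.
    return "edit" if rule.tags & user.scoped_tags else "view"


# Constructed sample data for a stand-alone run.
ANALYST = User("analyst", frozenset({"prod", "eu"}))
RULE_EU = ExclusionRule("quiet-eu-scanner", frozenset({"prod", "eu"}),
                        ScopingMode.RESTRICTIVE)
RULE_US = ExclusionRule("quiet-us-scanner", frozenset({"prod", "us"}),
                        ScopingMode.RESTRICTIVE)
RULE_US_PERM = ExclusionRule("quiet-us-scanner", frozenset({"prod", "us"}),
                             ScopingMode.PERMISSIVE)


def decision_table() -> dict:
    """Evaluate the sample rules under both modes; keys are (rule, mode)."""
    return {
        ("eu", "restrictive"): rule_permission(ANALYST, RULE_EU, ScopingMode.RESTRICTIVE),
        ("us", "restrictive"): rule_permission(ANALYST, RULE_US, ScopingMode.RESTRICTIVE),
        ("us", "permissive"): rule_permission(ANALYST, RULE_US_PERM, ScopingMode.PERMISSIVE),
        ("eu", "permissive"): rule_permission(ANALYST, RULE_EU, ScopingMode.PERMISSIVE),
    }


if __name__ == "__main__":
    for (rule, mode), perm in decision_table().items():
        print(f"rule={rule:<3} mode={mode:<11} -> {perm}")
```

The last row is the one that surprises people: `RULE_EU` is fully within the analyst's scope, yet because it was created under restrictive mode and is now viewed under permissive mode, the result is view-only.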