Learn how to create a rule to exclude certain criteria from raising alerts in Cortex XDR.
While triaging alerts or resolving an incident, you may determine that a specific alert does not indicate a threat. If you do not want Cortex XDR to display alerts that match certain criteria, you can create an alert exclusion rule.
After you create an exclusion rule, Cortex XDR hides any future alerts that match the criteria and excludes them from incidents and search query results. If you choose to apply the rule to historic results as well as future alerts, the app also grays out the matching historic alerts.
Note: If an incident contains only alerts with exclusions, Cortex XDR changes the incident status to Resolved - False Positive and sends an email notification to the incident assignee (if set).
There are two ways to create an exclusion rule. You can define the exclusion criteria when you investigate an incident or you can create an alert exclusion from scratch.
Note: You can also set up alert exceptions by creating global endpoint policy exceptions. For more information, see Add a global endpoint policy exception.
Alert exclusions support Scope-Based Access Control (SBAC). For more information, see Manage user scope.
The following parameters are considered when editing a rule:
If Scoped Server Access is enabled and set to restrictive mode, you can edit a rule if you are scoped to all tags in the rule.
If Scoped Server Access is enabled and set to permissive mode, you can edit a rule if you are scoped to at least one tag listed in the rule.
If a rule was added while Scoped Server Access was set to restrictive mode and the mode was later changed to permissive (or vice versa), you have view-only permission for that rule.
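The following Python model, added here as an illustration and not Cortex XDR's own code or API, walks through the two behaviors described above: an exclusion rule hides matching alerts and auto-resolves an incident left with only excluded alerts, and the SBAC tag-scope check decides who may edit the rule. Alert field names, tag names and the sample incidents are constructed for the demo.

```python
from dataclasses import dataclass

@dataclass
class Alert:
    alert_id: str
    name: str
    excluded: bool = False  # set once an exclusion rule matches

@dataclass
class Incident:
    incident_id: str
    alerts: list
    assignee: str = ""
    status: str = "New"

def matches(alert, criteria):
    # every criterion (field -> value) must match for the alert to be excluded
    return all(getattr(alert, f) == v for f, v in criteria.items())

def apply_exclusion(incidents, criteria):
    # mark matching alerts; an incident left with only excluded alerts is
    # auto-resolved and its assignee (if set) is queued for notification
    notify = []
    for inc in incidents:
        for a in inc.alerts:
            if matches(a, criteria):
                a.excluded = True
        if inc.alerts and all(a.excluded for a in inc.alerts):
            inc.status = "Resolved - False Positive"
            if inc.assignee:
                notify.append((inc.incident_id, inc.assignee))
    return notify

def visible_alerts(incidents):
    # incident views and search results omit excluded alerts
    return [a.alert_id for inc in incidents for a in inc.alerts if not a.excluded]

def can_edit_rule(user_tags, rule_tags, mode_now, mode_at_creation):
    # restrictive: scoped to all rule tags; permissive: at least one tag;
    # a mode change since the rule was created leaves view-only access
    if mode_now != mode_at_creation:
        return False
    if mode_now == "restrictive":
        return set(rule_tags) <= set(user_tags)
    return bool(set(rule_tags) & set(user_tags))

def build_sample():
    # constructed incidents for the demo, not real Cortex XDR data
    task = "Scheduled Task Created"
    return [Incident("INC-1", [Alert("A1", task), Alert("A2", task)], "analyst1"),
            Incident("INC-2", [Alert("A3", task), Alert("A4", "Suspicious LSASS Access")])]
```

Running `apply_exclusion(build_sample(), {"name": "Scheduled Task Created"})` resolves INC-1 as a false positive and queues a notification for analyst1, while INC-2 stays open because its LSASS alert is not excluded.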