Add an alert exclusion rule - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Documentation

Product: Cortex XDR
Creation date: 2024-03-06
Last date published: 2024-10-09
Category: Administrator Guide

Abstract: Learn how to create a rule to exclude certain criteria from raising alerts in Cortex XDR.

While triaging alerts or resolving an incident, you may determine that a specific alert does not indicate a threat. If you do not want Cortex XDR to display alerts that match certain criteria, you can create an alert exclusion rule.

After you create an exclusion rule, Cortex XDR hides any future alerts that match the criteria and excludes them from incidents and search query results. If you choose to apply the rule to historic alerts as well as future ones, the app also grays out the matching historic alerts.

Note

If an incident contains only alerts with exclusions, Cortex XDR changes the incident status to Resolved - False Positive and sends an email notification to the incident assignee (if set).

There are two ways to create an exclusion rule. You can define the exclusion criteria when you investigate an incident or you can create an alert exclusion from scratch.

Note

You can also set up alert exceptions by creating global endpoint policy exceptions. For more information, see Add a global endpoint policy exception.

Alert exclusions support Scope-Based Access Control (SBAC). For more information, see Manage user scope.

The following conditions determine whether you can edit a rule:

  • If Scoped Server Access is enabled and set to restrictive mode, you can edit a rule if you are scoped to all tags in the rule.

  • If Scoped Server Access is enabled and set to permissive mode, you can edit a rule if you are scoped to at least one tag listed in the rule.

  • If a rule was added when set to restrictive mode, and then changed to permissive (or vice versa), you will only have view permissions.

If, after reviewing the incident details, you want to suppress one or more alerts from appearing in the future, create an exclusion policy based on the alerts in the incident. When you create an exclusion from the incident view, you can define the criteria based on the alerts in that incident. If desired, you can also create an Alert Exclusion Policy from scratch.

  1. Select Incident Response > Incidents, open the Incident view, click the menu icon, and select Create Exclusion.

  2. Enter a rule name to identify your alert exclusion.

  3. Enter a description that specifies the reason or purpose of the alert exclusion rule.

  4. Use the alert filters to add any match criteria for the alert exclusion policy.

    You can also right-click a specific value in the alert to add it as match criteria. The app refreshes to show you which alerts in the incident would be excluded. To see all matching alerts including those not related to the incident, clear the option to Show only alerts in the named incident.

  5. Create the exclusion policy and confirm the action.

    If you later need to make changes, you can view, modify, or delete the exclusion policy from the Settings > Exception Configuration > Alert Exclusions page.

Build your own alert exclusion rule.

  1. Select Settings > Exception Configuration > Alert Exclusions.

  2. Select + Add an Alert Exclusion Rule.

  3. Specify a rule name to identify the exclusion rule.

  4. Describe the reason or purpose of the rule.

  5. Define the exclusion criteria.

    • Use the filters at the top of the table to build your exclusion criteria.

    • Use existing alert values to populate your exclusion criteria. To do so, right-click the column value on which you want to base your rule and select Add alerts with <value> to configuration.

    As you define the criteria, the app filters the results to display matches.

  6. Review the results.

    After the rule is created, the alerts shown in the table will no longer appear in the app; optionally, any existing matching alerts will be grayed out.

    Caution

    This action is irreversible: historically excluded alerts remain excluded even if you later disable or delete the rule.

  7. Create the alert exclusion rule.
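Because historic exclusion cannot be undone, it helps to dry-run candidate criteria against all alerts (not only the incident's) before creating the rule, and to see which incidents would be left with only excluded alerts and so flip to Resolved - False Positive. The following Python model of the behaviour described on this page is an added example, not Cortex XDR code or its API; it assumes exact-match field/value criteria (the real filters offer more operators), constructed sample alerts, and a simplified SBAC edit check based on the three conditions listed above.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Alert:
    alert_id: int
    incident_id: str
    fields: dict          # alert attributes, e.g. source, name, host

@dataclass(frozen=True)
class ExclusionRule:
    name: str
    criteria: dict        # assumption: every field/value pair must match exactly

def matches(rule: ExclusionRule, alert: Alert) -> bool:
    return all(alert.fields.get(k) == v for k, v in rule.criteria.items())

def dry_run(rule, alerts, incident_id=None):
    """Alert IDs the rule would hide. With incident_id this mirrors 'Show only
    alerts in the named incident'; without it you see the full blast radius,
    i.e. everything that would be grayed out if applied to history."""
    return sorted(a.alert_id for a in alerts
                  if matches(rule, a) and (incident_id is None or a.incident_id == incident_id))

def auto_resolved_incidents(rule, alerts):
    """Incidents that would contain only excluded alerts (Resolved - False Positive)."""
    by_inc = {}
    for a in alerts:
        by_inc.setdefault(a.incident_id, []).append(a)
    return sorted(inc for inc, grp in by_inc.items() if all(matches(rule, a) for a in grp))

def can_edit_rule(rule_tags, user_tags, mode, created_in_mode):
    """SBAC edit check: restrictive needs all rule tags in scope, permissive needs
    at least one, and a rule created under the other mode is view-only."""
    if mode != created_in_mode:
        return False
    rule_tags, user_tags = set(rule_tags), set(user_tags)
    if mode == "restrictive":
        return rule_tags <= user_tags
    if mode == "permissive":
        return bool(rule_tags & user_tags)
    raise ValueError(f"unknown mode: {mode}")

# Constructed sample alerts for illustration, not real telemetry.
SAMPLE_ALERTS = [
    Alert(1, "INC-1", {"source": "XDR Agent", "name": "Suspicious PowerShell", "host": "ws01"}),
    Alert(2, "INC-1", {"source": "XDR Agent", "name": "Unusual scheduled task", "host": "ws01"}),
    Alert(3, "INC-2", {"source": "XDR Agent", "name": "Suspicious PowerShell", "host": "ws02"}),
    Alert(4, "INC-3", {"source": "XDR Agent", "name": "Suspicious PowerShell", "host": "ws01"}),
]

if __name__ == "__main__":
    narrow = ExclusionRule("ps-on-ws01", {"name": "Suspicious PowerShell", "host": "ws01"})
    broad = ExclusionRule("all-agent-alerts", {"source": "XDR Agent"})
    print(dry_run(narrow, SAMPLE_ALERTS, "INC-1"), dry_run(narrow, SAMPLE_ALERTS))  # [1] [1, 4]
    print(auto_resolved_incidents(broad, SAMPLE_ALERTS))  # ['INC-1', 'INC-2', 'INC-3']
```

The broad rule shows the failure mode to check for: a criterion that matches every alert would silently auto-resolve all three incidents.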