Alert Exclusions - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Prevent Administrator Guide

Product: Cortex XDR
License: Prevent
Creation date: 2024-07-16
Last date published: 2024-12-04
Category: Administrator Guide
Document status: Retiring
Link to new document: /r/Cortex-XDR/Cortex-XDR-Documentation
Abstract

From the Cortex XDR management console, you can review and manage all alert exclusions.

The Settings > Exception Configuration > Alert Exclusions page displays all the alert exclusion rules in Cortex XDR.

An Alert Exclusion is a rule that contains a set of alert match criteria that you want Cortex XDR to suppress. You can add an Alert Exclusion rule from scratch or base the exclusion on alerts you investigate in an incident. After you create an exclusion rule, Cortex XDR no longer saves future alerts that match the criteria, so they do not appear in incidents or in search query results. If you choose to apply the policy to historic results as well as future alerts, Cortex XDR marks the matching historic alerts as grayed out.

Note

The agent continues to raise excluded alerts on the endpoint, but they are not saved or displayed in Cortex XDR. Configuring an Alert Exclusion does not remove or delete any of the logs that would have triggered the alert.

Note

You can also set up alert exceptions by creating Global Endpoint Policy exceptions.
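To make the exclusion behaviour described above concrete, the following added model (not Cortex XDR code, and not its real rule schema) shows how enabled rules, disabled rules and the backward scan setting affect historic and new alerts, plus a review check for enabled exclusions that carry no COMMENT. The rule fields mirror the Alert Exclusions table; the field-to-value match criteria, rule names and alert records are constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class ExclusionRule:
    """One Alert Exclusions row; `criteria` is an assumed field->value match shape."""
    policy_id: int                   # POLICY ID
    name: str                        # NAME
    criteria: dict                   # assumed, not Cortex XDR's real rule schema
    status: str = "enabled"          # STATUS
    backward_scan: str = "disabled"  # BACKWARD SCAN STATUS
    comment: str = ""                # COMMENT (administrator's reason)

def matches(rule, alert):
    return all(alert.get(k) == v for k, v in rule.criteria.items())

def apply_exclusions(rules, historic_alerts, new_alerts):
    """Return (historic, stored, dropped): historic alerts are kept and only
    flagged grayed_out when an enabled rule with backward scan matches; new
    alerts matching an enabled rule are not saved and go to `dropped` with the
    POLICY ID. Endpoint logs are untouched by exclusions, so none are modelled."""
    enabled = [r for r in rules if r.status == "enabled"]
    backward = [r for r in enabled if r.backward_scan == "enabled"]
    historic = [dict(a, grayed_out=any(matches(r, a) for r in backward))
                for a in historic_alerts]
    stored, dropped = [], []
    for alert in new_alerts:
        hit = next((r for r in enabled if matches(r, alert)), None)
        if hit:
            dropped.append((hit.policy_id, alert))  # agent raised it; console never saves it
        else:
            stored.append(alert)
    return historic, stored, dropped

def uncommented_rules(rules):
    """Review check: enabled exclusions with no COMMENT recording why they exist."""
    return [r.name for r in rules if r.status == "enabled" and not r.comment]

# Constructed sample data (not real Cortex XDR rules or alerts).
RULES = [
    ExclusionRule(1, "Backup agent FP", {"alert_name": "Behavioral Threat", "process": "backup.exe"},
                  backward_scan="enabled", comment="CR-0000 (placeholder)"),
    ExclusionRule(2, "Legacy scanner", {"process": "scanner.exe"}, status="disabled"),
    ExclusionRule(3, "Broad suppression", {"alert_name": "Port Scan"}),  # no COMMENT
]
HISTORIC_ALERTS = [{"id": 101, "alert_name": "Behavioral Threat", "process": "backup.exe"},
                   {"id": 102, "alert_name": "Malware", "process": "scanner.exe"}]
NEW_ALERTS = [{"id": 201, "alert_name": "Behavioral Threat", "process": "backup.exe"},
              {"id": 202, "alert_name": "Malware", "process": "scanner.exe"},
              {"id": 203, "alert_name": "Port Scan", "host": "srv-01"},
              {"id": 204, "alert_name": "Behavioral Threat", "process": "other.exe"}]
```

Running `apply_exclusions(RULES, HISTORIC_ALERTS, NEW_ALERTS)` keeps both historic alerts (only 101 grayed out), stores 202 and 204, and drops 201 and 203 while the disabled rule 2 has no effect.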

The following table describes the default fields and the optional fields that you can add to the alert exclusions table, listed in alphabetical order.

Field: Description

(Checkbox): Checkbox to select one or more alert exclusions on which you want to perform actions.

BACKWARD SCAN STATUS: Exclusion policy status for historic data, either enabled if you want to apply the policy to previous alerts or disabled if you don't.

COMMENT: Administrator-provided comment that identifies the purpose or reason for the exclusion policy.

DESCRIPTION: Text summary of the policy that displays the match criteria.

MODIFICATION DATE: Date and time when the exclusion policy was created or modified.

NAME: Descriptive name provided to identify the exclusion policy.

POLICY ID: Unique ID assigned to the exclusion policy.

STATUS: Exclusion policy status, either enabled or disabled.

USER: User that last modified the exclusion policy.

USER EMAIL: Email associated with the administrative user.