Alert Exclusion - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Pro Administrator Guide

Product: Cortex XDR
License: Pro
Creation date: 2024-07-16
Last date published: 2024-11-07
Category: Administrator Guide
Retire_Doc: Retiring
Link_to_new_Doc: /r/Cortex-XDR/Cortex-XDR-Documentation

An alert exclusion is a rule containing a set of alert match criteria for alerts that you want to suppress from Cortex XDR/Cortex XSIAM. You can create an Alert Exclusion rule from scratch, or you can base the exclusion on alerts that you investigate in an incident. After you create an exclusion rule, Cortex XDR/Cortex XSIAM excludes any future alerts that match the criteria from incidents and search query results and no longer saves them. If you choose to apply the rule to historic results as well as future alerts, Cortex XDR/Cortex XSIAM marks the matching historic alerts as grayed out.