Add an Alert Exclusion Policy - User Guide - 2 - Cortex XPANSE - Cortex - Security Operations

Cortex Xpanse Expander User Guide

Creation date
Last date published
User Guide

Learn how to create a policy to exclude certain criteria from raising alerts in Cortex Xpanse.

Through the process of triaging alerts or resolving an incident, you may determine whether a specific alert does not indicate a threat. If you do not want Cortex Xpanse to display alerts that match certain criteria, you can create an alert exclusion policy.

After you create an exclusion policy, Cortex Xpanse hides any future alerts that match the criteria, and excludes the alerts from incidents and search query results. If you choose to apply the policy to historic results as well as future alerts, the app identifies any historic alerts as grayed out.


If an incident contains only alerts with exclusions, Cortex Xpanse changes the incident status to Resolved - False Positive and sends an email notification to the incident assignee (if set).

Build an Alert Exclusion Policy

Build your own alert exclusion policy.

  1. Select Policies and RulesAlert Exclusions.

  2. Select + Add Exclusion.

  3. Enter a Policy Name to identify the exclusion policy.

  4. Enter any comments to explain the purpose or intent behind the policy.

  5. Define the exclusion criteria.

    Use either the filters at the top to build your exclusion criteria. Or, to use existing alert values to populate your exclusion criteria, right-click the value, and select Add rows with <value> to policy.

    As you define the criteria, the app filters the results to display matches.

  6. Review the results.

    The alerts in the table will be excluded from appearing in the app after the policy is created and optionally, any existing alert matches will be grayed out.


    This action is irreversible: All historically excluded alerts will remain excluded if you disable or delete the policy.

  7. Create and then select Yes to confirm the alert exception policy.