Learn how to create a policy to exclude certain criteria from raising alerts in Cortex Xpanse.
Through the process of triaging alerts or resolving an incident, you may determine whether a specific alert does not indicate a threat. If you do not want Cortex Xpanse to display alerts that match certain criteria, you can create an alert exclusion policy.
After you create an exclusion policy, Cortex Xpanse hides any future alerts that match the criteria, and excludes the alerts from incidents and search query results. If you choose to apply the policy to historic results as well as future alerts, the app identifies any historic alerts as grayed out.
Note
If an incident contains only alerts with exclusions, Cortex Xpanse changes the incident status to Resolved - False Positive and sends an email notification to the incident assignee (if set).
Build an Alert Exclusion Policy
Build your own alert exclusion policy.
Select → .
Select + Add Exclusion.
Enter a Policy Name to identify the exclusion policy.
Enter any comments to explain the purpose or intent behind the policy.
Define the exclusion criteria.
Use either the filters at the top to build your exclusion criteria. Or, to use existing alert values to populate your exclusion criteria, right-click the value, and select Add rows with <value> to policy.
As you define the criteria, the app filters the results to display matches.
Review the results.
The alerts in the table will be excluded from appearing in the app after the policy is created and optionally, any existing alert matches will be grayed out.
Caution
This action is irreversible: All historically excluded alerts will remain excluded if you disable or delete the policy.
Create and then select Yes to confirm the alert exception policy.