Alert exclusions - User Guide - 2 - Cortex XPANSE - Cortex - Security Operations

Cortex Xpanse Expander User Guide

Product: Cortex XPANSE
Version: 2
Creation date: 2024-08-29
Last date published: 2024-12-26
Category: User Guide
Solution: Cloud
Abstract

Create a rule to exclude certain criteria from raising or reopening alerts in Cortex Xpanse.

While remediating alerts, you may determine that a specific type of alert does not indicate a threat. If you do not want Cortex Xpanse to create or reopen alerts that match certain criteria, you can create an alert exclusion rule. After you create an exclusion rule, Cortex Xpanse will not create alerts when the match criteria are met. If you choose to apply the rule to historic results in addition to future alerts, the historic alerts are grayed out in the UI.

Note

If an incident contains only historic alerts with exclusions, Cortex Xpanse changes the incident status to Resolved and sends an email notification to the incident assignee (if set).

Create an alert exclusion rule
Abstract

Create a new alert exclusion rule.

  1. Go to Rules > Alert Exclusions.

  2. Select + Add Alert Exclusion Rule.

  3. Enter a Rule Name to identify the exclusion policy.

  4. (Optional) Enter any comments to explain the purpose of the rule or provide additional context.

  5. Define the exclusion criteria.

    • Use the filters at the top of the table to build your exclusion criteria.

    • Use existing alert values to populate your exclusion criteria. To do so, right-click the column value on which you want to base your rule and select Add alerts with <value> to configuration.

    As you define the criteria, the table is filtered to display matching alerts.

  6. Review the results.

    The matching alerts in the table are grayed out, and Cortex Xpanse will not create new alerts that match the criteria.

    Caution

    This action is irreversible: all historically excluded alerts remain excluded even if you later disable or delete the policy.

  7. Select Create, and then select Yes to confirm the alert exclusion rule.

The Rules > Alert Exclusions page displays all alert exclusion policies in Cortex Xpanse.

The following table describes the default fields and the additional optional fields that you can add to the alert exclusions list view. The fields are listed in alphabetical order.

Field
  Description

Checkbox
  Checkbox to select one or more alert exclusions on which you want to perform actions.

BACKWARD SCAN STATUS
  Exclusion rule status for historic data: enabled if the policy is applied to previous alerts, disabled if it is not.

COMMENT
  Administrator-provided comment that identifies the purpose or reason for the exclusion policy.

DESCRIPTION
  Text summary of the policy that displays the match criteria.

EXCLUSION ID
  Unique ID assigned to the exclusion policy.

MODIFICATION DATE
  Date and time when the exclusion policy was created or last modified.

NAME
  Descriptive name provided to identify the exclusion policy.

STATUS
  Exclusion policy status, either enabled or disabled.

USER
  User that last modified the exclusion rule.

USER EMAIL
  Email address associated with the administrative user.

You can also exclude individual alerts directly from the Alerts page without creating an exclusion rule. In this case, only that specific alert is grayed out and will not be reopened.

  1. Go to Incident Response > Alerts.

  2. Right-click an alert in the table and select Manage Alert > Exclude Alert.