Create a rule to exclude certain criteria from raising or reopening alerts in Cortex Xpanse.
Through the process of remediating alerts, you may determine that a specific type of alert does not indicate a threat. If you do not want Cortex Xpanse to reopen or create alerts that match certain criteria, you can create an alert exclusion rule. After you create an exclusion rule, Cortex Xpanse will not create alerts when the alert match criteria are met. If you choose to apply the rule to historic results in addition to future alerts, historic alerts are grayed out in the UI.
Note
If an incident contains only historic alerts with exclusions, Cortex Xpanse changes the incident status to Resolved and sends an email notification to the incident assignee (if set).
Create an alert exclusion rule
Create a new alert exclusion rule.
Go to → .
Select + Add Alert Exclusion Rule.
Enter a Rule Name to identify the exclusion policy.
(Optional) Enter any comments to explain the purpose of the rule or to provide additional context.
Define the exclusion criteria.
Either use the filters at the top of the table to build your exclusion criteria,
or use existing alert values to populate your exclusion criteria. To do so, right-click the column value on which you want to base your rule and select Add alerts with <value> to configuration.
As you define the criteria, the table is filtered to display matching alerts.
Review the results.
The alerts in the table will be grayed out, and Cortex Xpanse will not create new alerts matching the criteria.
Caution
This action is irreversible: All historically excluded alerts will remain excluded if you disable or delete the policy.
Select Create, and then select Yes to confirm the alert exclusion rule.