Alert Exclusion - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Product: Cortex XSIAM
Creation date: 2024-03-06
Last date published: 2024-05-22
Category: Administrator Guide

An alert exclusion is a rule that contains a set of alert match criteria that you want to suppress in Cortex XDR/Cortex XSIAM. You can add an alert exclusion rule from scratch, or you can base the exclusion on alerts that you investigate in an incident. After you create an exclusion rule, Cortex XDR/Cortex XSIAM no longer saves future alerts that match the criteria, and excludes them from incidents and search query results. If you choose to apply the exclusion rule to historic results as well as future alerts, Cortex XDR/Cortex XSIAM marks the matching historic alerts as grayed out.
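As an added illustration (not Cortex XSIAM's own code or data model), the following Python models the two behaviours described above: future matching alerts are dropped before storage, while historic matches are kept but flagged as grayed out. It also includes a dry-run count of how many stored alerts a rule would suppress, the check a detection engineer wants before enabling an exclusion; the field names, the AND-of-wildcards matching and the sample alerts are assumptions constructed for this example.

```python
"""Model of alert-exclusion semantics (illustration only; field names,
matching rules and sample data are assumptions, not Cortex XSIAM's)."""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Dict, List


@dataclass
class Alert:
    name: str
    host: str
    severity: str
    grayed_out: bool = False  # set on historic alerts that match an exclusion


@dataclass
class ExclusionRule:
    """criteria maps field -> pattern; every criterion must match (AND).
    Shell-style wildcards are an assumption made for this example."""
    criteria: Dict[str, str]

    def matches(self, alert: Alert) -> bool:
        return all(fnmatchcase(str(getattr(alert, f, "")), p)
                   for f, p in self.criteria.items())


# Constructed sample alerts, not real telemetry.
HISTORIC: List[Alert] = [
    Alert("Scanner activity", "scan-01", "low"),
    Alert("Scanner activity", "scan-02", "low"),
    Alert("Credential dumping", "ws-17", "high"),
    Alert("Scanner activity", "ws-17", "medium"),  # same name, non-scanner host
]
# Scoped to the authorised scanner hosts so the ws-17 alert is not hidden.
RULE = ExclusionRule({"name": "Scanner activity", "host": "scan-*"})


def dry_run(rule: ExclusionRule, historic: List[Alert]) -> int:
    """Blast-radius check before enabling: how many stored alerts would match."""
    return sum(rule.matches(a) for a in historic)


def ingest(rule: ExclusionRule, incoming: List[Alert]) -> List[Alert]:
    """Future alerts: matches are dropped before storage, so they never
    reach incidents or search results."""
    return [a for a in incoming if not rule.matches(a)]


def apply_historic(rule: ExclusionRule, historic: List[Alert]) -> List[Alert]:
    """Historic alerts: matches are retained but flagged as grayed out."""
    for a in historic:
        if rule.matches(a):
            a.grayed_out = True
    return historic
```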