Learn how to review and manage alert exclusions.
The alert exclusions page displays the alert exclusion rules in Cortex XSIAM. An Alert Exclusion is a rule that contains a set of alert match criteria that you want to suppress from Cortex XSIAM. You can add an Alert Exclusion rule from scratch or base the exclusion on alerts you investigate in an incident. After you create an exclusion rule, Cortex XSIAM excludes any future alerts that match the criteria from incidents and search query results and no longer saves them. If you choose to apply the policy to historic results as well as future alerts, Cortex XSIAM grays out the matching historic alerts.
Note
The agent continues to raise excluded alerts on the endpoint, but they are neither saved nor displayed in Cortex XDR.
You can also set up alert exceptions by creating global endpoint policy exceptions. For more information, see Add a global endpoint policy exception.
The following table describes the default fields and the optional fields that you can add to the alert exclusions table, listed in alphabetical order.
Field | Description
---|---
 | Checkbox to select one or more alert exclusions on which you want to perform actions.
Backward Scan Status | Whether the exclusion policy is applied to historic data: enabled applies the policy to previous alerts, disabled does not.
Comment | Administrator-provided comment that identifies the purpose or reason for the exclusion policy.
Description | Text summary of the policy that displays the match criteria.
Modification Date | Date and time when the exclusion policy was created or modified.
Name | Descriptive name provided to identify the exclusion policy.
Policy ID | Unique ID assigned to the exclusion policy.
Schedule Expire | Date and time at which the exclusion rule expires.
Schedule Start | Date and time at which the exclusion rule becomes valid.
Status | Exclusion policy status, either enabled or disabled.
User | User who last modified the exclusion policy.
User Email | Email address associated with the administrative user.
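As an added illustration, not Cortex XSIAM code or its API, the following Python models the review logic implied by the fields above: whether a rule is currently in force given its Status and schedule window, and which rules an administrator should revisit (no expiry, expired but still enabled, no comment). The record layout and the sample rules are constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple

@dataclass
class AlertExclusion:
    # Constructed record; field names mirror the alert exclusions table columns.
    policy_id: int
    name: str
    status: str                      # "enabled" or "disabled"
    backward_scan_status: str        # "enabled" or "disabled"
    schedule_start: Optional[datetime]
    schedule_expire: Optional[datetime]
    comment: str = ""

def is_active(rule: AlertExclusion, at: datetime) -> bool:
    """True if the rule would suppress a matching alert raised at time `at`:
    it must be enabled and `at` must fall inside [Schedule Start, Schedule Expire)."""
    if rule.status != "enabled":
        return False
    if rule.schedule_start is not None and at < rule.schedule_start:
        return False
    if rule.schedule_expire is not None and at >= rule.schedule_expire:
        return False
    return True

def review_findings(rules: List[AlertExclusion], now: datetime) -> List[Tuple[int, str]]:
    """Return (Policy ID, finding) pairs worth an administrator's attention.
    Exclusions drop alerts before they are saved, so open-ended or undocumented
    rules deserve periodic review."""
    findings = []
    for r in rules:
        if r.status == "enabled" and r.schedule_expire is None:
            findings.append((r.policy_id, "no expiry"))
        if r.status == "enabled" and r.schedule_expire is not None and r.schedule_expire <= now:
            findings.append((r.policy_id, "expired but still enabled"))
        if not r.comment.strip():
            findings.append((r.policy_id, "missing comment"))
    return findings

# Constructed sample data, not real policies.
UTC = timezone.utc
NOW = datetime(2024, 6, 1, tzinfo=UTC)
SAMPLE_RULES = [
    AlertExclusion(101, "Approved scanner", "enabled", "enabled",
                   datetime(2024, 1, 1, tzinfo=UTC), None, "Authorized vulnerability scanner"),
    AlertExclusion(102, "Lab host noise", "enabled", "disabled",
                   datetime(2024, 1, 1, tzinfo=UTC), datetime(2024, 3, 1, tzinfo=UTC), ""),
    AlertExclusion(103, "Temporary test", "disabled", "disabled",
                   datetime(2024, 5, 1, tzinfo=UTC), datetime(2024, 12, 31, tzinfo=UTC), "Pending review"),
]
```

Running `review_findings(SAMPLE_RULES, NOW)` flags rule 101 for having no expiry and rule 102 for being expired yet still enabled and lacking a comment.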