Alert Exclusions
From the Cortex XDR management console, you can review
and manage all alert exclusions.
The page
displays all alert exclusion policies in
Cortex
XDR
.An alert exclusion is a policy that contains a set
of alert match criteria that you want to suppress from
Cortex
XDR
. You can Add an Alert Exclusion Policy from scratch
or you can base the exclusion off of alerts that you investigate
in an incident. After you create an exclusion policy, Cortex
XDR
excludes and no longer saves any of
the future alerts that match the criteria from incidents and search
query results. If you choose to apply the policy to historic results
as well as future alerts, the app identifies the historic alerts
as grayed out. The following table describes both the default fields and additional
optional fields that you can add to the alert exclusions table and
lists the fields in alphabetical order.
Field | Description |
|---|---|
| Check box to select one or more alert exclusions
on which you want to perform actions. |
BACKWARD SCAN STATUS | Exclusion policy status for historic data,
either enabled if you want to apply the policy to previous alerts
or disabled if you don’t want to apply the policy to previous alerts. |
COMMENT | Administrator-provided comment that identifies
the purpose or reason for the exclusion policy. |
DESCRIPTION | Text summary of the policy that displays the
match criteria. |
MODIFICATION DATE | Date and time when the exclusion policy was
created or modified. |
NAME | Descriptive name provided to identify the exclusion
policy. |
POLICY ID | Unique ID assigned to the exclusion policy. |
STATUS | Exclusion policy status, either enabled or
disabled. |
USER | User that last modified the exclusion policy. |
USER EMAIL | Email associated with the administrative user. |
