Add an Alert Exclusion Policy

Create a query to exclude certain criteria from raising alerts in Cortex XDR.
Through the process of triaging alerts or resolving an incident, you can determine that a specific alert does not indicate a threat. If you do not want Cortex XDR to display alerts that match certain criteria, you can create an alert exclusion policy. After you create an exclusion policy, Cortex XDR hides any future alerts that match the criteria and excludes them from incidents and search query results. If you choose to apply the policy to historic results as well as future alerts, the app grays out any matching historic alerts.
If an incident contains only alerts with exclusions, Cortex XDR changes the incident status to Resolved - False Positive and sends an email notification to the incident assignee (if set).
There are two ways to create an exclusion policy. You can define the exclusion criteria when you investigate an incident or you can create an alert exclusion from scratch.

Build an Alert Exclusion Policy from Alerts in an Incident

If, after reviewing the incident details, you want to suppress one or more alerts from appearing in the future, create an exclusion policy based on the alerts in the incident. When you create an exclusion policy from the incident view, you can define the criteria based on the alerts in the incident. If desired, you can also Create Alert Exclusions from scratch.
  1. From the Incident view in Cortex XDR, select Actions > Create Exclusion Policy.
  2. Enter a POLICY NAME to identify your alert exclusion.
  3. Enter a descriptive COMMENT that identifies the reason or purpose of the alert exclusion policy.
  4. Use the alert filters to add the match criteria for the alert exclusion policy.
    You can also right-click a specific value in the alert to add it as match criteria. The app refreshes to show you which alerts in the incident would be excluded. To see all matching alerts, including those not related to the incident, clear the Show only alerts in the named incident option.
  5. Create the exclusion policy and confirm the action.
    If you later need to make changes, you can view, modify, or delete the exclusion policy from the Incidents > Alert Exclusions page.

Build an Alert Exclusion Policy from Scratch

  1. Select Incidents > Exclusions.
  2. Select + Add Exclusion Policy.
  3. Enter a Policy Name to identify the exclusion policy.
  4. Enter any comments to explain the purpose or intent behind the policy.
  5. Define the exclusion criteria.
    Either use the filters at the top to build your exclusion criteria, or, to populate the criteria from existing alert values, right-click the value and select Add rows with <value> to policy.
    As you define the criteria, the app filters the results to display matches.
  6. Review the results.
    After the policy is created, the alerts in the table will no longer appear in the app and, optionally, any existing matching alerts will be grayed out.
    This action is irreversible: all historic excluded alerts remain excluded even if you later disable or delete the policy.
  7. Create and then select Yes to confirm the alert exclusion policy.
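The outcome both procedures describe (future matches hidden, historic matches grayed out only when the policy is applied to existing alerts, an incident whose alerts are all excluded moving to Resolved - False Positive) as an added Python simulation; this is not Cortex XDR code, and the alerts, hosts and field names are constructed. The outside list corresponds to the matches you see when you clear Show only alerts in the named incident, which is the check for a policy that reaches further than intended.

```python
from dataclasses import dataclass

@dataclass
class Alert:
    alert_id: str
    incident_id: str
    fields: dict        # alert attributes the policy can match on
    historic: bool      # True: existed before the policy; False: raised after it

@dataclass
class ExclusionPolicy:
    name: str
    comment: str
    criteria: dict              # field -> value; every pair must match
    apply_to_historic: bool     # also gray out existing matches

def matches(alert, policy):
    """Every criterion must match, so adding criteria narrows the policy."""
    return all(alert.fields.get(k) == v for k, v in policy.criteria.items())

def apply_policy(alerts, policy, incident_id=None):
    """Returns (hidden, grayed, resolved, outside): future matches hidden, historic
    matches grayed only if apply_to_historic, fully excluded incidents resolved."""
    hidden, grayed, outside = [], [], []
    for a in alerts:
        if not matches(a, policy):
            continue
        if incident_id is not None and a.incident_id != incident_id:
            outside.append(a.alert_id)   # the policy's reach beyond this incident
        if not a.historic:
            hidden.append(a.alert_id)
        elif policy.apply_to_historic:
            grayed.append(a.alert_id)
    excluded = set(hidden) | set(grayed)
    members = {}
    for a in alerts:
        members.setdefault(a.incident_id, []).append(a.alert_id)
    resolved = {i: "Resolved - False Positive" for i, ids in members.items() if excluded.issuperset(ids)}
    return hidden, grayed, resolved, outside

BENIGN = {"alert_name": "Scheduled task created", "host": "build-01", "user": "svc_build"}  # constructed
ALERTS = [
    Alert("A1", "INC-1", dict(BENIGN), historic=True),
    Alert("A2", "INC-1", dict(BENIGN), historic=True),
    Alert("A3", "INC-2", dict(BENIGN), historic=True),
    Alert("A4", "INC-2", {**BENIGN, "alert_name": "Credential dumping"}, historic=True),
    Alert("A5", "INC-3", dict(BENIGN), historic=False),
]
POLICY = ExclusionPolicy("Build host task", "Approved CI job on build-01", BENIGN, apply_to_historic=True)
```

Running apply_policy(ALERTS, POLICY, incident_id="INC-1") shows INC-2 staying open because its credential-dumping alert does not match, while A3 and A5 appear in outside as matches the incident view alone would not have shown.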
