https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/some-alert-exclusions-don-t-work-anymore/m-p/528142#M3439 <P>Hi&nbsp;</P> <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/190671">@RFeyertag</a>&nbsp;</P> <P>&nbsp;</P> <P>Thank you for reaching out to live community!</P> <P>&nbsp;</P> <P>Possibly there is A recalculation on your tenant for your exclusion policy. Possible that there was an edit on the policy because of an edit and there is a backwards scan running. Please check backwards scan status</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Mon, 23 Jan 2023 08:17:05 GMT neelrohit 2023-01-23T08:17:05Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/some-alert-exclusions-don-t-work-anymore/m-p/528021#M3431 <P>Hello dear community,</P> <P>&nbsp;</P> <P>Since some days, my alert exclusions do not work anymore and the alerts are popping up. Now i noticed the quotes in the target process cmd.</P> <P>&nbsp;</P> <P>powershell.exe -command --&gt; before</P> <P>"powershell.exe" -command --&gt; from now</P> <P>&nbsp;</P> <P>What has happened? The automation task wasn't changed, but maybe a behaviour change from PA?</P> <P>&nbsp;</P> <P>BR</P> <P>&nbsp;</P> <P>Rob</P> Fri, 20 Jan 2023 20:52:52 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/some-alert-exclusions-don-t-work-anymore/m-p/528021#M3431 RFeyertag 2023-01-20T20:52:52Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/some-alert-exclusions-don-t-work-anymore/m-p/528142#M3439 <P>Hi&nbsp;</P> <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/190671">@RFeyertag</a>&nbsp;</P> <P>&nbsp;</P> <P>Thank you for reaching out to live community!</P> <P>&nbsp;</P> <P>Possibly there is A recalculation on your tenant for your exclusion policy. Possible that there was an edit on the policy because of an edit and there is a backwards scan running. Please check backwards scan status</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Mon, 23 Jan 2023 08:17:05 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/some-alert-exclusions-don-t-work-anymore/m-p/528142#M3439 neelrohit 2023-01-23T08:17:05Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/some-alert-exclusions-don-t-work-anymore/m-p/528173#M3440 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/142551">@neelrohit</a>,&nbsp;</P> <P>&nbsp;</P> <P>what is an backward scan status? And why do I have to do this? Isn't there any information why this quotes suddenly appearing? And day by day I have more not working exclusions.&nbsp;</P> <P>&nbsp;</P> <P>BR</P> <P>&nbsp;</P> <P>Rob</P> Mon, 23 Jan 2023 13:49:16 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/some-alert-exclusions-don-t-work-anymore/m-p/528173#M3440 RFeyertag 2023-01-23T13:49:16Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/some-alert-exclusions-don-t-work-anymore/m-p/528300#M3445 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/190671">@RFeyertag</a>&nbsp;,</P> <P>&nbsp;</P> <P>Backwards scan is a logic which runs on the Cortex XDR console for querying past events from the date a rule has been created( IOC/BIOC) and also for alert exclusions when you want to exclude the existing alerts. If the exclusion rules were edited and checked in for exclude existing alerts, there will be a backwards scan running in. Till the time, the backwards scan is running, exclusions will not work for old alerts and only the new alerts will be excluded.</P> <P>&nbsp;</P> <P>However, if you are saying that it is not working for you. I recommend opening a TAC case.&nbsp;</P> Tue, 24 Jan 2023 08:37:58 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/some-alert-exclusions-don-t-work-anymore/m-p/528300#M3445 neelrohit 2023-01-24T08:37:58Z