03-08-2023 12:14 AM
How to fine-tune similar incidents? We have added the hash and file path of such incidents to the allow list and used the feature to exclude alerts. Still, we see incidents getting triggered.
03-08-2023 12:35 AM - edited 03-08-2023 12:36 AM
Hi @Shashanksinha, and thank you for writing to the Live Community.
First of all, let me clarify something for all readers.
Exclusions: The only action taken is that the alert won't produce an incident. The alert will be produced and marked as excluded, and you can actually look for it and see it in the alerts table "marked as excluded". No other action will be taken apart from not creating an Incident. So things will still be blocked if they should be blocked by the agent, even though you won't be notified in an Incident.
Exceptions: These will prevent the blocking in the agent if your conditions are met, and so no alerts will be produced (nor Incidents). So you need to be pretty sure of what you are doing here, because the prevention action will just be "not done".
If your conditions for exceptions of alerts (or exclusions) are met, you should not get incidents. Please review the alert and the conditions you have set so as not to be notified, and if you are sure that the conditions are as they should be, please feel free to open a TAC support case in case you have a bug or something similar.
I hope this helps, and if this is a solution to your issue, please mark it as such with the green button "Accept as Solution"; it will also help others.
KR,
EeLuis