XSIAM Dynamic filtering in exclusions


L1 Bithead

Hi,

 

I was told by someone from our Palo team (can't remember who, and we recently had a team change) that dynamic group exclusions would be a new feature in the 3.2 release. An example of this is retrieving a list of IPs and saving it to a table or dataset. Then, for a specific issue exclusion (e.g. Abnormal amount of port scanning), we exclude the list of IPs found in the table or dataset. Has anyone heard about this? We were able to do this with our older SIEM and it seems like such a basic function to have.
 

4 REPLIES

L4 Transporter

Hello @DanNavilliat ,

 

Greetings for the day.

 

In Cortex XSIAM version 3.2 (corresponding to Cortex Platform 1.2), there are several features and workflows that support dynamic exclusions based on IP lists or datasets.

The functionality of retrieving a list of IPs to a table and excluding them from specific issues is primarily handled through three mechanisms in this release:

 

1. Trusted Networks (New in 3.2)

The 3.2 release introduced the CNS Trusted Networks screen, which allows you to define and manage custom CIDR blocks directly within the platform. These defined blocks can be labeled as trusted, and can then be used to suppress or manage network-related issues.

 

2. Automation Exclusion Center and Lists

XSIAM uses the Automation Exclusion Center to prevent automated remediation actions (like blocking IPs) on critical assets.

  • Lists:
    You can create lists of IP addresses or domains. These lists are referenced by exclusion policies to ensure automated actions (such as blocking an IP) do not affect those assets.

  • Dynamic Filtering:
    Each list can be filtered by conditions such as Equals, Ends With, or Does Not Include to manage membership dynamically.

 

3. Dynamic IP Exclusion via XQL (Lookup Tables)

For SIEM-style workflows where incoming events are compared against a dynamic table of IPs (e.g., a list generated by another query), XSIAM uses Lookup Tables and the incidr() function.

To perform a dynamic exclusion in an XQL query, you typically perform a LEFT JOIN with your IP dataset and filter for null values where no match exists:

dataset = <your_event_data>
| join type = left (dataset = <your_ip_lookup_table>) as lookup on incidr(action_remote_ip, lookup.cidr_range)
| filter lookup.cidr_range = null

 

4. Issue Exclusions

XSIAM allows Issue Exclusions (found under Settings > Exception Configuration > Issue Exclusions), which suppress the creation of incidents based on criteria such as Source IP or Alert Name.

While these rules have traditionally used static filters, version 3.2 added support for Dynamic Enums, allowing users to select from pre-populated lists of attributes for certain asset tables.

 

Summary of Release 3.2 Improvements

  • Trusted Networks: Custom CIDR management to label IP ranges as trusted.

  • Dynamic Enums: Pre-populated attribute lists for filtering asset-related tables.

  • SBAC Support: Granular scoping for assets and datasets, allowing exclusion logic to apply to specific organizational units.

  • Unified Data Sources: A consolidated page to manage all integrations and collection points in one place.

 

If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution".

 

Thanks & Regards,
S. Subashkar Sekar
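As an added example (not code from the post and not Palo Alto Networks' own), the Python below mirrors the semantics of the XQL snippet in point 3: each event is left-joined against a table of CIDR ranges with an incidr()-style match, and only the rows whose lookup side is null are kept. It also extends the same list-exclusion idea to non-IP attributes such as usernames, which the XQL snippet does not show. The field names action_remote_ip, actor_effective_username and cidr_range, and the sample rows, are assumptions and constructed data; in XSIAM the equivalent logic runs inside XQL, not in Python.

```python
"""Added example, not code from the post or from Palo Alto Networks.

Reference implementation of the exclusion pattern in the XQL snippet:
left-join events against a table of CIDR ranges with an incidr()-style
match, then keep only the rows whose lookup side is null.  The same
pattern is then applied to plain attribute lists (users, hostnames).
Field names and sample rows are assumptions / constructed data.
"""
import ipaddress

# Constructed lookup table, standing in for a dataset that another query
# populates (for example the scanner ranges you want to suppress).
LOOKUP_CIDRS = ["10.20.0.0/16", "192.0.2.0/24", "2001:db8::/32"]

# Constructed events carrying only the fields the exclusion touches.
EVENTS = [
    {"action_remote_ip": "10.20.5.7",   "actor_effective_username": "svc_scanner"},
    {"action_remote_ip": "203.0.113.9", "actor_effective_username": "alice"},
    {"action_remote_ip": "192.0.2.200", "actor_effective_username": "bob"},
    {"action_remote_ip": "2001:db8::1", "actor_effective_username": "carol"},
    {"action_remote_ip": "not-an-ip",   "actor_effective_username": "dave"},
]


def parse_networks(cidrs):
    """Parse the lookup table once.  strict=False tolerates host bits set
    (e.g. "10.20.1.1/16"), which is how such tables are often exported."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def match_cidr(ip_text, networks):
    """The join side: return the first range containing ip_text, or None.

    None plays the role of the null that `filter lookup.cidr_range = null`
    tests for.  An address that does not parse also yields None, so that
    event is kept (it fails towards alerting, not towards silent
    suppression).  Overlapping ranges would produce several joined rows in
    a real left join, but for an exclusion any single match is enough, so
    the first hit is sufficient.
    """
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return None
    for net in networks:
        if ip in net:  # an IPv4 address in an IPv6 network is simply False
            return str(net)
    return None


def exclude_by_cidr(events, cidrs, ip_field="action_remote_ip"):
    """Keep the events whose IP matched no range in the lookup table."""
    networks = parse_networks(cidrs)
    return [e for e in events if match_cidr(e.get(ip_field, ""), networks) is None]


def exclude_by_list(events, field, values):
    """Same pattern for attribute lists (users, hostnames, countries):
    case-insensitive exact match rather than substring matching, so an
    "admin" entry cannot also suppress events for "sysadmin-backup"."""
    excluded = {str(v).casefold() for v in values}
    return [e for e in events if str(e.get(field, "")).casefold() not in excluded]


if __name__ == "__main__":
    for ev in exclude_by_cidr(EVENTS, LOOKUP_CIDRS):
        print("kept:", ev)
```

Two points worth carrying over to the real query: the exclusion only removes rows with a confirmed match, so an event whose IP field is malformed still raises the issue instead of disappearing, and attribute lists should be matched exactly (the list filter conditions in point 2 such as "Ends With" or "Does Not Include" widen the match and deserve a second look before they are used for suppression).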

 

 

L1 Bithead

Hi
Can you point me to the documentation for point 4, Issue Exclusions? I think this would be the closest match for our use case. To be clear, the IP exclusion was just an example. We could be excluding users, computer names, countries, etc.

Hello @DanNavilliat ,

 

Thank you for the response.

 

https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-5.x-Documentation/Issue-exclusions

 


 

Thanks & Regards,
S. Subashkar Sekar

L1 Bithead

Hi,

I still am not seeing documentation on how to leverage this: Dynamic Enums, allowing users to select from pre-populated lists of attributes for certain asset tables.

 

Can you explain how to apply a list (of users, for example) to a specific exclusion?

 

Thanks

 
