Custom RQL recommended to exclude cloud account, cloud account group, and cloud region in RQL? Why?

RetiredOnMars

Based on some feedback from support I received the following:

When you create a custom policy, the following items are disregarded at the policy level:
1. Cloud Account
2. Cloud Account Group
3. Cloud Region
I recommend creating a new alert rule just for this policy and selecting only the regions you want to get alerts for from there (Alert > Alert Rule > under Target in Step 2, enable advanced settings and select the regions).

Why is it recommended that "when creating a custom policy, as a best practice do not include cloud.account, cloud.account.group or cloud.region attributes in the RQL query. If you have a saved search that includes these attributes, make sure to edit the RQL before you create a custom policy. While these attributes are useful to filter the results you see on the Investigate tab, they are ignored when used in a custom policy."?

Are there negative effects to adding filters like this in an RQL policy? Why even have those as RQL attributes that can be used in policies?

I understand that Alert Rules are leveraged to create some of these exclusions, but what if you cannot or don't want to manage alert rules and prefer to use RQL?
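As an added example (not code from the original post, and not Prisma Cloud's own tooling), here is a small pre-check you can run over a saved search before turning it into a custom policy. It flags comparisons on the three attributes the quoted guidance says a custom policy ignores (cloud.account, cloud.account.group, cloud.region) and returns the query with those clauses removed, so the policy you save reflects what will actually be evaluated. The operator and value grammar it recognises, the sample saved search, and its api.name and json.rule values are assumptions constructed for illustration, not taken from the post.

```python
import re

# The three attributes the quoted Prisma Cloud guidance says are ignored once an
# RQL query is used as a custom policy. Longest name first so the alternation
# below never matches the prefix "cloud.account" inside "cloud.account.group".
IGNORED_ATTRIBUTES = ("cloud.account.group", "cloud.account", "cloud.region")

# One comparison on an ignored attribute, e.g.
#   cloud.region = 'AWS Virginia'     cloud.account.group IN ('Production')
# The operator set and the quoted / parenthesised value forms are an assumption
# about RQL syntax, chosen to cover the shapes a saved search normally uses.
_CLAUSE = (
    r"(?P<attr>" + "|".join(re.escape(a) for a in IGNORED_ATTRIBUTES) + r")\s*"
    r"(?P<op>!=|=|NOT IN|IN|LIKE)\s*"
    r"(?P<val>'[^']*'|\([^)]*\))"
)
_CLAUSE_RE = re.compile(_CLAUSE, re.IGNORECASE)


def find_ignored_clauses(rql):
    """Return (attribute, clause) pairs that a custom policy would silently ignore."""
    return [(m.group("attr").lower(), m.group(0)) for m in _CLAUSE_RE.finditer(rql)]


def strip_ignored_clauses(rql):
    """Return the query with the ignored clauses (and their AND/OR connector) removed.

    Review the result before saving it as a policy: the remaining predicates are
    re-joined as they were, so a search that only made sense because of a region
    or account filter now matches every account and region the policy applies to.
    That scoping belongs in an alert rule, as the support reply above suggests.
    """
    flags = re.IGNORECASE
    # "... AND cloud.region = 'x'"  ->  "..."
    out = re.sub(r"\s+(?:AND|OR)\s+" + _CLAUSE, "", rql, flags=flags)
    # "where cloud.region = 'x' AND ..."  ->  "where ..."
    out = re.sub(_CLAUSE + r"\s+(?:AND|OR)\s+", "", out, flags=flags)
    # A query whose only predicate was an ignored one is left with a dangling "where".
    out = re.sub(_CLAUSE, "", out, flags=flags)
    out = re.sub(r"\s+where\s*$", "", out, flags=flags)
    return re.sub(r"\s+", " ", out).strip()


def policy_safe(rql):
    """True when the RQL contains none of the attributes a custom policy ignores."""
    return not find_ignored_clauses(rql)


# Constructed sample: a saved search that filters on region and account group.
# The api.name and json.rule values are illustrative only.
SAVED_SEARCH = (
    "config from cloud.resource where cloud.type = 'aws' "
    "AND cloud.region = 'AWS Virginia' "
    "AND cloud.account.group IN ('Production') "
    "AND api.name = 'aws-s3api-get-bucket-acl' "
    "AND json.rule = acl.grants[*].grantee contains AllUsers"
)

if __name__ == "__main__":
    for attr, clause in find_ignored_clauses(SAVED_SEARCH):
        print(f"ignored in a custom policy: {clause}")
    print("policy RQL:", strip_ignored_clauses(SAVED_SEARCH))
```

Run it against each saved search you intend to promote; anything `find_ignored_clauses` reports is a filter the policy will drop, and the region or account restriction it expressed has to be recreated as an alert rule target instead.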