Custom RQL recommended to exclude cloud account, cloud account group, and cloud region in RQL? Why?

Retired Member
Not applicable

Based on some feedback from support I received the following:

 

When you create a custom policy, the following items are disregarded at the policy level:
1. Cloud Account
2. Cloud Account Group
3. Cloud Region
I recommend creating a new alert rule just for this policy and selecting only the regions you want to get alerts for from there (Alert > Alert Rule > Target in Step 2: enable advanced settings and select the regions).
 
Why is it recommended "when creating a custom policy, as a best practice do not include cloud.account, cloud.account.group or cloud.region attributes in the RQL query. If you have a saved search that includes these attributes, make sure to edit the RQL before you create a custom policy. While these attributes are useful to filter the results you see on the Investigate tab, they are ignored when used in a custom policy."
 
Are there any negative effects to adding filters like this in an RQL policy? Why even have those as RQL attributes that can be used in policies?
 
I understand that Alert Rules are leveraged to create some of these exclusions but what if you cannot or don't want to manage alert rules and prefer to use RQL?
 
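The documentation quoted in the post tells you to edit a saved search and drop cloud.account, cloud.account.group and cloud.region before turning it into a custom policy, but gives no way to check a query for them. The following is an added example, written for this page and not code from Prisma Cloud or from the poster, of a small pre-flight check that flags those three attributes in an RQL string and, for the simple case of AND-joined conditions, removes them so the remaining filter can go into the policy while the account/region scoping moves to an alert rule. The RQL queries are constructed sample input; the helper names and the assumption that string literals in the query do not themselves contain the words "and" or "or" are this example's own.

```python
import re

# Attributes that the Prisma Cloud docs (quoted in the post above) say are
# ignored once an RQL saved search becomes a custom policy.
IGNORED_ATTRIBUTES = ("cloud.account.group", "cloud.account", "cloud.region")

# Longest alternative first so "cloud.account.group" is not reported as
# "cloud.account".
_ATTR_RE = re.compile(r"\bcloud\.(?:account\.group|account|region)\b", re.IGNORECASE)

# One simple condition on an ignored attribute, e.g.
#   cloud.region = 'AWS Oregon'      cloud.account IN ('a', 'b')
_SIMPLE_COND_RE = re.compile(
    r"(?:cloud\.account\.group|cloud\.account|cloud\.region)\s*"
    r"(?:!=|=|NOT\s+IN|IN|LIKE)\s*"
    r"(?:'[^']*'|\"[^\"]*\"|\([^()]*\))",
    re.IGNORECASE,
)


def find_ignored_attributes(rql):
    """Return the ignored attributes referenced in the query, in order of first use."""
    found = []
    for match in _ATTR_RE.finditer(rql):
        attr = match.group(0).lower()
        if attr not in found:
            found.append(attr)
    return found


def strip_ignored_filters(rql):
    """Remove simple AND-joined conditions on the ignored attributes.

    Returns (cleaned_rql, removed_conditions).  When an ignored attribute is
    used together with OR, or in a form this helper does not recognise, the
    query is returned unchanged with removed_conditions == None: deleting a
    condition mechanically there could change the meaning of the rest of the
    filter, so it has to be edited by hand.  Assumes (hypothetical simplification)
    that string literals do not contain the bare words "and" / "or".
    """
    if not find_ignored_attributes(rql):
        return rql, []
    where = re.search(r"\bwhere\b", rql, re.IGNORECASE)
    if where is None:
        return rql, None
    head, clause = rql[: where.start()], rql[where.end():]
    if re.search(r"\bor\b", clause, re.IGNORECASE):
        return rql, None

    kept, removed = [], []
    for cond in re.split(r"\s+and\s+", clause.strip(), flags=re.IGNORECASE):
        cond = cond.strip()
        if _SIMPLE_COND_RE.fullmatch(cond):
            removed.append(cond)          # safe to drop: scoping belongs in the alert rule
        elif _ATTR_RE.search(cond):
            return rql, None              # ignored attribute in a form we will not rewrite
        else:
            kept.append(cond)
    if kept:
        return head + "where " + " AND ".join(kept), removed
    return head.rstrip(), removed         # nothing left to filter on


if __name__ == "__main__":
    # Constructed sample saved search that mixes a real policy condition with
    # a region filter that a custom policy would silently ignore.
    saved_search = (
        "config from cloud.resource where api.name = 'aws-ec2-describe-instances' "
        "AND cloud.region = 'AWS Oregon' AND json.rule = publicIp exists"
    )
    print("ignored attributes:", find_ignored_attributes(saved_search))
    cleaned, dropped = strip_ignored_filters(saved_search)
    print("policy RQL:", cleaned)
    print("move to alert rule target:", dropped)
```

Run it against each saved search you intend to promote to a custom policy: an empty list from `find_ignored_attributes` means the query is safe as-is, and anything `strip_ignored_filters` reports as removed is exactly the account or region scoping that has to be re-created on the alert rule's Target step instead.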