Ask your questions from April 27 - May 3 as Cortex XDR experts will be available in a Q&A session for an opportunity to learn, join in, ask questions, and meet our experts! The Ask Me Anything (AMA) Event will be focused on alerts, including alert prioritization.
Ask questions from Tuesday, April 27 to Monday, May 3, 2021.
Come back on May 4 from 8am to 10am PT to join the event as our experts answer your questions!
To participate in this event, please use the Reply button below to ask your questions.
Please be sure to click Like if a post is helpful to you and to "Accept as Solution" to let everyone know that the answer to your question hits the mark!
Want to learn more details about the event? Check out this article.
What's the difference between an exclusion and an exception?
An (alert) exclusion is used to suppress alerts that are of no value, while a (rule) exception is used to tune rules in protection modules that detect, prevent, and generate alerts within Cortex XDR.
What happens to alerts that are caught by exclusions?
Alerts caught by exclusions are prevented from being created in the Cortex XDR tenant, keeping it from being seen in the alert table or being attached in an incident. The data for the alert is still available in the QueryBuilder.
Can Alerts that are filtered by exclusions be retrieved?
No, alerts that are filtered by exclusions cannot be recovered within the Cortex XDR tenant. Depending on your version of the Cortex XDR Agent, you can look at the events tab in the console to see recent alerts, however.
Should we use exclusion with all alert sources as first response?
No, as a recommendation, if there is a way to fine-tune the alert without exclusion, that will be preferred. For example, BIOC/IOC - Rules tunning, Malware/Exploit - Support exception or profile tunning.
Happening TODAY at 8AM PDT - the LIVEcommunity Ask Me Anything (AMA) Q&A event.
Join us, ask questions and learn about Cortex XDR Alerts. Please be sure to click Like if a post is helpful to you and to "Accept as Solution" to let everyone know that the answer to your question hits the mark!
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!