You can dismiss one alert at a time or alerts in bulk.
When dismissing an alert, you have the option to automatically dismiss the alert on all devices in the future. The following note explains the details of what it means when you select that option.
Important: The "If this alert occurs in the future, automatically dismiss it on all devices" option is based on the threat_id, which is available via the Alerts API. The threat_id definition varies slightly across CB Analytics, Watchlists, and USB Device Control alert types:
- CB Analytics: Combination of the primary threat actor (usually the SHA-256 hash of the threat actor) and the alert reason that is derived by the Endpoint Standard Analytics engine.
- Watchlists: The report that triggered the Watchlist hit.
- USB Device Control: Represents a unique USB device.
If an alert is flagged for dismissal, any future alerts that contain the same threat_id are dismissed.
Note: Alerts can present different SHA-256 hashes. To dismiss an alert on multiple devices, the hash of the object must be the same.
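The following Python snippet is an added example, not part of the Carbon Black documentation or product code. It models the future-dismissal rule locally: every alert carries a threat_id, a dismissed threat_id set is kept, and any later alert whose threat_id matches is auto-dismissed whatever device it came from. The way a CB Analytics threat_id is composed from the actor hash and the alert reason is a stand-in (the product's own derivation is not published here), and the hashes, device names, report id and reason string are constructed sample data. It also shows the point of the note above: an alert from the same actor with a different SHA-256 gets a different threat_id and is not dismissed.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    alert_id: str
    device_name: str
    alert_type: str   # "CB_ANALYTICS", "WATCHLIST" or "DEVICE_CONTROL"
    threat_id: str    # the value the Alerts API returns for the alert


def cb_analytics_threat_id(actor_sha256: str, reason: str) -> str:
    """Stand-in for the Endpoint Standard Analytics derivation (assumption, not
    the product's algorithm): the primary threat actor hash and the alert
    reason are combined, so changing either one yields a different threat_id."""
    return hashlib.sha256(f"{actor_sha256.lower()}|{reason}".encode()).hexdigest()


def split_by_dismissal(alerts, dismissed_threat_ids):
    """Apply the 'if this alert occurs in the future, automatically dismiss it
    on all devices' rule: an alert is auto-dismissed exactly when its
    threat_id is in the dismissed set, regardless of the device it came from."""
    dismissed = [a for a in alerts if a.threat_id in dismissed_threat_ids]
    remaining = [a for a in alerts if a.threat_id not in dismissed_threat_ids]
    return dismissed, remaining


# Constructed sample data (not real hashes, reports or devices).
ACTOR_A = "a" * 64        # SHA-256 of the threat actor seen on ws-01 and ws-02
ACTOR_B = "b" * 64        # a re-packed copy of the same actor: different hash
REASON = "Known malware executed"

SAMPLE_ALERTS = [
    Alert("A-1", "ws-01", "CB_ANALYTICS", cb_analytics_threat_id(ACTOR_A, REASON)),
    Alert("A-2", "ws-02", "CB_ANALYTICS", cb_analytics_threat_id(ACTOR_A, REASON)),
    Alert("A-3", "ws-03", "CB_ANALYTICS", cb_analytics_threat_id(ACTOR_B, REASON)),
    Alert("W-1", "ws-01", "WATCHLIST", "REPORT-EXAMPLE-1"),  # threat_id = the report
]


def demo():
    """Dismiss A-1 with the future-dismissal option and report what follows."""
    dismissed_ids = {SAMPLE_ALERTS[0].threat_id}
    dismissed, remaining = split_by_dismissal(SAMPLE_ALERTS, dismissed_ids)
    return [a.alert_id for a in dismissed], [a.alert_id for a in remaining]


if __name__ == "__main__":
    done, left = demo()
    print("auto-dismissed:", done)   # A-1 and A-2: same actor hash, same reason
    print("still open:", left)       # A-3 (different hash) and W-1 (different id)
```

Running the block dismisses A-1 and A-2 together because they share a threat_id across two devices, while A-3 stays open even though it is the same actor and reason, which is exactly the case the note warns about when hashes differ.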
Dismiss Alerts
You can use this procedure to dismiss selected alerts.
Procedure
Bulk Dismissal of Alerts
Use this procedure to dismiss alerts in bulk.