You can dismiss one alert at a time or alerts in bulk.

When dismissing an alert, you have the option to automatically dismiss the alert on all devices in the future. The following note explains the details of what it means when you select that option.

Important: The If this alert occurs in the future, automatically dismiss it on all devices option is based on the threat_id, which is available via the Alerts API. The threat_id definition varies slightly across CB Analytics, Watchlists, and USB Device Control alert types:
  • CB Analytics: Combination of the primary threat actor (usuallythe SHA-256 hash of the threat actor) and the alert reason that is derived by the Endpoint Standard Analytics engine.
  • Watchlists: The report that triggered the Watchlist hit.
  • USB Device Control: Represents a unique USB device.

    If an alert is flagged for dismissal, any future alerts that contain the same threat_id are dismissed.

Note: Alerts can present different SHA-256 hashes. To dismiss an alert on multiple devices, the hash of the object must be the same.

Dismiss Alerts

You can use this procedure to dismiss a selected alerts.

Procedure

  1. On the left navigation pane, click Alerts.
  2. Turn Group Alerts to OFF to dismiss alerts on a single device; turn Group Alerts to ON to dismiss alerts on multiple devices.
  3. Select the alerts to dismiss.
  4. Click Dismiss Alert(s).
  5. To dismiss all future occurrences of an alert, select If this alert occurs in the future, automatically dismiss it on all devices.
    Important: The automatic alert dismissal expires after one (1) year.
    Note: Instead of dismissing all future occurrences of an alert, you should consider tuning the watchlist from the alerts panel, including turning off alerting for the watchlist or disabling the report or IOC.
  6. Select a reason for the dismissal and use the open text box to include notes for the audit log entry. Click Dismiss.

Bulk Dismissal of Alerts

Use this procedure to dismiss alerts in bulk.

Procedure

  1. Select the check box in the top-left corner of the Alerts table to select all alerts listed on the page.
  2. Click select all in the header prompt to select all alerts across all pages.
  3. Click Dismiss Alert(s).
  4. To dismiss all future occurrences of an alert, select If this alert occurs in the future, automatically dismiss it on all devices.
    Important: The automatic alert dismissal expires after one (1) year.
    Note: Instead of dismissing all future occurrences of an alert, you should consider tuning the watchlist from the alerts panel, including turning off alerting for the watchlist or disabling the report or IOC.
  5. Select a reason for the dismissal and use the open text box to include notes for the audit log entry. Click Dismiss.