You can adjust the scope baseline of Kubernetes runtime policies for alerts that indicate false positive workloads behavior. To do so, you can close alerts or add egress traffic destinations to the scope baseline.

You generally review alerts after you enable or update a Kubernetes runtime policy and after the learning period completes. You can reduce the number of alerts by resolving the issues or by closing the alerts.

Closing alerts is only recommended for excluding specific workloads that exhibit known behaviors from the alerts list.


  1. On the left navigation pane, select Alerts.
  2. Locate and select the alerts of interest and do one of the following:
    • On the Actions dropdown menu, click Add to baseline. Click OK to confirm.
    • On the Actions dropdown menu, click Close.

      Close Alert dialog box

      1. In the Close as dropdown menu, select a reason for closing the alert, for example, Resolved - Benign/Known.
      2. Optionally select the check box to close all existing alerts that have the same threat ID.
      3. Optionally automatically close all future alerts that have this threat ID.
      4. Enter an optional note about the reason for closing the alert.
      5. Click Close Alert.