Exclusions

You can select not to include specific findings that appear in the results of assessments, manually triggered compliance assessments, and Continuous Posture assessments.

With exclusions, you can control the finding and show only those applicable to you. After you create an exclusion, the findings that match the exclusion parameters do not appear in the calculation of the assessment result statistics. Not included findings are not sent as notification messages (by email, SNS, etc.) to external systems.

Some typical cases to make exclusions are:

Do not include findings from unrelated rules, for specific or for all environments. For example, when you use preconfigured CloudGuard rulesets, possibly, some rules do not apply to your environments you can create exclusions to adjust them.
Provide temporary correction for rules that require adjustments.
Stop generation of findings for specific entities.

Best Practice - Do not overuse exclusions. If it is necessary to have a large number of exclusions to control your assessment results, then perhaps make adjustments to your rulesets. As a result, the rulesets fit better the current state of your cloud environments.

In the CSPM > Exclusions page, use the Filter and Search toolbar to select parameters to filter out from the exclusion table. Only exclusions that match the parameters show up in the exclusion table.

You can use these preconfigured filters:

Platform - Select environment platform (Azure Collection of integrated cloud services that developers and IT professionals use to build, deploy, and manage applications through a global network of data centers managed by Microsoft®., AWS Amazon® Web Services. Public cloud platform that offers global compute, storage, database, application and other cloud services., GCP Google® Cloud Platform - a suite of cloud computing services that runs on the same infrastructure that Google uses internally for its end-user products, such as Google Search, Gmail, Google Drive, and YouTube.).
Environment/OU - Select one or more environments or organizational units.
Rulesets - Select from the available rulesets.
Rules - Select from the available rules.
Status - Select currently Active exclusions (in the Date Range) or Inactive exclusions (out of the Date Range).
Severity - Select from the available alert severity objects.

Creating an Exclusion

There are two methods to create an exclusion:

Full - Create a new empty exclusion and enter all the parameters.
Based on assessment results or findings - Some of the parameters exist, you can edit them and complete the missing parameters.

To create a new exclusion with the full procedure:

Navigate to CSPM > Exclusions.
Click Create New Exclusion, in the top right.
Select the Ruleset to which you apply the exclusion. This parameter is mandatory.
Enter your comment to distinguish between different exclusions. The comment is a mandatory parameter.

Select at least one characteristic which is not necessary to include in the finding:

Environment or Organization unit - Do not include findings that correspond to an asset from a specific environment or organization unit. The field shows only environments that match the platform of the selected ruleset.
Date range - Select during which time frame the exclusion takes effect. If you do not select the date range, the exclusion applies permanently.
Rule - Do not include findings that correspond to a specific rule. Select the rule from the list based on the selected ruleset. If you do not select a rule, the exclusion applies to all rules. The rule severity applies to the exclusion automatically, so you cannot configure it separately.
Entity - Do not include findings that correspond to specific entities. Enter the entity name or ID. You can include the wildcard '%' in the entity name, to include a group of entities. For example, %s3% matches all entities with 's3' in their name.
Account number - Do not include findings that correspond to an AWS account with a specific number.
Tags - Do not include findings that contain specific tags (key + value).
Alerts severity - Do not include findings that have specific severity. You cannot select a rule when you select the alert's severity, because each rule has its severity level.

Note - The exclusion characteristics apply to the AND logic. For example, if you set the date range, rule, and alerts severity, the finding is not included in the assessment if it matches all the parameters at the same time. That is, the configured ruleset and the specified date range and the specified rule and has the specified account number. To apply the characteristics with the OR logic, create more exclusions.

Click Save.

To create an exclusion based on existing parameters:

A more simple procedure to create an exclusion is to start the procedure directly from an assessment (Creating Exclusions, finding (Creating an exclusion for a finding), or GSL rules. In the Create New Exclusion window, some parameters appear configured as they are in your assessment or finding.