Policy Exclusion Logic

Saved queries are used to define reusable exclusion criteria for policies.

When a policy with an applied exclusion is evaluated, an event must satisfy two conditions to be considered a final policy match:

  • It must first match the policy's inclusion criteria.
  • It must then not match any of the exclusion rules defined by the saved query.

Saved Queries Table Fields

The table displays all the saved queries with the following fields:

  • Name: The unique identifier for the saved query. This name is used when applying the query as an exclusion to policies.
  • Excluded from policies: Shows which policies currently use this saved query as an exclusion rule, displaying policy names or a count indicator.
  • Created at: Timestamp showing when the saved query was originally created.
  • Created by: The user who created the saved query (typically email address or username).
  • Last modified: Timestamp of the most recent modification to the saved query.
  • Last modified by: The user who last modified the saved query.
  • Actions: Provides options to edit, duplicate, delete, or view details of the saved query.
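
The two-step evaluation under Policy Exclusion Logic and the reverse lookup behind the "Excluded from policies" column, as an added sketch that is not the product's own code or query syntax. The `Policy` class, the predicate-based queries, the sample events and the choice to raise on a missing saved query are all assumptions made for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Callable

Predicate = Callable[[dict], bool]  # hypothetical stand-in for a query

@dataclass
class Policy:
    name: str
    include: Predicate                                    # inclusion criteria
    exclusions: list[str] = field(default_factory=list)   # saved-query names

def evaluate(policy: Policy, event: dict, saved: dict[str, Predicate]):
    """Return (final_match, reason) for one event against one policy."""
    if not policy.include(event):          # condition 1: must match inclusion
        return False, "no inclusion match"
    for qname in policy.exclusions:        # condition 2: must match no exclusion
        if qname not in saved:
            # Assumption of this sketch: a dangling reference is an error,
            # so a deleted query can never silently change what is reported.
            raise KeyError(f"policy '{policy.name}' references missing query '{qname}'")
        if saved[qname](event):
            return False, f"excluded by saved query '{qname}'"
    return True, "match"

def excluded_from_policies(policies: list[Policy]) -> dict[str, list[str]]:
    """Reverse index: saved-query name -> policies that use it as an exclusion."""
    index: dict[str, list[str]] = {}
    for p in policies:
        for qname in p.exclusions:
            index.setdefault(qname, []).append(p.name)
    return index

# Constructed sample data (not from the product).
SAVED = {
    "approved-backup-hosts": lambda e: e.get("host", "").startswith("backup-"),
    "service-accounts": lambda e: e.get("user", "").startswith("svc-"),
}
POLICIES = [
    Policy("bulk-file-read", lambda e: e.get("files_read", 0) > 1000,
           ["approved-backup-hosts", "service-accounts"]),
    Policy("off-hours-login", lambda e: e.get("hour", 12) < 6, ["service-accounts"]),
]
EVENTS = [
    {"host": "backup-01", "user": "alice", "files_read": 5000, "hour": 14},
    {"host": "ws-17", "user": "bob", "files_read": 5000, "hour": 3},
    {"host": "ws-17", "user": "svc-scan", "files_read": 10, "hour": 2},
]

if __name__ == "__main__":
    for p in POLICIES:
        for e in EVENTS:
            print(p.name, e["host"], e["user"], evaluate(p, e, SAVED))
    print(excluded_from_policies(POLICIES))
```

Recording which saved query suppressed an event, as the `reason` value does here, makes it possible to review how much a shared exclusion is hiding before it is attached to more policies.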