Regarding SIEM exclusions in Google SecOps:Does an exclusion only suppress the creation of an alert (meaning the detection event itself is still created/triggered and visible), or does it prevent the detection event from triggering altogether?If an exclusion is applied to a specific broad detection rule, will that exclusion also prevent other high-ranking or more precise rules from matching the detection events of the broad rule?

Solved

How do SIEM exclusions work?

Forum|Forum|1 month ago
November 12, 2025
1 reply
43 views

+8

ar3diu
Silver 2

Regarding SIEM exclusions in Google SecOps:

Does an exclusion only suppress the creation of an alert (meaning the detection event itself is still created/triggered and visible), or does it prevent the detection event from triggering altogether?

If an exclusion is applied to a specific broad detection rule, will that exclusion also prevent other high-ranking or more precise rules from matching the detection events of the broad rule?

Best answer by kentphelps

I think this might help. Check out this section in a doc: Tune alerts from rule sets

It mentions “A rule exclusion specifies criteria that prevent certain events from being evaluated by a rule or rule set” which sounds like the detection event is prevented from triggering.

+11

kentphelps
Staff
Answer
Forum|Forum|26 days ago
November 19, 2025

I think this might help. Check out this section in a doc: Tune alerts from rule sets

It mentions “A rule exclusion specifies criteria that prevent certain events from being evaluated by a rule or rule set” which sounds like the detection event is prevented from triggering.

Like

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded