Skip to main content
All CollectionsManage detections
Exclude a user from a detection
Exclude a user from a detection

Don’t send user activity alerts for particular users.

Rachel Robins avatar
Written by Rachel Robins
Updated over 2 months ago

We send an alert when certain activities happen in your organization, such as when a policy is changed or a large number of pages are exported. While these activities may be suspicious, often they are just someone doing their job.

To reduce noise and allow your team to focus on the most important alerts, you can choose to exclude some user accounts from user activity detections. For example, you might exclude the admins who manage requests for new Marketplace apps from the Marketplace app install and removal detection so that an alert isn’t generated every time they install an app as part of their day-to-day work.

You can’t exclude groups, teams, or roles.

Exclude a user from the alert

If you’ve investigated an alert and determined that it’s a false positive, you can choose to exclude the actor so that the detection won’t generate alerts for that person in future.

To exclude a page from an alert:

  1. In Guard Detect, select the alert.

  2. In the recommended remediation steps, select Exclude user.

  3. Confirm the details, and select Exclude user.

The user will be added to the list of excluded users for that detection. You can remove someone from the list of excluded users at any time.

If the activity was performed by an Admin API key when you select Exclude user, we’ll exclude the Admin API key from that alert.

Exclude a user from the detection

If you know in advance that a user should not generate user activity alerts, you can choose to exclude them from the detection itself. This is particularly useful for teams that are responsible for performing organization and product administration tasks on a regular basis.

To exclude a user from the detection:

  1. In Guard Detect, select Detections > User activity from the header.

  2. Select the detection you want to add an exclusion for.

  3. Select View exclusions.

  4. Select Exclude user.

  5. Search for the user, then select Exclude user.

The user will be added to the list of excluded users for that detection. You can remove someone from the list of excluded users at any time.

List of users excluded from marketplace app user activity detection

Remove an exclusion

At any time you can remove people and admin API keys from the list of excluded users.

To remove an exclusion:

  1. In Guard Detect, select Detections > User activity from the header.

  2. Select the detection you want to view exclusions for.

  3. Select View exclusions.

  4. Select Remove next to the user you want to remove.

The user will be removed from the list of excluded users. This means alerts will be generated when this user performs an action.

Did this answer your question?