When a user adds a whitelist rule on a case or incident, the following occurs:
- That case or incident is whitelisted. The whitelisted field is set to true (whitelisted:true) on the case or incident and on the case's or incident's MainEvent.
- Any forthcoming events (scored-events) matching the whitelist rule do not become an IOA or case-event.
- Existing cases and incidents are reviewed, and any that match the whitelist rule are whitelisted.
Use Case #1
A case or incident is whitelisted only if all of its IOAs are whitelisted (whitelisted:true); if any IOA is not whitelisted, the case or incident is not whitelisted. In the following case, all the IOAs associated with this incident are whitelisted, and hence the incident is whitelisted.
Use Case #2
In this case, the incident does not have all its IOAs whitelisted and hence this incident will not be whitelisted.
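The sketch below models the behaviour described above so that a rule can be checked against existing incidents before it is relied on. It is an added example, not the product's code: only the whitelisted field and the MainEvent name come from this page, while the class names, the field-equality rule format, the sample events, and the handling of empty rules and IOA-less incidents are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class IOA:
    event: dict                  # scored-event fields (constructed sample data)
    whitelisted: bool = False

@dataclass
class Incident:
    name: str
    ioas: list
    whitelisted: bool = False
    main_event: dict = field(default_factory=lambda: {"whitelisted": False})

def matches(rule, event):
    # Assumed rule format: every key/value in the rule must equal the event's field.
    # An empty rule is rejected here so it cannot match every event.
    return bool(rule) and all(event.get(k) == v for k, v in rule.items())

def apply_rule(rule, incidents):
    """Review existing incidents against a new rule; return names newly whitelisted."""
    newly = []
    for inc in incidents:
        for ioa in inc.ioas:
            if matches(rule, ioa.event):
                ioa.whitelisted = True
        # Whitelisted only if ALL IOAs are. all([]) is True in Python, so an
        # incident with no IOAs is explicitly kept un-whitelisted (assumption).
        complete = bool(inc.ioas) and all(i.whitelisted for i in inc.ioas)
        if complete and not inc.whitelisted:
            inc.whitelisted = True
            inc.main_event["whitelisted"] = True
            newly.append(inc.name)
    return newly

def admit_event(rules, event):
    """Forthcoming scored-event: False means it never becomes an IOA or case-event."""
    return not any(matches(r, event) for r in rules)

def demo():
    rule = {"process": "backup.exe", "host": "srv01"}    # constructed rule
    uc1 = Incident("use-case-1", [IOA({"process": "backup.exe", "host": "srv01"}),
                                  IOA({"process": "backup.exe", "host": "srv01"})])
    uc2 = Incident("use-case-2", [IOA({"process": "backup.exe", "host": "srv01"}),
                                  IOA({"process": "powershell.exe", "host": "srv01"})])
    return apply_rule(rule, [uc1, uc2]), uc1, uc2
```

In the constructed data, use-case-2 keeps one IOA that the rule does not cover, so the incident stays visible even though its other IOA is whitelisted.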