topic Re: Ignore all authentication requests alerts from a particular IP in Cortex XDR Discussions

Ignore all authentication requests alerts from a particular IP

CGirouard — Fri, 15 Oct 2021 19:14:34 GMT

We use a vulnerability scanner internally to test all endpoints for any known vulnerabilities or leaked credentials.

Cortex has been alerting to this, but since we know this is intentional traffic, is there a way to ignore certain authentication requests via lsass.exe from a remote host?

The remote host IP is coming up in the emailed alert as "action_local_ip", but I'm not sure where I can apply this exclusion to the BIOC Analysis rules using this as a filter.

Re: Ignore all authentication requests alerts from a particular IP

tvilas — Mon, 18 Oct 2021 16:40:41 GMT

Hello, you can create an alert exclusion.

https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/investigation-and-response/investigate-endpoint-alerts/alert-exclusions/add-an-alert-exclusion.html

Re: Ignore all authentication requests alerts from a particular IP

CGirouard — Mon, 18 Oct 2021 17:19:36 GMT

...yes. Of course. But that isn't the question.

How can I create an exclusion based upon the action_local_ip field?

I don't see a way to do so.

Re: Ignore all authentication requests alerts from a particular IP

tvilas — Tue, 19 Oct 2021 00:16:42 GMT

Hello,

I'm assuming you are referring action_local_ip field from xdr_data, for alerting exclusion you must use the fields on your alert details, you can check this in your Alert table. In this case, most likely will be "Local IP" Nonetheless, the best way is to look at your alerts and check which field the IP you want to exclude encounters, and then move forward with an alert exclusion rule.