topic Re: How to stop Duplicate incidents in Cortex XDR Discussions

How to stop Duplicate incidents

RahulPrajapati — Mon, 29 Nov 2021 08:12:02 GMT

Hi,

I am receiving lots of duplicate incidents on my Cortex XDR console. Can anyone please help on how to suppress or stop the duplicate incidents to trigger again and again?

Regards

Re: How to stop Duplicate incidents

bbarmanroy — Mon, 29 Nov 2021 09:45:30 GMT

Hi @RahulPrajapati , an incident is an aggregation of alerts. You may have incidents with the same description if the actions that create the alert keeps occuring.

There are two items that you need to verify from your end:
1. Have you identified from the endpoint or event source if these actions are happening repeatedly to cause new incidents to get created?

2. Have you identified from the Incidents if the artefacts are the same for all duplicate Incidents, and if the actions are happening at the timestamps specified in the alerts grouped inside each Incident?

If you know that these incidents are benign in nature, you can consider creating one or more Alert Exclusions to suppress alerts.

Re: How to stop Duplicate incidents

RahulPrajapati — Tue, 30 Nov 2021 05:18:05 GMT

Hi @bbarmanroy ,

Yes these action are occurring repeatedly and from same artefacts. The file on which we are receiving alerts is malicious in nature and we have blocked its hash. But still, it keeps appearing again even if it is in blocked state.

As per your suggestion to create an alert exclusion to suppress alerts. Will the file remain in blocked state after creating an exclusion? We want that file to remain in blocked state after creating an exclusion.

Regards

Re: How to stop Duplicate incidents

bbarmanroy — Tue, 30 Nov 2021 09:38:08 GMT

Hi @RahulPrajapati Yes, the file continues to remain blocked after creating an exclusion. Exclusions do not influence any XDR agent actions.

Ref: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PO8MCAW

Re: How to stop Duplicate incidents

eluis — Tue, 30 Nov 2021 09:41:36 GMT

Hi @RahulPrajapati ,

after creating the exclussion the malware will be still blocked. Alert exclussion just excludes the alert to create more incidents, but the alerts will be still created (you will be able to find them with xql queries) but wont create noise on your incidents table, just that. And you will still be in safe (malware will remain blocked).

Watch out do not confuse exclussion with exception, exception will make the malware to not to be blocked (alerts wont be created then). So make sure when you create an exception that you know what you are doing otherwise you might be allowing a malware to run and spread over your infrastructure and without being alerted.

On the actions for the malware profile you can choose different actions, try to put it in quarantine.

It will also be good to figure out why this malware is appearing again and again. This is something for you guys to investigate if somebody is downloading it repeatedly or something. So try to figure out the root cause of your infection to end it up for ever.

You can also choose to delete your malware file from all your infrastructure.

Hope this helps,

Luis

Re: How to stop Duplicate incidents

RahulPrajapati — Tue, 30 Nov 2021 13:26:31 GMT

Hi @bbarmanroy and @eluis ,

Thanks for the reply. My queries has been answered.