https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/behavioral-alert-from-vulnerability-scanner-how-to-allow-scans/m-p/456271#M1409 <P>We use an on-site vulnerability scanner that started triggering behavioral alerts on Cortex endpoints on Monday.&nbsp; These scans were disabled since they were very disruptive with some endpoints just reporting the issue and others blocking the scan.&nbsp; All endpoints received the pop-up alerting them to danger.&nbsp; These scans have been running since before we adopted Cortex and I am going to guess that an update from the scanning vendor added a detection for something new that triggers this alert since Palo updates come out on Wednesday. The behavior alert references "<SPAN>heuristic.b.205", but I am not sure where you find out more info about what that means.&nbsp; I can see the IP address in the alert that shows what system (i.e. the vulnerability scanner) initiated the string of events that triggered the alert.</SPAN></P><P>&nbsp;</P><P>I reviewed the documentation and see where you can add an exception for a behavioral alert.&nbsp; I can see on the console where I could add the initiator to the allow list.&nbsp; But I don't think I want to do this since this these Microsoft binaries could be used for dangerous activities.&nbsp; Instead I would want to allow this activity only when initiated by this IP address.&nbsp; Going one step further I think we may just need to setup Cortex so we do not block activities from this specific IP address.&nbsp; I do not see any info in the documentation or this forum on how you might have an allow list that applies to an IP address.&nbsp; Any suggestions?</P> Fri, 31 Dec 2021 20:45:10 GMT EddieRowe 2021-12-31T20:45:10Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/behavioral-alert-from-vulnerability-scanner-how-to-allow-scans/m-p/456271#M1409 <P>We use an on-site vulnerability scanner that started triggering behavioral alerts on Cortex endpoints on Monday.&nbsp; These scans were disabled since they were very disruptive with some endpoints just reporting the issue and others blocking the scan.&nbsp; All endpoints received the pop-up alerting them to danger.&nbsp; These scans have been running since before we adopted Cortex and I am going to guess that an update from the scanning vendor added a detection for something new that triggers this alert since Palo updates come out on Wednesday. The behavior alert references "<SPAN>heuristic.b.205", but I am not sure where you find out more info about what that means.&nbsp; I can see the IP address in the alert that shows what system (i.e. the vulnerability scanner) initiated the string of events that triggered the alert.</SPAN></P><P>&nbsp;</P><P>I reviewed the documentation and see where you can add an exception for a behavioral alert.&nbsp; I can see on the console where I could add the initiator to the allow list.&nbsp; But I don't think I want to do this since this these Microsoft binaries could be used for dangerous activities.&nbsp; Instead I would want to allow this activity only when initiated by this IP address.&nbsp; Going one step further I think we may just need to setup Cortex so we do not block activities from this specific IP address.&nbsp; I do not see any info in the documentation or this forum on how you might have an allow list that applies to an IP address.&nbsp; Any suggestions?</P> Fri, 31 Dec 2021 20:45:10 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/behavioral-alert-from-vulnerability-scanner-how-to-allow-scans/m-p/456271#M1409 EddieRowe 2021-12-31T20:45:10Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/behavioral-alert-from-vulnerability-scanner-how-to-allow-scans/m-p/456272#M1410 <P><SPAN>As luck would have it I cannot duplicate the issue now that I am back in town on test systems.&nbsp;&nbsp;</SPAN>I did add the IP address to the malware profile under "<SPAN>Respond to Malicious Causality Chains", but I am not sure if this will resolve this issue.&nbsp; &nbsp; The Action Center does not show the IP address of the security scanner as being blocked, but I don't know if that resets after some period of time.</SPAN></P><P>&nbsp;</P><P><SPAN>Respond to Malicious Causality Chains</SPAN></P> Fri, 31 Dec 2021 20:54:45 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/behavioral-alert-from-vulnerability-scanner-how-to-allow-scans/m-p/456272#M1410 EddieRowe 2021-12-31T20:54:45Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/behavioral-alert-from-vulnerability-scanner-how-to-allow-scans/m-p/456374#M1411 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/159609">@EddieRowe</a>&nbsp;</P><P><SPAN>heuristic.b.205 - POWERSHELL DOWNLOAD CRADLES.</SPAN></P><P><SPAN>What do you mean by "&nbsp;Instead I would want to allow this activity only when initiated by this IP address"? Do you want to allow/block this BTP from a specific group of endpoints?</SPAN></P><P>&nbsp;</P> Mon, 03 Jan 2022 09:33:01 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/behavioral-alert-from-vulnerability-scanner-how-to-allow-scans/m-p/456374#M1411 epalcev 2022-01-03T09:33:01Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/behavioral-alert-from-vulnerability-scanner-how-to-allow-scans/m-p/456454#M1412 <P>Content Update version 320-79444 seems to fix this False-Positive alert.</P> Mon, 03 Jan 2022 18:13:17 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/behavioral-alert-from-vulnerability-scanner-how-to-allow-scans/m-p/456454#M1412 IonPuscasu 2022-01-03T18:13:17Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/behavioral-alert-from-vulnerability-scanner-how-to-allow-scans/m-p/457591#M1428 <P>I was looking for a way to exclude behavior protection from the IP address that is used by the scanner.</P> Fri, 07 Jan 2022 21:16:22 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/behavioral-alert-from-vulnerability-scanner-how-to-allow-scans/m-p/457591#M1428 EddieRowe 2022-01-07T21:16:22Z