https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/best-way-to-exclude-legitimate-behaviours/m-p/470492#M1606 <P>Hello In the second line above do you mean ' I add it as alert exclusion ' or ' I add it as alert exemption ' ?</P> Fri, 04 Mar 2022 10:55:47 GMT Balaraju 2022-03-04T10:55:47Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/best-way-to-exclude-legitimate-behaviours/m-p/352162#M337 <P>When it comes to excluding legitimate behaviours from BIOC rules, as far as I can see, there are 3 options:</P><OL><LI>Modify the BIOC rule itself adding "not equal to" logic.</LI><LI>Add BIOC rule exclusion at&nbsp;<A href="https://live.paloaltonetworks.com/" target="_blank">https://&lt;organisation&gt;.xdr.eu.paloaltonetworks.com/rules/exceptions</A></LI><LI>Add incident / alert exclusion at&nbsp;<A href="https://live.paloaltonetworks.com/" target="_self">https://&lt;organisation&gt;.xdr.eu.paloaltonetworks.com/exclusion</A></LI></OL><P>What is the recommended way and differences between these methods?</P><P>Thanks.</P> Fri, 25 Sep 2020 15:46:47 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/best-way-to-exclude-legitimate-behaviours/m-p/352162#M337 BenHooper 2020-09-25T15:46:47Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/best-way-to-exclude-legitimate-behaviours/m-p/359337#M366 <P>While I'm awaiting a reply, just so others know, a side effect of modifying an existing BIOC rules is that a significant number of its alerts / incidents get re-created.</P> Wed, 28 Oct 2020 11:35:17 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/best-way-to-exclude-legitimate-behaviours/m-p/359337#M366 BenHooper 2020-10-28T11:35:17Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/best-way-to-exclude-legitimate-behaviours/m-p/365196#M391 <P>BenHooper,</P><P>&nbsp;</P><P>I'm not saying this is the "recommended" way for excluding legitimate behaviors,&nbsp; but what I have done so far.</P><P>When an alert is created, and verifying that it is legitimate, I add it as an alert exclusion.</P><P>The thought being that the alert exclusion would be a smaller print versus excluding the whole BIOC rule.</P><P>&nbsp;</P><P>Hope that helps,</P><P>DJohnson84</P> Tue, 24 Nov 2020 13:05:58 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/best-way-to-exclude-legitimate-behaviours/m-p/365196#M391 DJohnson84 2020-11-24T13:05:58Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/best-way-to-exclude-legitimate-behaviours/m-p/470492#M1606 <P>Hello In the second line above do you mean ' I add it as alert exclusion ' or ' I add it as alert exemption ' ?</P> Fri, 04 Mar 2022 10:55:47 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/best-way-to-exclude-legitimate-behaviours/m-p/470492#M1606 Balaraju 2022-03-04T10:55:47Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/best-way-to-exclude-legitimate-behaviours/m-p/470807#M1621 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/210067">@Balaraju</a>&nbsp;both rule (alert) exceptions and alert exclusions exist in Cortex XDR.</P><P>When you exclude an alert, the alert will still be triggered by the agent and sent to XDR tenant. However, it will not be stitched into an incident. Here the action is performed by the XDR tenant. The alerts will appear in the Alerts table.</P><P>On the other hand,&nbsp;an alert exception will cause the alert not to be triggered by the agent. The action is performed by the agent.<BR /><BR /><BR /></P> Mon, 07 Mar 2022 05:47:17 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/best-way-to-exclude-legitimate-behaviours/m-p/470807#M1621 bbarmanroy 2022-03-07T05:47:17Z