<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic BIOC Analytics Specific Exceptions and Vendor Exceptions in Cortex XDR Discussions</title>
    <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/bioc-analytics-specific-exceptions-and-vendor-exceptions/m-p/512786#M2672</link>
    <description>&lt;P&gt;Hello all,&lt;/P&gt;
&lt;P&gt;I have encountered multiple occurrences in which a specific process raises many of the same BIOC Analytics alert. I understand that the engine is server-side and that, as a customer, we are not privy to the calculations done on our behalf. In regard to exclusion, exclusion can only be carried out for the entire alert.&lt;/P&gt;
&lt;P&gt;1) Is there a way to individually exclude certain processes that are causing many of the same BIOC Analytics alerts?&lt;/P&gt;
&lt;P&gt;2) Is it possible to define on the XDR Tenant that you use an additional security product by a different vendor and that no alerts should be raised by their behaviour including BIOC Analytics?&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;In my experience the BIOC Analytics Mechanism is very powerful yet lacks this fundamental flexibility.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;LI-PRODUCT title="Cortex XDR" id="Cortex_XDR"&gt;&lt;/LI-PRODUCT&gt;&amp;nbsp;&lt;/P&gt;</description>
    <pubDate>Wed, 24 Aug 2022 06:41:46 GMT</pubDate>
    <dc:creator>michaelsysec242</dc:creator>
    <dc:date>2022-08-24T06:41:46Z</dc:date>
    <item>
      <title>BIOC Analytics Specific Exceptions and Vendor Exceptions</title>
      <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/bioc-analytics-specific-exceptions-and-vendor-exceptions/m-p/512786#M2672</link>
      <description>&lt;P&gt;Hello all,&lt;/P&gt;
&lt;P&gt;I have encountered multiple occurrences in which a specific process raises many of the same BIOC Analytics alert. I understand that the engine is server-side and that, as a customer, we are not privy to the calculations done on our behalf. In regard to exclusion, exclusion can only be carried out for the entire alert.&lt;/P&gt;
&lt;P&gt;1) Is there a way to individually exclude certain processes that are causing many of the same BIOC Analytics alerts?&lt;/P&gt;
&lt;P&gt;2) Is it possible to define on the XDR Tenant that you use an additional security product by a different vendor and that no alerts should be raised by their behaviour including BIOC Analytics?&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;In my experience the BIOC Analytics Mechanism is very powerful yet lacks this fundamental flexibility.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;LI-PRODUCT title="Cortex XDR" id="Cortex_XDR"&gt;&lt;/LI-PRODUCT&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Wed, 24 Aug 2022 06:41:46 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/bioc-analytics-specific-exceptions-and-vendor-exceptions/m-p/512786#M2672</guid>
      <dc:creator>michaelsysec242</dc:creator>
      <dc:date>2022-08-24T06:41:46Z</dc:date>
    </item>
    <item>
      <title>Re: BIOC Analytics Specific Exceptions and Vendor Exceptions</title>
      <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/bioc-analytics-specific-exceptions-and-vendor-exceptions/m-p/512854#M2688</link>
      <description>&lt;P&gt;Hi Michaelsysec242,&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;1. If you want to exclude Analytics BIOC alerts based on process, you can do this through an Exclusion Policy. Navigate to Incident Response &amp;gt; Incident Configuration &amp;gt; Alert Exclusions &amp;gt; +Add Alert Exclusions. Here you can define a policy to exclude alerts based on any combination of criteria using the table filters. For example, I could filter on &lt;EM&gt;Alert Source = XDR Analytics BIOC and Initiated By = someGoodProcess.exe&lt;/EM&gt;. This would exclude any Analytics BIOC alert that is initiated by the defined process. Keep in mind that Exclusion policies do not change XDR behavior; they only exclude these alerts from being viewable or from generating Incidents. So if you create Exclusion policies for alerts generated from the XDR agent, there is the risk of excluding traffic that could still be blocked.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;2. There is no capability to universally allow specific software in the platform. For any agent side detections such as the Malware and Exploit protection modules, you would need to ensure each module is set to allow the specific processes, then for all other alert types such as Analytics, BIOC, IOC etc. you can create Exclusion policies as mentioned above.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Regards,&lt;BR /&gt;Ben&lt;BR /&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Wed, 24 Aug 2022 14:50:05 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/bioc-analytics-specific-exceptions-and-vendor-exceptions/m-p/512854#M2688</guid>
      <dc:creator>bbucao</dc:creator>
      <dc:date>2022-08-24T14:50:05Z</dc:date>
    </item>
  </channel>
</rss>

