XDR Analytics BIOC Alert exclusion

RFeyertag — Thu, 08 Sep 2022 21:55:58 GMT

Hello dear community members!

how would you exclude this? It is only popping up in one of our houses/domains.

Maybe this way?

Rob

Re: XDR Analytics BIOC Alert exclusion

timurphy — Fri, 09 Sep 2022 16:15:16 GMT

Hi @RFeyertag ,

Yes, you could take a similar approach as the link in your post to create an exclusion for these alerts.

If you wanted to only exclude these types of alerts for specific processes or domains, you could do the following:

Navigate to Detection Rules>BIOC>Analytics BIOC Rules
Edit your layout so that “Global Rule ID” is one of the columns that is displayed in your view
Copy the Rule ID for the BIOC rule you wish to create an exclusion for, in this case - “Recurring rare domain access from an unsigned process”
Navigate to Incident Response>Incident Configuration>Alert Exclusions and click “Add Alert Exclusions”
In your filter, select the “Rule ID” field, select the “=“ operator, and paste the Rule ID value you copied in step 3 as the value. Click “+AND” to add another expression to your filter and choose either the “Initiated By” field (to exclude by process name) or the “Remote Host” field (to exclude by destination domain), select the “=“ operator, and set the value equal to the name of the process or domain generating the alerts you would like to exclude.
Enter a Policy Name/Comment and click "Create" to finish creating the Alert Exclusion.

Regards,

Tim