topic Re: When to use policy changes or alert exceptions in Cortex XDR Discussions

When to use policy changes or alert exceptions

Aiman_Fathima — Thu, 08 Sep 2022 17:06:54 GMT

Hello,

When a BTP rule is blocking a process,

When do we create a policy change and allow the process, and when do we create an alerts exception to allow the process.

Re: When to use policy changes or alert exceptions

neelrohit — Thu, 08 Sep 2022 17:55:31 GMT

Hi @Aiman_Fathima ,

thank you for reaching out to live community!

When a BTP rule is blocking a process and you consider this activity as a false positive, you can create alert exception for the change without changing any configurations in the policy itself. Right click on the alert> Manage alert> Create Alert exception. You can choose a list of parameters by checking the boxes (like SHA256, signer, cgo, cgo cmdline params etc.) to make a logical granular condition. Choose the exception scope(profile for specific set of endpoints using that profile in a policy or global for all endpoints).

This in turn disables the rule within the BTP module triggering the alert and cripples it for the execution of parameters and endpoints you defined above. If this behaviour is expected for larger set of endpoints in your environment and not one off events, you can retrieve the alert data and please reach out to our Palo Alto Networks Technical Assistance Center for content whitelisting or support based exceptions.

Once the engineering team determines the event as a false positive and globally applicable, they would release the fix in a content update and you can disable the alert exception created once you ensure your endpoints get the content version with the fix.

Hope this helps!

Best regards.

Re: When to use policy changes or alert exceptions

RFeyertag — Thu, 08 Sep 2022 21:01:23 GMT

Hello Neelrohit,

thank you for your information. Maybe this informations could find a way to the documentation with a nice cheat sheet?

We are a little bit confused about the broad possibilites to exclude alerts, processes, etc.

Rob

Re: When to use policy changes or alert exceptions

Aiman_Fathima — Fri, 09 Sep 2022 06:19:28 GMT

Hi,

Thanks for the clarification.

Could you please give us more idea about when to use "Malware" profile based whitelisting and when to use "Exception" profile based whitelisting.

Re: When to use policy changes or alert exceptions

neelrohit — Fri, 09 Sep 2022 06:54:55 GMT

@Aiman_Fathima and @RFeyertag ,

This indeed is a broad question as Cortex XDR umpteen number of malware alert categories that can trigger and those can be treated by using methodologies(exceptions and file path whitelists)in different used cases. I would suggest to kindly reach out to you Professional Services Consultant/Customer Success Architect or SE for detailed discussion on the same to outline the used cases and their recommended practice mechanisms.

Best Regards.

Re: When to use policy changes or alert exceptions

neelrohit — Fri, 09 Sep 2022 06:58:00 GMT

Hi @RFeyertag ,

Thank you for reaching out to us and for your suggestions! Please see my response below to the question. We will try to see if that is possible or not as exposing operations mechanisms for security tool on open forum could turn out to be a security issue. However, we will try our best for future line up.

For now I would recommend to kindly reach out to you Professional Services Consultant/Customer Success Team/ SE for the same.

Regards