Processes to be fed into XDR as legitimate activities without whitelisting

NivedaR — Fri, 30 Sep 2022 12:09:22 GMT

Hello,

I understand that XDR has its own analytics or process to generate alerts. Is there way to feed in a process to the analytics so it knows its a legitimate activity without making any exception or whitelist etc.

E.g. A host is observing multiple connections to other hosts but its a legitimate activity. Cortex analytics keeps on throwing alerts/incidents for it . Now we don't want to whitelist this activity because it could be considered as lateral movement also in case of TP's .

Re: Processes to be fed into XDR as legitimate activities without whitelisting

anlynch — Fri, 30 Sep 2022 21:47:02 GMT

@NivedaR

Thanks for reaching out!

In this scenario I recommend creating an exclusion for the alerts since you’re not wanting to be alerted of the false positives, but still want true positives to be handled accordingly. The action will still be blocked, but it won’t produce any alerts/incidents. You can read more about alert exclusions here: https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/investigation-and-response/investigate-endpoint-alerts/alert-exclusions

Unfortunately, there is no way to create exceptions for Analytics-based alerts. If the above is not suitable you could submit the alert data to TAC and request a support exclusion. This would require you to raise this issue with support to create a case: https://www.paloaltonetworks.com/company/contact-support

topic Re: Processes to be fed into XDR as legitimate activities without whitelisting in Cortex XDR Discussions

Processes to be fed into XDR as legitimate activities without whitelisting

Re: Processes to be fed into XDR as legitimate activities without whitelisting