https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/exclusion-criteria-import/m-p/519488#M3058 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/196088">@RicardoWaffle</a> ,</P> <P>&nbsp;</P> <P>You could use an EDL -&gt; <A href="https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/policy/use-an-external-dynamic-list-in-policy/external-dynamic-list" target="_blank">https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/policy/use-an-external-dynamic-list-in-policy/external-dynamic-list</A> with the 700 IP addresses and add them to a block security rule (source address) with logging disabled.&nbsp; The cool thing about an EDL is that updates are pushed to the security policy without the need for a commit.</P> <P>&nbsp;</P> <P>Thanks,</P> <P>&nbsp;</P> <P>Tom</P> Fri, 28 Oct 2022 01:01:38 GMT TomYoung 2022-10-28T01:01:38Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/exclusion-criteria-import/m-p/519423#M3055 <P>Hi all.</P> <P>&nbsp;</P> <P>Does anyone know of a way - or a work around for the following situation.</P> <P>&nbsp;</P> <P>I have a long list (about 700) IPs that I want to create an alert exclusion from. These are external scanners that our firewall blocks and we get a large amount of alerts because of this. I would like to create an alert exclusion so we no longer have to deal with these cluttering up our console. Manually entering 700 IPs into the Remote IP criteria field is not an option. Is there a way to get all the IPs into that criteria, or a way to silence these alerts in another way? I would prefer not to use CIDR ranges as I need a little more granularity than that.</P> <P>&nbsp;</P> <P>Thanks!</P> Thu, 27 Oct 2022 16:31:36 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/exclusion-criteria-import/m-p/519423#M3055 RicardoWaffle 2022-10-27T16:31:36Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/exclusion-criteria-import/m-p/519488#M3058 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/196088">@RicardoWaffle</a> ,</P> <P>&nbsp;</P> <P>You could use an EDL -&gt; <A href="https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/policy/use-an-external-dynamic-list-in-policy/external-dynamic-list" target="_blank">https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/policy/use-an-external-dynamic-list-in-policy/external-dynamic-list</A> with the 700 IP addresses and add them to a block security rule (source address) with logging disabled.&nbsp; The cool thing about an EDL is that updates are pushed to the security policy without the need for a commit.</P> <P>&nbsp;</P> <P>Thanks,</P> <P>&nbsp;</P> <P>Tom</P> Fri, 28 Oct 2022 01:01:38 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/exclusion-criteria-import/m-p/519488#M3058 TomYoung 2022-10-28T01:01:38Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/exclusion-criteria-import/m-p/519522#M3059 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/196088">@RicardoWaffle</a>&nbsp;there are a few workarounds to the ask</P> <P>1. import all IP addresses to IOC list, and create an exclusion policy for all alert sources as IOC, description containing IP addresses and action as Prevented (or variations of it, depending on how the firewall events are enumerated in XDR). This will exclude all alerts having the term IP in the description (including the ones that are not in the list of 700 IP's).</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="bbarmanroy_0-1666947740797.png" style="width: 616px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/44957iFFCC7A56921A0063/image-dimensions/616x134/is-moderation-mode/true?v=v2" width="616" height="134" role="button" title="bbarmanroy_0-1666947740797.png" alt="bbarmanroy_0-1666947740797.png" /></span></P> <P>&nbsp;</P> <P>2. a wider action would be exclude all blocked events from the firewall&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="bbarmanroy_1-1666947849777.png" style="width: 598px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/44958i0DCDC916BC7CBA0D/image-dimensions/598x181/is-moderation-mode/true?v=v2" width="598" height="181" role="button" title="bbarmanroy_1-1666947849777.png" alt="bbarmanroy_1-1666947849777.png" /></span></P> <P>&nbsp;</P> <P>Give either action a shot depending on your preference, and see what works best for your environment.</P> Fri, 28 Oct 2022 09:05:18 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/exclusion-criteria-import/m-p/519522#M3059 bbarmanroy 2022-10-28T09:05:18Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/exclusion-criteria-import/m-p/519689#M3071 <P>Thank you both for your replies. Very helpful!</P> <P>&nbsp;</P> <P>I'll look into each solution for our environment.</P> <P>&nbsp;</P> <P>Cheers!</P> Mon, 31 Oct 2022 15:20:25 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/exclusion-criteria-import/m-p/519689#M3071 RicardoWaffle 2022-10-31T15:20:25Z