Alerts on Cortex XDR Console

Shashanksinha — Wed, 01 Feb 2023 11:52:47 GMT

Hello,

What is the importance of alerts in cortex XDR? Do we need to work on all the alerts, as we get overwhelmed by the number of alerts.

What is the best practice to fine-tune the alerts so that no important alerts are missed.Is there any documentation available for related to the handling of alerts in Cortex XDR.

Re: Alerts on Cortex XDR Console

mavraham — Wed, 01 Feb 2023 14:04:54 GMT

Hi @Shashanksinha

Thanks for writing to Live Community.

Alert tuning is an important process as part of managing XDR, and should be done on a concurrent basis. The way to properly address alert tuning would be depending on the alert source.

In general, alert tuning in XDR several alert tuning mechanisms:

Agent exceptions
Detection rule exceptions
Utilizing the global hash allowlist
Prevention Module based allow lists
Support exceptions

For example, if through the process of reviewing an incident you want to suppress future alerts from similar sources you need to create an Alert Exclusion policy based on the alerts in said incident.

You can also build alert rules from scratch and use existing alert values to populate your exclusion criteria.

If the alert is IOC/BIOC you might want to take action on specific behavior but exclude some of the indicators.

Starting with version 3.5, you can also manage exceptions from a central location by adding Legacy Exception rules.

We have a great Alert Tuning Video Series over on Live Community which should help you get started on understanding the different sources of alerts and how to address them.

Hope this helps!

topic Alerts on Cortex XDR Console in Cortex XDR Discussions

Alerts on Cortex XDR Console

Re: Alerts on Cortex XDR Console