https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/how-to-influence-the-xdr-analytics-bioc-and-the-backend-engine/m-p/616218#M7407 <P>Hello,</P> <P>&nbsp;</P> <P>The XDR Analytics BIOC alerts are created based on for example rare events that occur in your environment.</P> <P>&nbsp;</P> <P>Is there a way to influence the backend system for example:</P> <P>If I add a hash to the allow list will that make the process trusted and not create alerts for it even if its rare?<BR /><BR />My question is how can these types of alerts be influenced rather than just creating exceptions.</P> Wed, 06 Nov 2024 09:14:53 GMT AvesterFahimipour 2024-11-06T09:14:53Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/how-to-influence-the-xdr-analytics-bioc-and-the-backend-engine/m-p/616218#M7407 <P>Hello,</P> <P>&nbsp;</P> <P>The XDR Analytics BIOC alerts are created based on for example rare events that occur in your environment.</P> <P>&nbsp;</P> <P>Is there a way to influence the backend system for example:</P> <P>If I add a hash to the allow list will that make the process trusted and not create alerts for it even if its rare?<BR /><BR />My question is how can these types of alerts be influenced rather than just creating exceptions.</P> Wed, 06 Nov 2024 09:14:53 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/how-to-influence-the-xdr-analytics-bioc-and-the-backend-engine/m-p/616218#M7407 AvesterFahimipour 2024-11-06T09:14:53Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/how-to-influence-the-xdr-analytics-bioc-and-the-backend-engine/m-p/616226#M7408 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/325593">@AvesterFahimipour</a>&nbsp;<BR /><BR />Thanks for your query on LC!<BR /><BR />For this, I think we need more understanding on how different modules and protection flow work.<BR />Creating an exception for a process based on hash will exempt the process in the initial stages of execution however if the sam process is ben caught by other modules like BTP or Analytics or BIOC with suspicious activity then the action will be terminated or reported based on the module.<BR /><BR /><SPAN class="italic">Analytics behavioral indicators of compromise (BIOC)s</SPAN><SPAN>. In contrast to standard Analytics alerts, Analytics BIOCs (</SPAN><SPAN class="italic">ABIOCs</SPAN><SPAN>)—indicate a single event of suspicious behavior with an identified chain of causality. To identify the context and chain of causality, ABIOCs leverage user, endpoint, and network profiles. The profile is generated by the Analytics Engine and can be based on a simple statistical profile or a more complex machine-learning profile.&nbsp;</SPAN><SPAN class="phrase">Cortex XDR</SPAN><SPAN>&nbsp;tailors each ABIOC to your specific environment after analyzing your logs and data sources and continually tunes and delivers new ABIOCs with content updates.</SPAN><BR />Ref -&nbsp;<A href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Analytics-Concepts?section=UUID-7a3f4a9a-7a44-5523-ab5c-5310800e72af_UUID-c5195632-e53d-23ab-27f0-c8cda46d9dcc" target="_blank" rel="noopener">https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Analytics-Concepts?section=UUID-7a3f4a9a-7a44-5523-ab5c-5310800e72af_UUID-c5195632-e53d-23ab-27f0-c8cda46d9dcc</A><BR /><BR />Regards,<BR /><BR /><BR /></P> Wed, 06 Nov 2024 10:30:44 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/how-to-influence-the-xdr-analytics-bioc-and-the-backend-engine/m-p/616226#M7408 nar 2024-11-06T10:30:44Z