<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Excluding Pentera Box in Cortex XDR Discussions</title>
    <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/excluding-pentera-box/m-p/1232912#M8503</link>
    <description>&lt;P&gt;I am looking to make an exclusion or suppression of some sort for alerts generated by our Pentera Security Validation Tool. I have an SSL certificate loaded into Pentera so I can filter by that certificate if I can. However, for the Vulnerability Scans with Pentera I can't use the SSL cert or any other identifier. Just trying to keep down the noise in Cortex.&lt;/P&gt;</description>
    <pubDate>Mon, 30 Jun 2025 19:23:42 GMT</pubDate>
    <dc:creator>I.Schisel</dc:creator>
    <dc:date>2025-06-30T19:23:42Z</dc:date>
    <item>
      <title>Excluding Pentera Box</title>
      <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/excluding-pentera-box/m-p/1232912#M8503</link>
      <description>&lt;P&gt;I am looking to make an exclusion or suppression of some sort for alerts generated by our Pentera Security Validation Tool. I have an SSL certificate loaded into Pentera so I can filter by that certificate if I can. However, for the Vulnerability Scans with Pentera I can't use the SSL cert or any other identifier. Just trying to keep down the noise in Cortex.&lt;/P&gt;</description>
      <pubDate>Mon, 30 Jun 2025 19:23:42 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/excluding-pentera-box/m-p/1232912#M8503</guid>
      <dc:creator>I.Schisel</dc:creator>
      <dc:date>2025-06-30T19:23:42Z</dc:date>
    </item>
    <item>
      <title>Re: Excluding Pentera Box</title>
      <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/excluding-pentera-box/m-p/1232964#M8505</link>
      <description>&lt;P&gt;With Cortex XDR &lt;STRONG&gt;Pro&lt;/STRONG&gt; you can automate the Alerts via Rules (AutomationRules). I do this with an automation that auto-closes (with subject "pentest") all the alerts when I detect the CGO is from the Pentera MainNode IP (or the RANs, if any). IMHO this is much easier than the possibilities you have with signing the payload and/or using pre/post-fixes within Pentera.&lt;BR /&gt;With this, the alerts/incidents from the pentest stay visible in the Cortex backend (they are not excluded, just closed...) but do not fill your active incidents/alerts table.&lt;BR /&gt;BTW: this also works perfectly well for Detects out from a Vulnerability Assessment only - port scans for instance...&lt;/P&gt;</description>
      <pubDate>Tue, 01 Jul 2025 10:05:06 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/excluding-pentera-box/m-p/1232964#M8505</guid>
      <dc:creator>OMI_RLI</dc:creator>
      <dc:date>2025-07-01T10:05:06Z</dc:date>
    </item>
  </channel>
</rss>

