Best Practice to Ignore or Exclude a list of Domains

cmcneil3 — Thu, 13 Apr 2023 22:09:58 GMT

I am looking for the "Best Practice" method to prevent emailed links from our Security Awareness tool being run through various sandboxes or detonations.

I need to be able to create a list of domains/subdomains and then reference the list of domains so that any playbooks or incidents are automatically closed without analysis being performed on the URLs.

So far I have the following ideas, but I'm not sure which one is the "best" or least likely to cause problems/false positives.

Pre-process Rule
Exclusion List
Various Playbooks
- The one that pulls in emails from our phishing mailbox
- The playbook that processes the emails
- The Phishing playbook
- The playbooks that do domain enrichment or URL detonation

The list of domains is pretty static, but I like the option of referencing a list in case a domain is added or removed from the vendor platform in the future.

Re: Best Practice to Ignore or Exclude a list of Domains

jfernandes1 — Fri, 14 Apr 2023 02:31:19 GMT

Hi @cmcneil3,

I would recommend the basic list feature. (https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Administrator-Guide/Work-With-Lists)

It can be used in both a pre-processor and a playbook task. Screenshots showing the usage below.

Pre-processor Rule

Playbook Task

topic Re: Best Practice to Ignore or Exclude a list of Domains in Cortex XSOAR Discussions

Best Practice to Ignore or Exclude a list of Domains

Re: Best Practice to Ignore or Exclude a list of Domains