04-19-2021 03:29 PM - edited 05-05-2021 01:29 PM
Ask your questions from April 27 to May 3: Cortex XDR experts will be available in a Q&A session, so join in, ask questions, learn, and meet our experts! The Ask Me Anything (AMA) Event will focus on alerts, including alert prioritization.
Ask questions from Tuesday, April 27 to Monday, May 3, 2021.
Come back on May 4 from 8am to 10am PT to join the event as our experts answer your questions!
To participate in this event, please use the Reply button below to ask your questions.
Please be sure to click Like if a post is helpful to you and to "Accept as Solution" to let everyone know that the answer to your question hits the mark!
Want to learn more details about the event? Check out this article.
05-04-2021 08:44 AM
@nhussaini wrote: What's the difference between an exclusion and an exception?
Hi @nhussaini,
An (alert) exclusion is used to suppress alerts that are of no value, while a (rule) exception is used to tune rules in protection modules that detect, prevent, and generate alerts within Cortex XDR.
05-04-2021 08:45 AM
@nhussaini wrote: What happens to alerts that are caught by exclusions?
Hi @nhussaini,
Alerts caught by exclusions are prevented from being created in the Cortex XDR tenant, so they are neither shown in the alert table nor attached to an incident. The data for the alert is still available in the QueryBuilder.
05-04-2021 08:46 AM
@MP18 wrote: Hi Team,
Can Alerts that are filtered by exclusions be retrieved?
Regards
Hi @MP18,
No, alerts that are filtered by exclusions cannot be recovered within the Cortex XDR tenant. However, depending on your version of the Cortex XDR Agent, you can look at the Events tab in the console to see recent alerts.
05-04-2021 08:47 AM
@MP18 wrote: Hi Team,
Can you create an exclusion rule from an alert?
Regards
Hi @MP18,
No, any alert you exclude from the quick menu in the alert will only create an exclusion by alert ID.
05-04-2021 08:48 AM
@MP18 wrote: Hi Team,
Should we use exclusion with all alert sources as first response?
Regards
Hi @MP18,
No. As a recommendation, if there is a way to fine-tune the alert without an exclusion, that is preferred. For example: BIOC/IOC - rule tuning; Malware/Exploit - support exception or profile tuning.
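The recommendation above (tune the rule or profile rather than reach for an exclusion) is easier to follow if recurring alerts are grouped before anyone clicks "exclude". The Python script below is an added example and not code from Palo Alto Networks or from this thread. It builds a get_alerts request for the Cortex XDR public API (the endpoint path, header names and filter fields follow the public API documentation; the tenant FQDN, API key and key ID are placeholders), then groups a constructed sample of alerts by alert name, source, process image and signer. Groups that recur with a signed binary are flagged as candidates for rule or profile tuning; everything else is left for individual review. The sample alert field names and the source strings mapped to actions are assumptions, not a guaranteed API schema.

```python
"""Group recent Cortex XDR alerts into 'tune the rule/profile' versus
'review individually' instead of excluding by alert ID as a reflex.

Added example. Endpoint, header names and filter fields follow the Cortex
XDR public API docs; FQDN, key, key ID, sample alert field names and the
source strings are placeholders/assumptions."""
import hashlib
import json
import secrets
import time
from collections import defaultdict
from urllib.request import Request


def advanced_auth_headers(api_key, api_key_id, nonce=None, timestamp_ms=None):
    """Headers for an 'Advanced' API key: the raw key is never sent, the
    server recomputes sha256(key + nonce + timestamp) and compares."""
    nonce = nonce or secrets.token_hex(32)
    timestamp_ms = timestamp_ms or str(int(time.time() * 1000))
    digest = hashlib.sha256((api_key + nonce + timestamp_ms).encode()).hexdigest()
    return {
        "x-xdr-timestamp": timestamp_ms,
        "x-xdr-nonce": nonce,
        "x-xdr-auth-id": str(api_key_id),
        "Authorization": digest,
        "Content-Type": "application/json",
    }


def get_alerts_request(fqdn, api_key, api_key_id, since_ms, severities=("medium", "high")):
    """Build (but do not send) a get_alerts request for alerts created since
    `since_ms`, so the body can be inspected offline."""
    body = {"request_data": {
        "filters": [
            {"field": "creation_time", "operator": "gte", "value": since_ms},
            {"field": "severity", "operator": "in", "value": list(severities)},
        ],
        "search_from": 0,
        "search_to": 100,
        "sort": {"field": "creation_time", "keyword": "desc"},
    }}
    return Request(
        f"https://api-{fqdn}/public_api/v1/alerts/get_alerts/",  # fqdn is a placeholder
        data=json.dumps(body).encode(),
        headers=advanced_auth_headers(api_key, api_key_id),
        method="POST",
    )


# Constructed sample resembling the 'alerts' array of a get_alerts reply (field names assumed).
SAMPLE_ALERTS = [
    {"alert_id": 101, "name": "Suspicious PowerShell download", "source": "XDR BIOC",
     "host_name": "ws01", "action_process_image_name": "powershell.exe",
     "action_process_signature_vendor": "Microsoft Corporation"},
    {"alert_id": 102, "name": "Suspicious PowerShell download", "source": "XDR BIOC",
     "host_name": "ws02", "action_process_image_name": "powershell.exe",
     "action_process_signature_vendor": "Microsoft Corporation"},
    {"alert_id": 103, "name": "Suspicious PowerShell download", "source": "XDR BIOC",
     "host_name": "ws03", "action_process_image_name": "powershell.exe",
     "action_process_signature_vendor": "Microsoft Corporation"},
    {"alert_id": 104, "name": "Suspicious PowerShell download", "source": "XDR BIOC",
     "host_name": "ws01", "action_process_image_name": "powershell.exe",
     "action_process_signature_vendor": "Microsoft Corporation"},
    {"alert_id": 105, "name": "Behavioral Threat", "source": "XDR Agent",
     "host_name": "srv01", "action_process_image_name": "updater.exe",
     "action_process_signature_vendor": "Example Software Inc."},
    {"alert_id": 106, "name": "Behavioral Threat", "source": "XDR Agent",
     "host_name": "srv02", "action_process_image_name": "updater.exe",
     "action_process_signature_vendor": "Example Software Inc."},
    {"alert_id": 107, "name": "Possible credential dumping", "source": "XDR Agent",
     "host_name": "ws07", "action_process_image_name": "unknown.exe",
     "action_process_signature_vendor": None},
    {"alert_id": 108, "name": "Local Analysis Malware", "source": "XDR Agent",
     "host_name": "ws09", "action_process_image_name": "tool.exe",
     "action_process_signature_vendor": "Example Software Inc."},
]

# Preferred fix per alert source, per the answer above (source strings assumed).
TUNING_TARGET = {
    "XDR BIOC": "tune the BIOC rule",
    "XDR IOC": "tune the IOC rule",
    "XDR Agent": "profile tuning or support exception",
}


def triage(alerts, min_repeats=3):
    """Return (tuning candidates sorted by count, alert IDs to review one by one).
    A group only becomes a tuning candidate when it recurs and the process is signed."""
    groups = defaultdict(list)
    for a in alerts:
        signer = a.get("action_process_signature_vendor") or "unsigned"
        groups[(a["name"], a["source"], a["action_process_image_name"], signer)].append(a)
    tune, review = [], []
    for (name, source, proc, signer), members in groups.items():
        if len(members) >= min_repeats and signer != "unsigned":
            tune.append({
                "name": name, "source": source, "process": proc, "signer": signer,
                "count": len(members),
                "hosts": len({m["host_name"] for m in members}),
                "action": TUNING_TARGET.get(source, "review rule/profile"),
                "alert_ids": sorted(m["alert_id"] for m in members),
            })
        else:
            review.extend(m["alert_id"] for m in members)
    tune.sort(key=lambda g: -g["count"])
    return tune, sorted(review)


if __name__ == "__main__":
    req = get_alerts_request("example.xdr.us.paloaltonetworks.com", "PLACEHOLDER-KEY", 1, 0)
    print(req.full_url)
    candidates, leftovers = triage(SAMPLE_ALERTS)
    for c in candidates:
        print(f"{c['count']}x {c['name']} ({c['process']}, {c['signer']}) "
              f"on {c['hosts']} hosts -> {c['action']}")
    print("review individually:", leftovers)
```

The grouping key deliberately includes the signer: a recurring alert on an unsigned binary is exactly the case where a blanket exclusion would hide something worth seeing, so it stays in the review list no matter how often it fires.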
04-27-2021 08:09 AM
Replies are now open!
Please feel free to post your Cortex XDR related questions below!
04-27-2021 09:28 AM
Looking forward to seeing all the great questions.
04-27-2021 11:33 AM
Looking forward to seeing all the great questions.
04-29-2021 01:45 PM
What's the difference between an exclusion and an exception?
04-30-2021 07:42 AM
What happens to alerts that are caught by exclusions?
05-02-2021 03:22 PM
Hi Team,
Can Alerts that are filtered by exclusions be retrieved?
Regards
05-02-2021 03:22 PM
Hi Team,
Can you create an exclusion rule from an alert?
Regards
05-02-2021 03:27 PM
Hi Team,
Should we use exclusion with all alert sources as first response?
Regards
05-04-2021 01:47 AM
Happening TODAY at 8AM PDT - the LIVEcommunity Ask Me Anything (AMA) Q&A event.
Join us, ask questions and learn about Cortex XDR Alerts. Please be sure to click Like if a post is helpful to you and to "Accept as Solution" to let everyone know that the answer to your question hits the mark!
Cheers!
-Kiwi.