
(Ended) Join the discussion for AMA May 4, 2021: Cortex Customer Success - XDR Alerts

Community Manager

Ask your questions from April 27 - May 3 as Cortex XDR experts will be available in a Q&A session for an opportunity to learn, join in, ask questions, and meet our experts! The Ask Me Anything (AMA) Event will be focused on alerts, including alert prioritization.

 

Ask questions from Tuesday, April 27 to Monday, May 3, 2021.

Come back on May 4 from 8am to 10am PT to join the event as our experts answer your questions!

To participate in this event, please use the Reply button below to ask your questions.

Please be sure to click Like if a post is helpful to you and to "Accept as Solution" to let everyone know that the answer to your question hits the mark!

 

Want to learn more details about the event? Check out this article.

Crasmussen - LIVEcommunity Manager 
Remember to click LIKE if a post is helpful to you | Stay Engaged!

Accepted Solutions


@nhussaini wrote:

What's the difference between an exclusion and an exception?


Hi @nhussaini,

An (alert) exclusion is used to suppress alerts that are of no value, while a (rule) exception is used to tune rules in protection modules that detect, prevent, and generate alerts within Cortex XDR.

Visit our Cortex XDR Customer Corner on Live Community to access resources for your product journey, engage in discussions with community members and subject matter experts, and register for upcoming events!

*Cortex XDR Customer Corner: https://live.paloaltonetworks.com/t5/cortex-xdr-customer-corner/ct-p/Cortex_XDR_Customer_Corner

Join our Cortex XDR Office Hours to receive live guidance and training from our Customer Success Architects.

*Cortex XDR Office Hours [NAM]: https://paloaltonetworks.zoom.us/webinar/register/3316669859020/WN_yMpAB-aBTt6xk2h-gsra4w
*Cortex XDR Office Hours [EMEA/APAC]: https://paloaltonetworks.zoom.us/webinar/register/4116709604301/WN_CZuFE5CHQbG9LUEqugsIOw



@nhussaini wrote:

What happens to alerts that are caught by exclusions?


Hi @nhussaini,

Alerts caught by exclusions are prevented from being created in the Cortex XDR tenant, keeping them from being seen in the alert table or being attached in an incident. The data for the alert is still available in the QueryBuilder.



@MP18 wrote:

Hi Team,

 

Can Alerts that are filtered by exclusions be retrieved?

 

Regards


Hi @MP18

 

No, alerts that are filtered by exclusions cannot be recovered within the Cortex XDR tenant. Depending on your version of the Cortex XDR Agent, you can look at the events tab in the console to see recent alerts, however.



@MP18 wrote:

Hi Team,

 

Can you create an exclusion rule from an alert?

 

Regards


Hi @MP18

No, any alert you exclude from the quick menu in the alert will only create an exclusion by alert ID.



@MP18 wrote:

Hi Team,

 

Should we use exclusion with all alert sources as first response?

 

Regards


Hi @MP18

No, as a recommendation, if there is a way to fine-tune the alert without exclusion, that will be preferred. For example, BIOC/IOC - Rules tuning, Malware/Exploit - Support exception or profile tuning.


14 Replies

L7 Applicator

Replies are now open! 
Please feel free to post your Cortex XDR related questions below! 

LIVEcommunity team member
Stay Secure,
Joe
Don't forget to Like items if a post is helpful to you!

L4 Transporter

Looking forward to seeing all the great questions.


L1 Bithead

Looking forward to seeing all the great questions.

L4 Transporter

What's the difference between an exclusion and an exception?

L4 Transporter

What happens to alerts that are caught by exclusions?

Cyber Elite

Hi Team,

 

Can Alerts that are filtered by exclusions be retrieved?

 

Regards

MP

Help the community: Like helpful comments and mark solutions.

Cyber Elite

Hi Team,

 

Can you create an exclusion rule from an alert?

 

Regards

MP


Cyber Elite

Hi Team,

 

Should we use exclusion with all alert sources as first response?

 

Regards

MP


Community Team Member

Happening TODAY at 8AM PDT - the LIVEcommunity Ask Me Anything (AMA) Q&A event.

 

Join us, ask questions and learn about Cortex XDR Alerts. Please be sure to click Like if a post is helpful to you and to "Accept as Solution" to let everyone know that the answer to your question hits the mark!

 

Cheers !

-Kiwi.

 
LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.

