02-01-2023 03:52 AM
What is the importance of alerts in Cortex XDR? Do we need to work on all the alerts, as we get overwhelmed by the number of alerts?
What is the best practice to fine-tune the alerts so that no important alerts are missed? Is there any documentation available related to the handling of alerts in Cortex XDR?
02-01-2023 06:04 AM
Thanks for writing to Live Community.
Alert tuning is an important process as part of managing XDR, and should be done on a concurrent basis. The way to properly address alert tuning would depend on the alert source.
In general, XDR offers several alert tuning mechanisms:
For example, if through the process of reviewing an incident you want to suppress future alerts from similar sources you need to create an Alert Exclusion policy based on the alerts in said incident.
You can also build alert rules from scratch and use existing alert values to populate your exclusion criteria.
If the alert is an IOC/BIOC alert, you might want to take action on specific behavior but exclude some of the indicators.
Starting with version 3.5, you can also manage exceptions from a central location by adding Legacy Exception rules.
We have a great Alert Tuning Video Series over on Live Community which should help you get started on understanding the different sources of alerts and how to address them.
Hope this helps!