We use an on-site vulnerability scanner that started triggering behavioral alerts on Cortex endpoints on Monday. These scans were disabled since they were very disruptive with some endpoints just reporting the issue and others blocking the scan. All endpoints received the pop-up alerting them to danger. These scans have been running since before we adopted Cortex and I am going to guess that an update from the scanning vendor added a detection for something new that triggers this alert since Palo updates come out on Wednesday. The behavior alert references "heuristic.b.205", but I am not sure where you find out more info about what that means. I can see the IP address in the alert that shows what system (i.e. the vulnerability scanner) initiated the string of events that triggered the alert.
I reviewed the documentation and see where you can add an exception for a behavioral alert. I can see on the console where I could add the initiator to the allow list. But I don't think I want to do this since these Microsoft binaries could be used for dangerous activities. Instead I would want to allow this activity only when initiated by this IP address. Going one step further, I think we may just need to set up Cortex so we do not block activities from this specific IP address. I do not see any info in the documentation or this forum on how you might have an allow list that applies to an IP address. Any suggestions?
As luck would have it I cannot duplicate the issue now that I am back in town on test systems. I did add the IP address to the malware profile under "Respond to Malicious Causality Chains", but I am not sure if this will resolve this issue. The Action Center does not show the IP address of the security scanner as being blocked, but I don't know if that resets after some period of time.
Respond to Malicious Causality Chains
heuristic.b.205 - POWERSHELL DOWNLOAD CRADLES.
What do you mean by "Instead I would want to allow this activity only when initiated by this IP address"? Do you want to allow/block this BTP from a specific group of endpoints?
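The thread's underlying design question is whether to allow-list the binary (powershell.exe) or to scope the exception to the known scanner and the specific rule it trips (heuristic.b.205). The following is an added example, not code from the original thread or from Palo Alto Networks, that models both policies over a few constructed alert records so the difference is visible. The record field names (`rule`, `initiator_ip`, `process`, `host`), the `placeholder.rule.other` rule name and the scanner subnet are assumptions for the illustration, not the product's schema or settings.

```python
import ipaddress
import json
from dataclasses import dataclass

# Constructed sample alert records in a simplified JSON-lines shape.
# Field names are an assumption for this example, not Cortex XDR's export format.
SAMPLE_ALERT_LINES = """
{"id": 1, "rule": "heuristic.b.205", "initiator_ip": "10.10.5.20", "process": "powershell.exe", "host": "WS-001"}
{"id": 2, "rule": "heuristic.b.205", "initiator_ip": "10.10.5.20", "process": "powershell.exe", "host": "WS-002"}
{"id": 3, "rule": "heuristic.b.205", "initiator_ip": "192.168.44.7", "process": "powershell.exe", "host": "WS-003"}
{"id": 4, "rule": "placeholder.rule.other", "initiator_ip": "10.10.5.20", "process": "powershell.exe", "host": "WS-001"}
""".strip()


@dataclass(frozen=True)
class ScannerException:
    """Narrow exception: suppress only a known rule when the initiator is the scanner."""
    scanner_networks: tuple   # tuple of ipaddress networks the scanner lives in (assumed)
    rules: frozenset          # rule names the scanner is known to trigger


def parse_alerts(text):
    """Parse JSON-lines alert records; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def classify_broad(alert, allowed_processes):
    """Model of allow-listing the initiating binary itself.

    Any alert whose process is on the list is suppressed, regardless of where the
    activity came from. This is the option the original poster did not want.
    """
    return "suppress" if alert["process"] in allowed_processes else "escalate"


def classify_narrow(alert, exc: ScannerException):
    """Model of an exception scoped to both the rule and the scanner's address.

    Both conditions must hold; anything else goes to an analyst as usual.
    """
    ip = ipaddress.ip_address(alert["initiator_ip"])
    from_scanner = any(ip in net for net in exc.scanner_networks)
    known_rule = alert["rule"] in exc.rules
    return "suppress" if (from_scanner and known_rule) else "escalate"


def triage(alert_text, exc, allowed_processes):
    """Return {alert id: (broad decision, narrow decision)} for comparison."""
    return {
        a["id"]: (classify_broad(a, allowed_processes), classify_narrow(a, exc))
        for a in parse_alerts(alert_text)
    }


# Assumed scanner subnet and the rule named in the thread.
SCANNER_EXCEPTION = ScannerException(
    scanner_networks=(ipaddress.ip_network("10.10.5.0/24"),),
    rules=frozenset({"heuristic.b.205"}),
)

if __name__ == "__main__":
    for alert_id, (broad, narrow) in triage(
        SAMPLE_ALERT_LINES, SCANNER_EXCEPTION, {"powershell.exe"}
    ).items():
        print(f"alert {alert_id}: binary allow-list -> {broad:8}  rule+IP exception -> {narrow}")
```

Alert 3 is the case that matters: the same rule fires from an address that is not the scanner, and the binary allow-list silently suppresses it while the rule-plus-IP exception still escalates it. Alert 4 shows the other direction, a different rule from the scanner still reaches an analyst instead of being blanket-trusted because of its source.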