Behavioral Alert from Vulnerability Scanner - How to Allow Scans WITHOUT alerts from IP address?


L2 Linker

We use an on-site vulnerability scanner that started triggering behavioral alerts on Cortex endpoints on Monday.  These scans were disabled since they were very disruptive with some endpoints just reporting the issue and others blocking the scan.  All endpoints received the pop-up alerting them to danger.  These scans have been running since before we adopted Cortex and I am going to guess that an update from the scanning vendor added a detection for something new that triggers this alert since Palo updates come out on Wednesday. The behavior alert references "heuristic.b.205", but I am not sure where you find out more info about what that means.  I can see the IP address in the alert that shows what system (i.e. the vulnerability scanner) initiated the string of events that triggered the alert.


I reviewed the documentation and see where you can add an exception for a behavioral alert. I can see on the console where I could add the initiator to the allow list. But I don't think I want to do this since these Microsoft binaries could be used for dangerous activities. Instead I would want to allow this activity only when initiated by this IP address. Going one step further, I think we may just need to set up Cortex so we do not block activities from this specific IP address. I do not see any info in the documentation or this forum on how you might have an allow list that applies to an IP address. Any suggestions?
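One way to get the per-IP behaviour asked about above without allow-listing the binaries themselves is to post-process exported alerts. This is an added example, not code from the thread or from Cortex: the alert records are constructed, the field names (heuristic, initiator_ip, host) and the scanner address are assumptions, and only heuristic.b.205 from the scanner's IP is treated as expected noise.

```python
import ipaddress

# Constructed sample alerts shaped like a console export. The field names
# (heuristic, initiator_ip, host) are assumptions for this example, not Cortex's schema.
SAMPLE_ALERTS = [
    {"id": 1, "heuristic": "heuristic.b.205", "initiator_ip": "10.20.30.5", "host": "ws-101"},
    {"id": 2, "heuristic": "heuristic.b.205", "initiator_ip": "10.20.44.17", "host": "ws-102"},
    {"id": 3, "heuristic": "heuristic.x.000", "initiator_ip": "10.20.30.5", "host": "ws-103"},  # placeholder ID
    {"id": 4, "heuristic": "heuristic.b.205", "initiator_ip": None, "host": "ws-104"},
    {"id": 5, "heuristic": "heuristic.b.205", "initiator_ip": "10.20.30.5", "host": "srv-01"},
]

# Constructed scanner address; CIDR form so a scanner pool can be listed as one entry.
SCANNER_ALLOWLIST = ["10.20.30.5/32"]
# Only the heuristic the scanner is known to trip is eligible for suppression.
SCANNER_NOISE = {"heuristic.b.205"}


def is_allowlisted(ip, allowlist):
    """True if ip falls inside any network in allowlist; missing or malformed IPs never match."""
    if not ip:
        return False
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in ipaddress.ip_network(net, strict=False) for net in allowlist)


def triage(alerts, allowlist=SCANNER_ALLOWLIST, noise=SCANNER_NOISE):
    """Split alerts into (expected, review) id lists.

    An alert is expected scanner noise only when BOTH hold: the heuristic is one the
    scanner is known to trigger AND the causality initiator is an allow-listed address.
    Everything else, including other heuristics from the scanner and the same heuristic
    from any other initiator, stays in the review queue.
    """
    expected, review = [], []
    for alert in alerts:
        if alert["heuristic"] in noise and is_allowlisted(alert.get("initiator_ip"), allowlist):
            expected.append(alert["id"])
        else:
            review.append(alert["id"])
    return expected, review


if __name__ == "__main__":
    ok, todo = triage(SAMPLE_ALERTS)
    print(f"expected scanner noise: {ok}")   # [1, 5]
    print(f"needs analyst review:   {todo}")  # [2, 3, 4]
```

Alert 3 stays in the review queue on purpose: the scanner address is exempt only for the heuristic it is known to trip, so the same PowerShell binaries firing a different detection, or the same detection from another host, still reach an analyst.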

1 accepted solution

Accepted Solutions

L0 Member

Content Update version 320-79444 seems to fix this False-Positive alert.


4 Replies

L2 Linker

As luck would have it I cannot duplicate the issue now that I am back in town on test systems.  I did add the IP address to the malware profile under "Respond to Malicious Causality Chains", but I am not sure if this will resolve this issue.    The Action Center does not show the IP address of the security scanner as being blocked, but I don't know if that resets after some period of time.


Respond to Malicious Causality Chains

L1 Bithead

Hi @EddieRowe 

heuristic.b.205 - POWERSHELL DOWNLOAD CRADLES.

What do you mean by "Instead I would want to allow this activity only when initiated by this IP address"? Do you want to allow/block this BTP from a specific group of endpoints?


Evgeny (Eugene) Palcev | Senior Customer Success Architect, Cortex


I was looking for a way to exclude behavior protection from the IP address that is used by the scanner.
