BIOC Analytics Specific Exceptions and Vendor Exceptions

L3 Networker

Hello all,

I have encountered multiple occurrences in which a specific process raises many of the same BIOC Analytics alert. I understand that the engine is server-side based and that, as a customer, we are not privy to the calculations done on our behalf. With regard to exclusions, an exclusion can only be carried out for the entire alert.

1) Is there a way to individually exclude certain processes that are causing many of the same BIOC Analytics alerts?

2) Is it possible to define on the XDR tenant that you use an additional security product by a different vendor, and that no alerts should be raised by its behaviour, including BIOC Analytics?

In my experience the BIOC Analytics mechanism is very powerful, yet it lacks this fundamental flexibility.

Cortex XDR 

PCSAE
1 accepted solution

Accepted Solutions

L3 Networker

Hi Michaelsysec242,

1. If you are wanting to exclude Analytics BIOC alerts based on process, you can do this through an Exclusion Policy. Navigate to Incident Response > Incident Configuration > Alert Exclusions > +Add Alert Exclusions. Here you can define a policy to exclude alerts based on any combination of criteria using the table filters. For example, I could filter on Alert Source = XDR Analytics BIOC and Initiated By = someGoodProcess.exe. This would exclude any Analytics BIOC alert that is initiated by the defined process. Keep in mind, exclusion policies do not change XDR behavior; they only exclude these alerts from being viewable or from generating incidents. So, if you create exclusion policies for alerts generated from the XDR agent, there is the risk of excluding traffic that could still be blocked.

2. There is no capability to universally allow specific software in the platform. For any agent-side detections, such as the Malware and Exploit protection modules, you would need to ensure each module is set to allow the specific processes; then, for all other alert types such as Analytics, BIOC, IOC, etc., you can create exclusion policies as mentioned above.

Regards,
Ben