08-23-2022 11:41 PM
Hello all,
I have encountered multiple occurrences in which a specific process raise many of the same BIOC Analytics Alert. I understand that engine is based on server side and as a customer we are not privy to see what calculations are done on our behalf. In regards to Exclusion, exclusion can only be carried out for the entire alert.
1) Is there a way to individually exclude certain processes that are causing many of the same BIOC Analytics alerts ?
2) Is it possible to define on the XDR Tenant that you use an additional security product by a different vendor and that no alerts should be raised by their behaviour including BIOC Analytics?
In my experience the BIOC Analytics Mechanism is very powerful yet lacks this fundamental flexibility.
08-24-2022 07:50 AM
Hi Michaelsysec242,
1. If you are wanting to exclude Analytic BIOC alerts based on process, you can do this through an Exclusion Policy. Navigate to Incident Response > Incident Configuration > Alert Exclusions > +Add Alert Exclusions. Here you can define a policy to exclude alerts based on any combination of criteria using the table filters. For example I could filter on Alert Source = XDR Analytics BIOC and Initiated By = someGoodProcess.exe. This would Exclude any Analytic BIOC alert that is initiated by the defined process. Keep in mind, Exclusion policies do not change XDR behavior, they only exclude these alerts from being viewable or generating Incidents, So if you create Exclusion policies for alerts generated from the XDR agent, there is the risk of excluding traffic that could still be blocked.
2. There is no capability to universally allow specific software in the platform. For any agent side detections such as the Malware and Exploit protection modules, you would need to ensure each module is set to allow the specific processes, then for all other alert types such as Analytics, BIOC, IOC etc. you can create Exclusion policies as mentioned above.
Regards,
Ben
08-24-2022 07:50 AM
Hi Michaelsysec242,
1. If you are wanting to exclude Analytic BIOC alerts based on process, you can do this through an Exclusion Policy. Navigate to Incident Response > Incident Configuration > Alert Exclusions > +Add Alert Exclusions. Here you can define a policy to exclude alerts based on any combination of criteria using the table filters. For example I could filter on Alert Source = XDR Analytics BIOC and Initiated By = someGoodProcess.exe. This would Exclude any Analytic BIOC alert that is initiated by the defined process. Keep in mind, Exclusion policies do not change XDR behavior, they only exclude these alerts from being viewable or generating Incidents, So if you create Exclusion policies for alerts generated from the XDR agent, there is the risk of excluding traffic that could still be blocked.
2. There is no capability to universally allow specific software in the platform. For any agent side detections such as the Malware and Exploit protection modules, you would need to ensure each module is set to allow the specific processes, then for all other alert types such as Analytics, BIOC, IOC etc. you can create Exclusion policies as mentioned above.
Regards,
Ben
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
