Cortex XDR: Allow list behaviour

Cortex XDR: Allow list behaviour

L1 Bithead

Hi all,

 

One week ago I added an artifact (hash) to the allow list. This hash was detected (reported) by the XDR Agent.

 

Today I have a new incident related only to the same artifact (hash), on a different host.

 

 

I was expecting not to see any incident related to this artifact if it is the ONLY artifact the incident relates to.

 

 

Which is the behaviour then of the Allow List functionality?

Thank you,

David. 


L3 Networker

Hi @david.hernandez,

 

When adding SHA256 values to the Hash Allow List, either via Action Center's "Add to allow list", directly from the Incident's Key Artifact, or from the Causality View, the hash is added to the Hash Allow List. This list is then shared with all the XDR agents during the check-in process. If you have added a hash to the Hash Allow List, no further alerting should be generated.

 

Are you sure that you added the hash to the correct option? Which of the above-mentioned options did you use to add the hash to the allow list?

Hi @fmoixsante ,

I added it directly from the Incident's Key Artifact, which now has a grey tick button next to it.


Thank you.

L3 Networker

Hi @david.hernandez  The Allow List feature is to allow execution on the endpoint. In this scenario that you described, you should review the alert source (E.g. XDR BIOC, XDR agent...etc) to determine your next steps in the investigation. If XDR BIOC rule is the alert source, and your analysis indicates the process behavior is not a threat in your environment, then you may want to consider adding the process SHA256 to a Rule Exception (XDR App > Rules > Exceptions). Please note, there are two types of exceptions (Global / Profile) that you may leverage to manage the scope. 

The scenario is as follows: I get an incident from a key artifact with the alert source XDR Agent. A few days later, I get another incident with the same key artifact, which I had added to the allow list. Maybe this is not the expected behaviour? Maybe I should use what you suggest, the Rule Exception?
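As an added illustration of the distinction drawn in this thread (not code from Palo Alto Networks or from any poster), the following Python model encodes the two suppression mechanisms the replies describe: the Hash Allow List, which applies to XDR Agent detections of a file hash, and Rule Exceptions (Global or Profile scoped), which apply to XDR BIOC alerts. The alert records, profile names and policy contents are constructed sample data, and the `triage` function is a hypothetical approximation of the product's logic, not its actual implementation. The `sha256_hex` helper is included so an analyst can recompute a sample's hash locally and confirm it is byte-for-byte the entry on the allow list before concluding the list "did not work".

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class Alert:
    """One alert as it would appear in an incident (constructed sample shape)."""
    source: str   # alert source, e.g. "XDR Agent" or "XDR BIOC"
    sha256: str   # SHA256 of the key artifact
    host: str
    profile: str  # endpoint profile the host is assigned to (hypothetical name)


@dataclass
class Policy:
    """Hypothetical tenant-wide policy state for the two mechanisms in the thread."""
    hash_allow_list: set = field(default_factory=set)
    global_exceptions: set = field(default_factory=set)
    # profile name -> set of SHA256 exceptions scoped to that profile
    profile_exceptions: dict = field(default_factory=dict)


def sha256_hex(data: bytes) -> str:
    """Recompute an artifact hash locally; compare to the allow-list entry verbatim."""
    return hashlib.sha256(data).hexdigest()


def triage(alert: Alert, policy: Policy) -> str:
    """Decide whether an alert is suppressed, and by which mechanism.

    Model only: the Hash Allow List is consulted for XDR Agent hash detections;
    BIOC alerts are not affected by it and need a Rule Exception instead.
    """
    h = alert.sha256.lower()
    if alert.source == "XDR Agent":
        if h in policy.hash_allow_list:
            return "suppressed:hash-allow-list"
        return "incident"
    if alert.source == "XDR BIOC":
        if h in policy.global_exceptions:
            return "suppressed:global-exception"
        if h in policy.profile_exceptions.get(alert.profile, set()):
            return "suppressed:profile-exception"
        return "incident"
    return "incident"


def build_sample_policy(allowed_hash: str) -> Policy:
    """Constructed policy: one allow-listed hash and a profile-scoped exception."""
    return Policy(
        hash_allow_list={allowed_hash},
        global_exceptions=set(),
        profile_exceptions={"Servers": {allowed_hash}},
    )


def run_scenario() -> dict:
    """Replay the thread's scenario with constructed data and return each outcome."""
    sample = b"constructed sample artifact bytes"   # stands in for the real file
    h = sha256_hex(sample)
    policy = build_sample_policy(h)
    alerts = {
        "agent_host1": Alert("XDR Agent", h, "host1", "Workstations"),
        "agent_host2": Alert("XDR Agent", h, "host2", "Workstations"),
        "bioc_host2": Alert("XDR BIOC", h, "host2", "Workstations"),
        "bioc_server": Alert("XDR BIOC", h, "srv1", "Servers"),
    }
    return {name: triage(a, policy) for name, a in alerts.items()}


if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(f"{name}: {outcome}")
```

The point the model makes is the one in the last reply: if the second incident's alert source is a BIOC rule rather than the agent's file-hash verdict, the Hash Allow List does not apply and a Rule Exception (Global, or Profile scoped to limit blast radius) is the control to use. The `sha256_hex` check covers the other common cause, a different build of the same tool on the second host producing a different hash.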
