One week ago I added an artifact (hash) to the allow list. This hash was detected (reported) by the XDR Agent.
Today, I have a new incident, related only to the same artifact (hash) (different host).
I was expecting not to see any incident related to this artifact if it is the ONLY thing it is related to.
What, then, is the behaviour of the Allow List functionality?
There are two parts to consider in your scenario. The first is file execution (is the file being blocked / allowed on the endpoint) and the second is the cause of the alert. The allow/block list manages file execution. XDR has multiple layers of protection. I suggest triaging the full context of the alert to understand its cause. The XDR agent has additional Alert Names associated with the XDR agent alert source. For example, in a Behavioral Threat alert you may need to analyze and confirm the initiating process and observed behaviors before determining which process needs to be added to an allow list. In the case of the BTP allow list, the processes on the BTP allow list will not be terminated by the agent when they are part of a malicious causality chain. Alerts will be triggered regardless. Reference the Behavioral Threat Protection module within the Malware endpoint security profile:
If you want to exclude alerts for the process in question within the context of BTP, then you will need to create a support ticket in order to obtain a support exception. I hope this information provides you with a path forward.