This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Cookie Policy. Click Preferences to customize your cookie settings.
Cortex XDR: Allow list behaviour
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- LIVEcommunity
- Discussions
- Security Operations
- Cortex XDR Discussions
- Cortex XDR: Allow list behaviour
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Printer Friendly Page
Cortex XDR: Allow list behaviour
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
07-14-2021 03:22 AM - edited 07-14-2021 03:22 AM
Hi all,
One week ago I added an artifact (hash) to the allow list. This hash was deteced (reported) by the XDR Agent.
Today, I have a new incident, only related with the same artifact(hash) (different host).
I was expecting of not seing any incident related with this artifact if it is the ONLY related to.
Which is the behaviour then of the Allow List functionality?
Thank you,
David.
6 REPLIES 6
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
07-20-2021 10:36 AM
There are two parts to consider in your scenario. The first is file execution (is the file being block / allow on the endpoint) and the second is the cause for alert. The allow/ block list is manage file execution. XDR has multiple layers of protection. I suggest to triage the full context of the alert to understand the cause for the alert. The XDR agent has additional Alert Names associated with the XDR agent alert source. For example, in a Behavioral Threat alert you may need analyze and confirm the initiating process and observed behaviors before making the determination of which process needs to be add to an allow list. In the case of BTP Allow list. The processes on the BTP allow list will not be terminated by the agent when are part of a malicious causality chain. Alerts will be triggered regardless. Reference the Behavioral Threat Protection module within the Malware endpoint security profile:
If you want to exclude alerts for the process in question within the context of BTP, then you will need to create a support ticket in order to obtain a support exception. I hope this information provides you with a path forward.
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
07-22-2021 10:20 AM
Thank you for your help. I will try to investigate from there.
Related Content
- Cortex XDR malware scan in Cortex XDR Discussions
- Cortex XDR disabling itself in Cortex XDR Discussions
- IOC Upload automation in Cortex XDR in Cortex XDR Discussions
- Cortex XDR agent installation suggestions for a Proxmox host and its LXC containers in Cortex XDR Discussions
- Searching for multiple hashes on cortex XDR in Cortex XDR Discussions
Like what you see?
Show your appreciation!
Click Like if a post is helpful to you or if you just want to show your support.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
LEGAL NOTICES
Copyright 2007 - 2023 - Palo Alto Networks