Cortex XDR: False Positive detection of LimaCharlie sensor (EDR agent)

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Cortex XDR: False Positive detection of LimaCharlie sensor (EDR agent)

L0 Member

A number of our customers are complaining about our domains being flagged and, in some cases, blocked by Cortex XDR.

 

The domains in question are:

 

limacharlie.io
9157798c50af372c.lc.limacharlie.io
70182cf634c346bd.lc.limacharlie.io
4d897015b0815621.lc.limacharlie.io
b76093c3662d5b4f.lc.limacharlie.io
aae67d7e76570ec1.lc.limacharlie.io

 


Other than asking customers to add these domains to the Cortex XDR Allow List, how can we get these domains reviewed and added to the appropriate lists to help our customers avoid getting these false positives?

 

The domains are part of our security infrastructure solution, including an endpoint agent for EDR functionality.

 

Thank you.



Please note you are posting a public message where community members and experts can provide assistance. Sharing private information such as serial numbers or company information is not recommended.
1 REPLY 1

Cyber Elite
Cyber Elite

Hi @tilegar ,

Let me clarify few points here:

- From the screenshot you can see that the source of the alert is Analytic BIOC (behavior indicators of compromise) rule. Behavior rules are basically queries for specific behavior indicators against the EDR logs that your agents have uploaded to XDR cloud. XDR agent have allowed the process/event to execute, after that during the periodic log upload agent have uploaded the event logs to the cloud. Which means BIOC rule are always in detection only. That is because the alert have been triggered after analysing the uploaded endpoint logs, so the action has already took place. This means that XDR does not cause any false positive prevention (not blocking anything related to your domain), it only trigger false positive detection  - create an alert in the cloud console for suspicious event that already have happened.  (based on the description probably this is the exact abioc rule - Globally uncommon root domain from a signed process • analytics_documentation.json • Reader • Palo A...)

- Another important note - the source is not just BIOC rule, but Analytic BIOC rule. Analytic rule are looking for anomalies - rare or uncommon events. XDR console is constantly analysing agent logs and create a base line (for example, it says that it is normal for xxx user to generate X failed login events for Y month of time, analytic BIOC will trigger only if the failed login for that user increase above this base line). If you look at the description you can see that alert is triggered, not because the URL/domain is categorized as suspicious, but because the root domain is uncommon for the organization. And by "root-domain" I believe the alert refer to the .io, which means the customer organization doesn't usually connect to URLs/domains in .io, or at least until now. So for me it sounds that the problem is not in your domain, but in the top/root domain you are using.

- Cortex Allow and Block list are used to override the verdict generated by WildFire or Local Analysis, which means those list accept only file hashes. With allow and block list you can tell the XDR agent to always block or always allow a file/process during the pre-execution inspection. Don't confuse Allow/Block list with IOC as well.

 

Having all this in mind I want to summarize:

- XDR does not block any traffic to your domain, it only trigger an alert.

- XDR is not flagging your domain as suspicious, but rather consider the top domain as rarely used for the organization

 

Now I would expect to see such alert only in the beginning your customers that using your product. The regular traffic generated to your domain will create new base line, so I don't expect such events to trigger in the future. But if you prefer you can create Alert Exclusion Alert Exclusions • Cortex XDR Prevent Administrator Guide • Reader • Palo Alto Networks documentatio...

Basically tell the console to not generate alert when specific filter is matched, this way you can suppress these alerts when the destination is one of your domains.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!