06-27-2023 08:02 AM
I have recently encountered a unique use case; we are working with a PT Automation System in which PT attacks are simulated on endpoints within the organization. This is causing quite a ruckus on the XDR tenant, as expected, in terms of alerts. Is there a concrete solution to create an exception rule for actions performed by this host?
We have encountered a problem with Disable Prevention Rules due to the fact that a combination of Behavioural Threats alongside Malware Categories has been identified; therefore, we cannot target each individual action, because it is not a specific threat file. The only data we can identify that is relevant is "Initiated by", which is the remote host PT System.
Does anyone have a solution for this use case, to create an exception and stop prevention on its actions?
Many thanks
06-27-2023 10:24 AM
Hello @michaelsysec242
Thanks for reaching out to LiveCommunity.
If you simply want to ignore the alerts generated, or want them to be handled automatically, then you can use the remote IP (PT system) field along with the alert source and any other distinguishing field to create an "Alert Exclusion". The second option is to create an automation rule to auto-resolve these alerts with predefined remarks; here again you can filter alerts based on remote IP.
If XDR is doing prevention on this desired activity that you want to perform and you want XDR to not prevent it, then you may need to raise a support case (assuming that there is no particular executable/process behind these alerts).
06-28-2023 03:37 AM
Hello @nsinghvirk ,
thanks for your response! Unfortunately, the issue we have is to do with the Prevention Capabilities. I have opened a support ticket in the past yet I am not likely there is a concrete solution for this. How would I go about preventing the alerts generated by the PT Systems' actions?
Many thanks
06-28-2023 03:40 AM
In addition, regarding the solution you suggested about creating an Automation Rule, I have two options that appear somewhat relevant:
auto-resolving the alert or reducing the severity to low. Can you suggest any other suitable solutions along this train of thought?
06-28-2023 05:03 AM
Hello @michaelsysec242
Since XDR is a security tool designed to prevent malicious activities, which are very similar to what you are trying to achieve through the PT system, disabling prevention capabilities will expose the particular system to the risk of infection. Hence, automation rules will be the effective solution without exposing the system to risk. Please disable these automation rules once your PT activity is finished.
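The automation-rule approach discussed in this thread, modelled as an added Python example (not Cortex XDR's own API or anything posted by the participants): a rule scoped by remote IP, alert source and an explicit PT window that either auto-resolves matching alerts with a predefined remark or lowers their severity to low, and leaves everything else untouched. The alert records, field names and the PT host address 10.0.0.50 are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed sample alerts (field names are assumptions, not the XDR schema).
# 10.0.0.50 plays the role of the PT automation host.
SAMPLE_ALERTS = [
    {"id": 1, "remote_ip": "10.0.0.50", "source": "XDR Agent", "severity": "high",
     "status": "new", "ts": "2023-06-28T09:15:00"},
    {"id": 2, "remote_ip": "10.0.0.77", "source": "XDR Agent", "severity": "high",
     "status": "new", "ts": "2023-06-28T09:16:00"},   # other host: must stay untouched
    {"id": 3, "remote_ip": "10.0.0.50", "source": "XDR Agent", "severity": "medium",
     "status": "new", "ts": "2023-07-03T09:00:00"},   # PT host, but after the PT window
    {"id": 4, "remote_ip": "10.0.0.50", "source": "XDR Analytics", "severity": "high",
     "status": "new", "ts": "2023-06-28T09:17:00"},   # PT host, different alert source
]

@dataclass(frozen=True)
class PtExceptionRule:
    """Automation rule scoped by remote IP, alert source and a bounded PT window."""
    remote_ip: str
    source: str
    window_start: datetime
    window_end: datetime
    action: str                      # "resolve" or "lower_severity"
    remark: str = "Authorised PT automation activity (see change ticket)"

    def matches(self, alert: dict) -> bool:
        ts = datetime.fromisoformat(alert["ts"])
        return (alert["remote_ip"] == self.remote_ip
                and alert["source"] == self.source
                and self.window_start <= ts <= self.window_end)

def apply_rule(rule: PtExceptionRule, alerts: list[dict]) -> list[dict]:
    """Return copies of the alerts with the rule applied; unmatched alerts are unchanged."""
    out = []
    for alert in alerts:
        a = dict(alert)
        if a["status"] == "new" and rule.matches(a):
            if rule.action == "resolve":
                a["status"] = "resolved"
                a["remark"] = rule.remark       # predefined remark keeps an audit trail
            elif rule.action == "lower_severity":
                a["severity"] = "low"
            else:
                raise ValueError(f"unknown action {rule.action!r}")
        out.append(a)
    return out

# Rule for one PT engagement; the window is what makes it safe to leave enabled only briefly.
PT_WINDOW = PtExceptionRule("10.0.0.50", "XDR Agent",
                            datetime(2023, 6, 28, 8, 0), datetime(2023, 6, 30, 18, 0), "resolve")
```

Running `apply_rule(PT_WINDOW, SAMPLE_ALERTS)` resolves only alert 1; alerts from other hosts, other sources, or outside the window keep their original status and severity.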