Creating an Exception Rule for a PT Automation System


L3 Networker

I have recently encountered a unique use case; we are working with a PT Automation System in which PT attacks are simulated on endpoints within the organization. This is causing quite a ruckus on the XDR tenant, as expected, in terms of alerts. Is there a concrete solution to create an exception rule for actions performed by this host?

We have encountered a problem with Disable Prevention Rules due to the fact that a combination of Behavioural Threats alongside Malware Categories have been identified; therefore, we cannot target each individual action, because it is not a specific threat file. The only data we can identify that is relevant is "Initiated by", which is the remote host PT System.

Does anyone have a solution for this use case, to create an exception and stop prevention on its actions?

Many thanks 

Cortex XDR 

4 replies

L4 Transporter

Hello @michaelsysec242 


Thanks for reaching out to LiveCommunity.


If you simply want to ignore the alerts generated, or want them to be handled automatically, then you can use the remote IP (PT system) field along with the alert source and any other distinguishing field to create an "Alert Exclusion". The second option is to create an automation rule to auto-resolve these alerts with predefined remarks; here again you can filter alerts based on remote IP.

If XDR is doing prevention on this desired activity that you want to perform and you want XDR not to prevent it, then you may need to raise a support case (assuming that there is no particular executable/process behind these alerts).

L3 Networker

Hello @nsinghvirk ,

Thanks for your response! Unfortunately, the issue we have is to do with the Prevention Capabilities. I have opened a support ticket in the past, yet it is not likely there is a concrete solution for this. How would I go about preventing the alerts generated by the PT System's actions?

Many thanks

L3 Networker

In addition to the solution you suggested regarding creating an Automation Rule, I have two options that appear somewhat relevant:

auto-resolving the alert, or reducing the severity to low. Can you suggest another suitable solution along this train of thought?

L4 Transporter

Hello @michaelsysec242 


Since XDR is a security tool designed to prevent malicious activities, which are very similar to what you are trying to achieve through the PT system, disabling prevention capabilities will expose the particular system to the risk of infection. Hence, automation rules will be the effective solution without exposing the system to risk. Please disable these automation rules once your PT activity is finished.
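As an added illustration (not code from the thread or from Cortex XDR itself), the following Python models the automation rule described in the replies: alerts are auto-resolved with a predefined remark only when the remote IP is the PT host, the alert source is one the rule is allowed to touch, and the alert falls inside a bounded test window, so the exception expires on its own once the PT activity is over. All field names, IPs and sample alerts are constructed for this example and do not reflect Cortex XDR's real alert schema.

```python
"""Model of the automation rule the reply describes: alerts whose remote IP
is the PT host (and whose source matches) are auto-resolved with a fixed
remark, but only while the test window is open. Field names and sample
alerts are constructed for illustration, not Cortex XDR's real schema."""
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

@dataclass
class PtWindow:
    """Scope of the exception: which host, which sources, for how long."""
    pt_networks: tuple        # constructed PT host address(es), CIDR form
    sources: frozenset        # alert sources the rule is allowed to touch
    start: datetime
    end: datetime
    remark: str = "Auto-resolved: authorised PT automation activity"

def matches(alert: dict, win: PtWindow) -> bool:
    """True only if remote IP, source and time all fall inside the window."""
    ts = datetime.fromisoformat(alert["timestamp"])
    if not (win.start <= ts <= win.end):
        return False
    if alert.get("source") not in win.sources:
        return False
    try:
        ip = ip_address(alert.get("remote_ip", ""))
    except ValueError:
        return False  # a missing or garbled IP must never satisfy the exception
    return any(ip in ip_network(n) for n in win.pt_networks)

def apply_rule(alerts: list, win: PtWindow) -> list:
    """Return copies of the alerts, auto-resolving the ones the rule matches."""
    out = []
    for a in alerts:
        a = dict(a)
        if matches(a, win):
            a["status"] = "resolved"
            a["remark"] = win.remark
        out.append(a)
    return out

# Constructed samples: PT host inside the window, PT host after it, another host.
SAMPLE_ALERTS = [
    {"id": 1, "remote_ip": "10.20.30.40", "source": "XDR Agent", "timestamp": "2024-05-01T10:00:00+00:00", "status": "new"},
    {"id": 2, "remote_ip": "10.20.30.40", "source": "XDR Agent", "timestamp": "2024-05-03T10:00:00+00:00", "status": "new"},
    {"id": 3, "remote_ip": "192.0.2.7", "source": "XDR Agent", "timestamp": "2024-05-01T11:00:00+00:00", "status": "new"},
]
WINDOW = PtWindow(("10.20.30.40/32",), frozenset({"XDR Agent"}),
                  datetime(2024, 5, 1, tzinfo=timezone.utc), datetime(2024, 5, 2, tzinfo=timezone.utc))
```

Only alert 1 is resolved: alert 2 comes from the PT host but after the window closed, and alert 3 comes from a different host, so both stay open for an analyst.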
