12-02-2024 09:06 AM
We have created a disable prevention rule for a few Cortex XDR agent-blocked alerts because they were false-positive.
However, we recently received 2 new alerts with the same fields as the ones for which we created the disable prevention rule.
I only observed that the sha256 value is different for the new alerts.
So is it because of the different sha value the alerts were triggered even though there is a disable prevention rule in place without the new sha values?
12-03-2024 01:28 AM
Hi @Kavurisowmya
Thanks for your query on LC!
Yes, Change in sha256 value would be the reason for new alerts.
You may need to validate the Rule conditions defined for this rule and keep the SHA256 blank if this value is changing OR to generally allow all values.
Give it a like & mark as solution if this helped your query!
Best,
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
