Exception and exclusion tips & trick / best practices

L1 Bithead

Hello, 

I'm looking for best practices or guides on how to add exceptions and exclusions in Cortex XDR.

All I found was this LIVEcommunity video - https://www.youtube.com/watch?v=dlbxibEtxR8, but it was added before Disable Prevention Rules was available. I think this feature changes a lot regarding this topic.

What do you recommend using and why? 

From my understanding, when we use Legacy Exceptions then no alert is generated when a certain event happens.
On the other hand, using Disable Prevention Rules will still generate the alert, and then as an additional action we can exclude this alert using Exclusion Rules so it is not shown in the XDR console.

What are the use cases for using one or another?

I think this topic is tricky 🙂 

2 REPLIES

L2 Linker

Hi @xdrxdrxdr ,

Thank you for reaching out to Palo Alto Networks live community.

Alert exclusion rules do not alter the XDR agent's behavior in any way; instead, they conceal alerts and prevent them from being included in incidents. Additionally, if you choose to apply the exclusion to past alerts when creating an alert exclusion policy, any alerts that currently match the rule requirements will be grayed out in the alerts table. A current incident will automatically resolve if all of its alerts are excluded.

For more information refer:
https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Prevent-Administrator-Guide/Add-an-...
However, the XDR agent's behavior DOES change when an exception rule is created. Cortex XDR will stop responding to matching traffic and will not issue an alert if you set an alert exception.

For more information refer:
https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Prevent-Administrator-Guide/Add-a-L...
As an example:

A warning for behavioral threat prevention was blocked for you. Since you believe the connected traffic to be legitimate business-related traffic, you don't want to receive future alerts about it.

Since only an alert exclusion was configured, the agent would continue to block the matching traffic even if you created an alert exclusion policy to match this traffic. You would not see any matching alerts in the future, and they would not be included in any incidents.
You must define an exception if you want the XDR agent to stop blocking this traffic in the future.
For both Exclusions and Exceptions, best practice is to define your rules as specific as possible in order to best tune out noise without degrading the ability to alert/prevent malicious activity.

Hope I was able to make you understand the difference and that this will be helpful in deciding which rule to use in which scenario as per your environment.
Please mark the response as "Accept as Solution" if it answers your query.
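To make the distinction in the reply above concrete, here is a small Python model of the two mechanisms. It is an added illustration, not Cortex XDR code or a Palo Alto Networks API: the `Event`, `Alert` and `Rule` structures, the field-by-field matching, and the sample file paths and hashes are all constructed assumptions. It also demonstrates the "as specific as possible" advice by running a broad rule (image name only) and a specific rule (full path plus hash) over a legitimate updater and a look-alike with the same image name.

```python
from dataclasses import dataclass


@dataclass
class Event:
    """A behavioral-prevention event as seen by the agent (constructed sample)."""
    process: str
    path: str
    sha256: str


@dataclass
class Alert:
    """What reaches the console when the agent blocks an event."""
    alert_id: int
    incident_id: str
    event: Event
    hidden: bool = False   # True once an alert exclusion grays it out


@dataclass
class Rule:
    """Assumed rule shape: every listed Event field must match exactly."""
    name: str
    criteria: dict

    def matches(self, event: Event) -> bool:
        return all(getattr(event, f) == v for f, v in self.criteria.items())


def agent_evaluate(event, alert_id, incident_id, exceptions):
    """Agent side. An exception changes behavior: matching activity is
    neither blocked nor reported. Otherwise the agent blocks and raises an alert."""
    if any(r.matches(event) for r in exceptions):
        return False, None
    return True, Alert(alert_id, incident_id, event)


def apply_exclusions(alerts, exclusions):
    """Console side. An exclusion never touches the agent; it only hides the
    alert (and, when applied to past alerts, existing matches as well)."""
    for alert in alerts:
        if any(r.matches(alert.event) for r in exclusions):
            alert.hidden = True
    return alerts


def incident_state(alerts, incident_id):
    """An incident auto-resolves once every alert in it is excluded."""
    members = [a for a in alerts if a.incident_id == incident_id]
    if not members:
        return "no-incident"
    return "resolved" if all(a.hidden for a in members) else "open"


# Constructed sample events: a legitimate vendor updater and a look-alike
# dropped in a temp directory with the same image name but a different hash.
LEGIT = Event("updater.exe", r"C:\Program Files\Vendor\updater.exe", "aaaa1111")
LOOKALIKE = Event("updater.exe", r"C:\Users\bob\AppData\Local\Temp\updater.exe", "bbbb2222")

BROAD = Rule("any updater.exe", {"process": "updater.exe"})
SPECIFIC = Rule("vendor updater", {"path": LEGIT.path, "sha256": LEGIT.sha256})


def scenario(rule, kind):
    """Run both events through agent and console with one rule, treated either
    as an agent exception or as a console alert exclusion."""
    exceptions = [rule] if kind == "exception" else []
    exclusions = [rule] if kind == "exclusion" else []
    alerts, blocked = [], {}
    for i, ev in enumerate((LEGIT, LOOKALIKE), start=1):
        was_blocked, alert = agent_evaluate(ev, i, "INC-1", exceptions)
        blocked[ev.path] = was_blocked
        if alert is not None:
            alerts.append(alert)
    apply_exclusions(alerts, exclusions)
    visible = [a.event.path for a in alerts if not a.hidden]
    return {"blocked": blocked, "visible_alerts": visible,
            "incident": incident_state(alerts, "INC-1")}


if __name__ == "__main__":
    for rule in (SPECIFIC, BROAD):
        for kind in ("exclusion", "exception"):
            print(rule.name, kind, scenario(rule, kind))
```

With the specific exclusion, both events are still blocked by the agent, only the legitimate updater's alert is hidden, and the incident stays open because the look-alike's alert remains. With the broad exclusion, the look-alike's alert is hidden too and the incident auto-resolves, which is exactly the noise-versus-visibility trade-off the reply warns about. Turning the same rule into an exception changes the agent's behavior: the matching event is neither blocked nor alerted on.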

L1 Bithead

The difference between exceptions and exclusion is simple. 

What I mention is Legacy Agent Exceptions vs Disable Prevention Rules 🙂 
