How to influence the XDR Analytics BIOC and the backend engine


Hello,

The XDR Analytics BIOC alerts are created based on, for example, rare events that occur in your environment.

Is there a way to influence the backend system? For example:

If I add a hash to the allow list, will that make the process trusted and not create alerts for it even if it's rare?

My question is how these types of alerts can be influenced rather than just creating exceptions.

1 accepted solution

Accepted Solutions

L3 Networker

Hi @AvesterFahimipour

Thanks for your query on LC!

For this, I think we need more understanding of how the different modules and the protection flow work.
Creating an exception for a process based on hash will exempt the process in the initial stages of execution; however, if the same process is caught by other modules like BTP or Analytics or BIOC with suspicious activity, then the action will be terminated or reported based on the module.

Analytics behavioral indicators of compromise (BIOCs): in contrast to standard Analytics alerts, Analytics BIOCs (ABIOCs) indicate a single event of suspicious behavior with an identified chain of causality. To identify the context and chain of causality, ABIOCs leverage user, endpoint, and network profiles. The profile is generated by the Analytics Engine and can be based on a simple statistical profile or a more complex machine-learning profile. Cortex XDR tailors each ABIOC to your specific environment after analyzing your logs and data sources and continually tunes and delivers new ABIOCs with content updates.
Ref - https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Analytics-C...

Regards,



