11-06-2024 01:14 AM
Hello,
The XDR Analytics BIOC alerts are created based on for example rare events that occur in your environment.
Is there a way to influence the backend system for example:
If I add a hash to the allow list will that make the process trusted and not create alerts for it even if its rare?
My question is how can these types of alerts be influenced rather than just creating exceptions.
11-06-2024 02:29 AM - edited 11-06-2024 02:30 AM
Hi @AvesterFahimipour
Thanks for your query on LC!
For this, I think we need more understanding on how different modules and protection flow work.
Creating an exception for a process based on hash will exempt the process in the initial stages of execution however if the sam process is ben caught by other modules like BTP or Analytics or BIOC with suspicious activity then the action will be terminated or reported based on the module.
Analytics behavioral indicators of compromise (BIOC)s. In contrast to standard Analytics alerts, Analytics BIOCs (ABIOCs)—indicate a single event of suspicious behavior with an identified chain of causality. To identify the context and chain of causality, ABIOCs leverage user, endpoint, and network profiles. The profile is generated by the Analytics Engine and can be based on a simple statistical profile or a more complex machine-learning profile. Cortex XDR tailors each ABIOC to your specific environment after analyzing your logs and data sources and continually tunes and delivers new ABIOCs with content updates.
Ref - https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Analytics-C...
Regards,
11-06-2024 02:29 AM - edited 11-06-2024 02:30 AM
Hi @AvesterFahimipour
Thanks for your query on LC!
For this, I think we need more understanding on how different modules and protection flow work.
Creating an exception for a process based on hash will exempt the process in the initial stages of execution however if the sam process is ben caught by other modules like BTP or Analytics or BIOC with suspicious activity then the action will be terminated or reported based on the module.
Analytics behavioral indicators of compromise (BIOC)s. In contrast to standard Analytics alerts, Analytics BIOCs (ABIOCs)—indicate a single event of suspicious behavior with an identified chain of causality. To identify the context and chain of causality, ABIOCs leverage user, endpoint, and network profiles. The profile is generated by the Analytics Engine and can be based on a simple statistical profile or a more complex machine-learning profile. Cortex XDR tailors each ABIOC to your specific environment after analyzing your logs and data sources and continually tunes and delivers new ABIOCs with content updates.
Ref - https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Analytics-C...
Regards,
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
