11-29-2021 12:12 AM
Hi,
I am receiving lots of duplicate incidents on my Cortex XDR console. Can anyone please help on how to suppress or stop the duplicate incidents to trigger again and again?
Regards
11-30-2021 01:38 AM
Hi @RahulPrajapati Yes, the file continues to remain blocked after creating an exclusion. Exclusions do not influence any XDR agent actions.
Ref: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PO8MCAW
11-30-2021 01:41 AM
Hi @RahulPrajapati ,
after creating the exclussion the malware will be still blocked. Alert exclussion just excludes the alert to create more incidents, but the alerts will be still created (you will be able to find them with xql queries) but wont create noise on your incidents table, just that. And you will still be in safe (malware will remain blocked).
Watch out do not confuse exclussion with exception, exception will make the malware to not to be blocked (alerts wont be created then). So make sure when you create an exception that you know what you are doing otherwise you might be allowing a malware to run and spread over your infrastructure and without being alerted.
On the actions for the malware profile you can choose different actions, try to put it in quarantine.
It will also be good to figure out why this malware is appearing again and again. This is something for you guys to investigate if somebody is downloading it repeatedly or something. So try to figure out the root cause of your infection to end it up for ever.
You can also choose to delete your malware file from all your infrastructure.
Hope this helps,
Luis
11-29-2021 01:45 AM
Hi @RahulPrajapati , an incident is an aggregation of alerts. You may have incidents with the same description if the actions that create the alert keeps occuring.
There are two items that you need to verify from your end:
1. Have you identified from the endpoint or event source if these actions are happening repeatedly to cause new incidents to get created?
2. Have you identified from the Incidents if the artefacts are the same for all duplicate Incidents, and if the actions are happening at the timestamps specified in the alerts grouped inside each Incident?
If you know that these incidents are benign in nature, you can consider creating one or more Alert Exclusions to suppress alerts.
11-29-2021 09:18 PM
Hi @bbarmanroy ,
Yes these action are occurring repeatedly and from same artefacts. The file on which we are receiving alerts is malicious in nature and we have blocked its hash. But still, it keeps appearing again even if it is in blocked state.
As per your suggestion to create an alert exclusion to suppress alerts. Will the file remain in blocked state after creating an exclusion? We want that file to remain in blocked state after creating an exclusion.
Regards
11-30-2021 01:38 AM
Hi @RahulPrajapati Yes, the file continues to remain blocked after creating an exclusion. Exclusions do not influence any XDR agent actions.
Ref: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PO8MCAW
11-30-2021 01:41 AM
Hi @RahulPrajapati ,
after creating the exclussion the malware will be still blocked. Alert exclussion just excludes the alert to create more incidents, but the alerts will be still created (you will be able to find them with xql queries) but wont create noise on your incidents table, just that. And you will still be in safe (malware will remain blocked).
Watch out do not confuse exclussion with exception, exception will make the malware to not to be blocked (alerts wont be created then). So make sure when you create an exception that you know what you are doing otherwise you might be allowing a malware to run and spread over your infrastructure and without being alerted.
On the actions for the malware profile you can choose different actions, try to put it in quarantine.
It will also be good to figure out why this malware is appearing again and again. This is something for you guys to investigate if somebody is downloading it repeatedly or something. So try to figure out the root cause of your infection to end it up for ever.
You can also choose to delete your malware file from all your infrastructure.
Hope this helps,
Luis
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
