
How to stop Duplicate incidents


L2 Linker

Hi,

 

I am receiving lots of duplicate incidents on my Cortex XDR console. Can anyone please help with how to suppress or stop the duplicate incidents from triggering again and again?

 

Regards


L5 Sessionator

Hi @RahulPrajapati , an incident is an aggregation of alerts. You may have incidents with the same description if the actions that create the alert keeps occuring.


There are two items that you need to verify from your end:
1. Have you identified from the endpoint or event source if these actions are happening repeatedly to cause new incidents to get created?

2. Have you identified from the Incidents if the artefacts are the same for all duplicate Incidents, and if the actions are happening at the timestamps specified in the alerts grouped inside each Incident?

 

 

If you know that these incidents are benign in nature, you can consider creating one or more Alert Exclusions to suppress alerts.

Hi @bbarmanroy ,

 

Yes, these actions are occurring repeatedly and from the same artefacts. The file on which we are receiving alerts is malicious in nature and we have blocked its hash. But still, it keeps appearing again even if it is in a blocked state.

 

As per your suggestion to create an alert exclusion to suppress alerts: will the file remain in a blocked state after creating an exclusion? We want that file to remain in a blocked state after creating an exclusion.

 

Regards

Hi @RahulPrajapati Yes, the file continues to remain blocked after creating an exclusion. Exclusions do not influence any XDR agent actions.

 

Ref: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PO8MCAW

L4 Transporter

Hi @RahulPrajapati ,

After creating the exclusion the malware will still be blocked. An alert exclusion just excludes the alert from creating more incidents, but the alerts will still be created (you will be able to find them with XQL queries); they just won't create noise on your incidents table, just that. And you will still be safe (malware will remain blocked).

Watch out: do not confuse exclusion with exception. An exception will make the malware not be blocked (alerts won't be created then). So make sure when you create an exception that you know what you are doing, otherwise you might be allowing malware to run and spread over your infrastructure without being alerted.

On the actions for the malware profile you can choose different actions, try to put it in quarantine.

It will also be good to figure out why this malware is appearing again and again. This is something for you guys to investigate, whether somebody is downloading it repeatedly or something. So try to figure out the root cause of your infection to end it for ever.

You can also choose to delete your malware file from all your infrastructure. 

 

Hope this helps,

Luis 
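The triage that bbarmanroy's two verification items and Luis's root-cause advice both call for (are the duplicate incidents really the same artefact, on which hosts, over what time span, and was every hit actually blocked) can be scripted over an export of the alerts grouped inside the incidents. This is an added example written for this thread, not code from the posters or from Palo Alto Networks; the row layout, field names and action strings are assumptions loosely modelled on what an incident's alert list shows, and the hashes are constructed placeholders.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample rows, shaped like the alerts grouped inside an incident
# (hypothetical field names and action strings; not the Cortex XDR schema).
BLOCKED_HASH = "a1" * 32  # constructed placeholder, not a real IoC
OTHER_HASH = "b2" * 32

SAMPLE_ALERTS = [
    {"incident": "INC-101", "host": "ws-01", "sha256": BLOCKED_HASH,
     "action": "Prevented (Blocked)", "time": "2023-05-01T08:00:00"},
    {"incident": "INC-102", "host": "ws-01", "sha256": BLOCKED_HASH,
     "action": "Prevented (Blocked)", "time": "2023-05-01T09:30:00"},
    {"incident": "INC-103", "host": "ws-07", "sha256": BLOCKED_HASH,
     "action": "Prevented (Blocked)", "time": "2023-05-02T07:45:00"},
    {"incident": "INC-104", "host": "srv-03", "sha256": OTHER_HASH,
     "action": "Detected (Reported)", "time": "2023-05-02T10:00:00"},
]


def recurrence_report(alerts):
    """Per artefact: distinct incidents and hosts, first/last seen, and
    whether every hit was a prevention (the check asked for in the thread)."""
    by_hash = defaultdict(list)
    for a in alerts:
        by_hash[a["sha256"]].append(a)
    report = {}
    for sha, rows in by_hash.items():
        times = sorted(datetime.fromisoformat(r["time"]) for r in rows)
        report[sha] = {
            "incidents": len({r["incident"] for r in rows}),
            "hosts": sorted({r["host"] for r in rows}),
            "first_seen": times[0].isoformat(),
            "last_seen": times[-1].isoformat(),
            "all_blocked": all(r["action"].startswith("Prevented") for r in rows),
        }
    return report


def exclusion_candidates(alerts, min_incidents=2):
    """Artefacts that keep re-opening incidents although every hit was
    blocked: an alert exclusion would quieten these without losing the
    block. Anything not fully blocked is an investigation, not an exclusion."""
    rep = recurrence_report(alerts)
    return sorted(s for s, v in rep.items()
                  if v["incidents"] >= min_incidents and v["all_blocked"])
```

Run `recurrence_report(SAMPLE_ALERTS)` to see the per-artefact summary; the hosts and time span it returns are the starting point for the root-cause question of who keeps reintroducing the file.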

L2 Linker

Hi @bbarmanroy and @eluis ,

 

Thanks for the reply. My queries have been answered.
