01-20-2023 12:52 PM
Hello dear community,
Since some days, my alert exclusions do not work anymore and the alerts are popping up. Now i noticed the quotes in the target process cmd.
powershell.exe -command --> before
"powershell.exe" -command --> from now
What has happened? The automation task wasn't changed, but maybe a behaviour change from PA?
BR
Rob
01-23-2023 12:16 AM - edited 01-23-2023 12:17 AM
Hi
Thank you for reaching out to live community!
Possibly there is A recalculation on your tenant for your exclusion policy. Possible that there was an edit on the policy because of an edit and there is a backwards scan running. Please check backwards scan status
01-23-2023 05:49 AM
Hello @neelrohit,
what is an backward scan status? And why do I have to do this? Isn't there any information why this quotes suddenly appearing? And day by day I have more not working exclusions.
BR
Rob
01-24-2023 12:37 AM
Hi @RFeyertag ,
Backwards scan is a logic which runs on the Cortex XDR console for querying past events from the date a rule has been created( IOC/BIOC) and also for alert exclusions when you want to exclude the existing alerts. If the exclusion rules were edited and checked in for exclude existing alerts, there will be a backwards scan running in. Till the time, the backwards scan is running, exclusions will not work for old alerts and only the new alerts will be excluded.
However, if you are saying that it is not working for you. I recommend opening a TAC case.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
