Hello dear community,
Since some days, my alert exclusions do not work anymore and the alerts are popping up. Now i noticed the quotes in the target process cmd.
powershell.exe -command --> before
"powershell.exe" -command --> from now
What has happened? The automation task wasn't changed, but maybe a behaviour change from PA?
Hi @RFeyertag ,
Backwards scan is a logic which runs on the Cortex XDR console for querying past events from the date a rule has been created( IOC/BIOC) and also for alert exclusions when you want to exclude the existing alerts. If the exclusion rules were edited and checked in for exclude existing alerts, there will be a backwards scan running in. Till the time, the backwards scan is running, exclusions will not work for old alerts and only the new alerts will be excluded.
However, if you are saying that it is not working for you. I recommend opening a TAC case.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!