06-29-2023 05:51 AM
Hello Team,
How can we create exception for XDR Analytics BIOC incidents?
06-29-2023 06:09 AM - edited 06-29-2023 06:15 AM
Hi @RamyashreeMada ,
Thank you for writing to live community!
Exceptions in Cortex XDR can be created only for events related to prevention by the Cortex XDR agent. XDR Analytics and Analytics BIOC alerts are detect-only. As a result, we cannot create exceptions for them. Alerts from XDR Analytics and Analytics BIOC are trainable, as they are generated by machine learning algorithms for pattern detection and profiling. If you have a use case of a false positive, you can resolve the alerts as false positives or create automation rules for analytics alerts generating incidents, in a balanced and granularly stable fashion, to auto-resolve them.
If the above also does not work, you can create alert exclusions from the same, and XDR Analytics and XDR Analytics BIOC incidents will not be generated for such FP events. Please make sure you keep the exclusion rule balanced enough to prevent suppressing actual true positive events.
You can also search in the LIVEcommunity for responses in previous related discussions on the same.
Hope this helps!
10-01-2023 10:35 PM
Hello,
We have created an automation rule for one of the XDR Analytics incidents.
The rule is that alerts will be closed as false positive, as the activity is legitimate.
The incidents are getting closed in the XDR console automatically, but we are monitoring these incidents through a SIEM tool and it is triggering the incidents over there.
Can you provide us a solution so that resolved alerts are not forwarded to the SIEM?
10-01-2023 10:54 PM
Hi @RamyashreeMada ,
For use cases where you have SIEM tools, you would not need to create simple automation rules at all, because in that circumstance you can leverage automation from your SIEM tool itself to trigger automation rules to close the false positives (as you might have been doing for other alerts).
However, if you still want the XDR automation to exist and the SIEM not to fetch it, you might have to opt for a not-so-recommended solution: pull the alerts at higher intervals for the status "new" and "under investigation" only (which is risky, as some alerts may never reach your SIEM if they fall within the gap interval).
As a result, in scenarios like this, where automation exists on the SIEM tool, the option should be to use the automation at the SIEM level itself. The XDR automations are for those scenarios where customers do not have a SOC large enough to include a SIEM but would want some native scenarios to be automated.
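The following is an added example, not code from this thread or from Palo Alto Networks, of the two SIEM-side collection strategies the reply above contrasts: polling only alerts still in "new" or "under investigation" status (which silently loses alerts whose status changed between polls, the gap risk the reply mentions) versus a watermark poll with an overlap window that forwards everything except alerts an automation rule closed as false positive. The alert records, field names (`alert_id`, `status`, `detection_ts`) and status strings are constructed assumptions, not the Cortex XDR API schema.

```python
# Added example (not from the thread or from Palo Alto Networks): a SIEM-side
# ingestion filter for XDR alerts. All field and status names are assumptions.
from dataclasses import dataclass
from typing import Callable, Dict, List

# Assumed status values. An XDR automation rule is assumed to set
# "resolved_false_positive" on the alerts the thread wants kept out of the SIEM.
AUTO_CLOSED_FP = {"resolved_false_positive"}
OPEN_STATUSES = {"new", "under_investigation"}


@dataclass(frozen=True)
class Alert:
    alert_id: str
    status: str
    detection_ts: int  # seconds since epoch (constructed values below)


# Constructed alert store standing in for the XDR tenant. A2 was auto-closed as
# FP by the automation rule; A3 was closed by an analyst as a true positive
# ("resolved_true_positive" is an assumed status) before the first poll ran.
_STORE: List[Alert] = [
    Alert("A1", "new", 100),
    Alert("A2", "resolved_false_positive", 150),
    Alert("A3", "resolved_true_positive", 200),
    Alert("A4", "under_investigation", 250),
    Alert("A5", "new", 550),
]

FetchFn = Callable[[int, int], List[Alert]]


def fetch_alerts(since_ts: int, until_ts: int) -> List[Alert]:
    """Stand-in for an API call returning alerts detected in [since_ts, until_ts)."""
    return [a for a in _STORE if since_ts <= a.detection_ts < until_ts]


def poll_open_only(fetch: FetchFn, since_ts: int, until_ts: int) -> List[Alert]:
    """The not-so-recommended approach from the reply: forward only alerts that are
    still 'new' or 'under investigation' at poll time. Anything whose status changed
    between polls (A3, closed as a true positive) is never forwarded to the SIEM."""
    return [a for a in fetch(since_ts, until_ts) if a.status in OPEN_STATUSES]


def new_state() -> Dict:
    """Poller state: high-water mark of the last poll and ids already forwarded."""
    return {"watermark": 0, "seen": set()}


def poll_with_watermark(fetch: FetchFn, state: Dict, now_ts: int,
                        overlap_s: int = 300) -> List[Alert]:
    """Safer poll: re-read an overlap window behind the watermark so nothing is lost
    to timing, drop only alerts auto-closed as false positive, and dedupe by id so
    re-read alerts are not forwarded twice."""
    since_ts = max(0, state["watermark"] - overlap_s)
    forwarded: List[Alert] = []
    for alert in fetch(since_ts, now_ts):
        if alert.alert_id in state["seen"]:
            continue  # already forwarded (or already judged FP) in an earlier poll
        state["seen"].add(alert.alert_id)
        if alert.status in AUTO_CLOSED_FP:
            continue  # closed by the XDR automation rule; keep it out of the SIEM
        forwarded.append(alert)
    state["watermark"] = now_ts
    return forwarded


if __name__ == "__main__":
    print("open-only :", [a.alert_id for a in poll_open_only(fetch_alerts, 0, 300)])
    st = new_state()
    print("watermark :", [a.alert_id for a in poll_with_watermark(fetch_alerts, st, 300)])
    print("next poll :", [a.alert_id for a in poll_with_watermark(fetch_alerts, st, 600)])
```

Run as-is, the open-only poll returns only A1 and A4, dropping the analyst-confirmed true positive A3, while the watermark poll forwards A1, A3 and A4 and then only A5 on the next cycle. In a real collector the `seen` set should be pruned to ids older than the overlap window, and an alert first observed as false positive and later reopened would need a status-change check rather than a plain id dedupe.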