Cortex XDR Exclusions vs Exceptions

L1 Bithead

Hello all,

Exclusions versus exceptions: why is excluding an alert so much easier than creating an exception, when it should be the opposite?

According to Palo Alto, "If you do not want Cortex XDR to display alerts that match certain criteria, you can create an alert exclusion policy. After you create an exclusion policy, Cortex XDR hides any future alerts that match the criteria, and excludes the alerts from incidents and search query results." In regard to alert exceptions, PA states "In some cases, you may need to override the applied security policy to change whether Traps allows a process or file to run on an endpoint." In practically all cases I am going to need to override the security policy that is blocking a homegrown PE that allows a department to control their TV with their coffee cup. Do I want to just ignore (exclude) the action, and allow the Cortex agent to continue blocking the coffee cup from changing the channel? NO! The department is going to be irate with me because I can't even see the blocking action.

Within Cortex XDR it is easy to create an exclusion: you can right-click, exclude, you're done. For an exception, you need to pull your exception attributes from the alert, open the exception page, and input the attributes where they are needed. Why can't I right-click a hash, process, description, etc., and add it as an exception? Take it a step further: would you like to add this hash or whatever as a global exception, or apply it to a specific policy?

As a security analyst, I'm not going to suppress an alert but still allow it to continue blocking the file, process, etc. I need to see all that is happening, and suppressing an alert while allowing the blocking action to happen is probably the last thing I'm going to do. This exclusion action can be buried deep in the Cortex realm of dark actions that never get used.