Hello all,

Exclusions versus Exceptions: why is excluding an alert so much easier than creating an exception, when it should be the opposite?

According to Palo Alto, "If you do not want Cortex XDR to display alerts that match certain criteria, you can create an alert exclusion policy. After you create an exclusion policy, Cortex XDR hides any future alerts that match the criteria, and excludes the alerts from incidents and search query results."

In regards to alert exceptions, PA states, "In some cases, you may need to override the applied security policy to change whether Traps allows a process or file to run on an endpoint."

In practically all cases I am going to need to override the security policy that is blocking a homegrown PE that allows a department the ability to control their TV with their coffee cup. Do I want to just ignore (exclude) the action, and allow the Cortex agent to continue blocking the coffee cup from changing the channel? NO! The department is going to be irate with me because I can't even see the blocking action.

Within Cortex XDR it is easy to create an exclusion: you can right-click, exclude, and you're done. For an exception, you need to pull your exception attributes from the alert, open the exception page, and input the attributes where they are needed. Why can't I right-click a hash, process, description, etc., and add it as an exception? Take it a step further: would you like to add this hash (or whatever) as a global exception, or apply it to a specific policy?

As a security analyst, I'm not going to suppress an alert but still allow it to continue blocking the file, process, etc. I need to see all that is happening, and suppressing an alert while allowing the blocking action to happen is probably the last thing I'm going to do. This exclusion action can be buried deep in the Cortex realm of dark actions that never get used.
Believe PA is listing this file as malicious incorrectly.

Link to file analysis in VT: https://www.virustotal.com/gui/file/4de1e1cc7b1e7f38aee80b70073f98042d3757e3ebc3b9f7839d764263b8a22f/detection

File details:

MD5: 1764b482430e82a76bb44b620c0169ed
SHA-1: 35c7ec64995a02e66ba54ad6382b37b4fc2fd7ac
SHA-256: 4de1e1cc7b1e7f38aee80b70073f98042d3757e3ebc3b9f7839d764263b8a22f
Vhash: 115056651d15151az39!z
Authentihash: 3ad67eb9e82b3f36e1cc4a70e7034a9686b6ad590889367ad70ff97331adb9f1
Imphash: b15f50e3f2711e0feb9b6d0b6f0258b5
SSDEEP: 768:gyb3gtJgH5dm1L0f2KXTO2rYDTxmBhB2DJWTFLshEGjpRpifDILOm:gbJgH5dm1Lq2/BDTxK329gFIBjB4mOm
File type: Win32 DLL
Magic: PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit
File size: 140.00 KB (143360 bytes)
PEiD packer: Microsoft Visual C++ v7.1 DLL