@ rapidfs wrote: Hello all, Exclusions versus Exceptions: why is excluding an alert so much easier than creating an exception when it should be the opposite?

According to Palo Alto, "If you do not want Cortex XDR to display alerts that match certain criteria, you can create an alert exclusion policy. After you create an exclusion policy, Cortex XDR hides any future alerts that match the criteria, and excludes the alerts from incidents and search query results." In regards to alert exceptions, PA states "In some cases, you may need to override the applied security policy to change whether Traps allows a process or file to run on an endpoint."

In practically all cases I am going to need to override the security policy that is blocking a homegrown PE that allows a department the ability to control their TV with their coffee cup. Do I want to just ignore (exclude) the action, and allow the Cortex agent to continue blocking the coffee cup from changing the channel? NO! The department is going to be irate with me because I can't even see the blocking action.

Within Cortex XDR it is easy to create an exclusion: you can right-click, exclude, you're done. For an exception, you need to pull your exception attributes from the alert, open the exception page, and input attributes where they are needed. Why can't I right-click a hash, process, description, etc., and add it as an exception? Take it a step further: would you like to add this hash or whatever as a global exception or apply it to a specific policy?

As a security analyst, I'm not going to suppress an alert but still allow it to continue blocking the file, process, etc. I need to see all that is happening, and suppressing an alert while allowing the blocking action to happen is probably the last thing I'm going to do. This exclusion action can be buried deep in the Cortex realm of dark actions that never get used.
The reason the process is different for an exception is because we want to allow the granularity of choosing who gets this exception. You can do it by profile + policy, hence only some machines get it (so according to your example, in some sections of the company a coffee cup will be able to change channels and in others it won't), or apply it to all endpoints as a global exception.
XDR Analytics BIOC - These are analytics alerts based (mainly) on single events. They are similar to BIOCs, except they also account for a profile of how common or rare something is. Examples are "Uncommon local scheduled task creation via schtasks.exe", "Microsoft Office Process Spawning a Suspicious One-Liner" and "Uncommon user management via net.exe". They are single events (execution of something) that are rarely seen in the environment.

XDR BIOC - These are behavioral IOCs, looking for abnormal behavior but not with specific hashes, IPs or domains. An example is "Binary file being created to disk with a double extension" - this rule is not looking at who created the file or what the file is, it's looking for the fact that a file was created with this attribute. Other examples are "PowerShell runs base64-encoded commands", "Windows certificate management tool makes a network connection" and "Script file added to startup-related Registry keys".

NGFW - These are alerts generated by a Palo Alto Networks Next Gen Firewall as traffic is going through it.

XDR IOC - These are simple IOC matches, including hashes, IPs, domains, files, etc.

XDR Analytics - These alerts are similar to Analytics BIOCs, however they are multi-event. An example can be "Random-Looking Domain Names" - this alert groups multiple DNS queries that seem random and alerts when it sees several of them. Additional examples are "Recurring Rare Domain Access", "Failed Connections" and "DNS Tunneling".

XDR Managed Threat Hunting - These are alerts generated by our Managed Service.

XDR Agent - These are alerts generated by the agent itself on the machines. All other alert types above (except the FW) are generated using the telemetry XDR collects in the cloud, but this one is done by the agent locally when it sees suspicious behavior in real time. Alerts can be malware related, restrictions, exploits and more.
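As an added illustration of the distinction drawn in the post above (not code from the post, from Cortex XDR, or from Palo Alto Networks), here are toy versions of the three cloud-side alert kinds written as detection rules over constructed sample telemetry: a BIOC fires on one event's attribute, an Analytics BIOC fires on one event only when it is rare against a baseline, and an Analytics alert groups several events into one alert. The event dicts, the baseline counter, the thresholds and the regular expressions are all assumptions made for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample telemetry, not real Cortex XDR data: one dict per event.
EVENTS = [
    {"type": "file", "host": "ws1", "path": r"C:\Users\a\Downloads\invoice.pdf.exe"},
    {"type": "file", "host": "ws1", "path": r"C:\Users\a\Documents\report.docx"},
    {"type": "process", "host": "ws2", "cmd": "powershell.exe -NoP -EncodedCommand SQBFAFgA"},
    {"type": "process", "host": "ws2", "cmd": "net.exe user svc_tmp P@ss /add"},
    {"type": "process", "host": "ws3", "cmd": r"net.exe use \\fs1\share"},
    {"type": "dns", "host": "ws3", "domain": "xk9qzv2lp0.com"},
    {"type": "dns", "host": "ws3", "domain": "q7w3ebr8tz.net"},
    {"type": "dns", "host": "ws3", "domain": "example.com"},
    {"type": "dns", "host": "ws3", "domain": "lmz4x8vq1y.org"},
]
# Constructed 30-day baseline of command shapes (exe + first argument) seen in the estate.
BASELINE = Counter({"net.exe use": 500, "net.exe user": 1})

# XDR BIOC: one event, one behavioural attribute, no hash/IP/domain in the rule.
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|txt|jpg)\.(exe|scr|bat|js)$", re.I)
ENC_PS = re.compile(r"powershell.*\s-e(nc|ncodedcommand)?\s", re.I)

def bioc_double_extension(ev):
    return ev["type"] == "file" and DOUBLE_EXT.search(ev["path"]) is not None

def bioc_encoded_powershell(ev):
    return ev["type"] == "process" and ENC_PS.search(ev["cmd"]) is not None

# XDR Analytics BIOC: still a single event, but it only fires when the command
# shape is rare in this environment (the "uncommon ... via net.exe" idea).
def analytics_bioc_uncommon(ev, baseline=BASELINE, max_seen=5):
    if ev["type"] != "process":
        return False
    shape = " ".join(ev["cmd"].split()[:2]).lower()
    return shape.startswith("net.exe") and baseline[shape] <= max_seen

# XDR Analytics: multi-event; several random-looking domains queried by one host
# are grouped into a single alert instead of one alert per DNS query.
def looks_random(domain):
    label = domain.split(".")[0]
    digits = sum(c.isdigit() for c in label)
    vowels = sum(c in "aeiou" for c in label)
    return len(label) >= 8 and (digits >= 2 or vowels <= 1)

def analytics_random_domains(events, min_domains=3):
    per_host = defaultdict(set)
    for ev in events:
        if ev["type"] == "dns" and looks_random(ev["domain"]):
            per_host[ev["host"]].add(ev["domain"])
    # Only hosts that crossed the grouping threshold become an alert.
    return {h: sorted(d) for h, d in per_host.items() if len(d) >= min_domains}
```

Running the rules over EVENTS yields one BIOC hit each for ws1 (double extension) and ws2 (encoded PowerShell), one Analytics BIOC hit for ws2 (rare `net.exe user`), and one grouped Analytics alert for ws3 covering three domains.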