Creating disable prevention rule for Alerts with different sha256 but all other values were same

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Creating disable prevention rule for Alerts with different sha256 but all other values were same

L1 Bithead

We have created a disable prevention rule for a few Cortex XDR agent-blocked alerts because they were false-positive.

However, we recently received 2 new alerts with the same fields as the ones for which we created the disable prevention rule.

I only observed that the sha256 value is different for the new alerts.

So is it because of the different sha value the alerts were triggered even though there is a disable prevention rule in place without the new sha values?

 

 

1 REPLY 1

L3 Networker

Hi @Kavurisowmya 

Thanks for your query on LC!

Yes, Change in sha256 value would be the reason for new alerts.

You may need to validate the Rule conditions defined for this rule and keep the SHA256 blank if this value is changing OR to generally allow all values.

Give it a like & mark as solution if this helped your query!

Best,

  • 231 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!