Question 71 - PCDRA discussion


While working the alerts involved in a Cortex XDR incident, an analyst has found that every alert in this incident requires an exclusion. What will the Cortex XDR console automatically do to this incident if all alerts contained have exclusions?

A. mark the incident as Unresolved
B. create a BIOC rule excluding this behavior
C. create an exception to prevent future false positives
D. mark the incident as Resolved -- False Positive
Suggested answer: D

Explanation:

If all alerts contained in a Cortex XDR incident have exclusions, the Cortex XDR console automatically marks the incident as Resolved -- False Positive. This means the incident was not a real threat, but benign or legitimate activity that triggered an alert. By marking the incident as Resolved -- False Positive, the Cortex XDR console removes the incident from the list of unresolved incidents and does not count it towards the incident statistics. This helps the analyst focus on the true positive incidents that require further investigation and response [1].

An exclusion is a rule that hides an alert from the Cortex XDR console based on certain criteria, such as the alert source, type, severity, or description. An exclusion does not change the security policy or prevent the alert from firing; it only suppresses the alert in the console. An exclusion is useful when the analyst wants to reduce the noise of false positive alerts that are not relevant or important [2].

An exception, on the other hand, is a rule that overrides the security policy and allows or blocks a process or file from running on an endpoint, based on certain attributes such as the file hash, path, name, or signer. An exception is useful when the analyst wants to prevent false negative alerts caused by malicious or unwanted files or processes that are not detected by the security policy [3].

A BIOC rule is a rule that creates an alert based on a custom XQL query defining a specific behavior of interest or concern. A BIOC rule is useful when the analyst wants to detect and alert on anomalous or suspicious activities that are not covered by the default Cortex XDR rules [4].

[1] Palo Alto Networks Cortex XDR Documentation, Resolve an Incident
[2] Palo Alto Networks Cortex XDR Documentation, Alert Exclusions
[3] Palo Alto Networks Cortex XDR Documentation, Exceptions
[4] Palo Alto Networks Cortex XDR Documentation, BIOC Rules

asked 23/09/2024 by Suraj Patil