Allowlisting Detection & Response (XDR) Stories

This article discusses how to create an allowlist rule for known benign traffic so that the Detection & Response engines do not generate a story for that traffic.

Overview of Detection & Response Allowlisting

The Detection & Response correlation engines analyze traffic data to find matches for potential threats, and create stories for the threats which you can then review in the Stories Workbench. The Detection & Response Allow List lets you define traffic from a trusted resource is then excluded from the stories. Allowlisting traffic that you recognize as benign reduces the generation of false positive stories, and helps you focus your analysis on actual potential threats.

There are two ways to add Allow List rules:

  • Create a rule in the Detection & Response page

  • Create a rule from a story in the Stories Workbench. This method is helpful when you notice specific traffic in a story that you know is benign

Items in a Detection & Response Allow List Rule

The following table explains the items that you can use to define the settings for a Detection & Response Allow List rule. When you configure multiple objects in a setting, there is an OR relationship between them. For example, if there is a rule configured with sources including a Site and a User, the rule is applied when the traffic matches either the Site or the User.

Item

Description

Indication ID

The identifier for the indication used by the Detection & Response engines. Each Indication ID is associated with a Detection & Response engine query that identifies specific traffic parameters.

If you define an Indication ID, the rule only excludes traffic from stories generated by the specific engine query associated with that Indication ID.

If no Indication ID is defined, the traffic is excluded from all engine queries that match the rule settings.

For more about Indications, see Using the Indications Catalog.

Engine

The Detection & Response engine or engines the rule applies to. For more about these engines and the types of stories they detect, see Using the Indications Catalog.

Expiration Date

Select the date when the rule expires and the traffic is no longer excluded, or select Unlimited for the rule to continue to apply without expiration.

When an expiration date is set, the rule expires at the beginning of that date, in the time zone configured in the user profile settings in the Cato Management Application.

Setting an expiration date is a recommended best practice for maintaining an effective security posture.

Direction

Define the direction of the traffic flow that the rule applies to. Directions include:

  • Inbound - Traffic to your network originating at an external source

  • Outbound - Traffic from your network to an external source

  • WANbound - Traffic from your network to another site on your network

  • All of the above

Source

Source of the traffic for this rule.

You can select one or more of the following Source types:

  • Site

  • SDP User

  • User

  • IP

  • IP Range

  • Any

Device

The type of device the rule applies to, defined by operating system.

Destination

Destination of the traffic for this rule.

You can select one or more of the following Destination types:

  • IP

  • URL

  • Domain

  • FQDN

  • Application

  • Any

In addition to the above settings, the following information is shown for each rule in the Allow List:

  • Author - The user name of the user who created the rule.

  • Created At - Date the rule was created.

Showing the Detection & Response Allow List Rulebase

To show the Detection & Response Allow List rulebase:

  1. From the navigation menu, click Security > Detection & Response.

Detection_Response_Allow_List.png

Creating an Allow List Rule in the Detection & Response Page

Add a new Allow List rule and configure the settings that define the traffic to be disregarded by the Detection & Response engines.

Detection_Response_Allow_List_Add_to_Allowlist.png

To create a Detection & Response Allow List rule:

  1. From the navigation menu, click Security > Detection & Response.

  2. Click New. The Add to Allow List panel opens.

  3. Configure the settings for the rule as described above.

  4. Click Save. The rule is added to the Allow List rulebase.

Creating an Allow List Rule from a Story

View the story drill-down in the Stories Workbench and use the Story Actions panel to create an Allow List rule.

To create an Allow List rule from a story:

  1. From the navigation menu, click Monitoring> Stories Workbench.

  2. Click the story to open the drill-down page for the story.

  3. Click More_icon.png to open the Story Actions panel.

  4. Click Add to Allowlist. The Add to Allow List panel opens.

    Detection_Response_Allow_List_from_Story.png
  5. Configure the settings for the rule as described above.

  6. Click Save. The rule is added to the Allow List rulebase.

  7. To show the Detection & Response Allow List rulebase, from the navigation menu click Security > Detection & Response.

Was this article helpful?

0 out of 0 found this helpful

0 comments

Add your comment