May 05 2020 11:43 AM
Hello All,
Is there a way, when you block a URL in ATP, to not generate an alert or incident? For example, blocking a URL where people keep trying it will generate lots of alerts. If I want to turn off the IOC, it looks like it will turn off other things. Or am I missing something?
Also, I can't seem to find any log of actions taken on a single page by everyone. This would be handy for when you want to check on file downloads you have initiated, etc. Is it just that I am missing something, or is this a feature request? 🙂
May 05 2020 12:48 PM - edited May 05 2020 01:14 PM
Hi,
Based on your question, you want to detect when the mentioned URL is accessed and not block it (without generating alerts, which cause noise).
From a WDATP perspective, it can be achieved if you create a "detection rule" in Advanced Hunting.
Use the query below to generate the detection rule (Dropbox as an example IOC for testing):
// THIS QUERY WILL IDENTIFY IF THERE WAS HIT TO IOC DOMAIN FOR LAST 7 DAYS WITH COUNT OF 3 OR MORE.
But I would highly recommend using your company DNS solution or web proxy instead for this requirement.
For detection, the way I see it, you can meet your requirement with the support of your SIEM:
1. If WDATP is integrated, you can easily create a dashboard/report for the accessed websites.
2. If not, you can achieve the same with proxy/DNS logs.
I hope that will help you.
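An added example of the Advanced Hunting query the reply describes (the reply's own query is not present in the thread, so this is not that poster's code); it assumes the standard DeviceNetworkEvents schema and uses dropbox.com as the test IOC, as the reply suggests.

```kusto
// Added example, not the original poster's query.
// Flags devices that contacted the IOC domain 3 or more times in the last 7 days.
// The arg_max(Timestamp, ReportId) keeps the Timestamp and ReportId columns that
// a custom detection rule needs, alongside DeviceId, after the summarize step.
let iocDomain = "dropbox.com";   // placeholder test IOC, as suggested in the reply
let lookback = 7d;
let minHits = 3;
DeviceNetworkEvents
| where Timestamp > ago(lookback)
| where RemoteUrl has iocDomain
| summarize
    HitCount = count(),
    FirstSeen = min(Timestamp),
    arg_max(Timestamp, ReportId),                      // latest hit and its ReportId
    Processes = make_set(InitiatingProcessFileName, 10) // which binaries reached out
    by DeviceId, DeviceName, RemoteUrl
| where HitCount >= minHits
| project Timestamp, ReportId, DeviceId, DeviceName, RemoteUrl, HitCount, FirstSeen, Processes
| order by HitCount desc
```

When saved as a custom detection rule, the rule's own frequency and lookback settings govern how often this runs; the lookback here only bounds the hunting results.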
May 06 2020 02:32 PM
@_UAEx Hello, we would like to block and not generate the alert. It causes a lot of noise in the dashboard as people keep trying a URL that is blocked.
May 07 2020 12:00 AM
Does a suppression rule not meet your needs?
May 07 2020 09:00 AM
@PhilTappUK I was trying to do it from the Alert, not the page. Just saw you can do it in a better fashion on the page. Thank you.