Automatic response is triggered unexpectedly when using the 'Does Not' comparison with the 'OR' operator
Last Modified: 2023-07-18 09:57:13 Etc/GMT
Technical Articles ID: KB82771
Environment: ePolicy Orchestrator (ePO) 5.x
Summary
The automatic response might not seem to work as expected in the following scenarios:
Trigger the event if either of the following applies:
A common goal with these filter criteria is to trigger the response for every event unless the threat name contains any of the specified patterns. For example, a threat name of
There's a common misconception that the response evaluates all comparisons as a whole when using the OR operator. The expected result is that an event with a threat name of
Instead, the response evaluates against each of the criteria individually. If any of the comparisons evaluates to True, the entire comparison evaluates to True and the response triggers.
In this example, when an event is received with a threat name of
Because the threat name doesn't contain PatternB, the entire Threat Name comparison evaluates to True.
This behavior is expected. If there are multiple threat names that you don't want to trigger the response, use the AND operator instead, as follows:
The event is triggered when the following applies:
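The evaluation described above, as an added example that is not part of the KB article: a small model of per-comparison evaluation, run over constructed threat names (PatternA and PatternB are placeholders) to show that two 'Does Not Contain' comparisons joined with OR trigger for every event, while the same comparisons joined with AND trigger only when neither pattern is present.

```python
"""Added example (not from the KB article): a minimal model of how an
automatic response evaluates its filter criteria, showing why
'Does Not Contain' comparisons joined with OR almost always trigger."""
from dataclasses import dataclass
from typing import Callable, Dict, List

# Comparison operators modelled after the ePO filter UI; names are assumptions.
OPERATORS: Dict[str, Callable[[str, str], bool]] = {
    "Contains": lambda value, pattern: pattern in value,
    "Does Not Contain": lambda value, pattern: pattern not in value,
}


@dataclass(frozen=True)
class Comparison:
    operator: str
    pattern: str

    def matches(self, threat_name: str) -> bool:
        # Each comparison is evaluated on its own against the event field.
        return OPERATORS[self.operator](threat_name, self.pattern)


def response_triggers(comparisons: List[Comparison], join: str, threat_name: str) -> bool:
    """Combine the individual results with the rule's operator.
    OR: any comparison True -> trigger.  AND: all comparisons must be True."""
    results = [c.matches(threat_name) for c in comparisons]
    if join == "OR":
        return any(results)
    if join == "AND":
        return all(results)
    raise ValueError(f"unknown operator {join!r}")


# Constructed sample threat names (placeholders, not real detections).
SAMPLE_THREATS = ["PatternA.Generic", "PatternB.Trojan", "Unrelated.Worm"]
EXCLUDE = [Comparison("Does Not Contain", "PatternA"),
           Comparison("Does Not Contain", "PatternB")]


def triggered_names(join: str) -> List[str]:
    """Return the sample threat names that would trigger the response."""
    return [t for t in SAMPLE_THREATS if response_triggers(EXCLUDE, join, t)]


if __name__ == "__main__":
    # OR: every name triggers, because at most one pattern is present in any
    # name, so the other 'Does Not Contain' comparison is always True.
    print("OR :", triggered_names("OR"))
    # AND: only names containing neither pattern trigger, which is the intent.
    print("AND:", triggered_names("AND"))  # ['Unrelated.Worm']
```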