Issue:
WithSecure Elements Endpoint Detection and Response (EDR) detects a safe application (for example, an in-house application). How can the detection be whitelisted?
Resolution:
You can close the Broad Context Detection (BCD) as "Accepted behavior" to create a suppression rule that accepts the behavior of a user or a process. To do this, follow these steps:
- Log in to the Elements Security Center at https://elements.withsecure.com
- Expand the EVENTS category on the left pane
- Select the Broad Context Detections option
- Click the Broad Context Detection in question to open its details page
- Click on the drop-down menu in the top left corner
- Select Closed from the drop-down menu, then select the reason as Accepted behavior
- Click on the Create rule button and follow the on-screen instructions
After this, you can review the suppression rule by following these steps:
- Expand the Security Configurations category on the left pane
- Select the Automated actions option
- Select Suppression rules
You can find more information regarding this feature in the following community article:
https://community.withsecure.com/en/kb/articles/31324-elements-edr-new-feature-accepted-behavior
If you cannot create a suppression rule (for example, because the BCD contains more than 5 key detections), close the BCD as "False positive" instead, so that automatic false positive handling applies to identical detections in the future:
- Log in to the Elements Security Center at https://elements.withsecure.com
- Expand the EVENTS category on the left pane
- Select the Broad Context Detections option
- Select the BCD ID that requires whitelisting
- Click the "Update status" option at the bottom of the page
- Select "Closed" from the drop-down menu, then select the reason "False positive"
- Click "Update"
After this, automatic false positive handling takes over: WithSecure Elements Endpoint Detection and Response (EDR) closes a new broad context detection as Auto false positive when it is identical to a previously closed false alarm. For this to happen, the following criteria must be met:
- The incident is New / Unconfirmed,
- you have closed an identical incident in the same organization as False positive, and
- no identical incident in the same organization has been Confirmed.
More information about automatic handling of incidents can be found here.
If you have done this several times and the file is still detected, submit an allowlisting request for the False Positive event in the Elements Security Center:
- Select Support
- Select Request for allowlisting
- Verify that the following fields are populated correctly:
  - Problem Category -> Threat/Malware
  - Problem Subcategory -> False Positive
  - Product Name -> Elements Endpoint Detection & Response
  - Language -> English
- Under "Describe the problem in detail", provide 3-5 example Broad Context Detection IDs (BCD-IDs), the reason why this content should be whitelisted, and the scope (single host, company level, etc.)
- Fill in the rest of the required case information. Correct and complete information helps us to identify you and provide you with the proper service level
- Click Submit to open the support ticket
Article no: 000008622