https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-prevent-specific-questions/m-p/470700#M1609 <P>Since this is a&nbsp;Behavioral Threat , you may consider to "Add a Global Behavioral Threat Protection (BTP) Rule Exception" if this is what you are trying to accomplish, more details can be found in here &nbsp;<A href="https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-prevent-admin/endpoint-security/exceptions-security-profiles/add-a-global-endpoint-policy-exception.html#:~:text=rules%20and%20policies.-,Add%20a%20Global%20Behavioral%20Threat%20Protection%20(BTP)%20Rule%20Exception,-When%20you%20view" target="_self">Add a Global Endpoint Policy Exception,</A></P><P>This will take you to the below steps:</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="zarnous_0-1646500454033.png" style="width: 640px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/39499i05EA9271B924C0E0/image-dimensions/640x208/is-moderation-mode/true?v=v2" width="640" height="208" role="button" title="zarnous_0-1646500454033.png" alt="zarnous_0-1646500454033.png" /></span></P><P>&nbsp;</P><P>Rather than creating global BTP rule exception, if you wish&nbsp;To configure module specific exceptions relevant for the selected profile platform, you still can do for the module you choose, which is in your case BTP and limit the scope to a specific profile as below:<BR /><BR />Behavioral Threat Protection Rule Exception—When you view an alert for a Behavioral Threat event which you want to allow in your network from now on,<BR /><BR />1- Right-click the alert and Create alert exception.<BR />2- Cortex XDR displays the alert data (Platform and Rule name).<BR />3- Select Exception Scope: Profile and select the exception profile name. Click Add.<BR /><BR /></P><P>Link for the above -&nbsp;<A href="https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-prevent-admin/endpoint-security/exceptions-security-profiles/add-exceptions-profile.html#:~:text=Behavioral%20Threat%20Protection%20Rule%20Exception" target="_self">configure module specific exceptions</A>.</P><P>&nbsp;</P><P>I hope this helps.</P><DIV><DIV>&nbsp;</DIV></DIV> Sat, 05 Mar 2022 17:21:32 GMT zarnous 2022-03-05T17:21:32Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-prevent-specific-questions/m-p/470522#M1607 <P>We are using Cortex XDR Prevent&nbsp;</P><P>&nbsp;</P><P>1) I see many places the word 'rules' and 'rule exception' is used , I assume this option or feature is not available in Cortex XDR Prevent as I do not see it in the menus/blades .I guess its a 'Pro' edition feature . Please correct me .</P><P>&nbsp;</P><P>2) In Cortex XDR Prevent , I had a legitimate batch file which was 'prevented' by Cortex , so I was looking at best way to allow it to run on the host next time , so I added all hashes from ' Key Assets and Artifacts ' for the Incident to Allow list . So fingers crossed . However I see I get one option when I right click on the individual alert ' Create Alert Exception ' , I did not find any documentation about this feature in the pdf admin guide&nbsp; , can anybody explain what this does and is this a better option . The alert source is ' XDR Agent ' and its a 'Behavioural threat '&nbsp;</P><P>&nbsp;</P><P>Thanks in advance&nbsp;</P> Fri, 04 Mar 2022 13:19:47 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-prevent-specific-questions/m-p/470522#M1607 Balaraju 2022-03-04T13:19:47Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-prevent-specific-questions/m-p/470700#M1609 <P>Since this is a&nbsp;Behavioral Threat , you may consider to "Add a Global Behavioral Threat Protection (BTP) Rule Exception" if this is what you are trying to accomplish, more details can be found in here &nbsp;<A href="https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-prevent-admin/endpoint-security/exceptions-security-profiles/add-a-global-endpoint-policy-exception.html#:~:text=rules%20and%20policies.-,Add%20a%20Global%20Behavioral%20Threat%20Protection%20(BTP)%20Rule%20Exception,-When%20you%20view" target="_self">Add a Global Endpoint Policy Exception,</A></P><P>This will take you to the below steps:</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="zarnous_0-1646500454033.png" style="width: 640px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/39499i05EA9271B924C0E0/image-dimensions/640x208/is-moderation-mode/true?v=v2" width="640" height="208" role="button" title="zarnous_0-1646500454033.png" alt="zarnous_0-1646500454033.png" /></span></P><P>&nbsp;</P><P>Rather than creating global BTP rule exception, if you wish&nbsp;To configure module specific exceptions relevant for the selected profile platform, you still can do for the module you choose, which is in your case BTP and limit the scope to a specific profile as below:<BR /><BR />Behavioral Threat Protection Rule Exception—When you view an alert for a Behavioral Threat event which you want to allow in your network from now on,<BR /><BR />1- Right-click the alert and Create alert exception.<BR />2- Cortex XDR displays the alert data (Platform and Rule name).<BR />3- Select Exception Scope: Profile and select the exception profile name. Click Add.<BR /><BR /></P><P>Link for the above -&nbsp;<A href="https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-prevent-admin/endpoint-security/exceptions-security-profiles/add-exceptions-profile.html#:~:text=Behavioral%20Threat%20Protection%20Rule%20Exception" target="_self">configure module specific exceptions</A>.</P><P>&nbsp;</P><P>I hope this helps.</P><DIV><DIV>&nbsp;</DIV></DIV> Sat, 05 Mar 2022 17:21:32 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-prevent-specific-questions/m-p/470700#M1609 zarnous 2022-03-05T17:21:32Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-prevent-specific-questions/m-p/470716#M1611 <P>Thanks a lot for your response , this is very useful and thanks for all the explanation and URL Links .Appreciate it .</P> Sat, 05 Mar 2022 17:57:13 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-prevent-specific-questions/m-p/470716#M1611 Balaraju 2022-03-05T17:57:13Z