https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/export-allow-list-in-prevention-profile-quot-malware-quot/m-p/551022#M4828 <P>Hello <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>&nbsp;</P> <P>Is there any solution to export the <SPAN class="header-context-info"><SPAN class="grid-header-left-side ng-star-inserted"><SPAN class="grid-header-name-text ng-star-inserted" title="Prevention Profiles">allow list in prevention profiles? </SPAN></SPAN></SPAN></P> <P><SPAN class="header-context-info"><SPAN class="grid-header-left-side ng-star-inserted"><SPAN class="grid-header-name-text ng-star-inserted" title="Prevention Profiles">For an example the malware profile?</SPAN></SPAN></SPAN></P> <P>&nbsp;</P> <P><SPAN class="header-context-info"><SPAN class="grid-header-left-side ng-star-inserted"><SPAN class="grid-header-name-text ng-star-inserted" title="Prevention Profiles">I already checked in XQL. <BR />Found no dataset where these informations could be exist.</SPAN></SPAN></SPAN></P> <P>&nbsp;</P> <P>Anyone any suggestions?<BR /><BR />Cheers <BR />Tobias</P> Wed, 26 Jul 2023 07:34:56 GMT Tobias_Bartsch 2023-07-26T07:34:56Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/export-allow-list-in-prevention-profile-quot-malware-quot/m-p/551022#M4828 <P>Hello <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>&nbsp;</P> <P>Is there any solution to export the <SPAN class="header-context-info"><SPAN class="grid-header-left-side ng-star-inserted"><SPAN class="grid-header-name-text ng-star-inserted" title="Prevention Profiles">allow list in prevention profiles? </SPAN></SPAN></SPAN></P> <P><SPAN class="header-context-info"><SPAN class="grid-header-left-side ng-star-inserted"><SPAN class="grid-header-name-text ng-star-inserted" title="Prevention Profiles">For an example the malware profile?</SPAN></SPAN></SPAN></P> <P>&nbsp;</P> <P><SPAN class="header-context-info"><SPAN class="grid-header-left-side ng-star-inserted"><SPAN class="grid-header-name-text ng-star-inserted" title="Prevention Profiles">I already checked in XQL. <BR />Found no dataset where these informations could be exist.</SPAN></SPAN></SPAN></P> <P>&nbsp;</P> <P>Anyone any suggestions?<BR /><BR />Cheers <BR />Tobias</P> Wed, 26 Jul 2023 07:34:56 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/export-allow-list-in-prevention-profile-quot-malware-quot/m-p/551022#M4828 Tobias_Bartsch 2023-07-26T07:34:56Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/export-allow-list-in-prevention-profile-quot-malware-quot/m-p/551274#M4834 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/217204">@Tobias_Bartsch</a>&nbsp;</P> <P>&nbsp;</P> <P>Thank you for writing to live community!</P> <P>&nbsp;</P> <P><SPAN>Unfortunately, there is no option to export allow-list within malware profile in Cortex XDR at this point. However if idea is to use this allow list&nbsp;in new malware profile in the same Cortex XDR tenant/management console then you may try this workaround.<BR /><BR />1. Export the Malware profile whose allow-list you would want to be used in new Malware profile.</SPAN></P> <P><SPAN>2. Rename the above malware profile which has been exported to avoid same profile name conflict.</SPAN></P> <P><SPAN>3. Import the Malware profile which was exported at Step 1 and you will have same allow list&nbsp;in this profile. Now you may edit/update the profile name as desired.&nbsp;</SPAN></P> <P>&nbsp;</P> <P>Hope this helps!</P> <P>&nbsp;</P> <P>Please mark the response as "Accept as Solution" if it answers your query.</P> <P>&nbsp;</P> <P><SPAN>Thank You</SPAN></P> Thu, 27 Jul 2023 07:09:41 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/export-allow-list-in-prevention-profile-quot-malware-quot/m-p/551274#M4834 PiyushKohli 2023-07-27T07:09:41Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/export-allow-list-in-prevention-profile-quot-malware-quot/m-p/551275#M4835 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/276269">@PiyushKohli</a>,</P> <P>&nbsp;</P> <P>first of all: thanks for you reply <span class="lia-unicode-emoji" title=":smiling_face_with_smiling_eyes:">😊</span> <span class="lia-unicode-emoji" title=":handshake:">🤝</span></P> <P>I already knew the export / import feature. That´s not new to me.</P> <P>But unfortunately this is not the solution to my problem.<BR /><BR />We would like to control / check the exceptions at regular intervals and document them in our internal documentation.<BR />The exceptions must be stored somewhere in the tenant, so that a retrieval via XQL or API should be possible. <BR />The export of the profiles does not help at all, because this is <BR />1. is encrypted and <BR />2. does not contain the exceptions.<BR /><BR />Are there any other ideas?</P> Thu, 27 Jul 2023 07:11:41 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/export-allow-list-in-prevention-profile-quot-malware-quot/m-p/551275#M4835 Tobias_Bartsch 2023-07-27T07:11:41Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/export-allow-list-in-prevention-profile-quot-malware-quot/m-p/551284#M4837 <P>Thanks&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/217204">@Tobias_Bartsch</a>&nbsp;for sharing additional details i.e. "<SPAN>We would like to control / check the exceptions at regular intervals and document them in our internal documentation."</SPAN></P> <P>&nbsp;</P> <P><SPAN>Since your use case here is to capture allow list&nbsp;for internal documentation then you may try the following workaround - i.e. to capture response in browser developer tools by editing the profile. Now from the response you may extract the allowlist value as shared in below screenshot.</SPAN></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="PiyushKohli_1-1690444413350.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/52248i8A049305000BD0DB/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="PiyushKohli_1-1690444413350.png" alt="PiyushKohli_1-1690444413350.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Hope this helps!</P> Thu, 27 Jul 2023 07:57:08 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/export-allow-list-in-prevention-profile-quot-malware-quot/m-p/551284#M4837 PiyushKohli 2023-07-27T07:57:08Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/export-allow-list-in-prevention-profile-quot-malware-quot/m-p/551285#M4838 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/276269">@PiyushKohli</a>,</P> <P>&nbsp;</P> <P>many thanks for this advice <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>&nbsp;</P> <P>Works perfectly <span class="lia-unicode-emoji" title=":raising_hands:">🙌</span></P> <P>&nbsp;</P> <P>Many thanks and kind regards <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>Cheers</P> <P>Tobias</P> Thu, 27 Jul 2023 08:04:08 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/export-allow-list-in-prevention-profile-quot-malware-quot/m-p/551285#M4838 Tobias_Bartsch 2023-07-27T08:04:08Z