https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/about-behavioral-threat-protection-btp-rules/m-p/401545#M688 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/112774">@gjenkins</a>&nbsp;Any idea if the alert repo will be made public at a future state? Thinking it would save time and effort for engineers attempting to work through false positives.&nbsp;</P> Fri, 23 Apr 2021 16:51:11 GMT efriend 2021-04-23T16:51:11Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/about-behavioral-threat-protection-btp-rules/m-p/395977#M649 <P>Hi Everyone：</P><P>Does anyone know where I can find Behavioral Threat Protection (BTP) rules?<BR />For example, a behavioral threat is detected (rule: pp.epm_for_malware_behavior_j01)<BR />or Behavior threat detected (rule: bioc.pp.ransom_prevention_final)</P><P>What do these two rules mean?</P><P><BR />Thank you</P><P>&nbsp;</P><P>Richard</P> Tue, 06 Apr 2021 09:16:08 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/about-behavioral-threat-protection-btp-rules/m-p/395977#M649 RichardChou 2021-04-06T09:16:08Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/about-behavioral-threat-protection-btp-rules/m-p/396058#M653 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/10081">@RichardChou</a>,</P><P>&nbsp;</P><P>The protection rule database is not publicly accessible at this time. To get information regarding the rules, why they were triggered, and recommendations on the next steps, please <A href="https://support.paloaltonetworks.com/" target="_self">open a support case</A>. They will likely need the Alert data to perform further analysis as well. That can be collected using the following instructions.</P><P>&nbsp;</P><P>Steps to collect Alert Data from Cortex XDR Console:</P><P>1. Got to the Alerts table.<BR />2. Right-click on your target alert<BR />3. Select "Retrieve Additional Data," then "Retrieve alert data."<BR />3. Navigate to Response &gt; Action Center<BR />5. Locate the alert data retrieval job that you created.<BR />6. Right-click on your target job<BR />7. Select "Additional Data."<BR />8. Right-click on the resulting action<BR />9. Select "Download Files."</P> Tue, 06 Apr 2021 16:29:26 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/about-behavioral-threat-protection-btp-rules/m-p/396058#M653 gjenkins 2021-04-06T16:29:26Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/about-behavioral-threat-protection-btp-rules/m-p/397392#M661 <P><FONT color="#000000">Hi&nbsp;<SPAN>&nbsp;Gjenkins</SPAN></FONT></P><P>&nbsp;</P><P>Thanks for your reply.<BR />I understand.</P><P>&nbsp;</P><P>Richard</P><P>&nbsp;</P> Tue, 13 Apr 2021 01:27:44 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/about-behavioral-threat-protection-btp-rules/m-p/397392#M661 RichardChou 2021-04-13T01:27:44Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/about-behavioral-threat-protection-btp-rules/m-p/401545#M688 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/112774">@gjenkins</a>&nbsp;Any idea if the alert repo will be made public at a future state? Thinking it would save time and effort for engineers attempting to work through false positives.&nbsp;</P> Fri, 23 Apr 2021 16:51:11 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/about-behavioral-threat-protection-btp-rules/m-p/401545#M688 efriend 2021-04-23T16:51:11Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/about-behavioral-threat-protection-btp-rules/m-p/402035#M691 <BLOCKQUOTE><HR /><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/179591">@efriend</a>&nbsp;wrote:<BR /><P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/112774">@gjenkins</a>&nbsp;Any idea if the alert repo will be made public at a future state? Thinking it would save time and effort for engineers attempting to work through false positives.&nbsp;</P><HR /></BLOCKQUOTE><P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/179591">@efriend</a>,</P><P>&nbsp;</P><P>At this moment in time, I'm unaware of it becoming public. As always, if you have a false positive, opening a case with our Support team is the best next step as we would likely need to refine the rules involved. Having the opportunity to do so will improve accuracy, efficiency, and ultimately the protection offered by the Cortex XDR agent.</P> Mon, 26 Apr 2021 21:50:46 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/about-behavioral-threat-protection-btp-rules/m-p/402035#M691 gjenkins 2021-04-26T21:50:46Z