https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/exception-to-prevent-the-blocking-of-the-powershell-cmd-command/m-p/1066188#M7712 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/891267549">@Aristooo</a>, thanks for reaching us using the Live Community.</P> <P>&nbsp;</P> <P>You can try by creating a Disable Prevention Rule under Configuration - Exceptions Configuration.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="jmazzeo_0-1736793263095.png" style="width: 753px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/65174i795EAE6FB723FA22/image-dimensions/753x761?v=v2" width="753" height="761" role="button" title="jmazzeo_0-1736793263095.png" alt="jmazzeo_0-1736793263095.png" /></span></P> <P>&nbsp;</P> <P>You can there enter the command that you need to create the exception, in the "Command line" field. Select the right module by choosing the one that is blocking the process in your case, I have selected BTP for the example which is the common one.</P> <P>&nbsp;</P> <P>If this post answers your question, please mark it as the solution.</P> <P>&nbsp;</P> Mon, 13 Jan 2025 18:37:40 GMT jmazzeo 2025-01-13T18:37:40Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/exception-to-prevent-the-blocking-of-the-powershell-cmd-command/m-p/1000143#M7664 <P><SPAN>Hi. How can I create an exception to prevent specific PowerShell and CMD commands from being blocked by XDR? <BR /><LI-PRODUCT title="Cortex XDR" id="Cortex_XDR"></LI-PRODUCT>&nbsp;</SPAN></P> Mon, 06 Jan 2025 06:39:48 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/exception-to-prevent-the-blocking-of-the-powershell-cmd-command/m-p/1000143#M7664 Aristooo 2025-01-06T06:39:48Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/exception-to-prevent-the-blocking-of-the-powershell-cmd-command/m-p/1066188#M7712 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/891267549">@Aristooo</a>, thanks for reaching us using the Live Community.</P> <P>&nbsp;</P> <P>You can try by creating a Disable Prevention Rule under Configuration - Exceptions Configuration.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="jmazzeo_0-1736793263095.png" style="width: 753px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/65174i795EAE6FB723FA22/image-dimensions/753x761?v=v2" width="753" height="761" role="button" title="jmazzeo_0-1736793263095.png" alt="jmazzeo_0-1736793263095.png" /></span></P> <P>&nbsp;</P> <P>You can there enter the command that you need to create the exception, in the "Command line" field. Select the right module by choosing the one that is blocking the process in your case, I have selected BTP for the example which is the common one.</P> <P>&nbsp;</P> <P>If this post answers your question, please mark it as the solution.</P> <P>&nbsp;</P> Mon, 13 Jan 2025 18:37:40 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/exception-to-prevent-the-blocking-of-the-powershell-cmd-command/m-p/1066188#M7712 jmazzeo 2025-01-13T18:37:40Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/exception-to-prevent-the-blocking-of-the-powershell-cmd-command/m-p/1066543#M7717 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/310428">@jmazzeo</a>&nbsp;,&nbsp; thanks for your response!<BR /><BR />In the CMD Line under Target Properties, can I replace some arguments with <CODE>*</CODE>? For example, to capture all arguments in that part of the command. Like replacing <CODE>"curl <A href="https://paloaltonetworks.com" target="_blank">https://paloaltonetworks.com</A> --show-error"</CODE> with <CODE>"curl https://* --show-error"</CODE>.</P> Tue, 14 Jan 2025 13:45:51 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/exception-to-prevent-the-blocking-of-the-powershell-cmd-command/m-p/1066543#M7717 Aristooo 2025-01-14T13:45:51Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/exception-to-prevent-the-blocking-of-the-powershell-cmd-command/m-p/1066550#M7718 <P>Yes, you can use the asterisk as a wildcard.</P> Tue, 14 Jan 2025 13:49:12 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/exception-to-prevent-the-blocking-of-the-powershell-cmd-command/m-p/1066550#M7718 jmazzeo 2025-01-14T13:49:12Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/exception-to-prevent-the-blocking-of-the-powershell-cmd-command/m-p/1066556#M7719 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/310428">@jmazzeo</a>&nbsp;thank you very much!</P> Tue, 14 Jan 2025 13:58:06 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/exception-to-prevent-the-blocking-of-the-powershell-cmd-command/m-p/1066556#M7719 Aristooo 2025-01-14T13:58:06Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/exception-to-prevent-the-blocking-of-the-powershell-cmd-command/m-p/1223860#M8055 <P data-start="136" data-end="160">Hi Cortex XDR Community,</P> <P data-start="162" data-end="378">I want to set up an alert in Cortex XDR that triggers whenever any user runs a PowerShell script. The alert should activate for any script or command executed in PowerShell, regardless of the user or specific script.</P> <P data-start="380" data-end="511">Is there an existing rule or method to create such an alert for PowerShell usage? Any suggestions or examples would be appreciated.</P> <P data-start="513" data-end="531">Thanks in advance!</P> <P data-start="513" data-end="531">&nbsp;</P> Fri, 14 Mar 2025 08:56:26 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/exception-to-prevent-the-blocking-of-the-powershell-cmd-command/m-p/1223860#M8055 TurkanAsadova 2025-03-14T08:56:26Z