About Behavioral Threat Protection (BTP) rules

Hi Everyone:

Does anyone know where I can find Behavioral Threat Protection (BTP) rules?
For example, a behavioral threat is detected (rule: pp.epm_for_malware_behavior_j01)
or Behavior threat detected (rule: bioc.pp.ransom_prevention_final)

What do these two rules mean?


Thank you

Richard

Hi @RichardChou,

The protection rule database is not publicly accessible at this time. To get information regarding the rules, why they were triggered, and recommendations on the next steps, please open a support case. They will likely need the Alert data to perform further analysis as well. That can be collected using the following instructions.

Steps to collect Alert Data from Cortex XDR Console:

1. Go to the Alerts table.
2. Right-click on your target alert.
3. Select "Retrieve Additional Data," then "Retrieve alert data."
4. Navigate to Response > Action Center.
5. Locate the alert data retrieval job that you created.
6. Right-click on your target job.
7. Select "Additional Data."
8. Right-click on the resulting action.
9. Select "Download Files."

Visit our Cortex XDR Customer Corner on Live Community to access resources for your product journey, engage in discussions with community members and subject matter experts, and register for upcoming events!

*Cortex XDR Customer Corner: https://live.paloaltonetworks.com/t5/cortex-xdr-customer-corner/ct-p/Cortex_XDR_Customer_Corner

Join our Cortex XDR Office Hours to receive live guidance and training from our Customer Success Architects.

*Cortex XDR Office Hours [NAM]: https://paloaltonetworks.zoom.us/webinar/register/3316669859020/WN_yMpAB-aBTt6xk2h-gsra4w
*Cortex XDR Office Hours [EMEA/APAC]: https://paloaltonetworks.zoom.us/webinar/register/4116709604301/WN_CZuFE5CHQbG9LUEqugsIOw

Hi Gjenkins,

Thanks for your reply.
I understand.

Richard

@gjenkins Any idea if the alert repo will be made public at a future state? Thinking it would save time and effort for engineers attempting to work through false positives. 


@efriend wrote:

@gjenkins Any idea if the alert repo will be made public at a future state? Thinking it would save time and effort for engineers attempting to work through false positives. 


Hi @efriend,

At this moment in time, I'm unaware of it becoming public. As always, if you have a false positive, opening a case with our Support team is the best next step as we would likely need to refine the rules involved. Having the opportunity to do so will improve accuracy, efficiency, and ultimately the protection offered by the Cortex XDR agent.
