04-06-2021 02:16 AM
Hi Everyone:
Does anyone know where I can find Behavioral Threat Protection (BTP) rules?
For example, a behavioral threat is detected (rule: pp.epm_for_malware_behavior_j01)
or Behavior threat detected (rule: bioc.pp.ransom_prevention_final)
What do these two rules mean?
Thank you
Richard
04-06-2021 09:29 AM
Hi @RichardChou,
The protection rule database is not publicly accessible at this time. To get information regarding the rules, why they were triggered, and recommendations on the next steps, please open a support case. They will likely need the Alert data to perform further analysis as well. That can be collected using the following instructions.
Steps to collect Alert Data from Cortex XDR Console:
1. Go to the Alerts table.
2. Right-click on your target alert.
3. Select "Retrieve Additional Data," then "Retrieve alert data."
4. Navigate to Response > Action Center.
5. Locate the alert data retrieval job that you created.
6. Right-click on your target job.
7. Select "Additional Data."
8. Right-click on the resulting action.
9. Select "Download Files."
04-12-2021 06:27 PM
Hi Gjenkins
Thanks for your reply.
I understand.
Richard
04-23-2021 09:51 AM
@gjenkins Any idea if the alert repo will be made public at a future state? Thinking it would save time and effort for engineers attempting to work through false positives.
04-26-2021 02:50 PM
@efriend wrote: @gjenkins Any idea if the alert repo will be made public at a future state? Thinking it would save time and effort for engineers attempting to work through false positives.
Hi @efriend,
At this moment in time, I'm unaware of it becoming public. As always, if you have a false positive, opening a case with our Support team is the best next step as we would likely need to refine the rules involved. Having the opportunity to do so will improve accuracy, efficiency, and ultimately the protection offered by the Cortex XDR agent.