10-03-2022 02:12 AM
I have whitelisted the Cohesity agent but it keeps triggering:
PowerShell script executing with iex from suspicious script source - Behavioral threat detected (rule: dotnet_iex_suspicious_source)
Sep 30th 2022 16:04:40 SYSTEM powershell.exe 25384 29488 Process Start Process Start Command Line : powershell -nologo -noninteractive -executionpolicy bypass -encodedcommand
Is there any way to whitelist this too, so the Cohesity agent does not keep getting blocked?
10-03-2022 02:32 AM
Hi @moversk ,
The reason this alert is persistent is that you have whitelisted the Cohesity SHA256 to the allow list. Cortex XDR hash verdicts and hash exceptions are a pre-execution detection and prevention mechanism, while the alert generated is a Behavioral Threat, which is a post-execution module. In order to allow the execution for the BTP events, the recommendation is to create alert exceptions for the same. I am listing the practice steps for you below:
Hope this answers your question.
11-15-2022 05:05 AM
Looks like it still triggers even with the exception profile.