- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
Enhanced Security Measures in Place: To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.
03-04-2022 05:19 AM
We are using Cortex XDR Prevent
1) I see many places the word 'rules' and 'rule exception' is used , I assume this option or feature is not available in Cortex XDR Prevent as I do not see it in the menus/blades .I guess its a 'Pro' edition feature . Please correct me .
2) In Cortex XDR Prevent , I had a legitimate batch file which was 'prevented' by Cortex , so I was looking at best way to allow it to run on the host next time , so I added all hashes from ' Key Assets and Artifacts ' for the Incident to Allow list . So fingers crossed . However I see I get one option when I right click on the individual alert ' Create Alert Exception ' , I did not find any documentation about this feature in the pdf admin guide , can anybody explain what this does and is this a better option . The alert source is ' XDR Agent ' and its a 'Behavioural threat '
Thanks in advance
03-05-2022 09:21 AM
Since this is a Behavioral Threat , you may consider to "Add a Global Behavioral Threat Protection (BTP) Rule Exception" if this is what you are trying to accomplish, more details can be found in here Add a Global Endpoint Policy Exception,
This will take you to the below steps:
Rather than creating global BTP rule exception, if you wish To configure module specific exceptions relevant for the selected profile platform, you still can do for the module you choose, which is in your case BTP and limit the scope to a specific profile as below:
Behavioral Threat Protection Rule Exception—When you view an alert for a Behavioral Threat event which you want to allow in your network from now on,
1- Right-click the alert and Create alert exception.
2- Cortex XDR displays the alert data (Platform and Rule name).
3- Select Exception Scope: Profile and select the exception profile name. Click Add.
Link for the above - configure module specific exceptions.
I hope this helps.
03-05-2022 09:57 AM
Thanks a lot for your response , this is very useful and thanks for all the explanation and URL Links .Appreciate it .
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!