03-04-2022 05:19 AM
We are using Cortex XDR Prevent
1) I see in many places the words 'rules' and 'rule exception' are used. I assume this option or feature is not available in Cortex XDR Prevent, as I do not see it in the menus/blades. I guess it's a 'Pro' edition feature. Please correct me.
2) In Cortex XDR Prevent, I had a legitimate batch file which was 'prevented' by Cortex, so I was looking at the best way to allow it to run on the host next time, so I added all hashes from 'Key Assets and Artifacts' for the Incident to the Allow list. So fingers crossed. However, I see I get one option when I right-click on the individual alert, 'Create Alert Exception'. I did not find any documentation about this feature in the PDF admin guide; can anybody explain what this does and whether this is a better option? The alert source is 'XDR Agent' and it's a 'Behavioural threat'.
Thanks in advance
03-05-2022 09:21 AM
Since this is a Behavioral Threat, you may consider adding a "Global Behavioral Threat Protection (BTP) Rule Exception" if this is what you are trying to accomplish; more details can be found here: Add a Global Endpoint Policy Exception.
This will take you to the steps below:
Rather than creating a global BTP rule exception, if you wish to configure module-specific exceptions relevant to the selected profile platform, you can still do so for the module you choose, which in your case is BTP, and limit the scope to a specific profile as below:
Behavioral Threat Protection Rule Exception—When you view an alert for a Behavioral Threat event which you want to allow in your network from now on,
1- Right-click the alert and select Create alert exception.
2- Cortex XDR displays the alert data (Platform and Rule name).
3- Select Exception Scope: Profile and select the exception profile name. Click Add.
Link for the above: Configure module-specific exceptions.
I hope this helps.
03-05-2022 09:57 AM
Thanks a lot for your response. This is very useful, and thanks for all the explanation and URL links. Appreciate it.