Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

Cortex XDR Prevent Specific Questions

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Cortex XDR Prevent Specific Questions

L2 Linker

We are using Cortex XDR Prevent 

 

1) I see many places the word 'rules' and 'rule exception' is used , I assume this option or feature is not available in Cortex XDR Prevent as I do not see it in the menus/blades .I guess its a 'Pro' edition feature . Please correct me .

 

2) In Cortex XDR Prevent , I had a legitimate batch file which was 'prevented' by Cortex , so I was looking at best way to allow it to run on the host next time , so I added all hashes from ' Key Assets and Artifacts ' for the Incident to Allow list . So fingers crossed . However I see I get one option when I right click on the individual alert ' Create Alert Exception ' , I did not find any documentation about this feature in the pdf admin guide  , can anybody explain what this does and is this a better option . The alert source is ' XDR Agent ' and its a 'Behavioural threat ' 

 

Thanks in advance 

2 REPLIES 2

L2 Linker

Since this is a Behavioral Threat , you may consider to "Add a Global Behavioral Threat Protection (BTP) Rule Exception" if this is what you are trying to accomplish, more details can be found in here  Add a Global Endpoint Policy Exception,

This will take you to the below steps:

 

zarnous_0-1646500454033.png

 

Rather than creating global BTP rule exception, if you wish To configure module specific exceptions relevant for the selected profile platform, you still can do for the module you choose, which is in your case BTP and limit the scope to a specific profile as below:

Behavioral Threat Protection Rule Exception—When you view an alert for a Behavioral Threat event which you want to allow in your network from now on,

1- Right-click the alert and Create alert exception.
2- Cortex XDR displays the alert data (Platform and Rule name).
3- Select Exception Scope: Profile and select the exception profile name. Click Add.

Link for the above - configure module specific exceptions.

 

I hope this helps.

 
Z

Thanks a lot for your response , this is very useful and thanks for all the explanation and URL Links .Appreciate it .

  • 2579 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!