Add a Disable Prevention Rule - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Prevent Administrator Guide

Product
Cortex XDR
License
Prevent
Creation date
2024-07-16
Last date published
2024-11-25
Category
Administrator Guide
Retire_Doc
Retiring
Link_to_new_Doc
/r/Cortex-XDR/Cortex-XDR-Documentation
Abstract

Cortex XDR enables you to generate granular exceptions to prevention actions defined for your endpoints.

Cortex XDR enables you to generate granular exceptions to prevention actions defined for your endpoints. You can specify signers, command line, or processes to exclude from the prevention actions triggered by specific security modules. This may be useful when you have processes that are essential to your organization and must not be terminated. Cortex XDR still generates Alerts from the disabled rules.

Important

All applicable prevention actions are skipped for the files and process that match the properties defined in the rule.

You must consider the consequences of disabling a prevention rule before you add the exception and monitor it over time.

Important

You can only apply a Disable Prevention Rule to agents version 7.9 and later.

Configure a Disable Prevention Rule.

  1. From SettingsException ConfigurationDisable Prevention Rules, +Add Rule.

  2. Specify an optional Description for the reason or intent for the rule.

  3. Select the platform. To cover all your endpoints, you can prevent different exception rules per platform.

  4. Under Target Properties, specify the Hash, Path, Command Line argument, or trusted Signer Name, or any combination of these.

    When you specify two or more values, the exception is applied only if the file satisfies all the specified target properties.

    You can use wildcards for matching the command line.

  5. Select one or more security Modules which won't trigger prevention actions.

    The actions triggered by the other modules are not affected.

  6. Select the Scope for the rule. If you want to apply the rule to only specific Exception Profiles, select them from the drop-down list.

  7. Enable the rule.

  8. Review the configurations for the exception, and if the risks are acceptable to you, check I understand the risk.