Add a disable injection and prevention rule

Cortex XDR Prevent Administrator Guide

Product: Cortex XDR
License: Prevent
Creation date: 2024-07-16
Last date published: 2024-11-04
Category: Administrator Guide
Document status: Retiring
Link to new document: /r/Cortex-XDR/Cortex-XDR-Documentation
Abstract

You can generate a temporary exception to bypass a process from prevention modules and injections.

You can specify a path or a command line for both prevention and injection exceptions. This is useful when you have processes that are essential to your organization and must not be terminated. Cortex XDR still generates alerts from the data it collects for the excepted process.

Important

  • Exceptions are limited to 48 hours by default and can be configured for up to one week.

  • Consider the consequences of disabling a prevention rule before you add the exception and monitor it over time.

  • You can apply a Disable Prevention Rule only to agents running version 7.9 and later.

  1. Select Settings > Exception Configuration > Disable Injection and Prevention.

  2. Click +Add Injection Rule.

  3. Specify a rule name and an optional description.

  4. Select the platform. To cover all your endpoints, you can create a separate exception rule for each platform.

  5. Add the Process Name, and specify the Path to bypass.

  6. Select the time limit for the exception rule.

  7. Select the Scope for the rule. If you want to apply the rule to only specific Exception Profiles, select them from the list.

  8. Enable the rule.

  9. Click Yes to confirm that you acknowledge that the selected rules will be disabled.
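The Important notes above ask you to monitor an exception over time. The following added example (not Palo Alto Networks code and not the Cortex XDR API) audits a constructed list of rules against the limits stated on this page: the 48-hour default, the one-week maximum, the agent 7.9 requirement, and rules that still apply to every exception profile. The rule fields and the hostname-to-version map are assumptions for the demonstration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

DEFAULT_LIMIT = timedelta(hours=48)  # default cap stated in the guide
MAX_LIMIT = timedelta(days=7)        # configurable maximum stated in the guide
MIN_AGENT = (7, 9)                   # Disable Prevention Rule requires agent 7.9+

@dataclass
class ExceptionRule:
    name: str
    process_name: str
    path: str
    created: datetime
    duration: timedelta          # the rule's selected time limit
    enabled: bool = True
    profiles: list = field(default_factory=list)  # empty = every profile (assumed)

def parse_version(text: str) -> tuple:
    # "7.10.0" -> (7, 10, 0); tuple comparison orders versions correctly
    return tuple(int(p) for p in text.split("."))

def audit(rules, agents, now):
    """Return (rule name, finding) pairs a reviewer should look at.
    `agents` maps hostname -> installed agent version string."""
    findings = []
    for r in rules:
        if r.duration > MAX_LIMIT:
            findings.append((r.name, "exceeds the one-week maximum"))
        elif r.duration > DEFAULT_LIMIT:
            findings.append((r.name, "longer than the 48-hour default"))
        if r.enabled and now >= r.created + r.duration:
            findings.append((r.name, "past its time limit but still enabled"))
        if r.enabled and not r.profiles:
            findings.append((r.name, "applies to every exception profile"))
    for host, version in agents.items():
        if parse_version(version) < MIN_AGENT:
            findings.append(("*", f"{host} runs agent {version}; rules do not apply below 7.9"))
    return findings

# Constructed sample data for this demonstration, not a Cortex XDR export.
NOW = datetime(2024, 11, 4, 12, 0, tzinfo=timezone.utc)
RULES = [
    ExceptionRule("backup-agent", "backup.exe", r"C:\Program Files\Backup\backup.exe",
                  NOW - timedelta(hours=12), timedelta(hours=24), profiles=["Servers"]),
    ExceptionRule("legacy-erp", "erp.exe", r"C:\ERP\erp.exe",
                  NOW - timedelta(days=3), timedelta(days=2)),
    ExceptionRule("lab-tool", "tool", "/opt/lab/tool",
                  NOW - timedelta(hours=1), timedelta(days=10)),
]
AGENTS = {"srv01": "8.2.0", "ws17": "7.8.1"}
```

Run `audit(RULES, AGENTS, NOW)` to list the findings; the backup-agent rule, which stays within the default limit and is scoped to one profile, produces none.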