A Behavioral Threat Protection (BTP) alert is triggered with an action of "Prevented (Blocked)" on one of several application servers running Windows Server 2022. The investigation determines the involved processes to be legitimate core OS binaries, and the description from the triggered BTP rule is an acceptable risk for the company to allow the same activity in the future.
This type of activity is only expected on the endpoints that are members of the endpoint group "AppServers," which already has a separate prevention policy rule with an exceptions profile named "Exceptions-AppServers" and a malware profile named "Malware-AppServers."
The CGO that was terminated has the following properties:
SHA256: eb71ea69dd19f728ab9240565e8c7efb59821e19e3788e289301e1e74940c208
File path: C:\Windows\System32\cmd.exe
Digital Signer: Microsoft Corporation
How should the exception be created so that it is scoped as narrowly as possible to minimize the security gap?
Create the exception via the alert itself, selecting the CGO hash, CGO signer, CGO process path, and applying the scope to the "Exceptions-AppServers" profile.
Create a Disable Prevention Rule via Exceptions Configuration with the following selections:
Create a Legacy Agent Exception via Exceptions Configuration with the following selections:
Create the exception via the alert itself, selecting the CGO hash, CGO signer, CGO process path, and applying the scope to "Global."
What is the primary function of the URL "https://
How can a Cortex XSIAM engineer resolve the issue when a SOC analyst escalates missing details after merging two similar incidents?
What is the reason all Broker VM options are greyed out when a user attempts to select a Broker VM as a download source in the Agent Settings profile?
During a new Cortex XSIAM deployment, a user consistently experiences timeout sessions while trying to connect to the agent through Live Terminal, even though the firewall engineer has confirmed that all source IP addresses, port 443, and destinations are allowed.
What could be causing these persistent timeout issues?
A Cortex XSIAM engineer adds a disable injection and prevention rule for a specific running process. After an hour, the engineer disables the rule to reinstate the security capabilities, but the capabilities are not applied.
What is the explanation for this behavior?
TESTED 20 Dec 2025
