Add a Global Endpoint Policy Exception - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Pro Administrator Guide

Product
Cortex XDR
License
Pro
Creation date
2023-10-31
Last date published
2024-03-18
Category
Administrator Guide
Abstract

From the Cortex XDR management console, define and manage global endpoint policy exceptions.

As an alternative to adding an endpoint-specific exception in policy rules, you can define and manage global exceptions that apply across all of your endpoints. On the Global Exception page, you can manage all the global exceptions in your organization for all platforms. Profiles associated with one or more targets that are beyond your defined user scope are locked and cannot be edited.

Add a Global Process Exception
Abstract

Configure exception rules for Cortex XDR protection and prevention actions in a centralized location, and apply them across multiple profiles.

  1. Go to Endpoints > Policy Management > Policy Exceptions.

  2. Select Process exceptions.

    1. Select the operating system.

    2. Enter the name of the process.

    3. Select one or more Endpoint Protection Modules that will allow this process to run. The list shows only the modules relevant to the operating system you selected. To apply the process exception to all security modules, click Select all. To apply it to all exploit protection modules, select Disable Injection. Click the adjacent arrow to add the exception. Scope the exception as narrowly as the false positive requires: a process excluded from all modules runs without any agent protection.

  3. After you add all exceptions, Save your changes.

    The new process exception is added to the Global Exceptions in your network and will be applied across all rules and policies. To edit the exception, select it and click the edit icon. To delete it, select it and click the delete icon.

Add a Global Support Exception
Abstract

Configure Support exception rules for Cortex XDR protection and prevention actions in a centralized location, and apply them across multiple profiles.

Important

Starting with version 3.5, Cortex XDR enables you to manage the Global Support exceptions from a central location and easily apply them across multiple profiles in the Legacy Agent Exceptions management page. 

To manage the global support exceptions from Exception Configuration, you must first migrate your existing exceptions.

Your migrated rules are displayed on the Settings > Exception Configurations > Support Exception Rules page. For more information about the migration, see Exception Configuration.

To create new Global Support exceptions using the Support Exception Rules page, see Add a Support Exception Rule.

If you don't migrate the legacy exceptions, you can continue to create exceptions as described below.

  1. Go to Endpoints > Prevention > Global Exceptions.

  2. Select Support Exceptions.

    Import the JSON file you received from the Palo Alto Networks support team, either by browsing for it in your files or by dragging and dropping the file onto the page.

  3. Click Save.

    The new support exception is added to the Global Exceptions in your network and will be applied across all rules and policies.

Add a Global Behavioral Threat Protection (BTP) Rule Exception
Abstract

How to add a Global Behavioral Threat Protection (BTP) Rule Exception.

When you view a Behavioral Threat alert in the Alerts table which you want to allow across your organization, you can create a global exception for that rule.

  1. Right-click the BTP alert and select Create alert exception.

  2. Review the alert data (platform and rule name) and then select from the following options as needed:

    1. CGO hash—Causality Group Owner (CGO) hash value.

    2. CGO signer—CGO signer entity (for Windows and Mac only).

    3. CGO process path—Directory path of the CGO process.

    4. CGO command arguments—CGO command arguments. This option is available only if CGO process path is selected, and only if you are using Cortex XDR Agent 7.5 or later on your endpoints. After you select this option, verify the full path of each relevant command argument (paths are shown within quotation marks). You can edit the displayed paths if needed.

    5. From Exception Scope, select Global.

  3. Click Create.

    The relevant BTP exception is added to the Global Exceptions in your network and will be applied across all rules and policies. At any point, you can click the Generating Alert ID to return to the original alert from which the exception originated. To delete a specific global exception, select it and click X.

    Note

    You cannot edit global exceptions generated from a BTP security event.

Add a Global Credential Gathering Protection Exception
Abstract

How to add a Global Credential Gathering Protection Exception.

When you view a Credential Gathering Protection alert in the Alerts table which you want to allow across your organization, you can create a global exception for that rule.

  1. Right-click the Credential Gathering Protection alert and select Create alert exception.

  2. Review the alert data (platform and module name) and then select from the following options as needed:

    1. CGO hash—Causality Group Owner (CGO) hash value.

    2. CGO signer—CGO signer entity (for Windows and Mac only).

    3. CGO process path—Directory path of the CGO process.

    4. CGO command arguments—CGO command arguments. This option is available only if CGO process path is selected, and only if you are using Cortex XDR Agent 7.5 or later on your endpoints. After you select this option, verify the full path of each relevant command argument (paths are shown within quotation marks). You can edit the displayed paths if needed.

    5. From Exception Scope, select Global.

  3. Click Create.

    The relevant exception is added to the Global Exceptions in your network and will be applied across all rules and policies. At any point, you can click the Generating Alert ID to return to the original alert from which the exception originated. To delete a specific global exception, select it and click X.

    Note

    You cannot edit global exceptions generated from a Credential Gathering Protection security event.

Add a Global Anti Webshell Protection Exception
Abstract

How to add a Global Anti Webshell Protection Exception.

When you view an Anti Webshell Protection alert in the Alerts table which you want to allow across your organization, you can create a global exception for that rule.

  1. Right-click the Anti Webshell Protection alert and select Create alert exception.

  2. Review the alert data (platform and module name) and then select from the following options as needed:

    1. CGO hash—Causality Group Owner (CGO) hash value.

    2. CGO signer—CGO signer entity (for Windows and Mac only).

    3. CGO process path—Directory path of the CGO process.

    4. CGO command arguments—CGO command arguments. This option is available only if CGO process path is selected, and only if you are using Cortex XDR Agent 7.5 or later on your endpoints. After you select this option, verify the full path of each relevant command argument (paths are shown within quotation marks). You can edit the displayed paths if needed.

    5. From Exception Scope, select Global.

  3. Click Create.

    The relevant exception is added to the Global Exceptions in your network and will be applied across all rules and policies. At any point, you can click the Generating Alert ID to return to the original alert from which the exception originated. To delete a specific global exception, select it and click X.

    Note

    You cannot edit global exceptions generated from an Anti Webshell Protection security event.
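The BTP, Credential Gathering Protection and Anti Webshell Protection procedures above all offer the same four CGO criteria (hash, signer, process path, command arguments). Which ones you select determines how much an attacker could slip through the exception. The following added example is not Cortex XDR code and does not reproduce the product's matching engine; it is a simplified model (all selected criteria must hold, Windows paths compared case-insensitively) run over constructed process events, to show that a path-only exception also covers an unsigned impostor planted at the same path, while a hash or signer criterion does not, and that command arguments can only be used together with a path, as the page states.

```python
"""Illustrative model of how the CGO criteria on an alert exception (hash,
signer, process path, command arguments) narrow what the exception allows.
This is an added example, not Cortex XDR code: the matching rules below are
a simplified assumption, and every process event is constructed."""
import hashlib
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class ProcessEvent:
    """Constructed Causality Group Owner (CGO) of an alert."""
    path: str
    sha256: str
    signer: Optional[str]       # None models an unsigned binary
    args: Tuple[str, ...]


@dataclass(frozen=True)
class CgoException:
    """One alert exception; a criterion left as None is not applied."""
    cgo_hash: Optional[str] = None
    cgo_signer: Optional[str] = None
    cgo_path: Optional[str] = None
    cgo_args: Optional[Tuple[str, ...]] = None

    def __post_init__(self) -> None:
        if not (self.cgo_hash or self.cgo_signer or self.cgo_path):
            raise ValueError("at least one CGO criterion is required")
        # Mirrors the page: command arguments are selectable only together
        # with a CGO process path.
        if self.cgo_args is not None and self.cgo_path is None:
            raise ValueError("CGO command arguments require a CGO process path")

    def matches(self, ev: ProcessEvent) -> bool:
        """All selected criteria must hold (assumed AND semantics)."""
        if self.cgo_hash is not None and ev.sha256.lower() != self.cgo_hash.lower():
            return False
        if self.cgo_signer is not None and ev.signer != self.cgo_signer:
            return False
        # Windows paths compared case-insensitively (assumption for the example).
        if self.cgo_path is not None and ev.path.lower() != self.cgo_path.lower():
            return False
        if self.cgo_args is not None and ev.args != self.cgo_args:
            return False
        return True


def coverage(exc: CgoException, events: dict) -> list:
    """Sorted names of the constructed events the exception would allow."""
    return sorted(name for name, ev in events.items() if exc.matches(ev))


# Constructed sample data: a legitimate signed backup tool, the same tool run
# with other arguments or from another location, and an unsigned impostor
# planted at the tool's path.
LEGIT_SHA256 = hashlib.sha256(b"constructed legitimate backup tool").hexdigest()
IMPOSTOR_SHA256 = hashlib.sha256(b"constructed impostor binary").hexdigest()
TOOL_PATH = r"C:\Tools\backup.exe"

EVENTS = {
    "legit": ProcessEvent(TOOL_PATH, LEGIT_SHA256, "Contoso Ltd", ("--job", "nightly")),
    "legit_adhoc": ProcessEvent(TOOL_PATH, LEGIT_SHA256, "Contoso Ltd", ("--job", "adhoc")),
    "moved_copy": ProcessEvent(r"C:\Users\Public\backup.exe", LEGIT_SHA256,
                               "Contoso Ltd", ("--job", "nightly")),
    "impostor": ProcessEvent(TOOL_PATH, IMPOSTOR_SHA256, None, ("--job", "nightly")),
}

PATH_ONLY = CgoException(cgo_path=TOOL_PATH)
PATH_AND_ARGS = CgoException(cgo_path=TOOL_PATH, cgo_args=("--job", "nightly"))
SIGNER_ONLY = CgoException(cgo_signer="Contoso Ltd")
HASH_ONLY = CgoException(cgo_hash=LEGIT_SHA256)


def args_without_path_is_rejected() -> bool:
    """True if the model enforces the page's path-before-arguments rule."""
    try:
        CgoException(cgo_args=("--job", "nightly"))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for label, exc in [("path only", PATH_ONLY), ("path + args", PATH_AND_ARGS),
                       ("signer only", SIGNER_ONLY), ("hash only", HASH_ONLY)]:
        print(f"{label:12s} allows: {coverage(exc, EVENTS)}")
```

Running the block shows that both path-based exceptions allow the impostor, whereas the hash and signer exceptions allow only the genuine binary wherever it runs. When a false positive involves a signed vendor tool, signer or hash is therefore the criterion to prefer; add the path only to restrict a broad signer further.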

Add A Global Local Analysis Rules Exception
Abstract

How to add a global Local Analysis Rules exception

When you view in the Alerts table a Local Analysis alert that was triggered by local analysis rules, you can create a global exception that allows those rules across your organization.

  1. Right-click the alert and select Create alert exception.

  2. Review the alert data (platform and rule name) and select Exception Scope: Global.

  3. Click Add.

    The relevant Local Analysis Rules exception is added to the Global Exceptions in your network and will be applied across all rules and policies. The exception allows all the rules that triggered the alert, and you cannot choose to allow only specific rules within the alert. At any point, you can click the Generating Alert ID to return to the original alert from which the exception originated. To delete a specific global exception, select it and click X. You cannot edit global exceptions generated from a local analysis security event.

Review Advanced Analysis Exceptions

With Advanced Analysis, Cortex XDR can provide a secondary validation of Cortex XDR Agent alerts raised by exploit protection modules. To perform the additional analysis, Cortex XDR analyzes alert data sent by the Cortex XDR agent. If Advanced Analysis indicates an alert is benign, Cortex XDR can automatically create exceptions and distribute the updated security policy to your endpoints.

By enabling Cortex XDR to automatically create and distribute global exceptions, you can minimize disruption for users when they subsequently encounter the same benign activity. To enable the automatic creation of Advanced Analysis Exceptions, configure the Advanced Analysis options in Settings > Configurations > General > Agent Configurations.

For each exception, Cortex XDR displays the affected platform, exception name, and the relevant alert ID for which Cortex XDR determined activity was benign. To drill down into the alert details, click the Generating Alert ID.

Add a Global Digital Signer Exception
Abstract

How to add a Global Digital Signer Exception

When you view in the Alerts table a Digital Signer Restriction alert for a digital signer you trust and want to allow from now on across your network, create a Global Exception for that digital signer directly from the alert.

  1. Right-click the alert and select Create alert exception.

    Review the alert data (Platform, signer, and alert ID) and select Exception Scope: Global.

  2. Click Add.

    The relevant digital signer exception is added to the Global Exceptions in your network and will be applied across all rules and policies. At any point, you can click the Generating Alert ID to return to the original alert from which the exception originated. To delete a specific global exception, select it and click X. You cannot edit global exceptions generated from a digital signer restriction security event.

Add a Global Java Deserialization Exception
Abstract

How to add a Global Java Deserialization Exception

When you view in the Alerts table a Suspicious Input Deserialization alert for a Java executable you want to allow from now on across your network, create a global exception for that executable directly from the alert of the security event that prevented it.

  1. Right-click the alert and select Create alert exception.

    Review the alert data (Platform, Process, Java executable, and alert ID) and select Exception Scope: Global.

  2. Click Add.

    The relevant Java deserialization exception is added to the Global Exceptions in your network and will be applied across all rules and policies. At any point, you can click the Generating Alert ID to return to the original alert from which the exception originated. To delete a specific global exception, select it and click X. You cannot edit global exceptions generated from a Java deserialization security event.

Add a Global Local File Threat Examination Exception
Abstract

Configure exception rules for Cortex XDR protection and prevention actions in a centralized location, and apply them across multiple profiles. How to add a global Local File Threat Examination exception.

When you view in the Alerts table a Local Threat Detected alert for a PHP file you want to allow from now on across your network, create a global exception for that file directly from the alert of the security event that prevented it.

  1. Right-click the alert and select Create alert exception.

    Review the alert data (Process, Path, and Hash) and select Exception Scope: Global.

  2. Click Add.

    The relevant PHP file is added to the Global Exceptions in your network and will be applied across all rules and policies. At any point, you can click the Generating Alert ID to return to the original alert from which the exception originated. To delete a specific global exception, select it and click X. You cannot edit global exceptions generated from a local file threat examination security event.

Add a Global Gatekeeper Enhancement Exception
Abstract

How to add a Global Gatekeeper Enhancement Exception.

When you view a Gatekeeper Enhancement security alert in the Alerts table, you can create a global exception for this specific bundle or source-child combination only, while allowing Cortex XDR to continue enforcing the Gatekeeper Enhancement protection module on the source process running other child processes.

  1. Right-click the alert and select Create alert exception.

    Review the alert data (Platform, Source Process, Target Process, and Alert ID) and select Exception Scope: Global.

  2. Click Add.

    The relevant source and target processes are added to the Global Exceptions in your network and will be applied across all rules and policies. At any point, you can click the Generating Alert ID to return to the original alert from which the exception originated. To delete a specific global exception, select it and click X. You cannot edit global exceptions generated from a gatekeeper enhancement security event.

Import and Export Exceptions
Abstract

How to import and export exceptions.

Select + Import/Export to export your exceptions list or to import one from a file.

Note

The exported file is Base64-encoded and is not intended to be edited by hand.
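Because the export is Base64-encoded, two exports taken before and after a change cannot be compared by eye. The following added example is not Cortex XDR tooling: it decodes two exports strictly (rejecting anything outside the Base64 alphabet), records the SHA-256 of each decoded payload for a change record, and, when the payload turns out to be UTF-8 text, prints a unified diff of what was added or removed. The page does not document the inner format of the export, so the JSON sample payloads here are constructed for the demonstration only; the functions treat the decoded bytes as opaque and fall back to hash comparison when they are not text.

```python
"""Compare two Base64-encoded exception exports for change review.
Added example, not Cortex XDR tooling. It relies only on what the page
states (the export is Base64-encoded); the decoded payload is treated as
opaque bytes, shown as a unified diff when it is UTF-8 text and compared
by SHA-256 otherwise. The sample exports below are constructed."""
import base64
import binascii
import difflib
import hashlib
import json


def decode_export(data: bytes) -> bytes:
    """Strictly decode one export; reject characters outside the Base64 alphabet."""
    try:
        return base64.b64decode(data.strip(), validate=True)
    except binascii.Error as exc:
        raise ValueError(f"not a valid Base64 export: {exc}") from exc


def diff_exports(before_b64: bytes, after_b64: bytes) -> dict:
    """Return hashes of both decoded payloads and a line diff when they are text."""
    before = decode_export(before_b64)
    after = decode_export(after_b64)
    result = {
        "before_sha256": hashlib.sha256(before).hexdigest(),
        "after_sha256": hashlib.sha256(after).hexdigest(),
        "changed": before != after,
        "diff": [],
    }
    try:
        old_lines = before.decode("utf-8").splitlines()
        new_lines = after.decode("utf-8").splitlines()
    except UnicodeDecodeError:
        return result  # binary payload: the hashes alone record the change
    result["diff"] = list(difflib.unified_diff(old_lines, new_lines,
                                               "before", "after", lineterm=""))
    return result


def added_lines(report: dict) -> list:
    """Lines present only in the newer export (skips the '+++' file header)."""
    return [line[1:] for line in report["diff"]
            if line.startswith("+") and not line.startswith("+++")]


# Constructed sample payloads. The real export's inner format is not
# documented on the page; JSON here is an assumption for the demonstration.
_BEFORE = {"exceptions": [{"type": "process", "os": "windows", "name": "backup.exe"}]}
_AFTER = {"exceptions": _BEFORE["exceptions"] + [
    {"type": "process", "os": "windows", "name": "updater.exe"}]}
BEFORE_EXPORT = base64.b64encode(json.dumps(_BEFORE, indent=2).encode())
AFTER_EXPORT = base64.b64encode(json.dumps(_AFTER, indent=2).encode())

if __name__ == "__main__":
    report = diff_exports(BEFORE_EXPORT, AFTER_EXPORT)
    print("changed:", report["changed"])
    print("\n".join(report["diff"]))
```

Keep the exported file and its SHA-256 with the change ticket that authorised the new exception; the hash lets you confirm later that the exceptions in production are exactly the set that was reviewed.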