Add a New Exceptions Security Profile

You can configure exceptions that apply to specific groups of endpoints or you can Add a Global Endpoint Policy Exception. Use the following workflow to create an endpoint-specific exception:
  1. Add a new profile.
    1. From Cortex XDR, select Endpoints > Policy Management > Profiles > + New Profile.
    2. Select the platform to which the profile applies and Exceptions as the profile type.
    3. Click Next.
  2. Define the basic settings.
    1. Enter a unique Profile Name to identify the profile. The name can contain only letters, numbers, or spaces, and must be no more than 30 characters. The name you choose will be visible from the list of profiles when you configure a policy rule.
    2. To provide additional context for the purpose or business reason that explains why you are creating the profile, enter a profile Description. For example, you might include an incident identification number or a link to a help desk ticket.
  3. Configure the exceptions profile.
    To configure a Process Exception:
    1. Select the operating system.
    2. Enter the name of the process.
    3. Select one or more Endpoint Protection Modules that will allow this process to run. The modules displayed on the list are the modules relevant to the operating system defined for this profile. To apply the process exception on all security modules, Select all. To apply the process exception on all exploit security modules, select Disable Injection.
    4. Click the adjacent arrow.
    5. After you’ve added all processes, click Create.
      You can return to the Process Exception profile from the Endpoints Profile page at any point and edit the settings, for example if you want to add or remove more security modules.
    To configure a Support Exception:
    1. Import the json file you received from the Palo Alto Networks support team by either browsing for it in your files or by dragging and dropping the file on the page.
    2. Click Create.
    To configure module specific exceptions:
    • Behavioral Threat Protection Rule Exception—When you view an alert for a Behavioral Threat event which you want to allow in your network from now on, right-click the alert and Create alert exception. Cortex XDR displays the alert data (Platform and Rule name). Select Exception Scope: Profile and select the exception profile name. Click Add.
    • Digital Signer Exception—When you view an alert for a Digital Signer Restriction which you want to allow in your network from now on, right-click the alert and Create alert exception. Cortex XDR displays the alert data (Platform, Signer, and Generating Alert ID). Select Exception Scope: Profile and select the exception profile name. Click Add.
    • Java Deserialization Exception—When you identify a Suspicious Input Deserialization alert that you believe to be benign and want to suppress future alerts, right-click the alert and Create alert exception. Cortex XDR displays the alert data (Platform, Process, Java executable, and Generating Alert ID). Select Exception Scope: Profile and select the exception profile name. Click Add.
    • Local File Threat Examination Exception—When you view an alert for a PHP file which you want to allow in your network from now on, right-click the alert and Create alert exception. Cortex XDR displays the alert data (Process, Path, and Hash). Select Exception Scope: Profile and select the exception profile name. Click Add.
    At any point, you can click the Generating Alert ID to return to the original alert from which the exception originated. You cannot edit module specific exceptions.
  4. If you want to remove an exceptions profile from your network, go to the Profiles page, right-click and select Delete.
