Add a Global Endpoint Policy Exception

From the Cortex XDR management console, as an alternative to adding an endpoint-specific exception in policy rules, you can define and manage global exceptions that apply across all of your endpoints. On the Global Exceptions page, you can manage all the global exceptions in your organization for all platforms. Profiles associated with one or more targets that are beyond your defined user scope are locked and cannot be edited.

Together with Exceptions Security Profiles, global exceptions constitute the sum of all the exceptions allowed within your security policy rules.
Add a Global Process Exception
- Go to Endpoints > Policy Management > Policy Exceptions.
- Select Process exceptions.
- Select the operating system.
- Enter the name of the process.
- Select one or more Endpoint Protection Modules that will allow this process to run. The modules displayed in the list are the modules relevant to the operating system defined for this profile. To apply the process exception to all security modules, choose Select all. To apply the process exception to all exploit security modules, select Disable Injection. Click the adjacent arrow to add the exception.
- After you add all exceptions, Save your changes. The new process exception is added to the Global Exceptions in your network and will be applied across all rules and policies. To edit the exception, select it and click the edit icon. To delete it, select it and click the delete icon.
Add a Global Support Exception
- Go to Endpoints > Prevention > Global Exceptions.
- Select Support Exceptions. Import the JSON file you received from the Palo Alto Networks support team, either by browsing for it in your files or by dragging and dropping the file onto the page.
- Click Save. The new support exception is added to the Global Exceptions in your network and will be applied across all rules and policies.
Add a Global Behavioral Threat Protection (BTP) Rule Exception
When you view a Behavioral Threat alert in the Alerts table for activity that you want to allow across your organization, you can create a global exception for that rule.
- Right-click the BTP alert and select Create alert exception.
- Review the alert data (platform and rule name) and then select from the following options as needed:
  - CGO hash: Causality Group Owner (CGO) hash value.
  - CGO signer: CGO signer entity (for Windows and Mac only).
  - CGO process path: Directory path of the CGO process.
  - CGO command arguments: CGO command arguments. This option is available only if CGO process path is selected, and only if you are using Cortex XDR Agent 7.5 or later on your endpoints. After selecting this option, check the full path of each relevant command argument within quotation marks. You can edit the displayed paths if needed.
- From Exception Scope, select Global.
- Click Create. The relevant BTP exception is added to the Global Exceptions in your network and will be applied across all rules and policies. At any point, you can click the Generating Alert ID to return to the original alert from which the exception originated. To delete a specific global exception, select it and click X. You cannot edit global exceptions generated from a BTP security event.
Add a Global Local Analysis Rules Exception
When you view in the Alerts table a Local Analysis alert that was triggered as a result of local analysis rules, you can create a global exception to allow these rules across your organization.
- Right-click the alert and select Create alert exception.
- Review the alert data (platform and rule name) and select Exception Scope: Global.
- Click Add. The relevant Local Analysis Rules exception is added to the Global Exceptions in your network and will be applied across all rules and policies. The exception allows all the rules that triggered the alert; you cannot choose to allow only specific rules within the alert. At any point, you can click the Generating Alert ID to return to the original alert from which the exception originated. To delete a specific global exception, select it and click X. You cannot edit global exceptions generated from a local analysis security event.
Review Advanced Analysis Exceptions
With Advanced Analysis, Cortex XDR can provide a secondary validation of Cortex XDR Agent alerts raised by exploit protection modules. To perform the additional analysis, Cortex XDR analyzes alert data sent by the Cortex XDR agent. If Advanced Analysis indicates an alert is actually benign, Cortex XDR can automatically create exceptions and distribute the updated security policy to your endpoints. By enabling Cortex XDR to automatically create and distribute global exceptions, you can minimize disruption for users when they subsequently encounter the same benign activity.

To enable the automatic creation of Advanced Analysis Exceptions, configure the Advanced Analysis options in Configure Global Agent Settings. For each exception, Cortex XDR displays the affected platform, exception name, and the relevant alert ID for which Cortex XDR determined the activity was benign. To drill down into the alert details, click the Generating Alert ID.
Add a Global Digital Signer Exception
When you view in the Alerts table a Digital Signer Restriction alert for a digital signer you trust and want to allow from now on across your network, create a global exception for that digital signer directly from the alert.
- Right-click the alert and select Create alert exception. Review the alert data (Platform, signer, and alert ID) and select Exception Scope: Global.
- Click Add. The relevant digital signer exception is added to the Global Exceptions in your network and will be applied across all rules and policies. At any point, you can click the Generating Alert ID to return to the original alert from which the exception originated. To delete a specific global exception, select it and click X. You cannot edit global exceptions generated from a digital signer restriction security event.
Add a Global Java Deserialization Exception
When you view in the Alerts table a Suspicious Input Deserialization alert for a Java executable you want to allow from now on across your network, create a global exception for that executable directly from the alert of the security event that prevented it.
- Right-click the alert and select Create alert exception. Review the alert data (Platform, Process, Java executable, and alert ID) and select Exception Scope: Global.
- Click Add. The relevant Java deserialization exception is added to the Global Exceptions in your network and will be applied across all rules and policies. At any point, you can click the Generating Alert ID to return to the original alert from which the exception originated. To delete a specific global exception, select it and click X. You cannot edit global exceptions generated from a Java deserialization security event.
Add a Global Local File Threat Examination Exception
When you view in the Alerts table a Local Threat Detected alert for a PHP file you want to allow from now on across your network, create a global exception for that file directly from the alert of the security event that prevented it.
- Right-click the alert and select Create alert exception. Review the alert data (Process, Path, and Hash) and select Exception Scope: Global.
- Click Add. The relevant PHP file is added to the Global Exceptions in your network and will be applied across all rules and policies. At any point, you can click the Generating Alert ID to return to the original alert from which the exception originated. To delete a specific global exception, select it and click X. You cannot edit global exceptions generated from a local file threat examination security event.
Add a Global Gatekeeper Enhancement Exception
When you view a Gatekeeper Enhancement security alert in the Alerts table, you can create a global exception for this specific bundle or source-child combination only, while allowing Cortex XDR to continue enforcing the Gatekeeper Enhancement protection module on the source process when it runs other child processes.
- Right-click the alert and select Create alert exception. Review the alert data (Platform, Source Process, Target Process, and Alert ID) and select Exception Scope: Global.
- Click Add. The relevant source and target processes are added to the Global Exceptions in your network and will be applied across all rules and policies. At any point, you can click the Generating Alert ID to return to the original alert from which the exception originated. To delete a specific global exception, select it and click X. You cannot edit global exceptions generated from a Gatekeeper Enhancement security event.
Import and Export Exceptions
Select + Import/Export to Export your exceptions list and/or Import from File. The exported file is Base64-encoded and cannot be edited.