Add a New Exceptions Security Profile

In Cortex XDR, an exceptions security profile applies to specific groups of endpoints. You can configure exceptions that apply to specific groups of endpoints, or you can Add a Global Endpoint Policy Exception. Use the following workflow to create an endpoint-specific exception:
  1. Add a new profile.
    1. From Cortex XDR, select Endpoints > Policy Management > Prevention > Profiles > + New Profile, and select whether to Create New a profile or Import from File. Imported profiles are added as new profiles and do not replace existing ones.
    2. Select the platform to which the profile applies and Exceptions as the profile type.
    3. Click Next.
  2. Define the basic settings.
    1. Enter a unique Profile Name to identify the profile. The name can contain only letters, numbers, or spaces, and must be no more than 30 characters. The name you choose will be visible in the list of profiles when you configure a policy rule.
    2. To provide additional context for the purpose or business reason that explains why you are creating the profile, enter a profile Description. For example, you might include an incident identification number or a link to a help desk ticket.
  3. Configure the exceptions profile.
    To configure a Process Exception:
    1. Select the operating system.
    2. Enter the name of the process.
    3. Select one or more Endpoint Protection Modules that will allow this process to run. The modules displayed in the list are those relevant to the operating system defined for this profile. To apply the process exception to all security modules, Select all. To apply the process exception to all exploit security modules, select Disable Injection.
    4. Click the adjacent arrow.
    5. After you have added all processes, click Create.
      You can return to the Process Exception profile from the Endpoints Profile page at any point and edit the settings, for example if you want to add or remove security modules.
    To configure a Support Exception:
    1. Import the JSON file you received from the Palo Alto Networks support team, either by browsing for it in your files or by dragging and dropping the file onto the page.
    2. Click Create.
    To configure module-specific exceptions relevant to the selected profile platform:
    • Behavioral Threat Protection Rule Exception—When you view an alert for a Behavioral Threat event that you want to allow in your network from now on, right-click the alert and select Create alert exception. Review the alert data (Platform and Rule name) and select from the following options as needed.
      - CGO hash—Causality Group Owner (CGO) hash value.
      - CGO signer—CGO signer entity (for Windows and Mac only).
      - CGO process path—Directory path of the CGO process.
      - CGO command arguments—CGO command arguments. This option is available only if CGO process path is selected, and only if you are using Cortex XDR Agent 7.5 or later on your endpoints. After selecting this option, check the full path of each relevant command argument within quotation marks. You can edit the displayed paths if needed.
      From Exception Scope, select Profile and click Create.
    • Digital Signer Exception—When you view an alert for a Digital Signer Restriction that you want to allow in your network from now on, right-click the alert and select Create alert exception. Cortex XDR displays the alert data (Platform, Signer, and Generating Alert ID). Select Exception Scope: Profile and select the exception profile name. Click Add.
    • Java Deserialization Exception—When you identify a Suspicious Input Deserialization alert that you believe to be benign and want to suppress future alerts, right-click the alert and select Create alert exception. Cortex XDR displays the alert data (Platform, Process, Java executable, and Generating Alert ID). Select Exception Scope: Profile and select the exception profile name. Click Add.
    • Local File Threat Examination Exception—When you view an alert for a PHP file that you want to allow in your network from now on, right-click the alert and select Create alert exception. Cortex XDR displays the alert data (Process, Path, and Hash). Select Exception Scope: Profile and select the exception profile name. Click Add.
    • Gatekeeper Enhancement Exception—When you view a Gatekeeper Enhancement security alert for a bundle or a specific source-child combination that you want to allow in your network from now on, right-click the alert and select Create alert exception. Cortex XDR displays the alert data (Platform, Source Process, Target Process, and Alert ID). Select Exception Scope: Profile and select the exception profile name. Click Add. This exception allows Cortex XDR to continue enforcing the Gatekeeper Enhancement protection module on the source process when it runs other child processes.
    At any point, you can click the Generating Alert ID to return to the original alert from which the exception originated. You cannot edit module-specific exceptions.
  4. If you want to remove an exceptions profile from your network, go to the Profiles page, right-click the profile, and select Delete.
