Add a New Exceptions Security Profile

Add a new profile.
From
Cortex
XDR
, select
Endpoints
Policy Management
Prevention
Profiles
+ New Profile
and select whether to
Create New
or
Import from File
a new profile.
New imported profiles are added and not replaced.
Select the platform to which the profile applies and
Exceptions
as the profile type.
Click
Next
.
Define the basic settings.
Enter a unique
Profile Name
to identify the profile. The name can contain only letters, numbers, or spaces, and must be no more than 30 characters. The name you choose will be visible from the list of profiles when you configure a policy rule.
To provide additional context for the purpose or business reason that explains why you are creating the profile, enter a profile
Description
. For example, you might include an incident identification number or a link to a help desk ticket.
Configure the exceptions profile.
To configure a Process Exception
:
Select the operating system.
Enter the name of the process.
Select one or more Endpoint Protection Modules that will allow this process to run. The modules displayed on the list are the modules relevant to the operating system defined for this profile. To apply the process exception on all security modules,
Select all
. To apply the process exception on all exploit security modules, select
Disable Injection
.
Click the adjacent arrow.
After you’ve added all processes, click
Create
.
You can return to the Process Exception profile from the
Endpoints Profile
page at any point and edit the settings, for example if you want to add or remove more security modules.
To configure a Support Exception
:
Import the
json
file you received from Palo Alto Networks support team by either browsing for it in your files or by dragging and dropping the file on the page.
Click
Create
.
To configure module specific exceptions relevant for the selected profile platform
:
Behavioral Threat Protection Rule Exception
—When you view an alert for a Behavioral Threat event which you want to allow in your network from now on, right-click the alert and
Create alert exception
. Review the alert data (Platform and Rule name) and select from the following options as needed.
-
CGO hash
—Causality Group Owner (CGO) hash value.
-
CGO signer
—CGO signer entity (for Windows and Mac only).
-
CGO process path
—Directory path of the CGO process.
-
CGO command arguments
—CGO command arguments. This option is available only if
CGO process path
is selected, and only if you are using
Cortex
XDR
Agent 7.5 or later on your endpoints. After selecting this option, check the full path of each relevant command argument within quote marks. You can edit the displayed paths if needed.
From
Exception Scope
, select
Profile
and click
Create
.
Digital Signer Exception
—When you view an alert for a Digital Signer Restriction which you want to allow in your network from now on, right-click the alert and
Create alert exception
.
Cortex
XDR
displays the alert data (Platform, Signer, and Generating Alert ID). Select
Exception Scope: Profile
and select the exception profile name. Click
Add
.
Java Deserialization Exception
—When you identify a Suspicious Input Deserialization alert that you believe to be benign and want to suppress future alerts, right-click the alert and
Create alert exception
.
Cortex
XDR
displays the alert data (Platform, Process, Java executable, and Generating Alert ID). Select
Exception Scope: Profile
and select the exception profile name. Click
Add
.
Local File Threat Examination Exception
—When you view an alert for a PHP file which you want to allow in your network from now on, right-click the alert and
Create alert exception
.
Cortex
XDR
displays the alert data (Process, Path, and Hash). Select
Exception Scope: Profile
and select the exception profile name. Click
Add
Gatekeeper Enhancement Exception
—When you view a Gatekeeper Enhancement security alert for a bundle or specific source-child combination you want to allow in your network from now on, right-click the alert and
Create alert exception
.
Cortex
XDR
displays the alert data (Platform, Source Process, Target Process, and Alert ID). Select
Exception Scope: Profile
and select the exception profile name. Click
Add
. This exception allows
Cortex
XDR
to continue enforcing the Gatekeeper Enhancement protection module on the source process running other child processes.
At any point, you can click the
Generating Alert ID
to return to the original alert from which the exception was originated. You cannot edit module specific exceptions.
Apply Security Profiles to Endpoints.
If you want to remove an exceptions profile from your network, go to the
Profiles
page, right-click and select
Delete