Learn how to define and manage global endpoint policy exceptions in Cortex Cloud.
As an alternative to adding an endpoint-specific exception in policy rules, you can define and manage global exceptions that apply across all of your endpoints. On the Global Exception page, you can manage all the global exceptions in your organization for all platforms. Profiles associated with one or more targets that are beyond your defined user scope are locked and cannot be edited.
Important
To manage the prevention profile exceptions from Exception Configuration, you must first migrate your existing exceptions configured via the Global exceptions.
Your migrated rules are displayed on the Settings → Exception Configurations → Legacy Agent Exceptions page. For more information about the migration, see Exception configuration.Exception configuration
To create new global endpoint policy exceptions using the Legacy Agent Exceptions page, see Add a legacy exception rule for endpoints.
If you don't migrate the legacy exceptions, you can continue to add exceptions as described below.
Configure exception rules forCortex Cloud protection and prevention actions in a centralized location, and apply them across multiple profiles.
Go to Inventory → Endpoints → Policy Management → Policy Exceptions.
Select Process exceptions.
Select the operating system.
Enter the name of the process.
Select one or more Endpoint Protection Modules that will allow this process to run. The modules displayed on the list are the modules relevant to the operating system defined for this profile. To apply the process exception on all security modules, Select all. To apply the process exception on all exploit security modules, select Disable Injection. Click the adjacent arrow to add the exception.
After you add all exceptions, Save your changes.
The new process exception is added to the Global Exceptions in your network and will be applied across all rules and policies. To edit the exception, select it and click the edit icon. To delete it, select it and click the delete icon.
Configure support exception rules for Cortex Cloud protection and prevention actions in a centralized location, and apply them across multiple profiles.
Go to Inventory → Endpoints → Prevention → Global Exceptions.
Select Support Exceptions.
Import the JSON file you received from the Palo Alto NetworksPalo Alto Networks support team by either browsing for it in your files or by dragging and dropping the file on the page.
Click Save.
The new support exception is added to the Global Exceptions in your network and will be applied across all rules and policies.
When you view a Behavioral Threat issue in the Issues table which you want to allow across your organization, you can create a global exception for that rule.
Right-click the BTP issue and select Create issue exception.
Review the issue metadata (platform and rule name) and then select from the following options as needed:
Base an exception on Cortex Cloud’s recommended fields to define granular and precise exception criteria. The automated recommendations enable you to define exceptions for the specific behavior that triggered the alert and its parameters. This allows you to create exceptions for behaviors that are considered acceptable by your organization.
Select the criteria that triggered the alert.
Note
You can only select one criteria per alert.
To create an exception for more than one criteria in an alert, create an exception rule for each criteria separately by right clicking the BTP alert and creating another exception.
From the displayed parameters of the criteria, select one or more parameters that are relevant to your exception.
By default, all parameters are unselected. To create an exception, you must select at least one parameter.
In the editable parameters, change the parameter if needed.
Note
The value you type is validated by Cortex Cloud.
You can use wildcards, but we recommend being as specific as possible to avoid exceptions that are too broad.
Some parameters aren't open to editing.
Select CGO attributes to define general exception criteria.
CGO hash: Causality Group Owner (CGO) hash value.
CGO signer: CGO signer entity (for Windows and Mac only).
CGO process path: Directory path of the CGO process.
CGO command arguments: CGO command arguments. This option is available only if CGO process path is selected, and only if you are using Cortex XDR Agent 7.5 or later on your endpoints. After selecting this option, check the full path of each relevant command argument within quote marks. You can edit the displayed paths if needed.
From Scope, select Global or select the Profile to which you want to apply the exception rule.
Click Create.
The relevant BTP exception is added to the Global Exceptions in your network and or to the Profile exceptions you selected in your network, and will be applied across all rules and policies. At any point, you can click the Generating Issue ID to return to the original issue from which the exception originated. To delete a specific global exception, select it and click X.
Note
You cannot edit global exceptions generated from a BTP security event.
When you view a Credential Gathering Protection issue in the Issues table that you want to allow across your organization, you can create a global exception for that rule.
Right-click the Credential Gathering Protection issue and select Create issue exception.
Review the issue data (platform and module name) and then select from the following options as needed:
CGO hash: Causality Group Owner (CGO) hash value.
CGO signer: CGO signer entity (for Windows and Mac only).
CGO process path: Directory path of the CGO process.
CGO command arguments: CGO command arguments. This option is available only if CGO process path is selected. After selecting this option, check the full path of each relevant command argument within quote marks. You can edit the displayed paths if needed.
From Exception Scope, select Global.
Click Create.
The relevant exception is added to the Global Exceptions in your network and will be applied across all rules and policies. At any point, you can click the Generating Issue ID to return to the original issue from which the exception originated. To delete a specific global exception, select it and click X.
Note
You cannot edit global exceptions generated from a Credential Gathering Protection security event.
When you view an Anti Webshell Protection issue in the Issues table that you want to allow across your organization, you can create a global exception for that rule.
Right-click the Anti Webshell Protection issue and select Create issue exception.
Review the issue data (platform and module name) and then select from the following options as needed:
CGO hash: Causality Group Owner (CGO) hash value.
CGO signer: CGO signer entity (for Windows and Mac only).
CGO process path: Directory path of the CGO process.
CGO command arguments: CGO command arguments. This option is available only if CGO process path is selected, and only if you are using Cortex XDR Agent 7.5 or later on your endpoints. After selecting this option, check the full path of each relevant command argument within quote marks. You can edit the displayed paths if needed.
From Exception Scope, select Global.
Click Create.
The relevant exception is added to the Global Exceptions in your network and will be applied across all rules and policies. At any point, you can click the Generating Issue ID to return to the original issue from which the exception originated. To delete a specific global exception, select it and click X.
Note
You cannot edit global exceptions generated from an Anti Webshell Protection security event.
When you view in the Issues table a Local Analysis issue that was triggered as a result of local analysis rules, you can create a global exception to allow the rules across your organization.
Right-click the issue and select Create issue exception.
Review the issue data (platform and rule name) and select Exception Scope:Global.
Click Add.
The relevant Local Analysis Rules exception is added to the Global Exceptions in your network and will be applied across all rules and policies. The exception allows all the rules that triggered the issue, and you cannot choose to allow only specific rules within the issue. At any point, you can click the Generating Issue ID to return to the original issue from which the exception originated. To delete a specific global exception, select it and click X. You cannot edit global exceptions generated from a local analysis security event.
With Advanced Analysis, Cortex Cloud can provide a secondary validation of Cortex XDR agent issues raised by exploit protection modules. To perform the additional analysis, Cortex Cloud analyzes issue data sent by the Cortex XDR agent. If Advanced Analysis indicates an issue is benign, Cortex Cloud can automatically create exceptions and distribute the updated security policy to your endpoints.
By enabling Cortex Cloud to automatically create and distribute global exceptions you can minimize disruption for users when they subsequently encounter the same benign activity. To enable the automatic creation of Advanced Analysis Exceptions, configure the Advanced Analysis options in Settings → Configurations → General → Agent Configurations.
For each exception, Cortex Cloud displays the affected platform, exception name, and the relevant issue ID for which Cortex Cloud determined activity was benign. To drill down into the issue details, click the Generating Issue ID.
When you view in the Issues table a Digital Signer Restriction issue for a digital signer you trust and want to allow from now on across your network, create a Global Exception for that digital signer directly from the issue.
Right-click the issue and select Create issue exception.
Review the issue data (Platform, signer, and issue ID) and select Exception Scope:Global.
Click Add.
The relevant digital signer exception is added to the Global Exceptions in your network and will be applied across all rules and policies. At any point, you can click the Generating Issue ID to return to the original issue from which the exception originated. To delete a specific global exception, select it and click X. You cannot edit global exceptions generated from a digital signer restriction security event.
When you view in the Issues table a Suspicious Input Desensitization issue for a Java executable you want to allow from now on across your network, create a global exception for that executable directly from the issue of the security event that prevented it.
Right-click the issue and select Create issue exception.
Review the issue data (Platform, Process, Java executable, and issue ID) and select Exception Scope: Global.
Click Add.
The relevant digital signer exception is added to the Global Exceptions in your network and will be applied across all rules and policies. At any point, you can click the Generating Issue ID to return to the original issue from which the exception originated. To delete a specific global exception, select it and click X. You cannot edit global exceptions generated from a digital signer restriction security event.
When you view in the Issues table a Local Threat Detected issue for a PHP file you want to allow from now on across your network, create a global exception for that file directly from the issue of the security event that prevented it.
Right-click the issue and select Create issue exception.
Review the issue data (Process, Path, and Hash) and select Exception Scope: Global.
Click Add.
The relevant PHP file is added to the Global Exceptions in your network and will be applied across all rules and policies. At any point, you can click the Generating Issue ID to return to the original issue from which the exception originated. To delete a specific global exception, select it and click X. You cannot edit global exceptions generated from a local file threat examination exception restriction security event.
When you view a Gatekeeper Enhancement security issue in the Issues table, you can create a global exception for this specific bundle or source-child combination only, while allowing Cortex Cloud to continue enforcing the Gatekeeper Enhancement protection module on the source process running other child processes.
Right-click the issue and select Create issue exception.
Review the issue data (Platform, Source Process, Target Process, and Issue ID) and select Exception Scope: Global.
Click Add.
The relevant source and target processes are added to the Global Exceptions in your network and will be applied across all rules and policies. At any point, you can click the Generating Issue ID to return to the original issue from which the exception originated. To delete a specific global exception, select it and click X. You cannot edit global exceptions generated from a gatekeeper enhancement security event.
Select + Import/Export to Export your exceptions list and/or Import from File.
Note
The exported file is encoded in Base64 and cannot be edited.