Automation exclusion policies enable you to protect critical assets from automated remediation, without having to detach and customize playbooks and scripts.
Automation exclusion policies prevent commands and scripts from performing automated remediation actions on critical assets, such as users, IP addresses, and domains. For example, a playbook task might block multiple domains, but mission-critical domains in the policy list would not be blocked.
Automation exclusion policies apply any time a relevant command or script runs, whether in a playbook task, in a Quick Action, as an action executed by an AI agent, or in the CLI. If you configure a policy to allow overrides, users can manually run the command in the War Room, using the override-policy parameter. Any command triggered with the override-policy parameter appears in the Management Audit Logs. If you attempt to use the override-policy parameter and the policy does not allow overrides, an error entry appears in the War Room.
When an automation exclusion policy prevents a command or script from performing a remediation action, the exclusion appears in the issue War Room.
When a playbook task contains a command or script that is included in an automation exclusion policy, a Policy tab appears in the task details pane, showing the relevant policy.
To enable an automation exclusion policy, add critical assets to a list. Each policy uses one or more lists to exclude assets from remediation. By default, all policies are enabled, but their lists are empty until you add assets to them.
Note
By default, all users have read and edit permissions to lists. When creating a list of critical assets, we recommend limiting the read and edit permissions to specific roles.
User Hard Remediation and User Soft Remediation policies can also use asset groups, enabling automatic updates of critical assets without requiring you to edit a list. These remediation policies can contain lists, asset groups, or a combination of lists and asset groups.
Policies can be enabled or disabled, and lists can be edited, but you cannot add or remove policies.
Each policy can include one or more scripts or commands. Commands and scripts only appear if the content is installed. The policy affects only these scripts and commands. Scripts and commands cannot be added to, edited in, or removed from the policy.
By default, only admin users have access to the Automation Exclusion Center page. You can also provide other roles with View or View/Edit access to the Automation Exclusion Center. When creating or editing a role, the permission can be found under → .
Policies can be sorted, filtered, and searched using the category, status, policy, exclude, and description columns.