Add a New Exceptions Security Profile

Cortex XSIAM Administrator Guide

Product
Cortex XSIAM
Creation date
2024-02-26
Last date published
2024-05-12
Category
Administrator Guide
Abstract

How to add a new Exceptions Security profile.

You can configure exceptions that apply to specific groups of endpoints or you can Add a Global Endpoint Policy Exception.

Important

Starting with version 1.3, Cortex XSIAM enables you to manage the Exception Security rules from a central location and easily apply them across multiple profiles in the Legacy Agent Exceptions management page. 

To manage the exceptions from Exception Configuration, you must first migrate your existing exceptions configured via the Exceptions Security profiles.

To create new Exception Security Profile rules using the Legacy Agent Exceptions management page, see Add a Legacy Exception Rule.

If you don't migrate the legacy exceptions, you can continue to create exceptions as described below.

Use the following workflow to create an endpoint-specific exception:

  1. Add a new profile.

    1. From Cortex XSIAM, select Endpoints > Policy Management > Prevention > Profiles > + Add Profile and select whether to Create New or Import from File a new profile.

      Note

      New imported profiles are added and not replaced.

    2. Select the platform to which the profile applies and Exceptions as the profile type.

    3. Click Next.

  2. Define the basic settings.

    1. Select a unique Profile Name to identify the profile. The name can contain only letters, numbers, or spaces, and must be no more than 30 characters. The name will be visible from the list of profiles when you configure a policy rule.

    2. To provide additional context for the purpose or business reason for creating the profile, specify a profile Description. For example, you might include an incident identification number or a link to a help desk ticket.

  3. Configure the exceptions profile.

    To configure a Process Exception:

    1. Select the operating system.

    2. Enter the name of the process.

    3. Select one or more Endpoint Protection Modules that will allow this process to run. The modules displayed in the list are the modules relevant to the operating system defined for this profile.

      • To apply the process exception on all security modules, Select all.

      • To apply the process exception on the following exploit modules, select Disable Injection.

        APC Guard, CPL Execution Protection, DEP, DLL Hijacking Protection, DLL Security, EPM D02, Exception Heap Spray Check, Exception SysExist Check, Exploit Kit Fingerprinting Protection, Font Protection, Hot Patch Protection, JIT Mitigation, Library Preallocation, Memory Limit Heap Spray Check, Null Dereference Protection, Password Theft Protection, ROP Mitigation, SEH Protection, Shellcode Preallocation, UASLR

    4. Click the adjacent arrow.

    5. After you've added all the processes, select Create.

      You can return to the Process Execution profile from the Endpoint Profile page at any point and edit its settings, for example to add or remove security modules.

    To configure a Support Exception:

    1. Import the JSON file you received from the Palo Alto Networks support team, either by browsing for it in your files or by dragging and dropping the file onto the page.

    2. Click Create.

    To configure module-specific exceptions relevant to the selected profile platform:

    • Behavioral Threat Protection Rule Exception—When you view an alert for a Behavioral Threat event that you want to allow in your network from now on, right-click the alert and Create alert exception. Review the alert data (Platform and Rule name) and select from the following options as needed.

      - CGO hash—Causality Group Owner (CGO) hash value.

      - CGO signer—CGO signer entity (for Windows and Mac only).

      - CGO process path—Directory path of the CGO process.

      - CGO command arguments—CGO command arguments. This option is available only if CGO process path is selected, and only if you are using Cortex XDR Agent 7.5 or later on your endpoints. After selecting this option, check the full path of each relevant command argument within quote marks. You can edit the displayed paths if needed.

      From Exception Scope, select Profile and click Create.

    • Digital Signer Exception—When you view an alert for a Digital Signer Restriction that you want to allow in your network from now on, right-click the alert and Create alert exception. Cortex XSIAM displays the alert data (Platform, Signer, and Generating Alert ID). Select Exception Scope: Profile and select the exception profile name. Click Add.

    • Java Deserialization Exception—When you identify a Suspicious Input Deserialization alert that you believe to be benign and want to suppress future alerts, right-click the alert and Create alert exception. Cortex XSIAM displays the alert data (Platform, Process, Java executable, and Generating Alert ID). Select Exception Scope: Profile and select the exception profile name. Click Add.

    • Local File Threat Examination Exception—When you view an alert for a PHP file that you want to allow in your network from now on, right-click the alert and Create alert exception. Cortex XSIAM displays the alert data (Process, Path, and Hash). Select Exception Scope: Profile and select the exception profile name. Click Add.

    • Gatekeeper Enhancement Exception—When you view a Gatekeeper Enhancement security alert for a bundle or specific source-child combination you want to allow in your network from now on, right-click the alert and Create alert exception. Cortex XSIAM displays the alert data (Platform, Source Process, Target Process, and Alert ID). Select Exception Scope: Profile and select the exception profile name. Click Add. This exception allows Cortex XSIAM to continue enforcing the Gatekeeper Enhancement protection module on the source process running other child processes.

    At any point, you can click the Generating Alert ID to return to the original alert from which the exception originated. You cannot edit module-specific exceptions.

  4. Apply Security Profiles to Endpoints.

    If you want to remove an exceptions profile from your network, go to the Profiles page, right-click the profile, and select Delete.
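The Profile Name rule from step 2 and the Behavioral Threat Protection exception options from step 3 (CGO hash, signer, process path, command arguments, with command arguments only available when the process path is selected and signer only on Windows and Mac) can be modelled to show how exception scope changes with the attributes you pin. The following is an added illustration written for this guide, not Cortex XSIAM code, and it does not describe the product's internal matching; the alert values, the hash placeholders, the AND-across-selected-attributes semantics and the rejection of an exception that pins no CGO attribute are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple
import re

# Profile Name rule from step 2: letters, digits or spaces only, 1 to 30 characters.
_PROFILE_NAME = re.compile(r"[A-Za-z0-9 ]{1,30}")


def valid_profile_name(name: str) -> bool:
    return _PROFILE_NAME.fullmatch(name) is not None


@dataclass(frozen=True)
class Alert:
    """Constructed Behavioral Threat Protection alert: Platform and Rule name as
    shown in the exception dialog, plus the CGO attributes the options refer to."""
    platform: str
    rule_name: str
    cgo_hash: str
    cgo_signer: Optional[str]      # None models an unsigned CGO process
    cgo_path: str
    cgo_args: Tuple[str, ...]


@dataclass(frozen=True)
class BtpException:
    """One profile-scoped exception. A None criterion means 'option not selected'."""
    platform: str
    rule_name: str
    cgo_hash: Optional[str] = None
    cgo_signer: Optional[str] = None
    cgo_path: Optional[str] = None
    cgo_args: Optional[Tuple[str, ...]] = None

    def validate(self) -> None:
        """Option rules stated in the guide, plus one assumed rule (see last check)."""
        if self.cgo_args is not None and self.cgo_path is None:
            raise ValueError("CGO command arguments require CGO process path")
        if self.cgo_signer is not None and self.platform not in ("Windows", "Mac"):
            raise ValueError("CGO signer is only available for Windows and Mac")
        # Assumption for this example, not stated on the page: an exception that
        # pins no CGO attribute is rejected, as it would cover every alert for the rule.
        if all(c is None for c in (self.cgo_hash, self.cgo_signer, self.cgo_path, self.cgo_args)):
            raise ValueError("select at least one CGO attribute")

    def matches(self, alert: Alert) -> bool:
        """Assumed semantics: platform and rule must match, and every selected
        CGO attribute must equal the alert's value (all selected criteria AND-ed)."""
        if (alert.platform, alert.rule_name) != (self.platform, self.rule_name):
            return False
        checks = [
            (self.cgo_hash, alert.cgo_hash),
            (self.cgo_signer, alert.cgo_signer),
            (self.cgo_path, alert.cgo_path),
            (self.cgo_args, alert.cgo_args),
        ]
        return all(want is None or want == got for want, got in checks)


def is_well_formed(exc: BtpException) -> bool:
    try:
        exc.validate()
        return True
    except ValueError:
        return False


def suppressed(alert: Alert, exceptions: Iterable[BtpException]) -> bool:
    """True when any well-formed exception in the profile covers the alert."""
    return any(is_well_formed(e) and e.matches(alert) for e in exceptions)


# Constructed sample data (hash values are placeholders, not real file hashes).
SAMPLE_ALERT = Alert("Windows", "Suspicious backup activity (constructed rule name)",
                     "HASH_PLACEHOLDER_ORIGINAL", "Example Corp (constructed signer)",
                     r"C:\Tools\backup\backup.exe", ("--full", r"D:\data"))
# Same path, but a different (unsigned) binary was dropped in its place.
SAME_PATH_OTHER_BINARY = Alert("Windows", SAMPLE_ALERT.rule_name,
                               "HASH_PLACEHOLDER_REPLACED", None,
                               SAMPLE_ALERT.cgo_path, SAMPLE_ALERT.cgo_args)

HASH_PINNED = BtpException("Windows", SAMPLE_ALERT.rule_name, cgo_hash=SAMPLE_ALERT.cgo_hash)
PATH_ONLY = BtpException("Windows", SAMPLE_ALERT.rule_name, cgo_path=SAMPLE_ALERT.cgo_path)
ARGS_WITHOUT_PATH = BtpException("Windows", SAMPLE_ALERT.rule_name, cgo_args=SAMPLE_ALERT.cgo_args)

if __name__ == "__main__":
    for name, exc in (("hash-pinned", HASH_PINNED), ("path-only", PATH_ONLY)):
        print(name, "covers original:", exc.matches(SAMPLE_ALERT),
              "covers replaced binary:", exc.matches(SAME_PATH_OTHER_BINARY))
```

The comparison between `HASH_PINNED` and `PATH_ONLY` is the point for a reviewer of an exception profile: a hash pins one specific binary, while a path-only exception also covers whatever later occupies that path, so pairing the path with the signer or hash keeps the exception as narrow as the incident that justified it.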