Add a legacy exception rule - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Product
Cortex XSIAM
Creation date
2024-03-06
Last date published
2024-11-07
Category
Administrator Guide
Abstract

Learn how to use Cortex XSIAM Legacy Exception rules to configure an exception to prevention and protection modules on endpoints for selected profiles.

Legacy Exception rules enable you to configure an exception to prevention and protection modules on endpoints for selected profiles.

Items included in allow lists may continue to generate Cortex XSIAM security events. If you want to exclude event reporting, configure this on the Alert Exclusions page (SettingsException ConfigurationsAlert Exclusions).

Keep in mind the following:

  • Prior to Cortex XSIAM version 1.3, legacy exceptions were configured through profiles.

  • Starting with version 1.3, Cortex XSIAM enables you to manage the malware security exceptions from a central location and easily apply them across multiple profiles in the Legacy Agent Exceptions Management page. 

To manage the prevention profile exceptions from Exception Configuration, you must first migrate your existing exceptions configured via the prevention profiles.

Your migrated rules are displayed on the SettingsException ConfigurationsLegacy Agent Exceptions page. For more information about the migration, see Exception configuration.

  1. From SettingsException ConfigurationsLegacy Agent Exceptions, + Add Rule.

  2. Select the platform for which you want to create an agent exception.

  3. Select the module for which you want to create an exception.

  4. For each module, specify the following parameters:

    Type

    Module

    Platform

    Parameters

    Malware

    Respond to Malicious Causality Chains

    Windows

    Add to your allow list specific and known safe IP address or IP address ranges that you do not want Cortex XSIAM to block.

    Behavioral Threat Protection

    Windows, MacOS, Linux

    Add to your allow list the file or folder path you want to exclude from evaluation. Use ? to match a single character or * to match any string of characters.

    Office Files with Micros Examination

    Windows

    Add to your allow list the file or folder path you want to exclude from evaluation. Use ? to match a single character or * to match any string of characters.

    Portable Executable and DLL Examination

    Windows

    Add to your allow list the file or folder path and the signers you want to exclude from evaluation. Use ? to match a single character or * to match any string of characters.

    Malicious Child Process Protection

    Windows

    Add to your allow list the parent processes that can launch child processes to your allow list with optional execution criteria. Specify the allow list criteria including the Parent Process NameChild Process Name, and Command Line Params. Use ? to match a single character or * to match any string of characters.

    Ransomware Protection

    Windows

    Add to your allow list the file or folder path you want to exclude from evaluation. Use ? to match a single character or * to match any string of characters.

    Endpoint Scanning

    Windows, MacOS, Linux

    Add to your allow list the file or folder path and the signers you want to exclude from evaluation. Use ? to match a single character or * to match any string of characters.

    Credential Gathering Protection

    Windows, MacOS, Linux

    Add to your allow list the file or folder paths to exclude from evaluation. Use ? to match a single character or * to match any string of characters.

    Anti Webshell Protection

    Windows, MacOS, Linux

    Add to your allow list the file or folder paths to exclude from evaluation. Use ? to match a single character or * to match any string of characters.

    Financial Malware Threat Protection

    Windows, MacOS, Linux

    Add to your allow list the file or folder paths to exclude from evaluation. Use ? to match a single character or * to match any string of characters.

    Cryptominers Protection

    Windows, MacOS, Linux

    Add to your allow list the file or folder paths to exclude from evaluation. Use ? to match a single character or * to match any string of characters.

    In-process Shellcode Protection

    Windows

    Add to your allow list the file or folder paths to exclude from evaluation. Use ? to match a single character or * to match any string of characters.

    Malicious Device Prevention

    Windows

    Add to your allow list the file or folder paths to exclude from evaluation. Use ? to match a single character or * to match any string of characters.

    UAC Bypass Prevention

    Windows

    Add to your allow list the file or folder paths to exclude from evaluation. Use ? to match a single character or * to match any string of characters.

    Anti Tampering Protection

    Windows, MacOS

    Add to your allow list the file or folder paths to exclude from evaluation. Use ? to match a single character or * to match any string of characters.

    Mach-o Files Examination

    MacOS

    Add to your allow list the file or folder paths to exclude from evaluation. Use ? to match a single character or * to match any string of characters.

    DMG File Examination

    MacOS

    Add to your allow list the file or folder paths to exclude from evaluation. Use ? to match a single character or * to match any string of characters.

    Local File Threat Examination

    Linux

    Add to your allow list the file or folder paths to exclude from evaluation. Use ? to match a single character or * to match any string of characters.

    ELF File Examination

    Linux

    Add to your allow list the file or folder paths to exclude from evaluation. Use ? to match a single character or * to match any string of characters.

    Reverse Shell Protection

    Linux

    Specify the Process Path. Local IP Address and port, and the Remote IP Address and port of the process you want to allow. Use ? to match a single character or * to match any string of characters.

    APK Files Examination

    Android

    Specify the signers you want to exclude from evaluation. Use ? to match a single character or * to match any string of characters.

    SMS and MMS Malicious URL filtering Allow list

    iOS

    Add to your allow list and known safe URLs that you do not want Cortex XSIAM to block.

    Call and Messages Blocking Allow list

    iOS

    Add to your allow list names and phone numbers of contacts that you do not want Cortex XSIAM to block.

    Dynamic Kernel Protection

    Windows

    Add to your allow list the file or folder path you want to exclude from evaluation. Use ? to match a single character or * to match any string of characters.

    Restrictions

    Executable Files

    Windows

    Add to your allow list the file or folder paths to exclude from evaluation. Use ? to match a single character or * to match any string of characters.

    Network Location Files

    Windows

    Add to your allow list the file or folder paths to exclude from evaluation. Use ? to match a single character or * to match any string of characters.

    Optical Drive Files

    Windows

    Add to your allow list the file or folder paths to exclude from evaluation. Use ? to match a single character or * to match any string of characters.

    Removable Media Files

    Windows

    Add to your allow list the file or folder paths to exclude from evaluation. Use ? to match a single character or * to match any string of characters.

    Exceptions

    Process Exceptions

    Windows, MacOS, Linux

    Add to your allow list the process and the module names to exclude from evaluation. Use ? to match a single character or * to match any string of characters.

  5. Select all to apply the exception to all profiles for this module or select specific profiles.