Exception configuration - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Product: Cortex XSIAM
Creation date: 2024-03-06
Last date published: 2024-10-07
Category: Administrator Guide
Abstract

Learn how to configure exceptions from your baseline policy.

To give you full granularity, Cortex XSIAM lets you create exceptions from your baseline policy. With these exceptions, you can remove specific folders or paths from evaluation, or disable specific security modules. You can configure exception rules for Cortex XSIAM protection and prevention actions in a centralized location and apply them across multiple profiles. Exceptions are configured from Settings → Exception Configuration.

  • Alert Exclusion rules specify match criteria for alerts that you want to suppress.

  • IOC/BIOC Suppression rules exclude one or more indicators from an IOC or BIOC rule that takes action on specific behaviors.

  • Disable Injection and Prevention rules specify exceptions that exclude a process from prevention modules and injections.

  • Disable Prevention rules specify granular exceptions to prevention actions triggered for your endpoints.

  • Legacy Agent Exceptions define prevention profile exception rules for all endpoints.

  • Support Exception rules generate exceptions based on files provided by the support team.

Prior to Cortex XSIAM version 1.3, Legacy Agent Exceptions and Support Exceptions were configured through their relevant profiles.

Starting with version 1.3, Cortex XSIAM enables you to manage the Legacy Agent Exceptions and Support Exception configurations from a central location and easily apply them across multiple profiles in the Agent Exceptions Management page. 

To manage the Prevention profile exceptions from Exception Configuration, you must first migrate your existing exceptions configured via profiles. Your existing exception profiles are migrated per module.

Cortex XSIAM simulates the migration to enable you to review the results before activating the migration.

How to migrate existing exceptions
  1. Select Settings → Exception Configuration → Legacy Exceptions and click Start Simulation.

  2. Review the Legacy Agent Exceptions and the Support Exception Rules.

  3. You can then Activate the new agent management page or Cancel to continue using the Prevention Profiles to configure individual exceptions.

After the migration, you can Add a support exception rule or Add a legacy exception rule.