Learn how to configure exceptions from your baseline policy.
To allow full granularity, Cortex XSIAM enables you to create exceptions from your baseline policy. With these exceptions, you can remove specific folders or paths from evaluation, or disable specific security modules. You can configure exception rules for Cortex XSIAM protection and prevention actions in a centralized location, and apply them across multiple profiles. The exceptions can be configured from → .
Alert Exclusion rules specify match criteria for alerts that you want to suppress.
IOC/BIOC Suppression rules exclude one or more indicators from an IOC or BIOC rule that takes action on specific behaviors.
Disable Injection and Prevention rules specify exceptions that bypasses a process from prevention modules and injections.
Disable Prevention rules specify granular exceptions to prevention actions triggered for your endpoints.
Legacy Agent Exceptions define prevention profile exception rules for all endpoints.
Support Exception rules generate exceptions based on files provided by the support team.
Prior to Cortex XSIAM version 1.3, Legacy Agent Exceptions and Support Exceptions were configured through their relevant profiles.
Starting with version 1.3, Cortex XSIAM enables you to manage the Legacy Agent Exceptions and Support Exception configurations from a central location and easily apply them across multiple profiles in the Agent Exceptions Management page.
To manage the Prevention profile exceptions from Exception Configuration, you must first migrate your existing exceptions configured via profiles. Your existing exception profiles are migrated per module.
Cortex XSIAM simulates the migration to enable you to review the results before activating the migration.
Select Start Simulation.
→ → and clickReview the Legacy Agent Exceptions and the Support Exception Rules.
You can then Activate the new agent management page or Cancel to continue using the Prevention Profiles to configure individual exceptions.
Important
If you don't migrate the legacy exceptions, you can continue to create exceptions through the profiles.
After the migration, you can Add a support exception rule or Add a legacy exception rule.