https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/allow-based-on-certifcate-issuer/m-p/547435#M4657 <P><SPAN><SPAN class="ui-provider bos bot c d e f g h i j k l m n o p q r s t bou bov w x y z ab ac ae af ag ah ai aj ak">We are currently having an issue with our database disk images being blocked that are set on rotation cycles. The file name and the hash changes incrementally. All our disk images are signed, using a certificate by the issuer; this was used previously to stop these executables from being blocked.</SPAN></SPAN></P> <P><SPAN><SPAN class="ui-provider bos bot c d e f g h i j k l m n o p q r s t bou bov w x y z ab ac ae af ag ah ai aj ak">Is there a way to exclude or allow based on the certificate issuer?</SPAN></SPAN></P> Tue, 27 Jun 2023 15:24:23 GMT mssp_ctunks 2023-06-27T15:24:23Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/allow-based-on-certifcate-issuer/m-p/547435#M4657 <P><SPAN><SPAN class="ui-provider bos bot c d e f g h i j k l m n o p q r s t bou bov w x y z ab ac ae af ag ah ai aj ak">We are currently having an issue with our database disk images being blocked that are set on rotation cycles. The file name and the hash changes incrementally. All our disk images are signed, using a certificate by the issuer; this was used previously to stop these executables from being blocked.</SPAN></SPAN></P> <P><SPAN><SPAN class="ui-provider bos bot c d e f g h i j k l m n o p q r s t bou bov w x y z ab ac ae af ag ah ai aj ak">Is there a way to exclude or allow based on the certificate issuer?</SPAN></SPAN></P> Tue, 27 Jun 2023 15:24:23 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/allow-based-on-certifcate-issuer/m-p/547435#M4657 mssp_ctunks 2023-06-27T15:24:23Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/allow-based-on-certifcate-issuer/m-p/547451#M4659 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/215992">@mssp_ctunks</a>,</P> <P>&nbsp;</P> <P>Thanks for reaching out on LIVEcommunity.</P> <P>&nbsp;</P> <P>I can definitely see how this issue would cause some headaches.&nbsp; I would recommend adding the exception as a folder instead of a file since the names and hashes change.&nbsp; If you can exclude the folder it should exclude any processes running within that folder.&nbsp; I'd like to caution you to be mindful that anything nested in the folder will be excluded as well.&nbsp; I'll leave some information about this right <A href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Add-a-Legacy-Exception-Rule" target="_self">here</A>.&nbsp;</P> <P>&nbsp;</P> <P>With the introduction of Cortex XDR 3.5 all of the exception have now been moved to the Global Exceptions Configuraiton which is accessible as seen below.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2023-06-27 at 11.24.14 AM.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/51226i8D5F8A8B8E6BB552/image-size/medium?v=v2&amp;px=400" role="button" title="Screenshot 2023-06-27 at 11.24.14 AM.png" alt="Screenshot 2023-06-27 at 11.24.14 AM.png" /></span></P> <P>&nbsp;</P> <P>I would just caution that you test this method to verify it's validity before deploying to a production environment.</P> <P>&nbsp;</P> <P data-unlink="true">Lastly, If that doesn't work out properly.&nbsp; I highly suggest reaching out to <A href="https://support.paloaltonetworks.com/Support/Index" target="_self">support</A>&nbsp;&nbsp;as they should be able to provide you with support exception to deal with your issue specifically.</P> <P data-unlink="true">&nbsp;</P> <P data-unlink="true">I hope you find this information helpful.</P> <P data-unlink="true">&nbsp;</P> <P data-unlink="true">Have a great day!</P> Tue, 27 Jun 2023 16:27:11 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/allow-based-on-certifcate-issuer/m-p/547451#M4659 anlynch 2023-06-27T16:27:11Z