Correct Way to Add Cortex Exclusions

L0 Member

Often, we get requests from application admins and their vendors to exclude an application or folder from the anti-virus or security software. In the past, we have entered these requests into the Allow List of the related Malware Profile (which has since been migrated to Legacy Exclusions). I am not sure whether this is the correct way to enter an exclusion.

 

https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-4.x-Documentation/Exception-configu...
I have tried reading this documentation. It seems like an "Issue Exception" might be what I'm looking for, but I don't know. In our XDR portal, I click Settings > Exception Configuration, but we seem to be missing the Issue Exception menu?

 

Here is a fictional example:
Let's say a vendor, XYZ Company, owns the application "Greatest Software". They suggest adding an exception in our security software / anti-virus (Cortex) for "c:\program files\xyz company\software.exe" and a folder named "c:\AppData\xyz company\*". How would this be entered into Cortex?

 

We get these requests once in a while and just want to get it "right" the first time. Thanks for the help/info! 😃


L5 Sessionator

Hello @DarykHall ,

 

Thanks for reaching out on LIVEcommunity. Exception and exclusion in XDR are two different things with different use cases.

Exception -> This basically means whitelisting an application based on various parameters like file/folder path, signer, etc. When you create an exception, the prevention capability of XDR will be disabled and no alerts will be generated.

Exclusion -> This only turns alert generation off, but the prevention capability will stay on. The use case for this is to ignore alerts that you know are being generated because of an application misconfiguration, or vulnerability alerts that you are aware of and will patch after a certain period of time.

 

For your use case, exception is the correct choice. You will find the exception menu under Settings -> Exception Configuration.

Note: Please create exceptions as granular as possible and review them on a regular basis to prevent any misuse.

L5 Sessionator

Hi @DarykHall 

 

First of all, please realize that Exclusion and Exception are different concepts in XDR.

 

XDR is a multi-method detection tool. Depending on the module that is triggering the alerts, the exceptions will have to be created accordingly. So there is no single way to create exceptions by which you can trust the application or the application vendor in security aspects.

As a result, we have granular exception creation processes, which ensure we are able to achieve maximum availability alongside the minimal required security. This ensures the least number of false positives and maximum security coverage (supply chain attacks).

 

Additionally, exceptions reduce security coverage, so we might create an exception for a true positive.

In the use case you propose, it will depend on the module that is blocking your software; the exception should be created in one way or another accordingly.

I would recommend identifying the specific module that created the alert (in the alerts table) and then selecting the proper module in the legacy exception creation window.

 

Please check the doc you already linked to see how to proceed depending on the specific use case:

https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-4.x-Documentation/Exception-configu...

 

If you feel this has answered your query, please let us know by clicking Like and "Mark this as a Solution". Thank you.

 

KR,

Luis
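As an added example that is not part of the thread and not Palo Alto Networks tooling: a small Python triage script for a request like the one in the question. It applies the granularity note from the first reply (flag wildcards, top-level folders and user-writable locations, and prefer pinning the entry to a signer or hash) and the advice in the second reply to find the module that raised the alert before picking where the exception goes. The alert records and their field names are constructed here; a real alerts-table export uses different names, and it is assumed that `*` in a Cortex exception path behaves like `fnmatch`.

```python
"""Triage a vendor's exclusion request before it goes into Cortex XDR.

Added example, not code from the thread or from Palo Alto Networks. It
assumes the relevant alerts were exported from the XDR alerts table into
dicts with the keys `module`, `action`, `file_path`, `signer` and `sha256`
(field names assumed; real exports differ) and that the request lists
plain Windows paths, optionally ending in `*`.
"""
import fnmatch
import ntpath
from collections import defaultdict

# Folders a standard user can write to. A wildcard exception over one of
# these lets anything later dropped there inherit the exception.
USER_WRITABLE_DIRS = ("\\appdata\\", "\\temp\\", "\\tmp\\", "\\programdata\\",
                      "\\users\\public\\", "\\downloads\\")

# Constructed sample data mirroring the vendor request in the question.
REQUESTED_PATTERNS = [r"C:\Program Files\XYZ Company\software.exe",
                      r"C:\AppData\XYZ Company\*"]
SAMPLE_ALERTS = [
    {"module": "Behavioral Threat Protection", "action": "Prevented (Blocked)",
     "file_path": r"C:\Program Files\XYZ Company\software.exe",
     "signer": "XYZ Company, Inc.", "sha256": "a1" * 32},
    {"module": "Behavioral Threat Protection", "action": "Prevented (Blocked)",
     "file_path": r"C:\Program Files\XYZ Company\software.exe",
     "signer": "XYZ Company, Inc.", "sha256": "a1" * 32},
    {"module": "Local Analysis", "action": "Detected (Reported)",
     "file_path": r"C:\AppData\XYZ Company\updater.tmp",
     "signer": None, "sha256": "b2" * 32},
    {"module": "WildFire", "action": "Detected (Reported)",
     "file_path": r"C:\Users\alice\Downloads\setup.exe",
     "signer": None, "sha256": "c3" * 32},
]


def normalise(path):
    """Collapse separators and case so Windows paths compare reliably."""
    return ntpath.normpath(path.strip()).lower()


def assess_pattern(pattern):
    """Return ("ok" | "too broad", reasons) for one requested path/pattern."""
    p = normalise(pattern)
    reasons = []
    if "*" in p or "?" in p:
        reasons.append("wildcard: also covers files that do not exist yet")
    if p.rstrip("\\").count("\\") <= 1:
        reasons.append("covers a drive root or a top-level folder")
    if any(d in p + "\\" for d in USER_WRITABLE_DIRS):
        reasons.append("folder is writable by a standard user")
    if reasons:
        return "too broad", reasons
    return "ok", ["single fixed file; pin it to the signer or SHA256 as well"]


def match_alerts(alerts, patterns):
    """Group the alerts a request would cover by the module that raised them.

    fnmatch's `*` crosses folder boundaries, so `folder\\*` covers subfolders.
    """
    pats = [normalise(x) for x in patterns]
    groups = defaultdict(lambda: {"count": 0, "actions": set(),
                                  "signers": set(), "hashes": set()})
    for alert in alerts:
        path = normalise(alert["file_path"])
        if any(fnmatch.fnmatchcase(path, pat) for pat in pats):
            g = groups[alert["module"]]
            g["count"] += 1
            g["actions"].add(alert["action"])
            g["signers"].add(alert["signer"] or "unsigned")
            g["hashes"].add(alert["sha256"])
    return dict(groups)


def triage(alerts, patterns):
    """Produce the review lines for the ticket: one per pattern, one per module."""
    lines = []
    for pattern in patterns:
        verdict, reasons = assess_pattern(pattern)
        lines.append(f"{pattern}: {verdict} ({'; '.join(reasons)})")
    groups = match_alerts(alerts, patterns)
    if not groups:
        lines.append("no alerts match: nothing is being blocked, no exception needed")
    for module, g in sorted(groups.items()):
        lines.append(f"{module}: {g['count']} alert(s), actions={sorted(g['actions'])}, "
                     f"signers={sorted(g['signers'])}, hashes={sorted(g['hashes'])} "
                     f"-> create the exception for this module in "
                     f"Settings > Exception Configuration")
    return lines


if __name__ == "__main__":
    for line in triage(SAMPLE_ALERTS, REQUESTED_PATTERNS):
        print(line)
```

On the sample data the fixed `software.exe` path passes, while the `C:\AppData\XYZ Company\*` entry is flagged twice (wildcard plus a user-writable folder), and the alerts split between two modules, which is exactly the case where one exception will not cover the request. The unsigned `updater.tmp` alert under the wildcard folder is the kind of hit worth sending back to the vendor rather than excepting.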
