When to use policy changes or alert exceptions



L2 Linker



When a BTP rule is blocking a process, when do we create a policy change and allow the process, and when do we create an alert exception to allow the process?


L5 Sessionator

Hi @Aiman_Fathima ,


Thank you for reaching out to LIVEcommunity!


When a BTP rule is blocking a process and you consider this activity a false positive, you can create an alert exception for the change without changing any configuration in the policy itself. Right-click on the alert > Manage alert > Create Alert exception. You can choose from a list of parameters by checking the boxes (like SHA256, signer, cgo, cgo cmdline params, etc.) to make a logical, granular condition. Choose the exception scope (profile, for the specific set of endpoints using that profile in a policy, or global, for all endpoints).


This in turn disables the rule within the BTP module triggering the alert and cripples it for the execution of parameters and endpoints you defined above. If this behaviour is expected for a larger set of endpoints in your environment and is not a one-off event, you can retrieve the alert data and reach out to our Palo Alto Networks Technical Assistance Center for content whitelisting or support-based exceptions.


Once the engineering team determines the event to be a false positive and globally applicable, they would release the fix in a content update, and you can disable the alert exception you created once you ensure your endpoints get the content version with the fix.


Hope this helps!


Best regards.

Hello Neelrohit, 


Thank you for your information. Maybe this information could find a way to the documentation with a nice cheat sheet?

We are a little bit confused about the broad possibilities to exclude alerts, processes, etc.






Thanks for the clarification.

Could you please give us more of an idea about when to use "Malware" profile based whitelisting and when to use "Exception" profile based whitelisting?

L5 Sessionator

@Aiman_Fathima and @RFeyertag ,


This indeed is a broad question, as Cortex XDR has umpteen malware alert categories that can trigger, and those can be treated by using methodologies (exceptions and file path whitelists) in different use cases. I would suggest that you kindly reach out to your Professional Services Consultant/Customer Success Architect or SE for a detailed discussion on the same, to outline the use cases and their recommended practice mechanisms.


Best Regards.



Hi @RFeyertag , 


Thank you for reaching out to us and for your suggestions! Please see my response below to the question. We will try to see if that is possible or not, as exposing operations mechanisms for a security tool on an open forum could turn out to be a security issue. However, we will try our best for the future lineup.


For now I would recommend that you kindly reach out to your Professional Services Consultant/Customer Success Team/SE for the same.


