11-20-2020 01:01 AM
Hi @JimWaZ
My name is Or and I'm from the XDR PM group.
Allow me to explain.
The right click --> exclusion option is meant to quickly hide FPs but it does not create any policy or changes anything. It will not suppress future alerts of the same type, nor will it cause them to not fire. It's just for that one alert.
The reason the process is different for an exception is because we want to allow the granularity of choosing who gets this exception. You can do it by profile + policy, hence only some machines get it (so according to your example, in some sections of the company a coffee cup will be able to change channels and in others it won't), or apply it to all endpoints as a global exception. There are many cases in which you need more granular policies like this.
Another, more specific, option is to add a hash to the allow list, which can be used for cases where you know the hash and you don't expect it to change. It probably won't be effective in cases where dev teams build/test a lot of code.
I hope it helps, but if you want, I'd be happy to have a session with you to dive deeper into this and listen to any feedback you may have, as we're always happy to get any feedback and improve our workflows.
Please email me if you are interested at ocohen@paloaltonetworks.com
Or