How to create an Exception from a security event

Document created by Steve McBride on Mar 31, 2015. Last modified by Rémi Le Mer on Oct 9, 2019.
Version 4

Exceptions are made for managing false-positive or false-negative events.

The addition of the Exception subsystem to the Qualys WAF service provides significantly more flexibility in service management and security policy management than was previously available. This functionality allows the user to highlight a particular security event that WAF has detected and create an exception from it, essentially telling the WAF that this event is not important in the user's environment, so it should not be blocked in the future. The workflow for creating an exception is very simple and begins with the Events List in the WAF module. Simply highlight the event that you'd like to create an exception from, and then use the Quick Action drop-down to choose "Create Exception."




The system will then generate an exception:




As with virtual patches, the creation of an exception can be confirmed in two locations. First, simply look at the events list that the exception was created from. An exception icon (circled here in orange) will now be present and attached to the event:



Also, by clicking Security and then Rules, the creation of the exception can be further confirmed:



Once created, the Exception will be deployed to the WAF appliances that are protecting the application where the event was detected. Exceptions can be removed either from the Security/Rules screen, or by looking at the original source event and choosing to remove the Exception there. Note that the event from which the Exception was created will no longer be available after a month (retention period).


As with Virtual Patches, Exceptions are deployed independently of any security policy configuration, meaning changes to the underlying security policy will not change the function of a created Exception. Also note that Rules (vpatches, exceptions and user custom rules) take precedence over the Policy in place (template or manual policy, and HTTP profiles).
