Creating exceptions for findings
Use exceptions to exclude certain scan results from compliance and vulnerability findings. Exclusions may be needed in situations when endpoints aren’t exploitable or certain risks are determined to be acceptable, and you no longer want to see those scan results in findings. Excepted configurations are still scanned for, but their results are hidden unless you select to show them. You can also configure reports and exports to exclude excepted findings.
Before you begin
- To view and edit exceptions, the following RBAC permissions are required: Comply Exception Read and Comply Exception Write.
- Exceptions are not intended to hide an overly large number of findings. They are intended to narrowly target specific findings that you no longer wish to see in reports.
- After an exception is created, if new endpoints are added that meet the criteria, those endpoints are automatically included in the exception, although it may take several minutes for that to be reflected in findings.
- The number of endpoints listed in the data grid for each Exception may appear higher than expected. This number will likely be larger than the actual number of endpoints listed in the Preview and larger than the actual number of endpoints listed in Findings. This is because the total number of endpoints that match the Exception targeting criteria includes managed and unmanaged endpoints as well as endpoints both with and without findings.
Configure exceptions
You can configure exceptions directly from the list of compliance and vulnerability findings. When you create an exception from findings, filtering and endpoint data (if available) are automatically included in the configuration. You can also create an exception from scratch by navigating to the Exceptions page in the Comply menu.
Configure exceptions from Findings
For Compliance findings, you can create exceptions from the Rule tab and from the All Findings tab. For Vulnerability findings, you can create exceptions from the Check ID tab and the All Findings tab.
If you create an exception from the All Findings tab, endpoint information is also automatically included in the exception. If you select multiple findings from the All Findings tab, and those findings have different endpoints, multiple exceptions will be created, one for each endpoint. See Configure exceptions from All Findings (multiple endpoints).
- Select Findings from the Comply menu.
- Select the check box for one or more findings for which you want to create an exception. An exception means that the configurations are still scanned for, but their results are hidden unless you select to show them.
- Click the Create Exception button.
- In the Details section of the Create Exceptions window, provide the following:
- Enter a unique Name.
- Enter a Description.
- Select a Reason for the exception: Acceptable Use, Acceptable Risk, Compensating Control, False Positive, or Other. If you select Other, make sure to enter your reasoning in the Description field above.
- Optionally, enter an Expiration Date. (Never is the default.)
- The Filtering Criteria is automatically populated from the selected findings. Filters are the findings that will be excepted. If you select multiple findings, criteria from each selected finding are included. You can edit the filtering criteria, add rows and groups, or delete values.
- In the Target section, if you created the exception from the All Findings tab, the endpoint is automatically added under Additional Filter Criteria. You can edit or add endpoints as follows:
- Click Select Computer Groups and select one or more groups that were defined in the Administration section of the Tanium Console. See Tanium Platform User Guide: Managing Computer Groups. To search for a group, type the first few letters of the group into the search field.
- Optionally, select Additional Filtering Criteria: This further filters down from the selected computer groups.
- None
- Ask a Question: Enter a filter question.
- Define a Rule: Add rows and groupings to build a filter.
- Specify Individual Endpoints: Enter or paste a comma-separated list of computer names into the provided field. This list must be no longer than 50 computers.
- Click Show Preview to review potential findings that match the filters and targeting criteria. Edit the criteria if necessary or click Save to create the exception. After you save the exception, you return to the Findings page and the newly created exception is applied. Any scans that meet the criteria will no longer appear in the list. They will not appear in reports or exports. Select the Show Excepted Findings check box to see all excepted findings again and include them in reports.
You might not have access to all computer groups that appear in the target list. Click All and Available in the target window to see every computer group or only the ones that you have permissions to view. Additionally, rules might limit your access to computers within the groups you select.
Navigate to Exceptions in the Comply menu to view or edit the exception you created. The side panel for each exception provides configuration and targeting details.
When you use Tanium Connect to export findings, you have the option to Include excepted findings in exports. See Exporting findings and assessments.
Configure exceptions from All Findings (multiple endpoints)
If you select multiple findings from the All Findings tab, and those findings have different endpoints, multiple exceptions will be created, one for each endpoint. The following configuration items are different for exceptions with multiple endpoints.
- Rather than configuring a Name, you configure a Base Name. With a base name, when the exceptions are created, each exception will be named as follows: <base name>-<endpoint>-<current timestamp>.
- You cannot edit filtering criteria from the exception creation page. Endpoints are listed individually along with read-only data from the findings. After you click Save, you are returned to findings and the newly created exceptions are applied. You can edit each individual exception from the Comply > Exceptions page.
Configure exceptions from scratch
To configure exceptions, do the following:
- Select Exceptions from the Comply menu.
- In the Details section, provide the following:
- Enter a unique Name.
- Enter a Description.
- Select the scan Type you are creating this exception for: Compliance or Vulnerability.
- Select a Reason for the exception: Acceptable Use, Acceptable Risk, Compensating Control, False Positive, or Other. If you select Other, make sure to enter your reasoning in the Description field above.
- Optionally, enter an Expiration Date. (Never is the default.)
- Optionally, change the State from Active (the default) to Inactive. With Active, the exception goes into effect immediately. With Inactive, it does not go into effect upon creation, but you can save it to use at a later time.
- In the Filters section, enter Filtering Criteria. These are the findings that will be excepted and are specific to either compliance or vulnerability assessments depending on which finding type is selected. Select an Attribute, Operator, and Value. Click the + plus sign to add another row or group. For the Value field, begin typing and potential matches appear.
- In the Target section, do the following:
- Click Select Computer Groups and select one or more groups that were defined in the Administration section of the Tanium Console. See Tanium Platform User Guide: Managing Computer Groups. To search for a group, type the first few letters of the group into the search field.
- Optionally, select Additional Filtering Criteria: This further filters down from the selected computer groups.
- None
- Ask a Question: Enter a filter question.
- Define a Rule: Add rows and groupings to build a filter.
- Specify Individual Endpoints: Enter or paste a comma-separated list of computer names into the provided field. This list must be no longer than 50 computers.
- Click Show Preview to review potential findings that match the filters and targeting criteria. Edit the criteria if necessary or click Save to create the exception.
You might not have access to all computer groups that appear in the target list. Click All and Available in the target window to see every computer group or only the ones that you have permissions to view. Additionally, rules might limit your access to computers within the groups you select.
After the exception is created, go to Findings for compliance or vulnerability scans. Any scans that meet the criteria will no longer appear in the list. They will not appear in reports or exports. Select the Show Excepted Findings check box to see all excepted findings again and include them in reports.
When you use Tanium Connect to export findings, you have the option to Include excepted findings in exports. See Exporting findings and assessments.
Export exceptions list
To export the list of exceptions, do the following:
- Select Exceptions from the Comply menu.
- From the list view, click the Export button and select Export to CSV or Copy to clipboard.
Filter the list of exceptions by clicking on Filters and entering filter criteria such as Name, Description, Type, Reason, Endpoints, Created On, Modified On.
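The exported CSV can be used for a periodic review of exceptions that hide findings indefinitely or too broadly. The following is an added example, not part of the product or its documentation; the column headers, the sample rows, and the endpoint threshold are assumptions to adjust to your own export.

```python
import csv
import io

# Column names are assumptions about the exported CSV header; match them to your export.
COL_NAME, COL_DESC, COL_REASON = "Name", "Description", "Reason"
COL_ENDPOINTS, COL_EXPIRES = "Endpoints", "Expiration Date"
MAX_ENDPOINTS = 100  # hypothetical review threshold, not a product limit

# Constructed sample rows, not real export data.
SAMPLE_CSV = """Name,Description,Type,Reason,Endpoints,Expiration Date
bitlocker-dev-win10,Dev systems cannot use BitLocker,Compliance,Compensating Control,12,2024-06-30
tomcat-legacy,,Vulnerability,Other,8,Never
all-servers-cve,Hide noisy findings,Vulnerability,Acceptable Risk,4200,Never
"""

def audit_exceptions(csv_text, max_endpoints=MAX_ENDPOINTS):
    """Return {exception name: [review flags]} for rows that need a second look."""
    flagged = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        flags = []
        # "Never" is the default expiration, so the exception hides findings indefinitely.
        expires = (row.get(COL_EXPIRES) or "").strip()
        if expires == "" or expires.lower() == "never":
            flags.append("no-expiration")
        # Reason "Other" is expected to carry its justification in the Description.
        reason = (row.get(COL_REASON) or "").strip().lower()
        if reason == "other" and not (row.get(COL_DESC) or "").strip():
            flags.append("other-without-description")
        # The grid count includes unmanaged endpoints and endpoints without findings,
        # so treat it as an upper bound on how much the exception can hide.
        try:
            count = int((row.get(COL_ENDPOINTS) or "0").replace(",", ""))
        except ValueError:
            count = None
            flags.append("unparseable-endpoint-count")
        if count is not None and count > max_endpoints:
            flags.append("broad-target")
        if flags:
            flagged[(row.get(COL_NAME) or "").strip()] = flags
    return flagged

if __name__ == "__main__":
    for name, flags in audit_exceptions(SAMPLE_CSV).items():
        print(f"{name}: {', '.join(flags)}")
```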
Exception examples
The following are possible situations for using compliance and vulnerability exceptions.
Compliance finding exception example
You have a set of developer systems running Windows 10, but due to how they are used, you cannot configure BitLocker on these systems. Rather than creating a custom profile and a separate assessment for these endpoints, you create an exception for all BitLocker rules for compliance assessments on those Windows 10 developer systems.
Vulnerability finding exception example
You have a set of servers running an old version of Tomcat. You cannot update Tomcat because the custom application you are running will not work on newer versions of Tomcat. You're tired of seeing findings about Tomcat on those machines, therefore you create an exception that hides those findings.
Last updated: 9/26/2023 2:04 PM