Cloud Criteria group assets by one or more tag keys within a single cloud account. Each unique tag key-value combination produces one application.
Single-account scope: Each Cloud Criteria is strictly confined to a single cloud provider (such as AWS, GCP, or Azure) and a single cloud account. The engine cannot cross provider or account boundaries. If you manage a multi-account or multi-cloud environment, you must create a separate Cloud Criteria for each individual provider-and-account combination.
Tag-driven metadata: Cloud Criteria support tag-sourced application metadata. The engine reads the application name, business criticality, business owner, and business unit from configured tag keys.
You can create Code Criteria using two available workflows: the tenant UI or the API. The steps below outline the tenant UI workflow.
Prerequisites
Data source: At least one cloud account (AWS, GCP, or Azure) onboarded as a Data Source with asset inventory enabled
RBAC role: You must have the AppSec Admin role, or a custom role with read/write access to application resources on ASPM (Criteria and Applications). Account Admin also has sufficient permissions but is broader than required.
SBAC: You can only create applications from VCS entities (Organizations, Projects, or Repositories) that are already included in your SBAC Asset Groups.
Under Modules, select → → → .
Configure the General step.
Select Cloud as the Criteria type.
Note
A single Criteria is strictly locked to one cloud provider at a time. You cannot mix assets from different cloud vendors into the same Criteria.
Provide a unique Criteria name (required) and description.
Click .
Configure the Define Criteria step of the wizard.
This step displays one provider tile per cloud provider that has at least one connected account. Each tile shows the provider icon, name, and an account count badge. If only one cloud provider has connected accounts, that tile is selected automatically. If two or more providers are connected, the tiles appear side by side, but only one can be selected.
Select a cloud provider tile: AWS, GCP, or Azure.
Only providers with at least one connected account are selectable. The first available provider is auto-selected when the step loads.
Cortex Cloud automatically retrieves all available tag keys from that provider.
Select the organizational tags you will use for automatic asset grouping.
Selection limit: Select between one and five tags.
Provider and Account scope: A Cloud Criteria applies to one provider and one account only (see the note below).
Grouping logic: When multiple tags are selected, an AND condition is applied. Only assets that contain all the chosen tag keys will be included in the resulting application. For example, selecting the tag keys service and environment produces one application per unique pair of tag values (service, environment) found in that account.
Asset eligibility: An asset participates in grouping only if it carries values for all selected tag keys. Assets missing one or more of your selected tag keys will be excluded from automatic grouping.
Note
One provider and account per Criteria: Cloud Criteria cannot cross provider types or account boundaries. A single Criteria applies to one provider and one account only. To cover a multi-account or multi-cloud estate (such as both AWS and GCP accounts), create a separate Cloud Criteria for each individual account.
Kubernetes (K8S) labels: Labels are only available as Criteria tag keys if your managed service (such as EKS, GKE, or AKS) exposes them as tags on the underlying cloud resources. If a label is not visible on the cloud resource, Criteria cannot use it. To verify available labels, check the cloud asset's tag list in Cortex Cloud.
Validation errors: You cannot create a duplicate Criteria. If you select a provider and tag key combination that matches an existing Criteria, validation will fail.
Click .
Configure the Metadata step.
Map application metadata: Map existing cloud tags to the application metadata fields below. This ensures that each automatically created application inherits the required security and business context from its grouped assets, reducing the need for manual updates after creation.
Application Name: Specifies which tag key should be used to derive the application name (for example, if you specify app-name as the source tag, applications will be named based on values found in the app-name tag).
Note
Application names must be unique. If two applications resolve to the same name (for example, two tag combinations both produce checkout), the engine appends a UTC timestamp suffix to the second one, for example, checkout_05_31_26_07:42:18, so it can be saved.
Business Criticality: Determines which tag key contains business criticality information (such as criticality). How it works: Extracts criticality levels (Critical, High, Medium, Low) from the specified tag and assigns the highest criticality level found across assets. If not specified or no value found, defaults to Medium.
Business Owner: Map to a tag key which contains business owner information, allowing you to define the entity responsible for the application (such as owner).
Business Unit: Map to a tag key containing business unit information, identifying the department within the organization that uses or owns the application (such as org).
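As an added illustration (not Cortex Cloud's own engine code), the following Python models the grouping and metadata rules described in the Define Criteria and Metadata steps: AND-matching on the selected tag keys, exclusion of assets missing any selected key, highest criticality across a group with a Medium default, and the UTC timestamp suffix for duplicate application names. The sample inventory, the fallback name when the name tag is absent, and the first-value rule for owner and unit are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample inventory for ONE provider and ONE account (not real data).
ASSETS = [
    {"id": "i-01", "tags": {"service": "checkout", "environment": "prod",
                            "criticality": "High", "owner": "payments", "org": "retail"}},
    {"id": "i-02", "tags": {"service": "checkout", "environment": "prod", "criticality": "Critical"}},
    {"id": "i-03", "tags": {"service": "checkout", "environment": "dev", "criticality": "Low"}},
    {"id": "i-04", "tags": {"service": "search"}},  # no 'environment' tag: excluded from grouping
    {"id": "i-05", "tags": {"service": "search", "environment": "prod", "criticality": "bogus"}},
]
CRITICALITY_RANK = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}
SAMPLE_NOW = datetime(2026, 5, 31, 7, 42, 18, tzinfo=timezone.utc)  # fixed clock for the demo


def group_assets(assets, group_keys):
    """AND condition: an asset joins a group only if it carries every selected tag key."""
    groups = defaultdict(list)
    for asset in assets:
        tags = asset["tags"]
        if all(k in tags for k in group_keys):
            groups[tuple(tags[k] for k in group_keys)].append(asset)
    return dict(groups)


def highest_criticality(assets, crit_key):
    """Highest recognised level across the group's assets; Medium when none is found."""
    found = [a["tags"].get(crit_key) for a in assets] if crit_key else []
    found = [lvl for lvl in found if lvl in CRITICALITY_RANK]
    return max(found, key=CRITICALITY_RANK.__getitem__) if found else "Medium"


def first_tag_value(assets, key):
    # Assumed rule: first value of `key` seen among the group's assets, else None.
    return next((a["tags"][key] for a in assets if key and key in a["tags"]), None)


def build_applications(assets, group_keys, name_key, crit_key=None,
                       owner_key=None, unit_key=None, now=None):
    """One application per unique tag-value tuple, enriched from the mapped tag keys."""
    now = now or datetime.now(timezone.utc)
    apps = {}
    for combo, members in group_assets(assets, group_keys).items():
        name = first_tag_value(members, name_key) or "_".join(combo)  # fallback is assumed
        if name in apps:  # duplicate name: append a UTC timestamp suffix so it can be saved
            name = f"{name}_{now.strftime('%m_%d_%y_%H:%M:%S')}"
        apps[name] = {"tags": dict(zip(group_keys, combo)), "assets": [m["id"] for m in members],
                      "business_criticality": highest_criticality(members, crit_key),
                      "business_owner": first_tag_value(members, owner_key),
                      "business_unit": first_tag_value(members, unit_key)}
    return apps


def demo():
    return build_applications(ASSETS, ["service", "environment"], "service",
                              "criticality", "owner", "org", now=SAMPLE_NOW)
```

Running `demo()` yields three applications: `checkout` (prod), a second one renamed `checkout_05_31_26_07:42:18` (dev), and `search`; asset i-04 appears in none of them because it lacks the environment tag.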
Select .
The configured values are assigned to their corresponding application fields, creating the criteria set and ensuring that mapped metadata is applied to all matching assets. The engine evaluates matching cloud resources and enriches each generated application with its connected assets to reflect the full Code-to-Cloud context.
Code-to-Cloud mapping: Applications automatically link to related code assets (such as repositories, branches, and pipelines). This delivers a unified Code-to-Cloud view across policies, Urgency, and the Applications page.
Verification
On the Business Applications page, confirm the success notification is displayed, and that the newly created applications, based on the defined criteria, are displayed in the list. You may need to wait some time for the applications to populate, especially for large applications gathering substantial data.