Manage endpoint prevention profiles - Administrator Guide - Cortex XSIAM - Cortex CLOUD

Cortex Cloud Runtime Security Documentation

Product: Cortex Cloud Application Security > Cortex CLOUD
License: Cloud Runtime Security
Creation date: 2024-12-24
Last date published: 2026-06-10
Category: Administrator Guide
Abstract

You can manage the endpoint prevention profiles of your Cortex XDR agent endpoints in various ways, including editing, duplicating, and populating endpoint prevention policy rules.

After you create and customize your endpoint prevention profiles, you can manage them from the Prevention Profiles page as needed.

Before you modify or delete a profile, you can check which policy rules, if any, use the profile.

  • From Inventory > Endpoints > Policy Management > Prevention > Profiles, right-click the profile and select View policy Rules.

    Cortex Cloud opens the Prevention Policy Rules page on a new tab. This page is filtered, and only displays the rules that use the profile that you selected.

Edit a profile:

  1. From Inventory > Endpoints > Policy Management > Prevention > Profiles, right-click the profile and select Edit.

  2. Make your changes, and then click Save.

Export a profile:

  1. From Inventory > Endpoints > Policy Management > Prevention > Profiles, right-click the profile and select Export Profile.

  2. Click Export. The profile is downloaded to your computer.

Duplicate a profile:

  1. From Inventory > Endpoints > Policy Management > Prevention > Profiles, right-click the prevention profile and select Save as New. A new profile is displayed, containing the values from the profile that you selected.

  2. Edit the profile name and description, edit any values that you want to change, and then click Create.

  3. Populate a new prevention policy rule with your new profile.

Delete a profile:

  1. If necessary, delete or detach any policy rules that use the profile before attempting to delete it.

  2. From Inventory > Endpoints > Policy Management > Prevention > Profiles, locate the profile that you want to remove. The profile's Usage Count cell must have a 0 (zero) value.

  3. Right-click the prevention profile and select Delete.

  4. To confirm the deletion, click Yes.

Populate a new prevention policy rule:

  1. From Inventory > Endpoints > Policy Management > Prevention > Profiles, right-click the profile and select Create a new policy rule using this profile.

    Cortex Cloud automatically populates the Platform selection based on your profile configuration, and assigns the profile based on the profile type.

  2. For Policy Name, enter a meaningful name, and optionally, add a description for the policy rule.

  3. Assign any additional profiles that you want to apply to your policy rule, and click Next. A list of endpoints is displayed.

  4. Select the target endpoints for the policy rule, or use the filters to define criteria for the policy rule to apply, and then click Next.

  5. Review the policy rule summary, and then click Done.

Create a new prevention policy rule for a serverless function:

  1. From Inventory > Endpoints > Policy Management > Prevention > Profiles, right-click the profile and select Create a new policy rule using this profile.

    Cortex Cloud automatically populates the Platform selection based on your profile configuration, and populates the Restrictions selection with the selected profile.

  2. For Policy Name, enter a meaningful name, and optionally, add a description for the policy rule, and then click Next.

  3. Use the filters to define criteria for the policy rule to apply, and then click Next.

    Select from the following function parameters:

    • Cloud provider

    • Region

    • Runtime

    • Function version

    • Endpoint name

  4. Review the policy rule summary, and then click Done.

Note

The filter is stored within the policy definition and assessed during runtime to extract the functions that match the filter criteria.

View information about your endpoint prevention profiles

The following table displays the fields that are available on the Prevention Profiles page, in alphabetical order. The table includes both default fields and additional fields that are available in the column manager. To view this page, go to Inventory > Endpoints > Policy Management > Prevention > Profiles.

| Field | Description |
| Associated Targets | The endpoints or endpoint groups to which the profile is assigned |
| Created By | The administrator who created the prevention profile |
| Created Time | The date and time at which the prevention profile was created |
| Description | An optional description entered by an administrator to describe the prevention profile |
| Modification Time | The date and time at which the prevention profile was modified |
| Modified By | The administrator who modified the prevention profile |
| Name | The prevention profile name |
| Profile ID | The ID assigned to the profile by Cortex Cloud |
| Summary | Summary of prevention profile configuration |
| Type | The prevention profile type, such as Malware or Agent Settings |
| Usage Count | The number of policy rules that use the profile. If you want to delete a profile, ensure that this cell displays "0". |