Configure the Identity Profile to unify the AD-SPM, Conditional Access, and LDAP Protection controls in one centralized hub.
Notice
Requires the ITDR add-on.
The identity profile serves as a centralized hub for defining and enforcing your organization's identity security policies on Domain Controllers. It is an integral part of the onboarding flow for setting up identity security. This profile allows you to configure and manage critical controls from a single, unified interface. By consolidating these settings, you can streamline your workflow, reduce configuration errors, and maintain a consistent identity security posture across your environment. This profile is available for Windows environments, and must be mapped to policies for Domain Controller endpoints.
Note
The identity profile is available on Cortex XSIAM 3.5, Cortex XDR 5.1, and Cortex Cloud Runtime 2.1 or later, and requires Cortex XDR agent version 9.1 or later. This feature is not available on Cortex XSIAM 2.x or Cortex XDR 3.x tenants.
In environments with mixed agent versions, you can assign policies containing an identity profile; however, any agents running versions earlier than 9.1 will ignore these settings.
To customize the configuration for specific Cortex XDR agents, configure a new identity prevention profile and assign it to one or more policy rules defined specifically for Domain Controller endpoints.
Add a new profile and define basic settings.
From Cortex XDR, select → → → → . Click +Add Profile, and select whether to create a new profile or import a profile from a file.
Note
New profiles based on imported profiles are added, and do not replace existing ones.
Select the Windows platform, and Identity as the profile type.
Click Next.
For Profile Name, enter a unique name for the profile. The name can contain only letters, numbers, or spaces, and must be no more than 30 characters. The name will be visible from the list of profiles when you configure a policy rule.
For Description, enter a profile description that provides additional context for the purpose or business reason for creating the profile. For example, you might include a case identification number or a link to a help desk ticket.
Configure LDAP Protection to analyze and act upon suspicious LDAP queries sent by endpoints to a Domain Controller. This feature is designed to detect and block Active Directory reconnaissance attacks. Use the toggle to enable or disable the feature.
Note
This feature takes effect only after a restart.
Item: Action Mode
Options: Block, Report, Disabled
More details: When the Cortex XDR agent detects suspicious attempts to query a Domain Controller, it performs the configured action.

Item: Monitor and Collect Domain Controller LDAP Events
Options: Enabled, Disabled
More details: When set to Enabled, the Cortex XDR agent collects information about LDAP queries and creates events for them. These events can be used to investigate suspicious LDAP queries.
To save the profile, click Create.
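The following script is an added illustration of how the two LDAP Protection settings in the profile (Action Mode and Monitor and Collect Domain Controller LDAP Events) combine when the agent sees a query. It is not the Cortex XDR agent's code or detection logic: the sample LDAP search records, the reconnaissance-style filter patterns, and the class and function names are constructed assumptions for the demo.

```python
"""Illustration of the identity profile's LDAP Protection settings:
Action Mode (Block / Report / Disabled) and Monitor and Collect Domain
Controller LDAP Events (Enabled / Disabled).  Added example code, not the
Cortex XDR agent's logic; the heuristics and records below are assumptions."""
from dataclasses import dataclass, field
import re

# Constructed sample of LDAP search requests as a Domain Controller might log them.
SAMPLE_QUERIES = [
    {"src": "10.0.0.5", "base": "DC=corp,DC=local", "scope": "subtree",
     "filter": "(sAMAccountName=jsmith)"},
    {"src": "10.0.0.77", "base": "DC=corp,DC=local", "scope": "subtree",
     "filter": "(&(objectCategory=person)(servicePrincipalName=*))"},
    {"src": "10.0.0.77", "base": "DC=corp,DC=local", "scope": "subtree",
     "filter": "(adminCount=1)"},
    {"src": "10.0.0.9", "base": "CN=Users,DC=corp,DC=local", "scope": "onelevel",
     "filter": "(objectClass=*)"},
]

# Assumed indicators of broad directory enumeration (illustrative, not the product's rules).
RECON_FILTERS = [
    re.compile(r"servicePrincipalName=\*", re.I),   # every account that has an SPN
    re.compile(r"adminCount=1", re.I),               # all protected/privileged accounts
]


def is_suspicious(q):
    """Flag subtree searches over the whole domain that match a recon-style filter."""
    domain_root = q["base"].upper().startswith("DC=")
    wide_scope = q["scope"] == "subtree"
    matches_recon = any(p.search(q["filter"]) for p in RECON_FILTERS)
    return domain_root and wide_scope and matches_recon


@dataclass
class LdapProtectionProfile:
    action_mode: str = "Report"    # Block | Report | Disabled
    collect_events: bool = False   # Monitor and Collect Domain Controller LDAP Events
    events: list = field(default_factory=list)
    alerts: list = field(default_factory=list)

    def handle(self, q):
        """Return 'allow' or 'block' for one query, recording events/alerts per the profile."""
        if self.collect_events:
            self.events.append(q)          # every query becomes an event when collection is on
        if self.action_mode == "Disabled" or not is_suspicious(q):
            return "allow"
        # Both Block and Report raise an alert; only Block stops the query.
        self.alerts.append({"src": q["src"], "filter": q["filter"], "mode": self.action_mode})
        return "block" if self.action_mode == "Block" else "allow"


def run(action_mode, collect_events, queries=SAMPLE_QUERIES):
    """Process the sample queries under one profile configuration.

    Returns (per-query decisions, number of alerts, number of collected events)."""
    profile = LdapProtectionProfile(action_mode, collect_events)
    decisions = [profile.handle(q) for q in queries]
    return decisions, len(profile.alerts), len(profile.events)


if __name__ == "__main__":
    for mode in ("Block", "Report", "Disabled"):
        print(mode, run(mode, collect_events=True))
```

Running the script shows the practical difference between the modes: Report keeps the alerts so the queries can be investigated but lets them through, Block additionally stops the flagged queries, and Disabled produces no alerts at all, while event collection is independent of the action mode and records every query when it is enabled.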