Device control - Administrator Guide - Cortex XDR

Product: Cortex XDR
Creation date: 2024-03-06
Last date published: 2024-10-01
Category: Administrator Guide

Abstract

Protect your Windows and macOS-based endpoints from malicious USB-connected removable devices, (Windows only) from Bluetooth devices, and from unwanted print jobs.

By default, all external USB and Bluetooth devices can connect to your Windows and macOS-based Cortex XDR endpoints, and all print jobs are allowed. Removable devices such as disk drives, CD-ROM drives, floppy disk drives, portable devices, and Bluetooth devices can carry malicious files, so Cortex XDR provides device control to block them. Selected types of print jobs can also be blocked.

Using device control, you can:

  • (Windows and macOS) Block all supported USB-connected devices for an endpoint group.

  • (Windows and macOS) Block a USB device type while allow-listing specific vendors (optionally narrowed to a product or a serial number) whose devices remain accessible from the endpoint.

  • (Windows only) Block connections to Classic Bluetooth devices or Low Energy Bluetooth services. These are two different Bluetooth protocols used for short-range wireless connections.

    • Some examples of Classic Bluetooth devices include: laptop computers, tablets, telephones, audio/video devices, wearables, peripherals, imaging devices, health devices, toys, and so on.

    • Some examples of Low Energy Bluetooth devices include: telephone alert status, microphone control, health sensors, insulin delivery, location and navigation, object transfer, and so on.

  • Temporarily block only some device types on an endpoint.

    • USB devices (Windows and macOS)

    • Bluetooth devices (Windows only)

  • (Windows and macOS) Block some, or all, print jobs to local or network printers, or to file.

Note

Depending on your defined user scope permissions, creating device profiles, policies, exceptions, and violations may be disabled.

The following are prerequisites to enforce device control policy rules on your endpoints:

  • Windows: For VDI with VMware Horizon, you must disable Sharing > Allow access to removable storage in your VMware Horizon client settings.

  • macOS: No prerequisites.

  • Linux, Android, iOS: Not supported.

The following limitations apply to device control on your endpoints:

  • Windows, VDI:

    • Virtual environments use different device stacks that might not be subject to the Device Control policy rules enforced by the Cortex XDR agent, so USB devices may be able to connect to the VDI instance despite the configured policy rules.

    • The Cortex XDR agent provides best-effort enforcement of the Device Control policy rules on VDI instances that are running on physical endpoints where a Cortex XDR agent is not deployed.

    • For Citrix Virtual Apps and Desktops, Cortex XDR Device Control is supported on generic virtual channels only.

  • Windows, Bluetooth:

    • Serial number queries are not supported.

    • If a profile is set to block specific Bluetooth Low Energy (BLE) services, Cortex XDR blocks only the services set to Block, not the entire device. If a device exposes multiple services, some of them might still be accessible while others are blocked.

    • Cortex XDR attempts to aggregate all related BLE services so that they appear under a single logical Bluetooth device control violation report. However, some Bluetooth devices might be reported in a separate violation report because of the way these devices are paired in the Windows operating system and because they reside outside the device container.

    • Cortex XDR cannot block low energy services or report device control violations on devices that do not report any LE services. Such devices can, however, be blocked completely by setting the entire Bluetooth device type to Block.

    • Exceptions can only be created when the Vendor field for the device is available in a violation report.

    • Exceptions for specific BLE devices cannot be created from a violation report. Exceptions for such devices can only be created by disabling the blocked LE services in the policy.

    • If a Bluetooth device vendor is registered with a USB vendor ID (assigned by the USB Implementers Forum) but is not registered as a Bluetooth vendor, exceptions cannot be created from a violation report. An alternate method is to create a separate profile for the endpoints that use these Bluetooth devices, and allow the specific Bluetooth classes or BLE services for these devices in that profile.

  • macOS: No limitations.

  • Linux, Android, iOS: Not supported.

Device control profiles

To apply device control in your organization, define device control profiles that determine which device types Cortex XDR blocks and which it permits. There are two types of profiles:

Configuration Profile

Allow or block these device type groups:

  • Disk Drives (USB-connected)

  • CD-ROM Drives (USB-connected)

  • Floppy Disk Drives (USB-connected)

  • (Windows only) Windows Portable Devices (USB-connected)

  • (Windows only) Bluetooth Devices (block, allow, or custom types)

    • The Custom option includes configuration options for specific Bluetooth Classes (Bluetooth Classic) device types, and for Low Energy Services (Bluetooth Low Energy).

      When you select an option in Bluetooth Classes, the right pane of the dialog box lists the device types that belong to the selected class. You can choose all, or some, of the items in this list.

  • Print Jobs (all, or custom types)

    • When set to Block, all print jobs sent from the endpoint are blocked.

    • When set to Custom, the following options are available:

      Network printer jobs only when outside Corp. network: blocks print jobs sent to network printers while the endpoint is not on the corporate network.

      Network printer jobs (internal/VPN): blocks print jobs sent to network printers while the endpoint is connected to the corporate network directly or via VPN.

      Local printer jobs: blocks print jobs sent to a printer that is directly connected to the endpoint.

      Printing to file (Windows only): blocks print jobs that are saved as a file. This option blocks only the print-to-file driver.

Note

  • For network printer print jobs, also configure the Network Location Configuration option in the Agent Settings profile. This setting must be Enabled and configured; otherwise the agent cannot tell whether the endpoint is on the corporate network, and all network printer operations are treated as internal network print jobs.

  • The Print Jobs option does not block connections to a printer; it blocks print jobs according to the type of print job. You cannot block a specific printer with this feature.

    Any print job that is not sent through the endpoint's print spooler, such as a file uploaded to a remote software-based printing service, is not blocked.

  • The Cortex XDR agent relies on the device class assigned by the operating system. For Windows endpoints only, you can configure additional device classes.

Add a new configuration profile.

Add a custom device class.

Exceptions Profile

Allow specific devices according to device type and vendor. You can further narrow an exception to a specific product and/or product serial number.

Add a new exceptions profile.

Device Configuration and Device Exceptions profiles are configured for each operating system separately. After you configure a device control profile, Apply device control profiles to your endpoints.

  1. In Endpoints > Policy management > Extensions > Profiles, select +Add Profile and then select either Create New or Import from File.

  2. Select a Platform, select Device Configuration, and click Next.

  3. Fill in the General Information.

    Assign the profile Name and add an optional Description. The profile Type and Platform are set by Cortex XDR.

  4. Configure Device Configuration.

    For each group of device types, select the desired action. To use the default option defined by Palo Alto Networks, leave Use Default selected.

    • For Disk Drives only, you can also allow connecting in Read-only mode.

    • For Print Jobs, you can choose the Custom option, and then select the desired print job type.

    • For Bluetooth Devices, you can choose the Custom option, and then select the desired Bluetooth Classes or Low Energy Services type.

    Note

    • Currently, the default is set to Use Default (Allow), however, Palo Alto Networks may change the default definition at any time.

    • In XQL Search, to view connect and disconnect events of USB devices that are reported by the agent, the Device Configuration must be set to Block. Otherwise, the USB events are not captured. The events are also captured when a group of device types are blocked on the endpoints with a permanent or temporary exception in place. For more information, see Ingest connect and disconnect events of USB devices.

  5. To save your device profile definitions, click Create.

    If needed, you can edit, delete, or duplicate your profiles.

    Note

    You cannot edit or delete the default profiles pre-defined in Cortex XDR.

  6. (Optional) To define exceptions to your Device Configuration profile, Add a new exceptions profile.

  7. Apply device control profiles to your endpoints.

  1. In Endpoints > Policy management > Extensions > Profiles, select + New Profile or Import from File.

  2. Select a Platform, select Device Exceptions, and click Next.

  3. Fill in the General Information.

    Assign the profile Name and add an optional Description. The profile Type and Platform are set by the system.

  4. Configure Device Exceptions.

    You can add devices to your allow list according to different sets of identifiers: vendor, product, and serial numbers.

    • Type: Select the device type that you want to add to the allow list: Bluetooth, CD-ROM, Disk Drive, Floppy Disk, or Windows Portable Devices (Windows only).

    • (Disk Drives only) Permission: Select the permissions you want to grant: Read only or Read/Write.

    • Vendor: Select a specific vendor from the list or enter the vendor ID in hexadecimal code.

    • (Optional) Product: Select a specific product (filtered by the selected vendor) to add to your allow list, or add your product ID in hexadecimal code.

    • (Optional) Serial Number: Enter a specific serial number (pertaining to the selected product) to add to your allow list. Only devices with this serial number are included in the allow list. If you want to add serial number where the last character is a space character, use quotation marks. For example, "K04M1972138 ".

  5. To save your device exceptions profile, click Create.

    If needed, you can later edit, delete, or duplicate your profiles.

    Note

    You cannot edit or delete the predefined profiles in Cortex XDR.

  6. Apply device control profiles to your endpoints.
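The Vendor and Product fields above take hexadecimal IDs, and the Serial Number field is matched exactly, with a trailing space preserved by quoting. On a Windows endpoint all three values are embedded in the PnP instance ID that `Get-PnpDevice -PresentOnly | Select-Object InstanceId, Class` prints (the same values the Device Control Violations page reports as vendor ID, product and serial). The following Python is an added example, not Cortex XDR code: it parses constructed instance IDs into the three identifiers, refuses to treat a Windows-generated, port-dependent suffix as a serial, and applies the quoting rule. The sample IDs, the row layout and the Scope note are this example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of Windows PnP instance IDs, in the shape that
# `Get-PnpDevice -PresentOnly | Select-Object InstanceId` prints them.
SAMPLE_INSTANCE_IDS = [
    r"USB\VID_0781&PID_5581\4C530001230116118265",        # flash drive reporting a real serial number
    r"USBSTOR\DISK&VEN_SANDISK&PROD_ULTRA&REV_1.00\4C530001230116118265&0",  # same stick, storage-stack node (no VID/PID)
    r"USB\VID_046D&PID_C52B\5&2a1b3c4d&0&1",             # device without a serial: suffix generated by Windows
    r"USB\VID_0BDA&PID_8153\K04M1972138 ",               # serial whose last character is a space
]

@dataclass
class UsbIdentity:
    vendor_id: str           # four hex digits, upper case, as typed into the Vendor field
    product_id: str          # four hex digits, as typed into the Product field
    serial: Optional[str]    # None when the device reported no serial number
    instance_id: str

# USB\VID_xxxx&PID_xxxx[&MI_nn]\<suffix>; MI_nn marks one interface of a composite device.
_USB_ID = re.compile(r"^USB\\VID_([0-9A-Fa-f]{4})&PID_([0-9A-Fa-f]{4})(?:&MI_\d{2})?\\(.*)$")

def parse_instance_id(instance_id: str) -> Optional[UsbIdentity]:
    """Pull vendor ID, product ID and serial out of a USB enumerator instance ID.

    Returns None for nodes of other enumerators (USBSTOR\\..., HID\\...), which carry
    no VID/PID. When a device has no USB serial number, Windows synthesizes the
    suffix from the bus position (it contains '&', e.g. 5&2a1b3c4d&0&1) and it
    changes with the port, so it is reported as "no serial" rather than as a
    value to pin an exception to.
    """
    m = _USB_ID.match(instance_id)
    if not m:
        return None
    vid, pid, suffix = m.groups()
    serial = None if (not suffix or "&" in suffix) else suffix
    return UsbIdentity(vid.upper(), pid.upper(), serial, instance_id)

def serial_for_form(serial: str) -> str:
    """Serial as it must be entered in the Serial Number field: quoted when the
    last character is a space, otherwise as-is (the guide's "K04M1972138 " rule)."""
    return f'"{serial}"' if serial.endswith(" ") else serial

def exception_entries(instance_ids: List[str], device_type: str = "Disk Drive",
                      permission: str = "Read only") -> List[dict]:
    """One candidate allow-list row per distinct (vendor, product, serial).

    Rows without a serial can only be vendor- or product-wide exceptions, which is
    worth knowing before approving them: every unit of that product is let through.
    """
    rows, seen = [], set()
    for iid in instance_ids:
        ident = parse_instance_id(iid)
        if ident is None:
            continue
        key = (ident.vendor_id, ident.product_id, ident.serial)
        if key in seen:
            continue
        seen.add(key)
        rows.append({
            "Type": device_type,
            "Permission": permission,
            "Vendor": ident.vendor_id,
            "Product": ident.product_id,
            "Serial Number": serial_for_form(ident.serial) if ident.serial else None,
            "Scope": "this unit only" if ident.serial else "every unit of this product (no serial reported)",
        })
    return rows

if __name__ == "__main__":
    for row in exception_entries(SAMPLE_INSTANCE_IDS):
        print(row)
```

The USBSTOR node is skipped on purpose: it is the storage stack's view of the same flash drive and carries a vendor string, not the hexadecimal vendor ID the exception form expects.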

After you define the required profiles for Device Configuration and Exceptions, you must configure Device Control policies and enforce them on your endpoints. Cortex XDR evaluates Device Control policies from top to bottom, in the order you arrange them on the page. The first policy whose target matches the endpoint is applied. If no policy matches, the default policy, which allows all devices, is applied.

Note

When enabling Device Control protection for the first time, some devices that are already connected (or paired in case of Bluetooth) to the machine will not be immediately affected by the change. The profile change will affect the connected device after one of the following occurs:

  • Disconnection and reconnection of the device

  • A computer restart

  • For Bluetooth devices only: Bluetooth toggled off and on, or manual unpairing of the device.

  1. In Endpoints > Policy management > Extensions > Policy Rules, select + New Policy or Import from File.

    Note

    When importing a policy, select whether to enable the associated policy targets. Rules within the imported policy are managed as follows:

    • New rules are added to the top of the list.

    • Default rules override the default rule in the target tenant.

    • Rules without a defined target are disabled until the target is specified.

  2. Configure settings for the Device Control policy.

    1. Assign a policy name and select the platform. You can add a description.

    2. Assign the Device Type profile you want to use in this rule.

    3. Click Next.

    4. Select the target endpoints on which to enforce the policy.

      Use filters or manual endpoint selection to define the exact target endpoints of the policy rules. If a Group Name filter is available, it shows only the groups within your defined user scope.

    5. Click Done.

  3. Configure policy hierarchy.

    Drag the policies in the desired order of execution. The default policy that enables all devices on all endpoints is always the last one on the page and is applied to endpoints that don’t match the criteria in the other policies.

  4. Save the policy hierarchy.

    After the policy is saved and applied to the agents, Cortex XDR enforces the device control policies on your environment.

  5. (Optional) Manage your policy rules.

    In the Protection Policy Rules table, you can view and edit the policy you created and the policy hierarchy.

    1. View your policy hierarchy.

    2. Right-click to View Policy Details, Edit, Save as New, Disable, and Delete.

    3. Select one or more policies, right-click and select Export Policies. You can choose to include the associated Policy Targets, Global Exceptions, and endpoint groups.

  6. Monitor device control violations.

    After you apply Device Control rules in your environment, you can use the EndpointsDevice Control Violations page to monitor all instances where end users attempted to connect restricted devices or print jobs, and Cortex XDR blocked them on the endpoint. All violation logs are displayed on the page. You can sort the results and use the filters menu to narrow down the results. For each violation event, Cortex XDR logs the following event details, where relevant and available for each device or print job:

    • ID

    • Timestamp for the violation event

    • Host name of the endpoint

    • Platform (operating system)

    • Agent ID

    • User name

    • IP address

    • Type of device

    • GUID of the device

    • Vendor ID of the device

    • Vendor of the device

    • Product name

    • Serial number (not supported for Bluetooth devices on Windows-based endpoints)

    • Print Job Type

    • Document Name of a print job

    • Additional Information

    • Major Class

    • Minor Class

    • Vendor Type

    If you see a violation for which you’d like to define an exception on the device that triggered it, right-click the violation and select one of the following options:

    • Add device to permanent exceptions: To ensure this device is always allowed in your network, select this option to add the device to the Device Permanent Exceptions list, the type of Permissions, and an optional comment.

    • Add device to temporary exceptions: To allow this device only temporarily on the selected endpoint or on all endpoints, select this option and set the allowed time frame for the device, the type of Permissions, and an optional comment.

    • Add device to a profile exception: Select this option to allow the device within an existing Device Exceptions profile, the type of Permissions, and an optional comment.

  7. Tune your device control exceptions.

    To better deploy device control in your network and allow further granularity, you can add devices on your network to your allow list and grant them access to your endpoints. Device control exceptions are configured per device and you must select the device category, vendor, and type of permission that you want to allow on the endpoint. Optionally, to limit the exception to a specific device, you can also include the product and/or serial number.

    Cortex XDR enables you to configure the following exceptions:

    • Permanent Exceptions: approve the device in your network across all Device Control policies and profiles. You can create them directly from the violation event that blocked the device, or through the Permanent Exceptions list. Permanent exceptions apply across platforms, allowing the device on all operating systems. See Create a Permanent Exception.

    • Temporary Exceptions: approve the device for a specific time period of up to 30 days. You create a temporary exception directly from the violation event that blocked the device. See Create a Temporary Exception.

    • Profile Exceptions: approve the device within an existing exceptions profile. You create a profile exception directly from the violation event that blocked the device. See Create an Exception within a Profile.

    1. Create a Permanent Exception.

      Permanent device control exceptions are managed in the Permanent Exception list and are applied to all devices regardless of the endpoint platform.

      • If you know in advance which device you’d like to allow throughout your network, create a general exception from the list:

        1. Go to Endpoints > Policy Management > Extensions and select Device Permanent Exceptions on the left menu. The list of existing Permanent Exceptions is displayed.

        2. Select Type, Permission, and Vendor.

        3. (Optional) Select a specific product and/or enter a specific serial number for the device.

        4. Click the adjacent arrow and Save. The exception is added to the Permanent Exceptions list and will be applied in the next heartbeat.

      • Otherwise, you can create a permanent exception directly from the violation event that blocked the device in your network:

        1. On the Device Control Violations page, right-click the violation event triggered by the device you want to permanently allow.

        2. Select Add device to permanent exceptions. Review the exception data and change the defaults if necessary.

        3. Click Save.

    2. Create a temporary exception.

      1. On the Device Control Violations page, right-click the violation event triggered by the device you want to temporarily allow.

      2. Select Add device to temporary exceptions. Review the exception data and change the defaults if necessary. For example, you can configure the exception to this endpoint only or to all endpoints in your network, or set which device identifiers will be included in the exception.

      3. Configure the exception Time Frame by defining the number of days or number of hours during which the exception will be applied, up to 30 days.

      4. Click Save. The exception is added to the Device Temporary Exceptions list and will be applied in the next heartbeat.

    3. Create an exception within a profile.

      1. On the Device Control Violations page, right-click the violation event triggered by the device you want to add to a Device Exceptions profile.

      2. Select the Profile from the list.

      3. Save. The exception is added to the exceptions profile and will be applied in the next heartbeat.
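Before pushing a policy, it helps to predict what a given endpoint will do with a given device from the rules this section describes: policies are evaluated top to bottom and the first target match wins, the default policy allows everything, exceptions match on device type and vendor with optional product and exact serial, the exception's own Permission is what the user gets, and temporary exceptions carry a time frame of up to 30 days and may be limited to one endpoint. The Python below is an added, illustrative model, not the Cortex XDR agent's code. Where the guide is silent the model makes a choice: when more than one exception matches, it takes the first in the order permanent, temporary, profile; an Allow group never consults exceptions. All endpoint names, profile names, vendor and product IDs and serials are constructed.

```python
from dataclasses import dataclass, field, replace
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Device:
    type: str                      # "Disk Drive", "CD-ROM", "Floppy Disk", "Windows Portable Devices", "Bluetooth"
    vendor: str                    # hex vendor ID as shown in the violation, e.g. "0781"
    product: Optional[str] = None  # hex product ID
    serial: Optional[str] = None   # serial as reported; may legitimately end in a space

@dataclass(frozen=True)
class AllowRule:
    """One exception row: permanent, temporary, or inside an Exceptions profile."""
    type: str
    vendor: str
    permission: str = "Read/Write"       # "Read only" is meaningful for Disk Drives only
    product: Optional[str] = None        # None = any product of this vendor
    serial: Optional[str] = None         # None = any unit of this product
    endpoint: Optional[str] = None       # temporary exceptions may be limited to one endpoint
    expires: Optional[datetime] = None   # temporary exceptions only

    def matches(self, dev: Device, endpoint: str, now: datetime) -> bool:
        if self.expires is not None and now >= self.expires:
            return False
        if self.endpoint is not None and self.endpoint != endpoint:
            return False
        if dev.type != self.type or dev.vendor.upper() != self.vendor.upper():
            return False
        if self.product is not None and (dev.product or "").upper() != self.product.upper():
            return False
        if self.serial is not None and dev.serial != self.serial:   # exact match, trailing space included
            return False
        return True

def temporary_exception(rule: AllowRule, now: datetime, days: int = 0, hours: int = 0,
                        endpoint: Optional[str] = None) -> AllowRule:
    """Time-box a rule the way the Time Frame dialog does: days and/or hours, at most 30 days."""
    span = timedelta(days=days, hours=hours)
    if span <= timedelta(0) or span > timedelta(days=30):
        raise ValueError("temporary exceptions must be longer than 0 and at most 30 days")
    return replace(rule, expires=now + span, endpoint=endpoint)

@dataclass
class ConfigProfile:
    name: str
    actions: Dict[str, str]                                    # device type -> "Allow" | "Block" | "Read only"
    exceptions: List[AllowRule] = field(default_factory=list)  # rows of the attached Exceptions profile

@dataclass
class Policy:
    name: str
    profile: ConfigProfile
    targets: frozenset                                         # endpoint names the policy targets

DEFAULT_POLICY = Policy("Default", ConfigProfile("Default", {}), frozenset())  # Use Default (Allow)

def select_policy(policies: List[Policy], endpoint: str) -> Policy:
    """Top to bottom; the first policy whose target contains the endpoint applies."""
    for policy in policies:
        if endpoint in policy.targets:
            return policy
    return DEFAULT_POLICY

def decide(policies: List[Policy], permanent: List[AllowRule], temporary: List[AllowRule],
           endpoint: str, dev: Device, now: datetime) -> Tuple[str, str]:
    """Return (effective permission, reason) for a device plugged into an endpoint."""
    policy = select_policy(policies, endpoint)
    action = policy.profile.actions.get(dev.type, "Allow")
    if action == "Allow":
        return "Allow", f"{policy.name}: {dev.type} not restricted"
    # Only a restricted group consults exceptions; the matching exception's Permission wins.
    sources = (("permanent", permanent), ("temporary", temporary),
               (f"profile {policy.profile.name}", policy.profile.exceptions))
    for label, rules in sources:
        for rule in rules:
            if rule.matches(dev, endpoint, now):
                ident = "/".join([rule.vendor, rule.product or "*", rule.serial or "*"])
                return rule.permission, f"{label} exception {ident}"
    return action, f"{policy.name}: {dev.type} {action}"

def sample_setup(now: datetime):
    """Constructed tenant: two policies plus one exception of each kind (all values invented)."""
    finance = ConfigProfile("Finance-USB", {"Disk Drive": "Block", "CD-ROM": "Block"},
                            exceptions=[AllowRule("Disk Drive", "0951", "Read only", product="1666")])
    engineering = ConfigProfile("Eng-USB", {"Disk Drive": "Read only"})
    policies = [Policy("Finance", finance, frozenset({"fin-01", "fin-02"})),
                Policy("Engineering", engineering, frozenset({"eng-01"}))]
    permanent = [AllowRule("Disk Drive", "0781")]               # vendor-wide, all platforms
    temporary = [temporary_exception(AllowRule("Disk Drive", "0BDA", product="8153",
                                               serial="K04M1972138 "), now, days=2, endpoint="fin-01")]
    return policies, permanent, temporary

if __name__ == "__main__":
    now = datetime(2024, 10, 1, tzinfo=timezone.utc)
    policies, permanent, temporary = sample_setup(now)
    stick = Device("Disk Drive", "0BDA", "8153", "K04M1972138 ")
    for ep, t in [("fin-01", now), ("fin-02", now), ("fin-01", now + timedelta(days=3)), ("hr-01", now)]:
        print(ep, decide(policies, permanent, temporary, ep, stick, t))
```

Running the sample shows the three cases that most often surprise operators: the temporary exception scoped to fin-01 does nothing on fin-02, it stops working after its two days, and hr-01, which matches no policy, allows the stick because the default policy is Allow. A serial typed without its trailing space does not match, which is why the guide's quoting rule matters.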

(Windows only) You can include custom USB-connected device classes beyond Disk Drives, CD-ROM Drives, Windows Portable Devices, and Floppy Disk Drives, such as USB-connected network adapters. When you create a custom device class, you must supply Cortex XDR the official ClassGuid that Microsoft assigns to that device setup class (the Class GUID value that Windows reports for the device). Alternatively, if you have assigned a GUID value to a specific USB-connected device, you must use that value for the new device class. After you add a custom device class, you can view it in Device Management and enforce device control rules and exceptions on this device class.

  1. Go to Endpoints > Policy Management > Settings > Device Management.

    This is the list of all your custom USB-connected devices.

  2. Create the new device class.

    Select +New Device. Set a Name for the new device class, and supply a valid and unique GUID Identifier. For each GUID value, you can define one class type only.

  3. Save.

    The new device class is now available in Cortex XDR as all other device classes.
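To see which present devices the four built-in USB groups leave ungoverned, and to sanity-check a list of custom classes before entering them under Device Management (valid GUID, one class per GUID), compare each device's Windows ClassGuid with the setup-class GUIDs behind Disk Drives, CD-ROM Drives, Floppy Disk Drives and Windows Portable Devices. The Python below is an added example, not Cortex XDR code. The GUID constants are Microsoft's system-defined device setup classes; mapping them onto the Cortex XDR group names, the constructed inventory (in the shape of `Get-PnpDevice -PresentOnly | Select-Object InstanceId, Class, ClassGuid`), and the rule that a built-in GUID is rejected as a custom class are this example's own assumptions.

```python
import re
from typing import Dict, List, Tuple

# Windows device setup class GUIDs for the four USB groups Cortex XDR exposes as
# built-in device types. The GUIDs are Microsoft's system-defined setup classes;
# the mapping onto the Cortex XDR group names is this example's.
BUILTIN_CLASS_GUIDS = {
    "4d36e967-e325-11ce-bfc1-08002be10318": "Disk Drives",
    "4d36e965-e325-11ce-bfc1-08002be10318": "CD-ROM Drives",
    "4d36e980-e325-11ce-bfc1-08002be10318": "Floppy Disk Drives",
    "eec5ad98-8080-425f-922a-dabf3de3f69a": "Windows Portable Devices",
}

_GUID = re.compile(r"^\{?([0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12})\}?$", re.IGNORECASE)

def normalize_guid(value: str) -> str:
    """Accept {ABCD...} or bare, any case; return the lower-case bare form. Raises on anything else."""
    s = value.strip()
    m = _GUID.match(s)
    if not m or s.startswith("{") != s.endswith("}"):
        raise ValueError(f"not a valid GUID: {value!r}")
    return m.group(1).lower()

# Constructed inventory, as `Get-PnpDevice -PresentOnly | Select-Object InstanceId, Class, ClassGuid`
# would list it: (InstanceId, Class, ClassGuid).
SAMPLE_INVENTORY = [
    (r"USBSTOR\DISK&VEN_SANDISK&PROD_ULTRA&REV_1.00\4C530001230116118265&0", "DiskDrive",
     "{4D36E967-E325-11CE-BFC1-08002BE10318}"),
    (r"USB\VID_0BDA&PID_8153\K04M1972138 ", "Net", "{4D36E972-E325-11CE-BFC1-08002BE10318}"),
    (r"USB\VID_0BDA&PID_8153\K04M1972139 ", "Net", "{4D36E972-E325-11CE-BFC1-08002BE10318}"),
    (r"USB\VID_046D&PID_C52B\5&2a1b3c4d&0&1", "USB", "{36FC9E60-C465-11CF-8056-444553540000}"),
    (r"USB\VID_04E8&PID_6860\R58M12345ABC", "WPD", "{EEC5AD98-8080-425F-922A-DABF3DE3F69A}"),
]

def plan_custom_classes(inventory: List[Tuple[str, str, str]]) -> Tuple[Dict[str, List[str]], Dict[str, dict]]:
    """Split present devices into those a built-in group already governs and those
    that would need a custom device class: one candidate per ClassGuid, because
    Cortex XDR allows exactly one class type per GUID."""
    covered: Dict[str, List[str]] = {}
    candidates: Dict[str, dict] = {}
    for instance_id, class_name, class_guid in inventory:
        guid = normalize_guid(class_guid)
        if guid in BUILTIN_CLASS_GUIDS:
            covered.setdefault(BUILTIN_CLASS_GUIDS[guid], []).append(instance_id)
        else:
            entry = candidates.setdefault(guid, {"name": class_name, "devices": []})
            entry["devices"].append(instance_id)
    return covered, candidates

def validate_custom_classes(proposed: List[Tuple[str, str]]) -> Dict[str, str]:
    """Check (Name, GUID) rows before entering them under Device Management: every GUID
    must be valid, a GUID may define only one class, and a GUID that already belongs to
    a built-in group is rejected here because that group governs it already."""
    result: Dict[str, str] = {}
    for name, raw in proposed:
        guid = normalize_guid(raw)
        if guid in BUILTIN_CLASS_GUIDS:
            raise ValueError(f"{name}: {raw} is the built-in {BUILTIN_CLASS_GUIDS[guid]} class")
        if guid in result:
            raise ValueError(f"{name}: GUID {raw} already defines class {result[guid]!r}")
        result[guid] = name
    return result

if __name__ == "__main__":
    covered, candidates = plan_custom_classes(SAMPLE_INVENTORY)
    print("governed by built-in groups:", covered)
    print("would need a custom class:", candidates)
```

In the sample the network adapter (class Net) and the USB receiver (class USB) fall outside the four built-in groups, so a Disk Drives block alone never touches them; they only become controllable once their ClassGuid is added as a custom device class.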

You can personalize the Cortex XDR notification pop-up on the endpoint when the user attempts to connect a USB device that is either blocked on the endpoint or allowed in read-only mode. To edit the notifications, refer to Set up agent settings profiles.

Notice

This feature requires a Cortex XDR Pro license.

The Cortex Query Language (XQL) supports the ingestion of connect and disconnect events of USB devices that are reported by the agent. To view these USB device events in XQL Search, you must set the Device Configuration of the endpoint profile to Block. Otherwise, the USB events are not captured. The events are also captured when a group of device types are blocked on the endpoints with a permanent or temporary exception in place. For more information, see Add a new configuration profile.

You can use XQL Search to query for this data and build widgets based on the xdr_data dataset, where the following use cases are supported:

  • Displaying devices by Vendor ID, Vendor Name, Product ID, and Product Name.

  • Displaying the hosts to which a specific device, identified by its serial number, has been connected.

  • Query for USB devices that are connected to specific hosts or groups of hosts.

Examples of XQL queries that query the USB device data.

  • This query returns the action_device_usb_product_name field from all xdr_data records, where the event_type is DEVICE and the event_sub_type is DEVICE_PLUG.

    dataset = xdr_data
    | filter event_type = DEVICE and event_sub_type = DEVICE_PLUG
    | fields action_device_usb_product_name
  • This query returns the action_device_usb_vendor_name field from all device_control records (a preset over the xdr_data dataset) where the event_type is DEVICE.

    preset = device_control
    | filter event_type = DEVICE
    | fields action_device_usb_vendor_name