Define Endpoint Groups - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Pro Administrator Guide

Cortex XDR
Creation date
Last date published
Administrator Guide

To easily apply policy rules and manage specific endpoints, you can define an endpoint group.

To easily apply policy rules and manage specific endpoints, you can define an endpoint group. If you set up Cloud Identity Engine, you can also leverage your Active Directory user, group, and computer information in endpoint groups.

There are two methods you can use to define an endpoint group:

  • Create a dynamic group by enabling Cortex XDR to populate your endpoint group dynamically using endpoint characteristics such as an endpoint tag, partial hostname or alias, full or partial domain, or workgroup name; IP address, range or subnet; installation type (VDI, temporary session, or standard endpoint); agent version; endpoint type (workstation, server, mobile); or operating system version.

  • Create a static group by selecting a list of specific endpoints.

After you define an endpoint group, you can then use it to target policy and actions to specific recipients. The Endpoint Groups page displays all endpoint groups along with the number of endpoints and policy rules linked to the endpoint group.

To define an endpoint static or dynamic group:

  1. From Cortex XDR , select EndpointsEndpoint Groups+Add Group.

  2. Select either Create New to create an endpoint group from scratch, or Upload From File, using plain text files with a new line separator, to populate a static endpoint group from a file containing IP addresses, hostnames, or aliases.

  3. Enter a Group Name and optional Description to identify the endpoint group. The name you assign to the group will be visible when you assign endpoint security profiles to endpoints.

  4. Determine the endpoint properties for creating an endpoint group:

    • Dynamic—Use the filters to define the criteria you want to use to dynamically populate an endpoint group. Dynamic groups support multiple criteria selections and can use AND or OR operators. For endpoint names and aliases, and domains and workgroups, you can use * to match any string of characters. As you apply filters, Cortex XDR displays any registered endpoint matches to help you validate your filter criteria.

    • Static—Select specific registered endpoints that you want to include in the endpoint group. Use the filters, as needed, to reduce the number of results.

      When you create a static endpoint group from a file, the IP address, hostname, or alias of the endpoint must match an existing agent that has registered with Cortex XDR. You can select up to 250 endpoints.


    Disconnecting Cloud Identity Engine in your Cortex XDR deployment can affect existing endpoint groups and policy rules based on Active Directory properties.

  5. Create the endpoint group.

    After you save your endpoint group, it is ready for use to assign security profiles to endpoints and in other places where you can use endpoint groups.

  6. Manage an endpoint group, as needed.

    At any time, you can return to the Endpoint Groups page to view and manage your endpoint groups. To manage a group, right-click the group and select the desired action:

    • Edit—View the endpoints that match the group definition, and optionally refine the membership criteria using filters.

    • Delete the endpoint group.

    • Save as new—Duplicate the endpoint group and save it as a new group.

    • Export group—Export the list of endpoints that match the endpoint group criteria to a tab separated values (TSV) file.

    • View endpoints—Pivot from an endpoint group to a filtered list of endpoints on the Endpoint Administration page where you can quickly view and initiate actions on the endpoints within the group.