Manage Endpoint Tags - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Pro Administrator Guide

Product: Cortex XDR
License: Pro
Creation date: 2023-10-31
Last date published: 2024-03-18
Category: Administrator Guide

Abstract

Segment your endpoints according to dynamic tags.

Endpoint tags enable multiple layers of segmentation of your endpoints. An endpoint tag is a dynamic entity that is created and assigned to one or more endpoints. The assigned endpoint tags can then be used to create Endpoint Groups, Policies, and Actions.

Note

The following uses Windows operating system installation parameters and Cytool argument examples.

Create an Endpoint Tag

An endpoint tag can be created during installation of the Cortex XDR agent.

An endpoint tag can be created after installation either from the Cortex XDR agent or from the Cortex XDR management console.

  • Add an endpoint tag as an installation parameter of the Cortex XDR agent's installer:

    1. Installer parameter: run msiexec /i ... ENDPOINT_TAGS="Name1, Name 2, Name3".

      Cytool argument: cytool endpoint_tags add "tag1 [,tag2,...,tagN]".

      Note

      Tag names are case sensitive.

      For Windows and Mac, a tag name can contain spaces.

      Linux does not support tag names with spaces as command line arguments to the shell installer. Instead, tags can be set in the /etc/panw/cortex.conf configuration file, which supports all Linux installers.

  • Add an endpoint tag after installation:

    • From the machine where the Cortex XDR agent is installed:

      1. Navigate to the Cytool folder location and open the CLI as an administrator.

      2. Cytool argument: cytool endpoint_tags add "tag1 [,tag2, ...,tagN]".

        Note

        Tag names are case sensitive and can contain spaces.

    • From the Cortex XDR management console (Server):

      1. Navigate to Endpoints → All Endpoints → Tags field.

      2. Select one or more endpoints, right-click, and select Endpoint Control → Assign Endpoint Tags.

      3. Select Add tag... and choose one or more tags from the list of existing tags or begin to type a new tag name to Create tag.

        Note

        Tag names are case sensitive and can contain spaces.

      4. (This step requires administrator permissions) To assign the tag to users or user groups, select Add selected tags to Users or Groups, and select the relevant Users and/or User Groups.

        Note

        When SBAC is enabled, assigning tags may impact user permissions.

      5. Save the tag names you selected.
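
A pre-deployment check for a planned tag list, added here as an example (not code from the Cortex XDR guide or from Palo Alto Networks). It applies the rules stated above: names are case sensitive, and spaces are not supported as Linux shell installer arguments. The function names are hypothetical; rejecting commas and quotes is inferred from the comma-separated, quoted syntax, and flagging surrounding whitespace is an assumption because the page does not say whether the agent trims it.

```python
from collections import defaultdict


def check_tags(tags, platform):
    """Return a list of problems found in a planned endpoint tag list.

    platform is "windows", "mac" or "linux" (linux = shell installer arguments).
    """
    problems = []
    by_folded = defaultdict(set)  # case-folded name -> spellings actually used
    for tag in tags:
        name = tag.strip()
        if not name:
            problems.append("empty tag name")
            continue
        if tag != name:
            # Assumption: trimming behaviour is not documented, so flag it.
            problems.append(f"{tag!r}: leading or trailing whitespace")
        if "," in name or '"' in name:
            # Inferred: the comma separates tags and the list is double-quoted.
            problems.append(f"{tag!r}: contains the list separator or a quote")
        if platform == "linux" and " " in name:
            problems.append(
                f"{tag!r}: spaces are not supported as a Linux shell installer "
                "argument; set the tag in /etc/panw/cortex.conf instead"
            )
        by_folded[name.casefold()].add(name)
    for spellings in by_folded.values():
        if len(spellings) > 1:
            # Case-sensitive names: these become separate tags, which splits
            # any group, policy or scope built on the tag.
            problems.append(
                "case-only variants are distinct tags: " + ", ".join(sorted(spellings))
            )
    return problems


def endpoint_tags_param(tags, platform="windows"):
    """Build the ENDPOINT_TAGS installer parameter, refusing a bad list."""
    problems = check_tags(tags, platform)
    if problems:
        raise ValueError("; ".join(problems))
    return 'ENDPOINT_TAGS="' + ", ".join(tags) + '"'


if __name__ == "__main__":
    planned = ["Finance", "finance", "HQ Laptops"]  # constructed sample list
    for problem in check_tags(planned, "linux"):
        print(problem)
    print(endpoint_tags_param(["Name1", "Name 2", "Name3"]))
```
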

Remove an Endpoint Tag

Depending on where you created your tag, Server or Agent, you can choose to edit or remove the tags.

  • From the Cortex XDR agent:

    1. Navigate to the Cytool folder location and open the CLI as an administrator.

    2. Cytool Argument: cytool endpoint_tags remove "tag1 [,tag2, ...,tagN]".

  • From the Cortex XDR management console:

    1. Navigate to Endpoints → All Endpoints → Tags field.

    2. Select one or more endpoints, right-click, and select Endpoint Control → Remove Endpoint Tags.

    3. Save the tag names you removed.

    Note

    If you remove the tag and there are assigned users or user groups with scope settings, this can impact user permissions in the system.

Track Your Endpoint Tags

  • From the XDR agent:

    1. Navigate to the Cytool folder location and open the CLI as an administrator.

    2. For Cytool: cytool endpoint_tags list.

  • From the Cortex XDR management console:

    1. Navigate to Endpoints → All Endpoints → Tags field.

      All Server and Agent tags associated with the specific endpoint are displayed. Tags created in the XDR agent are displayed with a shield icon.

    2. Filter and search the Tags field for the endpoint tags you have created and assigned.