Device Control - Configure Device Control permission for Endpoints - Administrator Guide

Cortex XSIAM 3.x Documentation

Product: Cortex XSIAM
Creation date: 2025-07-15
Last date published: 2026-06-04
Category: Administrator Guide

Abstract

Configure Device Control permission for Endpoints.

Manage policies for external devices connected to endpoints. Controls access permissions for USB drives, Bluetooth devices, and other peripherals. For more information, see Device control.

Caution

Device Control is critical for data loss prevention. Overly restrictive policies may impact productivity, while permissive policies may enable data exfiltration. Balance security requirements with operational needs.

Permissions

The table below lists each permission level with its description and example roles.

Permission: None

Description: Cannot view the following pages under Inventory → Endpoints:

  • Device Control Violations

  • Disk Encryption Visibility

  • Under Policy Management:

    • Device Permanent/Temporary Exceptions

    • Settings: Device Management

    • Extensions: Policy Rules

    • Extensions: Profiles

Roles example:

  • SOC Tier-1 Analyst: Not part of daily triage.

Permission: View

Description: Read-only access for the pages listed above.

Roles example:

  • SOC Tier-2 Analyst: Understanding device control helps investigate data exfiltration or unauthorized device usage. Critical for insider threat investigations.

  • SOC Tier-3 Analyst: View; may need View/Edit for emergency containment of data exfiltration (for example, blocking all USB devices), which should require approval.

  • Threat Hunter: Device control visibility helps understand potential data exfiltration vectors. Hunters need to know which devices are allowed.

Permission: View/Edit

Description: All View capabilities, plus managing policies and exceptions. View/Edit also unlocks additional action sub-permissions, such as Device Control Rules and Device Control Exceptions.

Roles example:

  • Security Engineer: Responsible for device control rule development and maintenance. Creates and optimizes device policies.

Device Control sub-permissions

The table below lists each sub-permission with its description and example roles.

Sub-permission: Device Control Rules

Description: Enables users to define rules that permit or block device connection, block writing data to a device, or allow connection while logging all activity.

  • Checked: Users can create, edit, delete, and enable/disable device control rules (Inventory → Endpoints → Policy Management → Extensions → Policy Rules).

  • Unchecked: Rule actions are disabled within profiles.

To manage device control rules, users also need the Agent Extension Policies permission to access the profiles where rules are configured.

Roles example:

  • Security Engineer: Responsible for device control rule development and maintenance. Creates rules for different device types, vendors, and use cases.

Sub-permission: Device Control Exceptions

Description: Create exceptions to device control rules for specific devices or users.

Users can create, edit, and delete permanent or temporary exceptions that override device control rules (Inventory → Endpoints → Policy Management → Extensions → Device Permanent Exceptions or Device Temporary Exceptions).

Note

Exceptions bypass device control rules and can create security gaps. Implement approval workflows and regular exception reviews. Consider requiring business justification for all exceptions.

  • Checked: Users can add device exceptions.

  • Unchecked: The Add Exception action is disabled.

Tip

Consider granting the Device Control Rules sub-permission alongside this one. Understanding the existing rules is essential before creating exceptions, and each exception should target a specific rule to minimize security impact.

Roles example:

  • Security Engineer: Responsible for exception management with proper documentation. Creates exceptions based on approved business requests with appropriate scope and expiration.