Learn how to edit the host lists assigned to asset roles.
Note
The Identity Security Module add-on is required to explicitly edit the host lists assigned to asset roles.
You may want to exclude some endpoints from certain roles even if Cortex XSIAM automatically detected the endpoint as having this asset role. For example, you might do this if an endpoint is reassigned to another user and you want their Analytics behavioral baselines to be adjusted accordingly.
To access the management page, navigate to → → , right-click an endpoint asset role, and select Edit Asset Role. The Endpoints list on the page displays the endpoints classified under the asset role, whether the asset role was assigned automatically or edited manually for the endpoint, the last modification date, and the modifier.
When editing an asset role, there are two primary lists:
Included Endpoints: Displays all the endpoints Cortex XSIAM automatically detects as having this asset role, as well as any endpoints you have manually added.
Excluded Endpoints: Displays the endpoints that were manually removed from the asset role.
Exclude an Endpoint: If you want to remove an endpoint from an asset role, right-click the endpoint in the included list and select Exclude Endpoint. When you exclude an endpoint, it moves to the Excluded Endpoints list. This ensures that even if the endpoint exhibits behavior matching this role in the future, the automatic detection is overridden and the endpoint remains excluded. By default, excluding an endpoint also removes it from any parent asset roles.
Advanced Exclusion Settings: To remove an endpoint from a child asset role but leave it in its parent asset roles, click Advanced Exclusion Settings and select Don't Exclude next to the name of the parent role.
Manually Add an Endpoint: Click Add Endpoint to manually assign a role to a host. You can select the endpoint from a displayed list of hosts managed by your tenant. Note that you can only manually add endpoints that have the Cortex XSIAM agent installed on them. Manually added endpoints are analyzed by the Analytics engine on its next run and appear in the Host Risk View and User Risk View.
Delete vs. Exclude: If you right-click and select Delete Endpoint on a manually added endpoint, it is removed from the included list. If the system automatically detects it acting in that role in the future, it is added back. If you want to prevent it from ever being added back, you must Exclude it instead.
Rename an Endpoint: To change the name of an endpoint, right-click the endpoint name and select Edit Endpoint.