From the Cortex XDR management console, you can add and configure Restrictions security profiles to reduce the attack surface of a Windows endpoint by defining where and how your users can run files.
By default, the Cortex XDR agent receives the default profile, which contains a pre-defined configuration for each restrictions capability. To customize the configuration for specific Cortex XDR agents, configure a new Restrictions security profile and assign it to one or more policy rules.
To define a Restrictions security profile:
Add a new profile.
Select the platform to which the profile applies and Restrictions as the profile type.
Click Next.
Define the basic settings.
Select a unique Profile Name to identify the profile. The name can contain only letters, numbers, or spaces, and must be no more than 30 characters. The name will be visible from the list of profiles when you configure a policy rule.
To provide additional context for the purpose or business reason for creating the profile, specify a profile Description. For example, you might include an incident identification number or a link to a help desk ticket.
Configure each of the Restrictions Endpoint Protection Capabilities.
Configure the action to take when a file attempts to run from a specified location.
Block—Block the file execution.
Notify—Allow the file to execute but notify the user that the file is attempting to run from a suspicious location. The Cortex XDR agent also reports the event to Cortex XSIAM.
Report—Allow the file to execute but report it to Cortex XSIAM.
Disabled—Disable the module and do not analyze or report execution attempts from restricted locations.
Add files to your allow list or block list, as needed.
The type of protection capability determines whether the capability supports an allow list, a block list, or both. With an allow list, the action mode you configure applies to all paths except those you specify. With a block list, the action applies only to the paths you specify. Choose the list type deliberately: an allow list fails closed (anything not listed gets the action), whereas a block list fails open (anything not listed runs unrestricted).
Important
Starting with version 1.3, Cortex XSIAM enables you to manage the Restriction Security Profile exceptions from a central location and easily apply them across multiple profiles in the Legacy Agent Exceptions management page.
To manage the prevention profile exceptions from Exception Configuration, you must first migrate your existing exceptions configured via the Prevention profiles.
To create new Restriction Security Profile exceptions using the Legacy Agent Exceptions management page, see Add a Legacy Exception Rule.
If you don't migrate the legacy exceptions, you can continue to add exceptions as described below.
Click + Add a file or folder.
Enter the path and press Enter or click the check mark when done. You can also use wildcards to match a partial file or folder name, and environment variables. Use ? to match any single character or * to match any string of characters. To match a folder, you must terminate the path with * so that all files in the folder are matched (for example, c:\temp\*). A path without a trailing * matches only that exact file. Repeat to add additional files or folders.
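As an added example (not code from this page or from Palo Alto Networks), the following Python checker applies the wildcard syntax above together with the allow-list and block-list semantics described earlier, so you can test which action a given executable path would receive before pushing a profile to endpoints. It makes several assumptions that the page does not state: `*` is treated as matching any run of characters including backslashes (so `c:\temp\*` also covers subfolders), matching is case-insensitive as Windows paths are, and environment variables are written as `%NAME%` and expanded from a dictionary you supply. The sample paths, variables and list entries are constructed for the demonstration.

```python
import re

# Action modes as named on the page; "Disabled" means the module does nothing.
ACTION_MODES = ("Block", "Notify", "Report", "Disabled")


def pattern_to_regex(pattern, env):
    """Translate a console-style path pattern into a compiled regex.

    '?' matches exactly one character and '*' any run of characters.
    Assumptions (not stated on the page): '*' also matches backslashes, so
    'c:\\temp\\*' covers files in subfolders; matching is case-insensitive as
    Windows paths are; environment variables use the %NAME% syntax and are
    expanded from 'env', with unknown names left untouched.
    """
    expanded = re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1), m.group(0)), pattern)
    parts = []
    for ch in expanded:
        if ch == "?":
            parts.append(".")
        elif ch == "*":
            parts.append(".*")
        else:
            parts.append(re.escape(ch))  # backslashes, dots etc. stay literal
    return re.compile("".join(parts), re.IGNORECASE)


def is_listed(path, patterns, env):
    """True if the path matches any entry of the allow or block list."""
    return any(pattern_to_regex(p, env).fullmatch(path) for p in patterns)


def decide_action(path, action, list_type, patterns, env):
    """Return the action the profile would take for 'path', or None to allow.

    Mirrors the page's semantics: with an allow list the configured action
    applies to every path EXCEPT the listed ones; with a block list it applies
    ONLY to the listed ones. 'Disabled' never acts.
    """
    if action not in ACTION_MODES:
        raise ValueError(f"unknown action mode: {action}")
    if action == "Disabled":
        return None
    listed = is_listed(path, patterns, env)
    if list_type == "allow":
        return None if listed else action
    if list_type == "block":
        return action if listed else None
    raise ValueError(f"list_type must be 'allow' or 'block', got {list_type!r}")


# Constructed sample data: a user's TEMP folder and a block list of locations
# from which nothing should run.
SAMPLE_ENV = {"TEMP": r"C:\Users\alice\AppData\Local\Temp"}
SAMPLE_BLOCK_LIST = [r"%TEMP%\*", r"c:\temp\*", r"d:\tools\build?.exe"]


def check_block_list(path):
    """Action for 'path' under a Block-mode block list using the sample data."""
    return decide_action(path, "Block", "block", SAMPLE_BLOCK_LIST, SAMPLE_ENV)


def check_allow_list(path):
    """Action for 'path' under a Notify-mode allow list that trusts Program Files."""
    return decide_action(path, "Notify", "allow", [r"C:\Program Files\*"], SAMPLE_ENV)


if __name__ == "__main__":
    for p in (r"C:\Users\alice\AppData\Local\Temp\dropper.exe",
              r"C:\Temp\stage\payload.exe",
              r"D:\tools\build1.exe",
              r"D:\tools\build12.exe"):
        print(f"{p}: {check_block_list(p)}")
    for p in (r"C:\Program Files\Vendor\app.exe", r"C:\Users\bob\Downloads\run.exe"):
        print(f"{p}: {check_allow_list(p)}")
```

Run it with a list of paths taken from your own software inventory to spot gaps before enforcing in Block mode; the `build?.exe` entry shows why `?` is narrower than `*` (it catches `build1.exe` but not `build12.exe`). Because the agent's real matcher may differ from these assumptions, validate the final profile in Report or Notify mode on a pilot group before switching to Block.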
Configure Custom Indicator Prevention Rules.
If you have created custom indicator rules for prevention purposes, you enable their use here in the profile. The indicator rule must be mapped to the profile before this setting is enabled, so work in this order:
Prepare this restriction profile first and make a note of its name for later, but leave this setting disabled.
Prepare the prevention Indicator Rule (select Prevention when creating the rule), and while preparing it, map it to your restriction profile.
Return to this restriction profile to modify it, and set this setting to Enabled.
Save the changes to your profile.
Apply Security Profiles to Endpoints.
You can do this in two ways: create a new policy rule that uses this profile from the profile's right-click menu, or launch the new policy wizard from Policy Rules and select the profile there.