Apply Profiles to Collection Machine Policies - Administrator Guide - Cortex XSIAM - Cortex - Security Operations


Once a Cortex XDR Collector profile is configured, you must attach the profile to a policy. Each policy that you create must apply to one or more collector machines or collector machine groups.

  1. In Cortex XSIAM, create a policy.

    Do either of the following:

    • Select Settings → Configurations → XDR Collectors → Policies → + Add Policy to create a policy from scratch in the XDR Collectors Policies page.

    • Select Settings → Configurations → XDR Collectors → Profiles, right-click the profile you want to assign, and select Create a new policy rule using this profile in the XDR Collectors Profiles page.

  2. Set the General settings for the policy.

    • Policy Name—Specify a unique name for the policy.

    • Description—(Optional) Specify a description that describes the purpose or intent of the policy.

    • Platform—Select the platform, either Windows or Linux, for which you want to create the new policy.

    • Collector Profile—Select the Collector Profile that you want to apply to the policy from the list available for the designated Platform. If you do not specify a profile, the XDR Collector uses the Default profile.

  3. Click Next.

  4. Set the Target settings in the XDR Collectors Endpoints screen.

    Use the filters to assign the policy to one or more collector machines (endpoints) or collector machine (endpoint) groups.

    Cortex XSIAM automatically applies a filter for the platform you selected. To change the platform, go Back to the general policy settings.

  5. Click Next.

  6. Review the Summary for the new policy.

    If everything looks fine, click Done. Otherwise, click Back to make your changes.

  7. In the XDR Collectors Policies table, change the policy position, if needed, to order the policy relative to other policies.

    The XDR Collector evaluates policies from top to bottom. When the XDR Collector finds the first match, it applies that policy as the active policy. To change the policy order, select the arrows and drag the policy to the desired location in the policy hierarchy.

  8. Other available options.

    As needed, you can return to the XDR Collectors Policies page to manage your XDR Collectors policies. To manage a specific policy, right-click anywhere in the XDR Collector policy row, and select the desired action:

    • Disable the XDR Collector policy.

    • Delete the XDR Collector policy.

    • View Policy Details—Opens a new window with the details of the current profile configured for this policy, so you can easily see the Collector Upgrade and Filebeat configuration file details for the profile associated with this policy.

    • Save As New—Enables you to copy the existing policy with its current settings, make any modifications, and save it as a new policy by adding a unique name.

    • Edit the XDR Collector policy settings.

    • Copy text to clipboard to copy the text from a specific field in the row of an XDR Collector policy.

    • Copy entire row to copy the text from the entire row of an XDR Collector policy.
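The top-to-bottom, first-match evaluation in step 7 means a broad policy placed above a narrower one keeps the narrower policy from ever becoming active. The following is an added example, not Cortex XSIAM code: it models that ordering to find such shadowed policies before you reorder the table. The `Policy` structure, the machine names, the profile names, the skipping of disabled policies, and the `None` result for no match are all assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass
class Policy:
    name: str
    platform: str              # "Windows" or "Linux", as in the General settings
    targets: set               # constructed: machine names the policy's filters resolve to
    profile: str = "Default"   # the Default profile applies when none is specified
    enabled: bool = True       # assumption: a disabled policy is skipped


def active_policy(policies, machine, platform):
    """Return the first enabled policy, top to bottom, that matches the machine."""
    for p in policies:
        if p.enabled and p.platform == platform and machine in p.targets:
            return p
    return None  # assumption: the page does not describe the no-match case


def shadowed_policies(policies):
    """Names of enabled policies whose every target is matched by an earlier policy."""
    claimed = {}   # platform -> machines already matched higher in the table
    shadowed = []
    for p in policies:
        if not p.enabled:
            continue
        seen = claimed.setdefault(p.platform, set())
        if p.targets and p.targets <= seen:
            shadowed.append(p.name)
        seen |= p.targets
    return shadowed


# Constructed sample table, listed in evaluation order (top first).
POLICIES = [
    Policy("linux-all", "Linux", {"web01", "web02", "db01"}, "filebeat-base"),
    Policy("linux-db", "Linux", {"db01"}, "filebeat-db"),
    Policy("win-dc", "Windows", {"dc01"}),
]

# Same policies with the narrower Linux policy moved above the broad one.
REORDERED = [POLICIES[1], POLICIES[0], POLICIES[2]]

if __name__ == "__main__":
    print("shadowed as ordered:", shadowed_policies(POLICIES))
    print("db01 gets:", active_policy(POLICIES, "db01", "Linux").profile)
    print("shadowed after reorder:", shadowed_policies(REORDERED))
    print("db01 gets:", active_policy(REORDERED, "db01", "Linux").profile)
```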