Manage Asset Roles for Endpoints - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Administrator Guide

Cortex XSIAM
Creation date
Last date published
Administrator Guide

Learn how to edit the host lists assigned to asset roles.


Endpoint Role Management is available only if the Identity Threat Module add-on is enabled.

The Edit Endpoint Role page enables you to edit the host lists assigned to asset roles. You may want to exclude some endpoints from certain asset roles even if Cortex XSIAM automatically detected the endpoint as having this asset role. For example, if an endpoint is reassigned to another user and you want their Analytics to be adjusted accordingly.

The Endpoints list on the page displays the endpoints classified under the asset role, if the asset role was assigned automatically or edited manually for the endpoint, the last modification date, and the modifier.

To access the Edit Endpoint Role page, from AssetsAsset Role Configuration, right click to select the endpoint asset role and click Edit Asset Role.

INCLUDED ENDPOINTS displays all the endpoints Cortex XSIAM automatically detects as having this asset role and the endpoints you specify manually as having this asset role. EXCLUDED ENDPOINTS displays the endpoints that were manually removed from an asset role. When you exclude an endpoint, it remains in the Excluded Endpoints list and if detected automatically again in the future as having this role, will not be included in the role list.

If you want to remove an endpoint from the list of endpoints with this asset role, right click the endpoint and select Exclude Endpoint. The endpoint is then listed under EXCLUDED ENDPOINTS for this asset role. When you exclude an endpoint from an asset role, by default Cortex XSIAM also removes the endpoint from the parent asset roles of the current asset role. To remove the endpoint from the child asset role, but to leave it in any of its parent asset roles, click Advanced Exclusion Settings, and select Don't Exclude next to the name of the parent asset role(s).

To include an Excluded endpoint back in the asset role, in the EXCLUDED ENDPOINTS list, right click the endpoint and select Delete Endpoint. If the endpoint was automatically detected as having this asset role. it will be added back to the INCLUDED ENDPOINTS list again. Otherwise, the next time Cortex XSIAM scans the assets and automatically detects their asset roles, this endpoint will be included in the asset role list.

To include endpoints from your system manually in an asset role list, in the asset role page, click Add Endpoint. Select the endpoint from the displayed endpoint list, which displays the endpoints managed by the tenant. You can only add endpoints that have the Cortex XDR agent installed on them.

Manually added endpoints are analyzed by Analytics when it runs next and are displayed in the Incident view and the Host Risk view.

To delete a manually added endpoint from the Included Endpoints list, right click and Delete Endpoint.


Deleting a manually added endpoint removes the endpoint from the INCLUDED ENDPOINTS list. If this endpoint is detected automatically as having this asset role in the future, it will appear in the Included Endpoints list.

Excluding a manually added endpoint ensures that even if in the future the endpoint is detected as having this asset role, this detection is overridden and the endpoint isn't included in the asset role.

To change the name of an endpoint, right click the endpoint name and Edit Endpoint.