Apply profiles to endpoints - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Product
Cortex XSIAM
Creation date
2024-03-06
Last date published
2024-10-10
Category
Administrator Guide
Abstract

Learn how to apply security profiles to your endpoints, depending on the platform used.

Cortex XSIAM provides out-of-the-box protection for all registered endpoints with a default security policy customized for each supported platform type. To configure your security policy, customize the settings in a security profile and attach the profile to a policy.

Each policy you create must apply to one or more endpoints or endpoint groups. The Prevention Policy Rules table lists all the policy rules per operating system. Rules associated with one or more targets that are beyond your defined user scope are locked and cannot be edited.

  1. From Cortex XSIAM, create a policy rule.

    Do one of the following:

    • Select EndpointsPolicy ManagementPreventionPolicy Rules, and select + New Policy or Import from File.

      Note

      When importing a policy, select whether to enable the associated policy targets. Rules within the imported policy are managed as follows:

      • New rules are added to the top of the list.

      • Default rules override the default rule in the target tenant.

      • Rules without a defined target are disabled until the target is specified.

    • Select EndpointsPolicy ManagementPreventionProfiles, right-click the profile you want to assign and click Create a new policy rule using this profile.

  2. Define a Policy Name and optional Description that describes the purpose or intent of the policy.

  3. Select the Platform for which you want to create a new policy.

  4. Select the desired Exploit, Malware, Restrictions, and Agent Settings profiles you want to apply in this policy.

    If you do not specify a profile, the Cortex XDR agent uses the default profile.

  5. Click Next.

  6. Use the filters to assign the policy to one or more endpoints or endpoint groups.

    Cortex XSIAM automatically applies the platform filter you selected and, if it exists, the Group Name according to the groups within your defined user scope.

  7. Click Done.

  8. In the Policy Rules table, change the rule position, if needed, to order the policy relative to other policies.

    The Cortex XDR agent evaluates policies from top to bottom. When the Cortex XDR agent finds the first match it applies that policy as the active policy. To move the rule, select the arrows and drag the policy to the desired location in the policy hierarchy.

    Right-click to View Policy Details, Edit, Save as New, Disable, and Delete.

  9. Export policy.

    Select one or more policies, right-click and select Export Policies. You can include the associated Policy Targets, Global Exceptions, and endpoint groups.

    Note

    The exported file is encoded in Base64 and cannot be edited.