Set rules for the execution (or running) of particular files on your endpoints in Cortex XSIAM.
You can manage file execution on your endpoints by adding file hashes to your allow and block lists. If you trust a certain file and know it to be benign, you can add the file hash to the allow list. This allows the file to be executed on all your endpoints regardless of the WildFire or local analysis verdict. Similarly, if you want to always block a file from running on your endpoints, you can add the associated hash to the block list.
Adding files to the allow and block lists takes precedence of any other policy rules that are applied to these files. In the Action Center, you can monitor the allow and block list actions performed in your network, and add or remove files from these lists.
Supported file types are:
Operating system | Supported file types |
---|---|
Windows |
|
Mac | macho, DMG |
Linux | ELF |
Go to
→ → → .Select Add to Block List or Add to Allow List.
Enter the SHA-256 hash of the file and click .
You can add up to 100 file hashes at one time. If you add a comment, it is added to all the hashes you added in this action.
Click Next.
Review the summary and click Done.
In the next heartbeat, the agent retrieves the updated lists from Cortex XSIAM .
You are automatically redirected to the Block List or Allow List that corresponds to the action in the Action Center.
To manage the file hashes on the Block List or the Allow List, right-click a file to see the available actions.