Set up restrictions prevention profiles - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Product
Cortex XSIAM
Creation date
2024-03-06
Last date published
2024-11-28
Category
Administrator Guide
Abstract

Restrictions prevention profiles limit where executables can run on an endpoint.

Restrictions prevention profiles limit the locations from which executables can run on an endpoint.

By default, the Cortex XDR agent receives a default profile that contains a pre-defined configuration for each restriction capability. The default setting for each capability is shown in parentheses in the user interface. To fine-tune your restrictions prevention policy, you can override the default configuration of each capability as follows. For each setting that you override, clear the Use Default option, and select the setting of your choice.

  • Block: Block file execution.

  • Notify: Allow file execution, but notify the user that the file is attempting to run from a suspicious location. The Cortex XDR agent also reports the event to Cortex XSIAM.

  • Report: Allow file execution, but report it to Cortex XSIAM.

  • Disabled: Disable the module, and do not analyze or report execution attempts from restricted locations.


To customize the configuration for specific Cortex XDR agents, configure a new restrictions prevention profile and assign it to one or more policy rules. You can restrict files from running from specific local folders, or from removable media.


Windows

  1. Add a new profile and define basic settings.

    1. From Cortex XSIAM, select Endpoints → Policy Management → Prevention → Profiles. Click +Add Profile, and select whether to create a new profile or import a profile from a file.

      Note

      New profiles based on imported profiles are added, and do not replace existing ones.

    2. Select the Windows platform, and Restrictions as the profile type.

    3. Click Next.

    4. For Profile Name, enter a unique name for the profile. The name can contain only letters, numbers, or spaces, and must be no more than 30 characters. The name will be visible from the list of profiles when you configure a policy rule.

    5. For Description, to provide additional context for the purpose or business reason for creating the profile, enter a profile description. For example, you might include an incident identification number or a link to a help desk ticket.

  2. Configure Executable Files to restrict file execution to pre-defined locations.

    Item: Action Mode
    Option: Block, Notify, Report, or Disabled
    More details: When the Cortex XDR agent detects execution of files from outside the pre-defined locations, it performs the configured action.

    • To add files or folders to the Block List, click +Add, enter the path, and press Enter. To add more files or folders, click +Add again.

      • You can use a wildcard to match a partial name for the folder and environment variables.

      • Use ? to match any single character, or * to match any string of characters.

      • To match a folder, you must terminate the path with * to match all files in the folder (for example, c:\temp\*).

    • To add files or folders to the Allow List, define a list on the Legacy Agent Exceptions page.
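The following added example is not Cortex XSIAM or Cortex XDR agent code; it is an illustration of the block-list path syntax just described (? for one character, * for any run of characters, a trailing * to cover a folder's contents) and of how the configured Action Mode would be applied once an entry matches. The matcher expands %VAR% environment variables from a constructed dictionary, compares case-insensitively, accepts / and \ as separators, lets * span subfolder separators, and gives Allow List (Legacy Agent Exceptions) entries precedence over Block List entries; all of these behaviours are assumptions of the example, not documented agent behaviour, and the profile and paths are constructed samples.

```python
"""
Added example (not Cortex XSIAM or agent code): a matcher for the Block List
path syntax of a restrictions prevention profile, plus a small evaluator that
returns the configured Action Mode when a file runs from a blocked location.

Assumptions, not taken from the documentation: case-insensitive comparison,
%VAR% expansion before matching, '/' and '\\' both accepted as separators,
'*' spanning subfolder separators, and Allow List entries overriding Block
List entries.
"""
import re

# Constructed environment; stands in for the endpoint's real variables.
SAMPLE_ENV = {
    "TEMP": r"C:\Users\alice\AppData\Local\Temp",
    "APPDATA": r"C:\Users\alice\AppData\Roaming",
}

# The four Action Modes listed in the profile table.
ACTIONS = ("Block", "Notify", "Report", "Disabled")


def expand_env(path, env=SAMPLE_ENV):
    """Replace %NAME% tokens with values from env; unknown names stay as-is."""
    def repl(m):
        return env.get(m.group(1).upper(), m.group(0))
    return re.sub(r"%([^%]+)%", repl, path)


def pattern_to_regex(pattern, env=SAMPLE_ENV):
    """Translate the profile syntax into an anchored, case-insensitive regex.

    '?' matches exactly one character and '*' any run of characters (including
    backslashes, so 'c:\\temp\\*' also covers subfolders). Every other
    character is escaped, so '.' or '+' in a path stay literal.
    """
    pattern = expand_env(pattern, env).replace("/", "\\")
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def matches(pattern, path, env=SAMPLE_ENV):
    """True if the launched file's path matches one Block/Allow List entry."""
    path = expand_env(path, env).replace("/", "\\")
    return pattern_to_regex(pattern, env).match(path) is not None


def evaluate(profile, path, env=SAMPLE_ENV):
    """Return the Action Mode to apply for a file launched from `path`.

    profile is a dict with "action_mode", "block_list" and optional
    "allow_list". Returns None when no restriction fires (module Disabled,
    path on the Allow List, or no Block List entry matched).
    """
    mode = profile["action_mode"]
    if mode not in ACTIONS:
        raise ValueError(f"unknown action mode: {mode}")
    if mode == "Disabled":
        return None  # module off: nothing analyzed or reported
    if any(matches(p, path, env) for p in profile.get("allow_list", [])):
        return None  # exception wins (assumed precedence)
    if any(matches(p, path, env) for p in profile.get("block_list", [])):
        return mode  # Block, Notify or Report as configured
    return None


# Constructed sample profile: a Temp folder, per-user Downloads executables,
# and the c:\temp\* entry from the documentation, with one approved installer.
SAMPLE_PROFILE = {
    "action_mode": "Block",
    "block_list": [r"%TEMP%\*", r"c:\users\*\downloads\*.exe", r"c:\temp\*"],
    "allow_list": [r"%TEMP%\approved-installer-??.exe"],
}

if __name__ == "__main__":
    for p in (r"C:\Users\alice\AppData\Local\Temp\dropper.exe",
              r"C:\Users\alice\AppData\Local\Temp\approved-installer-01.exe",
              r"C:\Program Files\App\app.exe"):
        print(p, "->", evaluate(SAMPLE_PROFILE, p))
```

Note that an entry such as c:\temp without the trailing * matches only a path that is exactly c:\temp, which is why the documentation requires the terminating * for folders; the matcher reproduces that.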

  3. Configure Network Location Files to restrict access to all network locations except for explicitly trusted ones.

    Item: Action Mode
    Option: Block, Notify, Report, or Disabled
    More details: When the Cortex XDR agent detects execution of files from network locations that are not trusted, it performs the configured action.

    To add files or folders to the Allow List, define a list on the Legacy Agent Exceptions page.

  4. Configure Removable Media Files to restrict file execution launched from external drives that are attached to endpoints in your network.

    Item: Action Mode
    Option: Block, Notify, Report, or Disabled
    More details: When the Cortex XDR agent detects execution of files from removable media, it performs the configured action.

    To add files or folders to the Allow List, define a list on the Legacy Agent Exceptions page.

  5. Configure Optical Drive Files to restrict file execution launched from optical disc drives that are attached to endpoints in your network.

    Item: Action Mode
    Option: Block, Notify, Report, or Disabled
    More details: When the Cortex XDR agent detects execution of files from an optical disc drive, it performs the configured action.

    To add files or folders to the Allow List, define a list on the Legacy Agent Exceptions page.

  6. Configure Custom Prevention Rules.

    Item: Action Mode
    Option: Enabled or Disabled
    More details: When user-defined BIOC prevention rules are present in the system, you can enable them here.

    Note

    Configure custom BIOC prevention rules under Detection & Threat Intel → Detection Rules → BIOC.

  7. Configure Custom Indicator Prevention Rules.

    If you want to use custom indicator rules for prevention, enable their use here in the profile, and then create the rules in the Detection & Threat Intel area of Cortex XSIAM.

    Notice

    A Threat Intel Management (TIM) license is required for this feature.

    Item: Action Mode
    Option: Enabled or Disabled
    More details: When user-defined prevention Indicator Rules are present in the system, you can enable them here.

    Note

    Configure this as follows:

    1. Prepare this restriction profile first, set it to Enabled, and make a note of its name for later.

    2. Prepare the prevention Indicator Rule (go to Detection & Threat Intel → Indicator Rules, and make sure to select Prevention when creating the rule), and while preparing it, map it to this restriction profile.

  8. To save the profile, click Create.

macOS

  1. Add a new profile and define basic settings.

    1. From Cortex XSIAM, select Endpoints → Policy Management → Prevention → Profiles. Click +Add Profile, and select whether to create a new profile or import a profile from a file.

      Note

      New profiles based on imported profiles are added, and do not replace existing ones.

    2. Select the macOS platform, and Restrictions as the profile type.

    3. Click Next.

    4. For Profile Name, enter a unique name for the profile. The name can contain only letters, numbers, or spaces, and must be no more than 30 characters. The name will be visible from the list of profiles when you configure a policy rule.

    5. For Description, to provide additional context for the purpose or business reason for creating the profile, enter a profile description. For example, you might include an incident identification number or a link to a help desk ticket.

  2. Configure Custom Prevention Rules.

    Item: Action Mode
    Option: Enabled or Disabled
    More details: When user-defined BIOC prevention rules are present in the system, you can enable them here.

    Note

    Configure custom BIOC prevention rules under Detection & Threat Intel → Detection Rules → BIOC.

  3. Configure Custom Indicator Prevention Rules.

    If you want to use custom indicator rules for prevention, enable their use here in the profile, and then create the rules in the Detection & Threat Intel area of Cortex XSIAM.

    Notice

    A Threat Intel Management (TIM) license is required for this feature.

    Item: Action Mode
    Option: Enabled or Disabled
    More details: When user-defined prevention Indicator Rules are present in the system, you can enable them here.

    Note

    Configure this as follows:

    1. Prepare this restriction profile first, set it to Enabled, and make a note of its name for later.

    2. Prepare the prevention Indicator Rule (go to Detection & Threat Intel → Indicator Rules, and make sure to select Prevention when creating the rule), and while preparing it, map it to this restriction profile.

  4. To save the profile, click Create.

Linux

  1. Add a new profile and define basic settings.

    1. From Cortex XSIAM, select Endpoints → Policy Management → Prevention → Profiles. Click +Add Profile, and select whether to create a new profile or import a profile from a file.

      Note

      New profiles based on imported profiles are added, and do not replace existing ones.

    2. Select the Linux platform, and Restrictions as the profile type.

    3. Click Next.

    4. For Profile Name, enter a unique name for the profile. The name can contain only letters, numbers, or spaces, and must be no more than 30 characters. The name will be visible from the list of profiles when you configure a policy rule.

    5. For Description, to provide additional context for the purpose or business reason for creating the profile, enter a profile description. For example, you might include an incident identification number or a link to a help desk ticket.

  2. Configure Custom Prevention Rules.

    Item: Action Mode
    Option: Enabled or Disabled
    More details: When user-defined BIOC prevention rules are present in the system, you can enable them here.

    Note

    Configure custom BIOC prevention rules under Detection & Threat Intel → Detection Rules → BIOC.

  3. Configure Custom Indicator Prevention Rules.

    If you want to use custom indicator rules for prevention, enable their use here in the profile, and then create the rules in the Detection & Threat Intel area of Cortex XSIAM.

    Notice

    A Threat Intel Management (TIM) license is required for this feature.

    Item: Action Mode
    Option: Enabled or Disabled
    More details: When user-defined prevention Indicator Rules are present in the system, you can enable them here.

    Note

    Configure this as follows:

    1. Prepare this restriction profile first, set it to Enabled, and make a note of its name for later.

    2. Prepare the prevention Indicator Rule (go to Detection & Threat Intel → Indicator Rules, and make sure to select Prevention when creating the rule), and while preparing it, map it to this restriction profile.

  4. To save the profile, click Create.