Cortex XDR Profiles and Policy Rules

Cortex XDR: Profiles and Policy Rules

This course describes Cortex® XDR profile types and policy rules
management and how to configure agent settings and restriction profiles on
various endpoints.
Course Objectives
After completing this course, you should be able to:
• Create and manage profile types
• Create and manage policy rules
• Create and configure Agent Settings profiles
• Create and configure Restrictions profiles
Lesson Topics
This course comprises four lessons and takes about 20 minutes to complete.
We recommend that you take the lessons in numerical order, but you can
use the menu for quick access to any lesson at any time.

Lesson 1: Profiles
Lesson 2: Policy Rules
Lesson 3: Agent Settings Profiles
Lesson 4: Restrictions Profiles

1 ETHIOPIAN ELECTRIC POWER

Lesson 1: Profiles

This lesson describes various sets of rules, profiles, and exceptions on the
Policy Management page, and how to create, import, and export profiles.

1. Policy Management Page


From Endpoint > Policy Management, Cortex XDR offers three sections to
manage rules and policies: Prevent, Extension, and Settings.

The Policy Management menu provides the following groups of options:


1.2 Prevention
The Prevention objects are directly related to the agents’ activities to prevent
threats such as malware and exploits.
1.3 Extensions
The Extensions objects are related to the agent activities to further tighten
the endpoint security by reducing the attack surface, such as through USB
device control or host firewall configuration.
1.4 Settings
The Settings > Device Management option allows you to add a custom USB-connected device class.

2. Prevention
Navigate to Endpoint > Policy Management > Prevention. From here you can
create or manage profiles and policy rules, and configure options for
exceptions in Global Exceptions.

2.1 Policy Rules


A policy rule is an if-condition-then-action object that delivers its
associated profiles to the endpoints it matches. The rule condition is a set
of criteria built from endpoint characteristics, and the rule action is to
apply the associated profiles to the matching endpoints. Policy rules are
identified by their names.
2.2 Profiles
A profile is a named object that encapsulates a collection of related settings
that enforce agents' working parameters.
2.3 Global Exceptions
Unlike profiles and policy rules, Global Exceptions is not a named object; it
is a singleton, so you cannot create additional instances of it. Global
Exceptions does not need a policy rule to be enforced, because its content is
enforced globally without being subject to a condition. You set
configuration options in Global Exceptions to fine-tune specific settings
that are globally enabled in the other profiles.

2.2.1 Default Prevention Profiles


Cortex XDR provides a default, out-of-the-box profile for each profile type
so that protection of the endpoints can start immediately. You can edit and
delete a custom profile if it is not linked to any policy rule. You can also
edit a custom profile that is attached to a policy rule, but you cannot
delete it.

You can clone a default profile, but you cannot delete it. The out-of-the-box
profile is named "Default," and it cannot be renamed. Default profiles are
updated only by Palo Alto Networks content updates.

2.2.2 Prevention Profile Types


The five different prevention profile types are: Agent Settings, Exploit,
Malware, Restrictions, and Exceptions. The Exploit, Malware, and
Restrictions profiles contain direct security-related settings.
Note: The profile type availability depends on the platform. For example, the
Exploit profiles are not available for Android.
A. Agent Settings
The Agent Settings profile contains settings that specify how the Cortex XDR
agents normally operate, such as setting the log space limits on the
endpoints, enabling the enhanced endpoint data (EED) collection, or setting
a new supervisor password.

B. Exploit
When enabled, the Exploit profile can block attempts to exploit system flaws,
such as exploit kits targeting browsers.
C. Malware
The Malware profile can disable file uploads to WildFire (if desired) or
enable file quarantining.
D. Restrictions
The Restrictions profile can block attempts to run any files from a USB drive
or from the well-known folders such as C:\Temp.
E. Exceptions
The Exceptions profile is created to granularly tune some settings in other
profiles, such as disabling an exploit protection module for a specific process
that was globally enabled in an Exploit Profile.

2.2.3 Navigate to Managing Prevention Profiles


You can add, import, and export a Prevention profile from
Endpoints > Policy Management > Prevention > Profiles.
A. Add a prevention profile
Click + New Profile at the top-right corner of the Prevention Profile page.
Select Create New, then select a platform and one of the profile types
available for that platform. Note that the available profile types are
platform-dependent.

Cortex XDR opens a new profile page with configuration options. Specify a
profile name, adjust the settings, and then save the profile.

To enforce the settings of the newly created profile on endpoints, you must
associate the profile with a policy rule.

B. Import a Prevention Profile


On the Prevention Profile page, click + Add Profile in the top right and then
click Import from File. You can select or drag-and-drop a previously
exported profile file. Then, click Add.

C. Export a Prevention Profile


On the Prevention Profile page, right-click on a profile, select Export Profile,
and click Export.

Lesson 2: Policy Rules

2.1 Policy Rules Overview


You use policy rules to associate profiles with endpoints. The profiles
associated with a rule can be thought of as the "load" that the policy rule
conveys to the targeted endpoints.
2.2 Policy Rule Components
A policy rule object has three components: a unique rule name, a targeted
list of endpoints, and a list of profiles with one profile for each profile type
supported by the platform.

2.3 Rule Order


The rule order matters because Cortex XDR evaluates rules from top to
bottom, and the first matched rule is applied as the active policy rule. You
can easily reorder rules by drag and drop.

2.4 Default Policy Rules


Cortex XDR provides out-of-the-box protection for all registered endpoints
with a default policy rule per platform.
A default policy rule is named <Platform> Default (e.g., Windows Default),
and is placed at the end of the rule list for each platform. You cannot reorder
or delete the default rules. A default rule has a Target specification of "Any,"
which always evaluates to true for any endpoint. You can clone a default rule
and modify its profile set.

Note: Rules are evaluated from the top, proceeding downward. The order does
not really matter, but if you want the policy to hit your servers or
development environment first, place that rule at the top.

2.5 Creating Policy Rules


To create a new policy rule, navigate to Endpoints > Policy Management >
Prevention > Policy Rules. Click + Add Policy and select Create New.
Follow the three-step guide in the user interface to specify and then save
the policy rule configuration.
2.5.1 General
In General, specify a policy name, select a platform, and select the profiles
created earlier for each profile type. Note that the dialog box lists only
the profiles for the selected platform.

For example, for a Windows rule you must select a profile for each of the
Exploit, Malware, Restrictions, Agent Settings, and Exceptions types. You can
select the default profile for any profile type you have not customized.

Click Next once all required fields are entered.

2.5.2 Target
In Target, you specify the scope of the rule as a set of targeted endpoints,
either using filters or by selecting the endpoints manually. To build
filtering criteria, you can use any field defined on endpoints, but endpoint
group names or Active Directory (AD) domain objects are typically the most
useful fields for specifying large groups of endpoints. Click Next to
continue once all target endpoints are selected.

2.5.3 Summary
In Summary, you can review your specifications and click Done.

2.5.4 Save
Once a policy rule is added to the Prevention Policy Rules table, you must
click Save to complete the policy configuration. Then, consider changing the
position of your newly created policy rule, because Cortex XDR evaluates
policy rules from top to bottom. You can drag your rule to reorder it
relative to the existing rules. The first matched rule is applied as the
active policy rule.
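The following Python model is added here as an illustration and is not part of the course or of Cortex XDR itself. It reproduces the rule behaviour described in this lesson: one profile per profile type the platform supports, with "Default" as the fallback, unique rule names, top-to-bottom first-match evaluation, and a "<Platform> Default" rule with target "Any" pinned last. The rule names, profile names, groups, domain and endpoints are constructed, and the Android profile-type set is an assumption.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional
# Profile types per platform. Windows is the course's five types; the Android
# set is an assumption (the course only says Exploit is unavailable there).
PROFILE_TYPES: Dict[str, List[str]] = {
    "Windows": ["Agent Settings", "Exploit", "Malware", "Restrictions", "Exceptions"],
    "Android": ["Agent Settings", "Malware", "Restrictions", "Exceptions"],
}

@dataclass
class Endpoint:
    name: str
    platform: str
    group: str = ""      # endpoint group name, a typical target criterion
    ad_domain: str = ""  # Active Directory domain, the other typical criterion

@dataclass
class PolicyRule:
    name: str
    platform: str
    target: Callable[[Endpoint], bool]                      # the rule condition
    profiles: Dict[str, str] = field(default_factory=dict)  # profile type -> profile name

    def __post_init__(self) -> None:
        # One profile per type the platform supports; types not chosen
        # explicitly fall back to the out-of-the-box "Default" profile.
        supported = PROFILE_TYPES[self.platform]
        unknown = set(self.profiles) - set(supported)
        if unknown:
            raise ValueError(f"{self.name}: types not on {self.platform}: {unknown}")
        self.profiles = {t: self.profiles.get(t, "Default") for t in supported}

def default_rule(platform: str) -> PolicyRule:
    # "<Platform> Default": its target "Any" always matches, and it is always last.
    return PolicyRule(f"{platform} Default", platform, lambda _ep: True)

def build_rule_list(custom: List[PolicyRule], platforms: List[str]) -> List[PolicyRule]:
    names = [r.name for r in custom]
    if len(names) != len(set(names)):
        raise ValueError("policy rule names must be unique")
    return custom + [default_rule(p) for p in platforms]  # defaults cannot be reordered

def effective_rule(rules: List[PolicyRule], ep: Endpoint) -> Optional[PolicyRule]:
    # Top-to-bottom evaluation: the first matching rule is the active policy.
    for rule in rules:
        if rule.platform == ep.platform and rule.target(ep):
            return rule
    return None

# Constructed rules: a server lockdown rule placed above a domain-wide rule.
RULES = build_rule_list([
    PolicyRule("Servers", "Windows", lambda ep: ep.group == "servers",
               {"Restrictions": "Server-Lockdown"}),
    PolicyRule("Corp Domain", "Windows", lambda ep: ep.ad_domain == "corp.example",
               {"Exploit": "Hardened-Exploit"}),
], platforms=["Windows", "Android"])

SERVER = Endpoint("srv01", "Windows", group="servers", ad_domain="corp.example")
LAPTOP = Endpoint("lt42", "Windows", group="laptops", ad_domain="corp.example")
PHONE = Endpoint("ph07", "Android", ad_domain="corp.example")

if __name__ == "__main__":
    for ep in (SERVER, LAPTOP, PHONE):
        rule = effective_rule(RULES, ep)
        print(f"{ep.name}: {rule.name} -> {rule.profiles}")
```

Swapping the two custom rules changes which profiles the server receives, which is the reason the lesson tells you to check the position of a new rule after saving it.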

Lesson 3: Agent Settings Profiles

3.1 Agent Settings Profiles Overview


The Agent Settings profile contains settings that affect how the Cortex XDR
agents operate on endpoints. These settings can be regarded as "indirect"
security settings when compared to those found in other profile types such
as Exploit or Malware profiles.
The Agent Settings profile type is available on Windows, macOS, iOS, Linux,
and Android platforms. However, the individual settings presented vary
depending on the platform. For example, the Uninstall Password option is
not available in the Agent Settings profile for Linux endpoints, whereas
Upload Using Cellular Data is available only for Android devices.

The image shows different options between Linux and Windows agent
settings.

3.2 Agent Settings for Windows Endpoints


The Agent Settings profile for Windows endpoints provides the largest set of
settings.
The following table provides a description of each setting.

| Setting | Description |
|---|---|
| Disk Space | Sets a limit on Cortex XDR agent disk usage. |
| User Interface | Hides or shows user notifications, disables access to the agent console, and hides or shows the tray icon. |
| Agent Security | Protects the Cortex XDR agent from being maliciously modified or tampered with. |
| Uninstall Password | Sets a new uninstall password, also known as a supervisor password. |
| Windows Security Center Integration | Registers the Cortex XDR agent as an official antivirus product. |
| Alerts Data | Enables the automatic creation of an alerts data dump file. |
| Forensic | Specifies the memory dump file size and whether to automatically upload it from the endpoint. |
| XDR Pro Endpoints | Enables the Cortex XDR Pro agents' capabilities, including enhanced endpoint data collection and add-on features such as those in Host Insights. |
| Response Actions | Configures additional parameters of the Isolate Endpoint response action. |
| Content Configuration | Specifies how the Cortex XDR agents retrieve new content updated by Palo Alto Networks. |
| Agent Upgrade | Configures the auto-upgrade scheduler and the number of parallel agent upgrades, to conserve bandwidth. |
| Download Source | Determines the source of upgrades and content updates. |
| Network Location Configuration | Enables, and then defines the method used to determine, the internal network location of the agents. |
| Agent Proxy Settings | Defines whether an agent uses a proxy to connect to the Cortex XDR server. Warning: Using this feature may lead to agent connectivity loss. |

3.3 Agent Security


The Agent Security section in the Agent Settings profile contains settings
that prevent unauthorized access or tampering with Cortex XDR agent
components. When XDR Agent Tampering Protection is enabled, Cortex
XDR protects the agent components from being modified, stopped, or
tampered with in any way.

The XDR Agent Tampering Protection is the main enabled or disabled option. If
it is disabled, all the remaining options are dimmed (not editable).

If the XDR Agent Tampering Protection is enabled, you can refine the
following options:

3.3.1 Service Protection


This option protects the Cortex XDR agent service called "Cortex XDR."

3.3.2 Process Protection


This option protects the Cortex XDR agent components such as
Cyserver.exe, Cytray.exe, and CyveraConsole.exe.

3.3.3 File Protection


This option protects the Cortex XDR agent files stored in the installation
folder (%PROGRAMFILES%\Palo Alto Networks\Traps) and data folder
(%PROGRAMDATA%\Cyvera).

3.3.4 Registry Protection


This option protects all Cortex XDR agent registry keys and values stored in
HKLM\SYSTEM\Cyvera.

3.4 XDR Pro Endpoints


You can use the Agent Settings profiles to determine which endpoints
acquire which license types.

To set the agents covered by this profile to the Pro type rather than the
Prevent type, enable the XDR Pro Endpoints Capabilities option. This setting
is disabled by default.

When this option is enabled, the dialog box displays other Pro feature
settings, such as Monitor and Collect Enhanced Endpoint Data and Enable
Host Insight Capabilities.

3.5 Global and Specific Agent Settings


There are two types of Agent Settings: those unique to a specific operating
system/endpoint and global agent settings.

The global agent settings in Settings > Configurations > General > Agent
Configuration cover three main areas:

• Global Uninstall Password
• Content Management
• Agent Upgrade

Lesson 4: Restrictions Profiles

This lesson describes the Restrictions profile and its configuration options
that you can define to prevent potentially malicious executions.

4.1 Restrictions Profile Configuration Options

The Restrictions profiles limit the attack surface on Windows endpoints by
defining where and how users can run files. This profile type provides
control over potentially malicious execution scenarios that do not involve
exploitation. For example, the Cortex XDR agent can prevent the execution
of files from the Windows Temp folder or prevent the execution of a
particular file type, or even all file types, directly from a USB drive.

4.1.1 Executable Files

The Executable Files option is used to restrict the folders, such as the local
Temp or Downloads folder, from which executable files can run. Many attack
scenarios involve writing malicious executable files to these Temp and
Downloads folders and then running them.

You can restrict common local folders by adding them to the block list. In
Executable Files, you can also configure Cortex XDR to allow legitimate files
to run from a folder that the Restrictions profile otherwise restricts. For
example, if you block executables that run from a browser's
%USERPROFILE%\Downloads folder but you need to run specific just-in-time
launchers in that folder, you can allow those legitimate files.

4.1.2 Network Location Files

The Network Location Files option is used to prevent attacks that include
uploading malware to remote folders. You can restrict access to all network
folders except for those that you explicitly trust in the allow list.

4.1.3 Removable Media Files

The Removable Media Files option is used to prevent malicious code from
gaining access to endpoints using external media such as a removable drive.

You can restrict the executable files that users can launch from external
drives attached to the endpoints in your network.

The term "candy drop" refers to a technique for infiltrating a company
network. The attacker prepares removable media, such as USB drives, that
appear to contain interesting content but in fact contain malicious software.
The attacker places the media where it is likely to be found by employees of
the targeted company.

4.1.4 Optical Drive Files

The Optical Drive Files option is used to prevent malicious code from
gaining access to endpoints through optical disk drives (CD, DVD, and
Blu-ray).

4.1.5 Custom Prevention Rules

The Custom Prevention Rules option is used to transfer detection rules
created in the management console to endpoints. Then, the Cortex XDR
agents use these rules as prevention rules. These types of rules are not
covered in this course.

Note: The Custom Prevention Rules option requires agent 7.2 or higher.

Note that the Executable Files, Network Location Files, Removable Media
Files, and Optical Drive Files options are available only for Windows. The
Custom Prevention Rules option is available for Windows, macOS, and
Linux, under the Pro type licenses.

4.2 Restrictions on Executable Files for Hard Drives

If you use Executable Files to limit execution of the files on hard drives, you
will specify the following settings.

4.2.1 Action Mode

Action Mode specifies the action taken by the Cortex XDR agent when
monitored criteria given in this group are met.

4.2.1.1 Action Mode in Details

The following table lists, for each action mode, how the agent implements
it: whether the attempted file is allowed to run, whether a notification is
sent to the user, and whether a report is sent to Cortex XDR. For Executable
Files, the Action Mode is applied to the files and folders specified in the
block list.

| Action Mode | Agent Action | Notify the User | Report to Cortex XDR | Description |
|---|---|---|---|---|
| Block | Block | Yes | Yes | Blocks the file execution. |
| Notify | Allow | Yes | Yes | Allows the file to execute but notifies the user that the file is attempting to run from a suspicious location. The Cortex XDR agent also reports the event to Cortex XDR. |
| Report | Allow | No | Yes | Allows the file to execute but reports it to Cortex XDR. |
| Disabled | Allow | No | No | Disables the module; execution attempts from restricted locations are neither analyzed nor reported. |

4.2.2 Use Default

Select the Use Default checkbox if you want to use the default action for
this group of settings.

4.2.3 Files/Folders in Block List

You can specify the list of files or folders to block. When a folder is
block-listed, the executables in that folder are blocked.

Note that in the allow and block list specifications, you can use wildcards
and Windows environment variables.

4.2.4 Files/Folders in Allow List

You can specify exceptions in block lists. For example, if you want a
subfolder whose parent folder is added to the block list to be exempt from
blocking, you can add the subfolder to the allow list.

4.3 Restrictions on Executable Files for Non-Hard Drives

To limit execution of the files on non-hard drives, you can configure the
following options: Network Location Files, Removable Media Files, and
Optical Drive Files.

These groups have the same set of settings: Action Mode, Use Default, and
Files/Folders in Allow List. There is no block listing. Therefore, the action
applies to all the files and folders in the drives except for those specified in
the allow list.
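As an added illustration (not Cortex XDR code), the following Python model applies the Action Mode table and the block/allow-list rules of sections 4.2 and 4.3 to constructed paths: for the hard-drive group the action applies to block-listed locations minus the allow list, and for the non-hard-drive groups it applies to the whole drive minus the allow list. The environment-variable values, folder lists and file names are invented for the example, and how wildcards and folder entries match is the model's own reading of the course text.

```python
import fnmatch
import ntpath
from typing import List, NamedTuple, Optional

class Outcome(NamedTuple):
    agent_action: str  # "Block" or "Allow"
    notify_user: bool
    report: bool

# The course's Action Mode table: agent action, notify the user, report to Cortex XDR.
ACTION_MODES = {
    "Block":    Outcome("Block", True, True),
    "Notify":   Outcome("Allow", True, True),
    "Report":   Outcome("Allow", False, True),
    "Disabled": Outcome("Allow", False, False),
}
# A file outside every restricted location is simply allowed to run.
NOT_RESTRICTED = Outcome("Allow", False, False)

# Constructed values for the Windows environment variables (not read from the OS).
ENV = {"USERPROFILE": r"C:\Users\alice", "SYSTEMDRIVE": "C:"}

def expand(entry: str) -> str:
    # Substitute %VAR% references and normalise case and separators, because
    # Windows paths are case-insensitive.
    for var, value in ENV.items():
        entry = entry.replace(f"%{var}%", value)
    return ntpath.normcase(entry)

def matches(path: str, entry: str) -> bool:
    # An entry may contain wildcards. It matches the path itself (a file entry)
    # or, read as a folder entry, anything beneath it.
    path, entry = expand(path), expand(entry).rstrip("\\")
    return fnmatch.fnmatchcase(path, entry) or fnmatch.fnmatchcase(path, entry + "\\*")

def evaluate(path: str, action_mode: str, block_list: Optional[List[str]],
             allow_list: List[str]) -> Outcome:
    # block_list=None models the non-hard-drive groups (Network Location,
    # Removable Media, Optical Drive): the action applies to the whole drive
    # except the allow list. For hard drives it applies only to block-listed
    # files and folders, with allow-list entries as exceptions.
    if any(matches(path, a) for a in allow_list):
        return NOT_RESTRICTED
    restricted = block_list is None or any(matches(path, b) for b in block_list)
    return ACTION_MODES[action_mode] if restricted else NOT_RESTRICTED

# Constructed Executable Files settings for the hard drive group.
HD_BLOCK = [r"%USERPROFILE%\Downloads", r"%SYSTEMDRIVE%\Temp", r"C:\Users\*\AppData\Local\Temp"]
HD_ALLOW = [r"%USERPROFILE%\Downloads\Launcher"]  # just-in-time launchers live here
# Constructed Removable Media Files settings: no block list, only an allow list.
USB_ALLOW = [r"E:\Corp Tools"]

if __name__ == "__main__":
    for p in (r"C:\Users\alice\Downloads\setup.exe", r"C:\Users\alice\Downloads\Launcher\jit.exe",
              r"C:\Users\bob\AppData\Local\Temp\drop.exe", r"C:\Program Files\App\app.exe"):
        print(p, evaluate(p, "Block", HD_BLOCK, HD_ALLOW))
    for p in (r"E:\autorun\bad.exe", r"E:\Corp Tools\inventory.exe"):
        print(p, evaluate(p, "Report", None, USB_ALLOW))
```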

Knowledge Check

Now that you've completed this course, let's test your knowledge!

1. Which profile allows you to disable specific protections on certain
processes?

Malware

Agent Settings

Restrictions

Exceptions

2. Which profile type can you use to limit executions from the
Downloads folder?

Agent Settings

Restrictions

Malware

Exceptions

3. Which profile type can you use to enable the Pro features of XDR
agents?

Exceptions

Restrictions

Agent Settings

Malware

4. Which profile type can you use to configure endpoint scanning?

Exceptions

Restrictions

Agent Settings

Malware

5. What do you need to create in the management console to apply the
security settings in the profiles to the endpoints?

Malware profile

Exemptions

Policy rules

Agent Settings profile

6. Where in the management console can you set the Global Uninstall
Password?

Configurations > General > Agent Configuration

Configurations > General > Server Configuration

Configurations > Agent Settings

Configuration > Server Settings
