Cortex XDR Profiles and Policy Rules
Lesson 1: Profiles
Lesson 2: Policy Rules
Lesson 3: Agent Settings Profiles
Lesson 4: Restrictions Profiles
Lesson 1: Profiles
This lesson describes various sets of rules, profiles, and exceptions on the
Policy Management page, and how to create, import, and export profiles.
2. Prevention
Navigate to Endpoint > Policy Management > Prevention. From here you
can create or manage profiles and policy rules, and configure options for
exceptions in Global Exceptions.
You can clone a default profile, but you cannot delete it. The name of the
out-of-the-box profile is "Default," and it cannot be renamed. The default
profiles can be updated only by Palo Alto Networks content updates.
B. Exploit
When enabled, the Exploit profile can block attempts to exploit system flaws
in browsers, such as those used by exploit kits.
C. Malware
The Malware profile can disable file uploads to WildFire (if desired) or
enable file quarantining.
D. Restrictions
The Restrictions profile can block attempts to run any files from a USB drive
or from the well-known folders such as C:\Temp.
E. Exceptions
The Exceptions profile is created to granularly tune some settings in other
profiles, such as disabling an exploit protection module for a specific process
that was globally enabled in an Exploit Profile.
Cortex XDR opens a new profile page with configuration options. You need
to specify a profile name, adjust the settings, and then save the profile.
To enforce the settings of the newly created profile on some endpoints, you
must associate your profile with a policy rule.
Note: The rules are evaluated from the top down. The order doesn't really
matter, but if you wish the policy to hit your servers or development
environment first, set it as the top rule.
For example, to associate profiles with this rule for Windows, you must
select a profile for each of the types Exploit, Malware, Restrictions, Agent
Settings, and Exceptions. You can keep the default profiles for the profile
types you do not change.
2.5.2 Target
In Target, you specify the scope (coverage) of the rule as a set of targeted
endpoints, either by using filters or by manually selecting the endpoints. To
build filtering criteria, you can use any field defined on endpoints, but
endpoint group names or Active Directory (AD) domain objects are typically
the most useful fields for specifying large groups of endpoints. Click Next
to continue once all target endpoints are selected.
2.5.3 Summary
In Summary, you can review your specifications and click Done.
2.5.4 Save
Once a policy rule is added to the Prevention Policy Rules table, you must
click Save to complete the policy configuration. Then consider changing the
position of your newly created policy rule, because Cortex XDR evaluates
policy rules from top to bottom. You can drag your rule to re-order it
relative to the existing rules. The first matched rule is applied as the active
policy rule.
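The top-down, first-match evaluation described above, as an added example (not Cortex XDR's own code): a constructed model in which each rule carries a Target filter (endpoint group or AD domain) and one profile per type, with "Default" standing in for any type left unchanged. The rule names, group names and domain are assumptions for the example.

```python
# Constructed model of Prevention policy-rule evaluation. Rules are checked
# top to bottom; the first rule whose Target matches the endpoint supplies
# the effective profiles. Example code, not Cortex XDR's own implementation.
PROFILE_TYPES = ("Exploit", "Malware", "Restrictions", "Agent Settings", "Exceptions")

def rule(name, target, **profiles):
    """Build a rule: a Target filter plus one profile per type.
    Types not given explicitly fall back to the "Default" profile."""
    chosen = {t: profiles.get(t.replace(" ", "_"), "Default") for t in PROFILE_TYPES}
    return {"name": name, "target": target, "profiles": chosen}

def target_matches(target, endpoint):
    """Every filter field in the Target must be satisfied by the endpoint."""
    return all(endpoint.get(field) in values for field, values in target.items())

def effective_policy(rules, endpoint):
    """Return (rule name, profiles) of the first matching rule, top to bottom."""
    for r in rules:
        if target_matches(r["target"], endpoint):
            return r["name"], r["profiles"]
    return None, None   # no rule targets this endpoint

# Constructed rule table (assumed names): servers first, then the corp domain.
RULES = [
    rule("Servers", {"endpoint_group": {"prod-servers"}},
         Restrictions="Strict-Servers", Exploit="Server-Exploit"),
    rule("Corp workstations", {"ad_domain": {"corp.example"}},
         Restrictions="Block-Downloads"),
]
# Constructed endpoints: the server matches both rules, the laptop only the second.
SERVER = {"name": "srv01", "endpoint_group": "prod-servers", "ad_domain": "corp.example"}
LAPTOP = {"name": "lt42", "endpoint_group": "laptops", "ad_domain": "corp.example"}

if __name__ == "__main__":
    print(effective_policy(RULES, SERVER))                 # Servers rule wins
    print(effective_policy(list(reversed(RULES)), SERVER)) # order changed: corp rule wins
    print(effective_policy(RULES, LAPTOP))
```

Reversing the table shows why a server-specific rule belongs at the top: the broader domain rule would otherwise match first and the server would get the workstation profiles.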
The image shows the differences in agent settings options between Linux
and Windows.
Setting: XDR Pro Endpoints
Description: Enables the Cortex XDR Pro agents' capabilities, including
enhanced endpoint data collection and add-on features such as those in Host
Insights.
If the XDR Agent Tampering Protection is enabled, you can refine the
following options:
To set the type of agents covered by this profile to Pro rather than Prevent,
enable the XDR Pro Endpoints Capabilities option. This setting is disabled by
default.
When this option is enabled, the dialog box displays other Pro feature
settings, such as Monitor and Collect Enhanced Endpoint Data and Enable
Host Insight Capabilities.
The global agent settings in Settings > Configurations > General > Agent
Configuration cover three main areas:
This lesson describes the Restrictions profile and its configuration options
that you can define to prevent potentially malicious executions.
The Executable Files option is used to restrict the folders, such as the local
Temp or Downloads folder, from which executable files can run. Many attack
scenarios involve writing malicious executable files to these Temp and
Downloads folders and then running them.
You can restrict access to common local folders by adding the folders to the
block list. In Executable Files, you can also configure Cortex XDR to allow
specific legitimate files to run from a folder that a Restrictions profile
blocks. For example, if you block executables run from a browser's
%USERPROFILE%\Downloads folder but you need to run specific just-in-time
launchers in that folder, you can allow those legitimate files.
The Network Location Files option is used to prevent attacks that include
uploading malware to remote folders. You can restrict access to all network
folders except for those that you explicitly trust in the allow list.
The Removable Media Files option is used to prevent malicious code from
gaining access to endpoints using external media such as a removable drive.
You can restrict the executable files that users can launch from external
drives attached to the endpoints in your network.
The Optical Drive Files option is used to prevent malicious code from
gaining access to endpoints using optical disk drives (CD, DVD, and Blu-
ray).
Note: The Custom Prevention Rules option requires agent 7.2 or higher.
Note that the Executable Files, Network Location Files, Removable Media
Files, and Optical Drive Files options are only available for Windows. The
If you use Executable Files to limit execution of files on hard drives, you
specify the following settings.
Action Mode specifies the action taken by the Cortex XDR agent when
monitored criteria given in this group are met.
The following table lists, for each action mode, whether the agent allows the
attempted file to run, sends a notification to the user, and sends a report to
Cortex XDR. For Executable Files, the Action Mode is applied to the files and
folders specified in the block list.
Select the Use Default checkbox if you want to use the default action for
this group of settings.
You can specify the list of files or folders to block. When a folder is
block-listed, the executables in this folder are blocked.
Note that in the allow and block list specifications, you can use wildcards
and Windows environment variables.
You can specify exceptions in block lists. For example, if you want a
subfolder whose parent folder is added to the block list to be exempt from
blocking, you can add the subfolder to the allow list.
To limit execution of the files on non-hard drives, you can configure the
following options: Network Location Files, Removable Media Files, and
Optical Drive Files.
These groups have the same set of settings: Action Mode, Use Default, and
Files/Folders in Allow List. There is no block listing. Therefore, the action
applies to all the files and folders in the drives except for those specified in
the allow list.
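The block-list/allow-list semantics of Executable Files (allow entries exempt paths such as a subfolder of a blocked parent) and the allow-list-only semantics of the Network Location, Removable Media and Optical Drive groups, as an added example that is not Cortex XDR's code. It assumes a constructed %USERPROFILE% value and that list wildcards follow fnmatch rules; the real agent's matching rules are not specified on this page.

```python
import fnmatch

# Constructed endpoint environment for this example; the agent expands an
# entry's %VAR% references from the endpoint's real variables.
ENV = {"USERPROFILE": r"C:\Users\alice"}

def expand(entry):
    """Resolve %VAR% references in an allow/block list entry, case-folded."""
    for name, value in ENV.items():
        entry = entry.replace(f"%{name}%", value)
    return entry.lower()

def matches(path, entry):
    """True if the path equals or wildcard-matches the entry, or lies under
    it when the entry names a folder. Assumption: '*' and '?' follow fnmatch
    rules here, so '*' also spans backslashes."""
    path, entry = path.lower(), expand(entry)
    if fnmatch.fnmatchcase(path, entry):
        return True
    return path.startswith(entry.rstrip("\\") + "\\")

def executable_files_decision(path, block_list, allow_list):
    """Executable Files (hard drive): the Action Mode applies only to paths
    under a block-listed file/folder; an allow-list entry exempts a path,
    for example a subfolder whose parent folder is blocked."""
    if any(matches(path, a) for a in allow_list):
        return "allow"
    if any(matches(path, b) for b in block_list):
        return "block"
    return "allow"

def non_hard_drive_decision(path, allow_list):
    """Network Location / Removable Media / Optical Drive Files: there is no
    block list, so the action applies to everything not allow-listed."""
    return "allow" if any(matches(path, a) for a in allow_list) else "block"

# Constructed sample lists mirroring the lesson's Downloads example.
BLOCK = [r"%USERPROFILE%\Downloads", r"C:\Temp"]
ALLOW = [r"%USERPROFILE%\Downloads\jit", r"C:\Temp\signed-updater.exe"]
USB_ALLOW = [r"E:\corp-tools\*"]

if __name__ == "__main__":
    for p in (r"C:\Users\alice\Downloads\setup.exe",
              r"C:\Users\alice\Downloads\jit\launcher.exe",
              r"C:\Program Files\App\app.exe"):
        print(p, "->", executable_files_decision(p, BLOCK, ALLOW))
    for p in (r"E:\tools\putty.exe", r"E:\corp-tools\imaging.exe"):
        print(p, "->", non_hard_drive_decision(p, USB_ALLOW))
```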
Knowledge Check
Malware
Agent Settings
Restrictions
Exceptions
2. Which profile type can you use to limit executions from the
Downloads folder?
Agent Settings
Restrictions
Malware
Exceptions
3. Which profile type can you use to enable the Pro features of XDR
agents?
Exceptions
Restrictions
Agent Settings
Malware
Exceptions
Restrictions
Agent Settings
Malware
Malware profile
Exemptions
Policy rules
6. Where in the management console can you set the Global Uninstall
Password?