Add a New Exploit Security Profile
Exploit security profiles allow you to configure the action the Cortex XDR agent takes when attempts to exploit software vulnerabilities or flaws occur. To protect against specific exploit techniques, you can customize exploit protection capabilities in each Exploit security profile.
By default, the Cortex XDR agent will receive the default profile that contains a pre-defined configuration for each exploit capability supported by the platform. To fine-tune your Exploit security policy, you can override the configuration of each capability to block the exploit behavior, allow the behavior but report it, or disable the module.
To define an Exploit security profile:
- Add a new profile.
- From Cortex XDR, select.EndpointsPolicy ManagementProfiles+ New Profile
- Select the platform to which the profile applies andExploitas the profile type.
- Define the basic settings.
- Enter a uniqueProfile Nameto identify the profile. The name can contain only letters, numbers, or spaces, and must be no more than 30 characters. The name you choose will be visible from the list of profiles when you configure a policy rule.
- To provide additional context for the purpose or business reason that explains why you are creating the profile, enter a profileDescription. For example, you might include an incident identification number or a link to a help desk ticket.
- Configure the action to take when the Cortex XDR agent detects an attempt to exploit each type of software flaw.
To view which processes are protected by each capability, see Processes Protected by Exploit Security Policy.ForLogical Exploits Protection, you can also configure a block list for the DLL Hijacking module. The block list enables you to block specific DLLs when run by a protected process. The DLL folder or file must include the complete path. To complete the path, you can use environment variables or the asterisk (*) as a wildcard to match any string of characters (for example,*/windows32/).ForExploit Protection for Additional Processes, you also add one or more additional processes.In Exploit Security profiles, if you change the action mode for processes, you must restart the protected processes for the following security modules to take effect on the process and its forked processes: Brute Force Protection, Java Deserialization, ROP, and SO Hijacking.
- Block—Block the exploit attack.
- Report—Allow the exploit activity but report it to Cortex XDR.
- Disabled—Disable the module and do not analyze or report exploit attempts.
- Default—Use the default configuration to determine the action to take. Cortex XDR displays the current default configuration for each capability in parenthesis. For example,Default (Block).
- Savethe changes to your profile.
- You can do this in two ways: You canCreate a new policy rule using this profilefrom the right-click menu or you can launch the new policy wizard fromPolicy Rules.
Recommended For You
Recommended videos not found.