Cortex Policy

Uploaded by Ranjitha G
Security Policy Implementation Recommendations
Prioritize HIGH priority items for immediate implementation.

1. Threat Intelligence Integration (third-party threat intelligence feeds)
   Current Status: Not Integrated
   Recommendation: Integrate with reputable threat intelligence providers (e.g., AlienVault OTX, IBM X-Force, Microsoft Threat Intelligence) to enhance detection capabilities.
   Implementation Path: Settings > Configurations > Threat Intelligence
   Priority: HIGH
   Business Impact: Enhanced threat detection and proactive security posture
   Remark: Prakash Sir

2. Device Control Policy (access control)
   Current Status: Disk Drive Read-Only Configured
   Recommendation: Review and enhance disk drive policies. Consider implementing granular controls based on user roles and business requirements.
   Implementation Path: Inventory > Endpoints > Policy Management > Extensions > Policy Rules
   Priority: MEDIUM
   Business Impact: Prevents data exfiltration and unauthorized data access
   Remark: Client recommended Read only

3. Host Firewall Rules (network access control and traffic filtering)
   Current Status: Not Configured
   Recommendation: Implement essential firewall rules:
   • Allow RDP from Admin IPs Only
   • Block Outbound to Malicious IPs
   • Restrict unnecessary network services
   Implementation Path: Inventory > Endpoints > Host Firewall
   Priority: HIGH
   Business Impact: Critical for preventing lateral movement and external threats

4. Analytics & Detection Correlation (rules for advanced threats)
   Current Status: No Rules Configured
   Recommendation: Create correlation rules, for example:
   • Foreign Login + PowerShell Execution
   • Multiple Failed Logins + Successful Login
   • Malicious File Drop + Outbound Connection
   • Suspicious Process Chain Detection
   Implementation Path: Threat Management > Detection Rules > Correlation Rules
   Priority: HIGH
   Business Impact: Advanced persistent threat detection and incident response

5. Remote Desktop Applications (unauthorized remote access tools)
   Current Status: No Prevention Rules
   Recommendation: Block unauthorized remote tools:
   • AnyDesk, TeamViewer, LogMeIn
   • ConnectWise Control, Supremo
   • Ammyy Admin, AeroAdmin
   • UltraViewer, RustDesk
   • Chrome Remote Desktop
   Implementation Path: Inventory > Endpoint > Policy Management > Prevention Rules > Windows > Restrictions
   Priority: HIGH
   Business Impact: Prevents unauthorized access and potential data breaches

6. Optical Drive Files (CD/DVD execution control)
   Current Status: Not Configured
   Recommendation: Enable restriction to block execution from optical media. Configure alerts for optical media insertion attempts.
   Implementation Path: Inventory > Endpoint > Policy Management > Prevention Rules > Windows > Restrictions
   Priority: LOW
   Business Impact: Additional layer of protection against physical media threats

7. Application Whitelisting (process and application control)
   Current Status: Not Implemented
   Recommendation: Implement comprehensive application allowlisting:
   • Block risky execution paths
   • Whitelist approved applications
   • Monitor and log blocked attempts
   • Regular policy updates
   Implementation Path: Inventory > Endpoint > Policy Management > Prevention Rules > Windows > Restrictions
   Priority: HIGH
   Business Impact: Significantly reduces malware execution and unauthorized software
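The "Multiple Failed Logins + Successful Login" correlation recommended above, combined with the failed-logon threshold the policy sets for Event ID 4625 (5 attempts in 5 minutes), as an added reference implementation in Python. This is not Cortex XDR code or the document's own; the log line format, field names, account names and addresses are constructed for the example.

```python
# Added example (not from the policy document or Cortex XDR): logon-audit logic run
# over constructed Windows Security log lines.
#   - failed_logon_threshold: 5 or more 4625 events for one (account, source IP)
#     inside a sliding 5-minute window
#   - failed_then_success: a 4624 for the same (account, source IP) within 5 minutes
#     of the threshold being hit (the "Multiple Failed Logins + Successful Login" rule)
# The "EventID=/Account=/SourceIP=" field names are an assumption of this example.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON = 4625
SUCCESS_LOGON = 4624
THRESHOLD = 5                      # "5 failed attempts in 5 minutes"
WINDOW = timedelta(minutes=5)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) Account=(?P<acct>\S+) SourceIP=(?P<ip>\S+)$"
)

# Constructed sample: jdoe is brute-forced from 203.0.113.7 and then logs in;
# asmith has two widely spaced failures and a later normal logon (no alert expected).
# One line is deliberately out of order to show that events are sorted first.
SAMPLE_LOG = """\
2024-05-01T09:00:00 EventID=4625 Account=jdoe SourceIP=203.0.113.7
2024-05-01T09:00:20 EventID=4625 Account=jdoe SourceIP=203.0.113.7
2024-05-01T09:00:40 EventID=4625 Account=jdoe SourceIP=203.0.113.7
2024-05-01T09:01:00 EventID=4625 Account=jdoe SourceIP=203.0.113.7
2024-05-01T09:03:00 EventID=4625 Account=asmith SourceIP=10.0.5.12
2024-05-01T09:01:15 EventID=4625 Account=jdoe SourceIP=203.0.113.7
2024-05-01T09:02:00 EventID=4624 Account=jdoe SourceIP=203.0.113.7
2024-05-01T09:30:00 EventID=4625 Account=asmith SourceIP=10.0.5.12
2024-05-01T10:00:00 EventID=4624 Account=asmith SourceIP=10.0.5.12
"""


def parse_log(text):
    """Parse the constructed format into sorted (timestamp, event_id, account, ip)
    tuples; lines that do not match are skipped (real logs carry many other IDs)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m["ts"]), int(m["eid"]),
                           m["acct"], m["ip"]))
    return sorted(events)


def detect(events, threshold=THRESHOLD, window=WINDOW):
    """Return alerts as (rule, account, source_ip, timestamp).
    Each burst alerts once; a successful logon resets the state for that key."""
    alerts = []
    failures = defaultdict(deque)   # (account, ip) -> timestamps of recent 4625s
    threshold_hit_at = {}           # (account, ip) -> time the threshold was reached
    for ts, eid, acct, ip in events:
        key = (acct, ip)
        if eid == FAILED_LOGON:
            q = failures[key]
            q.append(ts)
            while ts - q[0] > window:          # drop failures outside the window
                q.popleft()
            if len(q) >= threshold and key not in threshold_hit_at:
                threshold_hit_at[key] = ts
                alerts.append(("failed_logon_threshold", acct, ip, ts))
        elif eid == SUCCESS_LOGON:
            hit = threshold_hit_at.pop(key, None)
            if hit is not None and ts - hit <= window:
                alerts.append(("failed_then_success", acct, ip, ts))
            failures[key].clear()
    return alerts


def run_sample():
    return detect(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```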
Policies Rule Name

Antivirus Real-Time Malware Scanning

Antivirus Behavioral Threat Protection

Antivirus Child Process Protection

Antivirus Network/External Drive Restrictions

Antivirus Highly Trusted Signers

Antivirus Hash Exceptions


Antivirus Unauthorized Application Detection

Antivirus Suspicious Command-Line Activity

Antivirus Disk Encryption Integration

Antivirus Host Firewall Rules

Enforce BitLocker Encryption on OS Volume

Disk Encryption

Monitor Encryption Status


Disk Encryption

Store BitLocker Recovery Keys


Disk Encryption

Block Network Access for Non-Encrypted


Endpoints
Disk Encryption
Exception: Allow Manual Decryption for
Specific Endpoints

Disk Encryption

Periodic Encryption Compliance Check


Disk Encryption
Software Restriction Rule Name

Block Unspecified Software Execution


(Default Deny)
Software Restriction

Allow Trusted Signers


Software Restriction

Block Specific File Paths

Software Restriction

Allow Specific Applications by Hash


Software Restriction

Block Known Malicious Software by Hash


Software Restriction

Behavioral Restriction for Suspicious


Processes
Software Restriction

Exception: Allow Admin-Approved


Applications
Software Restriction

Audit Account Management Events

Audit

Audit Process Creation with Command-Line


Audit
Audit Failed Logon Attempts
Audit

Audit Privilege Escalation Attempts


Audit

Audit File and Registry Changes


Audit

Audit Cortex XDR Agent Events


Audit

Exception: Suppress Low-Risk Alerts


Audit

Monitor Suspicious User Logins

IAM (Identity access management)

Restrict USB Access by AD Identity

IAM (Identity access management)

Enforce RBAC for Cortex XDR Console

IAM (Identity access management)


Detect Privilege Escalation Attempts

IAM (Identity access management)

Block Non-Compliant User Endpoints

IAM (Identity access management)

Audit Account Management Events

IAM (Identity access management)

Detect Cloud IAM Misuse (if applicable)

IAM (Identity access management)

Restrict Local Admin Privileges

IAM (Identity access management)

Exception: Allow Trusted Admin Actions

IAM (Identity access management)

Default Deny Host Firewall Rule

NetXgate Firewall Intergation


Allow Critical Application Traffic

NetXgate Firewall Intergation

Restrict RDP Access

NetXgate Firewall Intergation

Integrate NGFW Logs

NetXgate Firewall Intergation

Exception: Allow Trusted Third-Party Traffic

NetXgate Firewall Intergation


NetXgate Firewall Intergation
NetXgate Firewall Intergation Rule Name

Network Location-Based Rules

NetXgate Firewall Intergation

Prisma Access/GlobalProtect Enforcement

NetXgate Firewall Intergation


Monitor Suspicious Access Point Connections

NetXgate Firewall Intergation

Block Non-Compliant Endpoints on Access


Points

NetXgate Firewall Intergation

Exception: Allow Trusted Access Point Traffic

NetXgate Firewall Intergation


NetXgate Firewall Intergation
NetXgate Firewall Intergation Rule Name

Detect Suspicious File Hashes

NetXgate Firewall Intergation

Detect Rogue Access Point Connections

NetXgate Firewall Intergation

Block Non-VPN Access Point Traffic

NetXgate Firewall Intergation


Monitor Suspicious Registry Changes (Access
Points)

NetXgate Firewall Intergation

Detect Malicious Process Execution

NetXgate Firewall Intergation

Monitor Failed Login Attempts

NetXgate Firewall Intergation

Detect Suspicious Command-Line Activity

NetXgate Firewall Intergation

Monitor Anomalous User Behavior

NetXgate Firewall Intergation

Detect Suspicious USB Activity

NetXgate Firewall Intergation

Exception: Allow Trusted IOCs for Services

NetXgate Firewall Intergation


Description Action

Scans executables (.exe), DLLs (.dll), and macros


Block malicious files, report to Cortex XDR
(.docm, .xlsm, .pptm) in real time using the Local Analysis Engine
Console.
and WildFire threat intelligence to detect malware.

Monitors file and process behavior to detect anomalies, such as


Block high-confidence threats, alert on low-
ransomware-like encryption or process injection, using machine
confidence threats.
learning and behavioral analysis.

Blocks unauthorized child processes spawned by trusted


applications (e.g., winword.exe spawning powershell.exe) to Block child process, report to Console.
prevent exploitation.

Prevents execution of executable files from network locations or


Block execution, report event.
external drives to reduce malware risks.

Allows files signed by trusted certificates (e.g., Microsoft, Adobe)


Permit execution.
to bypass scanning, reducing performance overhead.

Overrides verdicts for specific files using SHA-256 hashes to


Allow/block based on hash.
address false positives or block known malicious files.
Detects and blocks unauthorized installers (e.g.,
ZoomInstallerFull.exe) to prevent unapproved software Alert and block execution.
installations.

Detects malicious use of system tools (e.g., regsvr32.exe or


rundll32.exe loading malicious DLLs) via command-line Alert, investigate; block after validation.
arguments.

Enforces BitLocker encryption on OS volumes and blocks


Block network access, report to Console.
unencrypted endpoints to protect data at rest.

Restricts network traffic to authorized applications and ports to


Block unauthorized traffic, log events.
prevent unauthorized access.

Enforces BitLocker encryption on the operating system volume Enable BitLocker; block non-compliant
for all Windows endpoints. endpoints.

Monitors BitLocker encryption status and reports non-compliant Alert on non-encrypted endpoints; report to
endpoints. Console.

Stores BitLocker recovery keys securely in Cortex XDR for


Store keys in Cortex Data Lake; restrict access.
recovery purposes.

Blocks network access for endpoints without BitLocker encryption


Deny network access; report to Console.
enabled.
Allows manual decryption for specific endpoints (e.g., for
Allow decryption; log action.
maintenance) while maintaining monitoring.

Schedules periodic checks to ensure ongoing BitLocker


Alert on non-compliance; report to Console.
compliance.

Description Action

Blocks all executable files (.exe, .dll, .scr) unless explicitly


Block execution; report to Console.
allowed, reducing the risk of unauthorized software.

Permits execution of files signed by trusted certificates (e.g.,


Allow execution.
Microsoft, Adobe).

Prevents execution of files from untrusted locations (e.g., user


Block execution; report to Console.
temp folders, external drives).

Permits execution of known benign applications using SHA-256


Allow execution.
hashes to address false positives.

Blocks execution of files with known malicious SHA-256 hashes. Block execution; report to Console.

Blocks processes exhibiting suspicious behavior (e.g.,


Block execution; alert.
unauthorized installers).

Allows specific applications for administrative or operational


Allow execution; log action.
needs (e.g., IT tools).

Monitors account creation, modification, and deletion (e.g., user


Log events; alert on suspicious changes.
accounts, groups).

Logs process creation events with command-line arguments to


Log events; alert on anomalies.
detect malicious activities (e.g., PowerShell abuse).
Tracks failed logon attempts to identify potential brute-force
Log events; alert on threshold violations.
attacks.

Monitors attempts to elevate privileges (e.g., UAC bypass, token


Log events; alert on suspicious behavior.
theft).

Tracks modifications to critical files and registry keys (e.g., Log changes; alert on unauthorized
system binaries, startup keys). modifications.

Monitors agent-specific events (e.g., uninstall attempts, policy


Log events; alert on tampering.
changes).

Suppresses alerts for low-risk, known benign activities to reduce


Suppress alerts; log events.
noise (e.g., trusted admin scripts).

Detects anomalous login activities (e.g., impossible travel,


excessive failed logins) using Identity Analytics and Windows Alert on anomalies; log to Console.
Event Logs.

Limits USB device access to authorized Active Directory (AD)


Block unauthorized access; notify users.
users or groups to prevent data exfiltration.

Restricts access to the Cortex XDR Console using role-based


Allow access for defined roles; block others.
access control and IP whitelisting.
Monitors attempts to elevate privileges (e.g., UAC bypass, token
Alert on suspicious behavior; log to Console.
theft) tied to user identities.

Blocks network access for endpoints with non-compliant AD


Deny network access; report to Console.
accounts (e.g., expired or disabled credentials).

Tracks account creation, modification, and deletion in Active


Log events; alert on suspicious changes.
Directory to detect unauthorized changes.

Monitors suspicious use of cloud IAM access keys for Windows


Servers in hybrid/cloud environments (e.g., Azure AD-integrated Alert; isolate endpoint if malicious.
servers).

Limits local administrator account usage to prevent privilege


Block non-authorized local admin actions; alert.
abuse on endpoints.

Suppresses alerts for known benign admin activities (e.g., IT


Suppress alerts; log events.
scripts run by authorized AD users).

Blocks all inbound and outbound traffic unless explicitly allowed,


Block all unspecified traffic.
reducing the attack surface on endpoints.
Permits network traffic for trusted applications (e.g., Microsoft
Allow traffic for specified executables.
Edge, SCCM) to ensure business continuity.

Blocks Remote Desktop Protocol (RDP) traffic by default,


Block RDP; allow for specific groups.
allowing only authorized AD groups (e.g., IT Admins).

Ingests logs from Palo Alto Networks NGFWs to correlate with Log and correlate NGFW events; alert on
endpoint data for enhanced threat detection. threats.

Permits network traffic for third-party agents (e.g., Veeam


Allow specific traffic; log events.
Backup) to avoid disrupting critical services.

Description Action

Applies stricter firewall rules for endpoints connecting via


Enforce stricter rules for external networks.
external access points (e.g., public Wi-Fi) vs. internal networks.

Extends firewall policies to remote endpoints connecting via


Enforce secure traffic policies; log events.
access points using Prisma Access or GlobalProtect.
Detects connections to untrusted or suspicious access points (e.g.,
Alert on anomalies; log to Console.
rogue Wi-Fi networks) using Identity Analytics.

Blocks network access for endpoints connecting via access points


Deny network access; notify users.
without VPN or compliance (e.g., missing GlobalProtect).

Permits traffic for endpoints connecting via trusted corporate


Allow specific traffic; log events.
access points (e.g., corporate Wi-Fi).

Description Action

Identifies and blocks files with known malicious hashes (e.g.,


Block file execution; alert on activity.
malware executables) on Windows system endpoints.

Identifies connections to untrusted access points (e.g., rogue Wi-Fi


SSIDs) as a BIOC on Windows system endpoints, common for Alert on anomalies; log to Console.
laptops.

Blocks network traffic for Windows system endpoints on external


access points without Prisma Access/GlobalProtect, ensuring Deny non-VPN traffic; notify users.
secure connectivity.
Detects registry changes (e.g., Wi-Fi profile modifications) on
Windows system endpoints as a BIOC, indicating potential access Alert on registry changes; log to Console.
point tampering.

Identifies execution of processes with known malicious signatures


or behaviors (e.g., regsvr32.exe loading malicious DLLs) on Block execution; alert on activity.
Windows system endpoints.

Detects excessive failed login attempts as a BIOC, indicating


Alert on threshold violations; log to Console.
potential brute-force attacks on Windows system endpoints.

Identifies malicious use of command-line tools (e.g.,


powershell.exe with obfuscated scripts) as a BIOC on Windows Alert; block after validation.
system endpoints.

Detects unusual user activities (e.g., logins from unexpected


geolocations, abnormal file access) as a BIOC on Windows Alert on anomalies; log to Console.
system endpoints.

Identifies unauthorized USB device activity (e.g., execution of


Alert; block execution.
files from USB drives) as a BIOC on Windows system endpoints.

Suppresses alerts for trusted services (e.g., IT scripts, known IPs)


in the inventory to reduce false positives on Windows system Suppress alerts; log events.
endpoints.
Detailed Settings/Options

In Cortex XDR Console, go to Endpoints > Policy Management > Prevention >
Profiles > Malware > Real-Time Scanning. Enable Local Analysis for immediate
verdicts using machine learning models. Enable WildFire Integration to forward
unknown files for cloud analysis (set Timeout: 60 seconds, Action on Timeout:
Block). Include File Types: .exe, .dll, .docm, .xlsm, .pptm. Enable Quarantine to
isolate malicious files in a secure directory. Set Verdict Reporting to log events to
Cortex Data Lake with MITRE ATT&CK mappings. Enable Automatic Content
Updates for latest signatures. Apply to All Endpoints.

In Malware Security Profile > Behavioral Threat Protection, enable Behavioral


Analysis. Set High-Confidence Threats: Block (e.g., ransomware encryption
patterns). Set Low-Confidence Threats: Alert for investigation. Enable MITRE
ATT&CK Mapping for threat classification (e.g., T1486 for ransomware). Configure
Alert Notifications to email Security Administrators. Log events to Cortex Data
Lake. Test in Alert mode initially to assess false positives. Apply to All Endpoints.

In Detection Rules > BIOC > Process, create a rule for parent-child relationships
(e.g., winword.exe -> powershell.exe, excel.exe -> cmd.exe). Set Condition: Process
creation. Set Action: Block. Enable Verbose Logging for detailed process
information. Apply via Endpoints > Prevention > Policy Rules. Log events to Cortex
Data Lake with MITRE ATT&CK mappings (e.g., T1059). Test in Alert mode to
validate impact. Apply to All Endpoints.

In Malware Security Profile > Restrictions > File Execution, add restricted paths: \\*
(network shares), E:\*, F:\* (external drives). Set Action: Block. Enable Report
Matched Events to log attempts to Cortex Data Lake. Exclude trusted network paths
(e.g., \\trusted.server\share) if needed via Exceptions. Apply to All Endpoints.
Monitor restricted paths via Cortex XDR analytics to detect unauthorized attempts.

In Malware Security Profile > Highly Trusted Signers, add certificate authorities:
CN=Microsoft Corporation, CN=Adobe Systems Incorporated, CN=Symantec
Corporation. Set Action: Allow. Block self-signed or untrusted certificates unless
explicitly allowed. Enable Periodic Review (quarterly) to validate trusted signers.
Log allowed executions to Cortex Data Lake for auditing. Apply to All Endpoints.

In Malware Security Profile > Hash Exceptions, add SHA-256 hashes for trusted
files (e.g., company_app.exe) or malicious files. Generate hashes using certutil -
hashfile <file> SHA256. Set Action: Allow for benign files, Block for malicious
files. Review hashes quarterly to ensure validity. Log exceptions to Cortex Data
Lake. Apply to All Endpoints or Specific Endpoints as needed.
In Detection Rules > BIOC > Process, create a rule for installer processes (e.g.,
Installer.exe, ZoomInstallerFull.exe). Set Condition: Process creation from non-
trusted paths (e.g., C:\Users\*\Downloads). Set Action: Block. Enable Alert
Notifications for investigation. Apply via Prevention > Policy Rules. Log to Cortex
Data Lake with MITRE ATT&CK mappings (e.g., T1106). Apply to All Endpoints.

In Detection Rules > BIOC > Command Line, create a rule for commands:
regsvr32.exe *, rundll32.exe *. Set Condition: Execution from non-system paths
(e.g., C:\Users\*\*). Set Action: Alert. Enable Verbose Logging for command-line
details. Test in Alert mode, then switch to Block after validation. Log to Cortex Data
Lake with MITRE ATT&CK mappings (e.g., T1218). Apply to All Endpoints.

In Endpoints > Policy Management > Extensions > Profiles > Disk Encryption,
enable Disk Encryption. Set Encryption Type: AES-256. Require TPM + PIN or
TPM + Password. Store recovery keys in Cortex Data Lake with Security
Administrator access only. Enable Network Access Control to block non-encrypted
endpoints (except Cortex XDR communication, TCP 443 to service IPs). Log status
to Cortex Data Lake. Apply to All Endpoints.

In Endpoints > Policy Management > Extensions > Profiles > Host Firewall, create
rules: 1. Block All: Direction: Both, Protocol: Any, Action: Block (lowest priority).
2. Allow Apps: Example: msedge.exe, Outbound, TCP, Ports 80/443; ccmexec.exe,
Both, TCP, Ports 80/445, SCCM IPs (e.g., 10.0.1.10–10.0.1.20). 3. Block RDP:
Both, TCP, Port 3389; Allow for IT group to specific IPs (e.g., 10.0.2.0/24). Enable
Report Matched Traffic. Integrate with Prisma Access/GlobalProtect for remote
endpoints. Log to Cortex Data Lake. Apply to All Endpoints or specific groups.

In Cortex XDR Console, go to Endpoints > Policy Management > Extensions >
Profiles > Disk Encryption. Enable Disk Encryption for OS volume. Set Encryption
Type: AES-256. Require TPM + PIN or TPM + Password for authentication. Apply
to All Endpoints.

In Disk Encryption Profile, enable Encryption Status Monitoring. Set Alert


Threshold: Non-encrypted or partially encrypted OS volumes. Log status to Cortex
Data Lake. Apply to All Endpoints.

In Disk Encryption Profile, enable Recovery Key Storage. Store keys in Cortex Data
Lake with access restricted to Security Administrators. Ensure keys are not stored
locally on endpoints. Apply to All Endpoints.

In Disk Encryption Profile, enable Network Access Control. Set Action: Block all
network traffic (except Cortex XDR agent communication) for non-encrypted
endpoints. Apply to All Endpoints.
In Disk Encryption Profile > Exceptions, create a rule for specific endpoints (e.g., by
Device Group or AD identity). Set Allow Decryption: Enabled. Require Admin
Approval via Cortex XDR Console. Log decryption events to Cortex Data Lake.
Apply to Specific Endpoints.

In Disk Encryption Profile, enable Scheduled Compliance Checks. Set Frequency:


Weekly (e.g., Sunday at 3:00 AM). Alert on non-compliant endpoints. Apply to All
Endpoints.
Settings

In Cortex XDR Console, go to Endpoints > Policy Management > Prevention >
Profiles > Malware > Restrictions. Set Default Action: Block. Include file
types: .exe, .dll, .scr. Apply to All Endpoints.

In Malware Security Profile > Highly Trusted Signers, add trusted certificate
authorities: CN=Microsoft Corporation, CN=Adobe Systems Incorporated. Block
self-signed or untrusted certificates. Apply to All Endpoints.

In Malware Security Profile > Restrictions > File Execution, add paths: C:\Users\*\
AppData\Local\Temp\*, E:\*. Set Action: Block. Apply to All Endpoints.

In Malware Security Profile > Hash Exceptions, add SHA-256 hashes for trusted
apps (e.g., company_app.exe). Generate hashes using certutil -hashfile. Apply to
Specific Endpoints or All Endpoints.

In Malware Security Profile > Hash Exceptions, add hashes of known malicious
files. Set Action: Block. Apply to All Endpoints.

Create a BIOC rule in Detection Rules > BIOC > Process. Example: Block
Installer.exe from non-trusted paths. Set Action: Block. Apply via Prevention >
Policy Rules to All Endpoints.

In Malware Security Profile > Exceptions, add specific apps (e.g., it_tool.exe) or
paths (e.g., C:\Program Files\ITTools\). Require Admin Approval via Cortex XDR
Console. Apply to IT Group Endpoints.

In Cortex XDR Console, go to Detection Rules > BIOC > Windows Event Log.
Create a BIOC rule for Event Codes: 4720 (user created), 4731–4735 (group
changes), 4764 (group deletion). Set Action: Alert. Log to Cortex Data Lake. Apply
to All Endpoints.

In Detection Rules > BIOC > Process, enable Command Line Auditing. Include
processes: powershell.exe, cmd.exe, wscript.exe. Set Action: Alert. Enable Verbose
Logging for detailed command-line capture. Apply to All Endpoints.
In Detection Rules > BIOC > Windows Event Log, create a rule for Event Code:
4625 (failed logon). Set Threshold: 5 failed attempts in 5 minutes. Set Action: Alert.
Log to Cortex Data Lake. Apply to All Endpoints.

In Detection Rules > BIOC > Process, create a rule for processes accessing lsass.exe
or invoking SeDebugPrivilege. Set Action: Alert. Enable MITRE ATT&CK
Mapping (e.g., T1134). Log to Cortex Data Lake. Apply to All Endpoints.

In Detection Rules > BIOC > File, create a rule for changes in paths: C:\Windows\
System32\*, HKLM\Software\Microsoft\Windows\CurrentVersion\Run. Set Action:
Alert. Log to Cortex Data Lake. Apply to All Endpoints.

In Endpoints > Policy Management > Audit Management, enable Agent Audit
Logging. Include events: agent uninstall, policy modification. Set Action: Alert.
Restrict actions to Security Administrators. Log to Cortex Data Lake. Apply to All
Endpoints.

In Detection Rules > BIOC > Exceptions, create a rule for trusted processes (e.g.,
admin_script.exe) or paths (e.g., C:\IT\Scripts\). Set Action: Suppress Alert, Log
Only. Apply to Specific Endpoints (e.g., IT Admin group).

In Cortex XDR Console, go to Detection Rules > BIOC > Windows Event Log.
Create a rule for Event Codes: 4624 (successful logon), 4625 (failed logon). Set
Condition: >5 failed logins in 5 minutes or logins from unusual geolocations (via
Identity Analytics). Enable Identity Analytics add-on for user behavior analytics
(UBA). Set Action: Alert. Integrate with Active Directory or Azure AD via Settings
> Integrations > Servers & Services. Log to Cortex Data Lake with MITRE
ATT&CK mapping (e.g., T1110 - Brute Force). Apply to All Windows/Server
Endpoints.

In Endpoints > Policy Management > Extensions > Profiles > Device Control, create
a rule. Set Condition: Restrict USB access by AD group (e.g., Domain Users allowed
read-only, IT-Admins allowed full access). Specify Device Types: USB storage,
portable devices. Set Permissions: Read-only for non-admins, Full for IT Admins.
Set Action: Block for unauthorized users. Enable User Notifications: “USB Device
Was Blocked.” Log events to Cortex Data Lake. Apply to All Windows/Server
Endpoints.

In Settings > Configurations > Users and Roles, define roles: Security Administrator
(full access), Analyst (read-only, view incidents), IT Admin (manage policies).
Enable IP Whitelisting (e.g., 10.0.0.0/24). Require Multi-Factor Authentication
(MFA) for all roles via Azure AD or Okta integration. Set API Key Permissions:
Advanced key for integrations (e.g., XSOAR), restricted to specific actions. Log
access attempts to Cortex Data Lake. Apply to Console Users.
In Detection Rules > BIOC > Process, create a rule for processes accessing lsass.exe
or invoking SeDebugPrivilege. Set Condition: Non-admin user or unusual AD
account activity. Enable Identity Analytics to correlate user identity with behavior.
Set Action: Alert. Log to Cortex Data Lake with MITRE ATT&CK mapping (e.g.,
T1134 - Access Token Manipulation). Apply to All Windows/Server Endpoints.

In Endpoints > Policy Management > Prevention > Policy Rules, create a rule to
check AD account status via integration with Active Directory or Azure AD. Set
Condition: Expired, disabled, or non-existent AD account. Set Action: Block
network traffic (except Cortex XDR communication, TCP 443 to service IPs).
Enable Endpoint Network Isolation Notification: “Cortex XDR agent halted all
network access on your device.” Log to Cortex Data Lake. Apply to All
Windows/Server Endpoints.

In Detection Rules > BIOC > Windows Event Log, create a rule for Event Codes:
4720 (user created), 4731–4735 (group changes), 4764 (group deletion). Set
Condition: Changes by non-admin accounts or unusual times. Set Action: Alert.
Enable Identity Analytics for user context. Log to Cortex Data Lake with MITRE
ATT&CK mapping (e.g., T1098 - Account Manipulation). Apply to All
Windows/Server Endpoints.

In Cortex XSOAR > Playbooks, use Cloud IAM User Access Investigation
playbook. Configure to detect alerts for Azure or AWS IAM misuse (e.g., API calls
from unusual IPs). Set Action: Alert for investigation, auto-isolate endpoint via
Security Operations > Isolate Endpoint if malicious. Enrich with AutoFocus Threat
Intelligence. Log to Cortex Data Lake with MITRE ATT&CK mapping (e.g., T1078
- Valid Accounts). Apply to Windows Server Endpoints with cloud integration.

In Detection Rules > BIOC > Windows Event Log, create a rule for Event Code:
4672 (privilege assignment). Set Condition: Local admin account usage outside IT
Admins group. Set Action: Alert. Optionally, block actions via Prevention > Policy
Rules by restricting Administrator account execution of sensitive processes (e.g.,
cmd.exe). Log to Cortex Data Lake with MITRE ATT&CK mapping (e.g., T1078).
Apply to All Windows/Server Endpoints.

In Detection Rules > BIOC > Exceptions, create a rule for trusted AD users (e.g., IT-
Admins group) or processes (e.g., it_script.exe). Set Condition: Actions by specified
AD group or process from trusted paths (e.g., C:\IT\Scripts\). Set Action: Suppress
Alert, Log Only. Log to Cortex Data Lake for audit purposes. Apply to Specific
Endpoints (e.g., IT Admin devices).

In Cortex XDR Console, go to Endpoints > Policy Management > Extensions >
Profiles > Host Firewall. Create a rule: Direction: Both, Protocol: Any, Action:
Block. Set as lowest priority to allow specific allow rules to take precedence. Enable
Report Matched Traffic to log blocked attempts. Log to Cortex Data Lake. Apply to
All Windows/Server Endpoints.
In Host Firewall Profile, create rules: 1. Microsoft Edge: Executable: msedge.exe,
Direction: Outbound, Protocol: TCP, Ports: 80, 443, Destination IP: Any (or trusted
domains via NGFW integration). 2. SCCM: Executable: ccmexec.exe, Direction:
Both, Protocol: TCP, Ports: 80, 445, Destination IP: SCCM server range (e.g.,
10.0.1.10–10.0.1.20). Enable Report Matched Traffic. Log to Cortex Data Lake.
Apply to All Windows/Server Endpoints or specific groups.

In Host Firewall Profile, create rules: 1. Block RDP: Direction: Both, Protocol: TCP,
Port: 3389, Action: Block, apply to All Endpoints. 2. Allow IT Admins: Direction:
Both, Protocol: TCP, Port: 3389, Destination IP: IT server range (e.g., 10.0.2.0/24),
Action: Allow, apply to IT Admin Endpoints. Enable Report Matched Traffic. Log to
Cortex Data Lake with MITRE ATT&CK mapping (e.g., T1021 - Remote Services).
Apply to All Windows/Server Endpoints.

In Settings > Integrations > Servers & Services, configure NGFW integration via
Cortex XDR API. Set Data Source: NGFW logs (traffic, threat, URL filtering).
Enable AutoFocus Threat Intelligence for enrichment. Create a BIOC rule in
Detection Rules > BIOC > Network to detect threats (e.g., malware C2 traffic). Set
Action: Alert. Log to Cortex Data Lake with MITRE ATT&CK mapping (e.g.,
T1071 - Application Layer Protocol). Apply to All Windows/Server Endpoints.

In Host Firewall Profile > Exceptions, create a rule for trusted executables (e.g.,
veeamagent.exe). Set Direction: Outbound, Protocol: TCP, Ports: 10001, 10002,
Destination IP: Backup server range (e.g., 10.0.3.0/24). Set Action: Allow. Enable
Report Matched Traffic. Log to Cortex Data Lake. Apply to Specific
Windows/Server Endpoints.

Detailed Settings/Options

In Endpoints > Policy Management > Agent Settings Profile, enable Network
Location Detection. Internal Network: Allow broader traffic (e.g., TCP 445 to
192.168.0.0/16). External Network: Block all inbound traffic except VPN (e.g., TCP
443 to Prisma Access/GlobalProtect IPs, 203.0.113.0/24). Set Action: Block for non-
VPN external traffic. Enable Endpoint Network Isolation Notification: “Cortex XDR
agent halted all network access on your device.” Log to Cortex Data Lake. Apply to
Laptop Endpoints (Windows).

In Host Firewall Profile, create a rule: Direction: Outbound, Protocol: TCP, Port:
443, Destination IP: Prisma Access/GlobalProtect IPs (e.g., 203.0.113.0/24), Action:
Allow. Block all other external traffic. Configure in Agent Settings Profile to detect
external networks. Enable Report Matched Traffic. Log to Cortex Data Lake. Apply
to Remote Windows/Server Endpoints.
In Detection Rules > BIOC > Network, create a rule for connections to non-corporate
SSIDs or IPs. Set Condition: Connection to unknown SSID or non-trusted IP range.
Enable Identity Analytics to correlate with AD user behavior. Set Action: Alert. Log
to Cortex Data Lake with MITRE ATT&CK mapping (e.g., T1071 - Application
Layer Protocol). Apply to All Windows/Server Endpoints.

In Endpoints > Policy Management > Prevention > Policy Rules, create a rule to
check VPN status. Set Condition: Endpoint on external network without Prisma
Access/GlobalProtect connection. Set Action: Block network traffic (except Cortex
XDR communication, TCP 443). Enable Endpoint Network Isolation Notification:
“Cortex XDR agent halted all network access on your device.” Log to Cortex Data
Lake. Apply to All Windows/Server Endpoints.

In Host Firewall Profile > Exceptions, create a rule for trusted SSIDs (e.g., Corp-
WiFi). Set Direction: Both, Protocol: TCP/UDP, Ports: 80, 443, 445, Destination IP:
Internal range (e.g., 192.168.0.0/16). Set Action: Allow. Enable Report Matched
Traffic. Log to Cortex Data Lake. Apply to All Windows/Server Endpoints.
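The location-aware allow/block logic of the host firewall rules above (the backup-agent exception, the VPN gateway allow, the internal-range allow, and the external block-all), as an added worked example that is not part of this document and not Cortex XDR's own rule engine: a first-match rule evaluator in Python over a constructed rule set. The rule names (veeam-backup, vpn-gateway, corp-internal, external-block-all), the sample process names, and the sample connections are assumptions. It shows why the exception rules must be ordered before the external block-all rule, what happens to traffic no rule covers (the implicit default is block), and what a Report Matched Traffic record would carry.

```python
"""First-match host-firewall rule evaluation with network-location awareness.

Added example: the Rule/Connection model and the rule names are assumptions,
not Cortex XDR's internal representation of a Host Firewall Profile.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    location: str         # "internal", "external" or "any" (Network Location Detection)
    direction: str        # "inbound", "outbound" or "both"
    protocols: frozenset  # e.g. {"tcp"}; empty means any protocol
    ports: frozenset      # empty means any port
    dst_nets: tuple       # ip_network objects; empty means any destination
    action: str           # "allow" or "block"
    process: str = "*"    # executable the rule is scoped to; "*" means any


@dataclass(frozen=True)
class Connection:
    location: str
    direction: str
    protocol: str
    port: int
    dst: str
    process: str = "*"


def nets(*cidrs):
    return tuple(ip_network(c) for c in cidrs)


def matches(rule: Rule, conn: Connection) -> bool:
    """True when every populated field of the rule covers the connection."""
    if rule.location != "any" and rule.location != conn.location:
        return False
    if rule.direction != "both" and rule.direction != conn.direction:
        return False
    if rule.protocols and conn.protocol not in rule.protocols:
        return False
    if rule.ports and conn.port not in rule.ports:
        return False
    if rule.dst_nets and not any(ip_address(conn.dst) in n for n in rule.dst_nets):
        return False
    if rule.process != "*" and rule.process.lower() != conn.process.lower():
        return False
    return True


# Constructed rule set mirroring the profile described above. Order matters:
# exceptions first, the external block-all rule last, implicit default = block.
RULES = (
    Rule("veeam-backup", "any", "outbound", frozenset({"tcp"}),
         frozenset({10001, 10002}), nets("10.0.3.0/24"), "allow",
         process="veeamagent.exe"),
    Rule("vpn-gateway", "external", "outbound", frozenset({"tcp"}),
         frozenset({443}), nets("203.0.113.0/24"), "allow"),
    Rule("corp-internal", "internal", "both", frozenset({"tcp", "udp"}),
         frozenset({80, 443, 445}), nets("192.168.0.0/16"), "allow"),
    Rule("external-block-all", "external", "both", frozenset(), frozenset(),
         (), "block"),
)


def evaluate(conn: Connection, rules=RULES, default="block"):
    """Return (action, rule_name) for the first matching rule, else the default."""
    for rule in rules:
        if matches(rule, conn):
            return rule.action, rule.name
    return default, "default"


def matched_traffic_log(conns, rules=RULES):
    """Report Matched Traffic: one line per decision, ready for a log sink."""
    lines = []
    for c in conns:
        action, name = evaluate(c, rules)
        lines.append(f"{action.upper():5} rule={name} loc={c.location} "
                     f"{c.direction} {c.protocol}/{c.port} dst={c.dst} proc={c.process}")
    return lines


if __name__ == "__main__":
    # Constructed sample connections (process names are made up)
    sample = [
        Connection("external", "outbound", "tcp", 443, "203.0.113.5", "vpnclient.exe"),
        Connection("external", "outbound", "tcp", 445, "192.168.1.10", "explorer.exe"),
        Connection("internal", "inbound", "tcp", 445, "192.168.1.10", "System"),
        Connection("internal", "outbound", "tcp", 10001, "10.0.3.10", "veeamagent.exe"),
        Connection("internal", "outbound", "tcp", 10001, "10.0.3.10", "unknown.exe"),
    ]
    for line in matched_traffic_log(sample):
        print(line)
```

The process scope on the backup exception is what keeps the allow narrow: the same port and destination from any other executable falls through every allow rule and is blocked by the default, which is the behaviour to confirm in Alert mode before the profile is pushed to production endpoints.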

Detailed Settings/Options

In Endpoints > Detection Rules > IOC, add IOC: Type: SHA-256 Hash, Value:
Known malicious hashes (e.g., from WildFire or Unit 42). In Malware Security
Profile, set Action: Block for matching hashes. Create a BIOC rule in Detection
Rules > BIOC > Process: Condition: Execution of files with malicious hashes from
non-system paths (e.g., C:\Users\*\AppData\). Set Action: Alert. Log to Cortex Data
Lake with MITRE ATT&CK mapping (e.g., T1204 - User Execution). Use Cortex
Xpanse inventory for endpoint coverage. Apply to All Windows System Endpoints.

In Detection Rules > BIOC > Network, create a rule: Condition: Connection to non-
corporate SSID (e.g., not Corp-WiFi) or non-trusted IP range (e.g., outside
192.168.0.0/16) from Cortex Xpanse inventory. Enable Identity Analytics to
correlate with Active Directory (AD) user behavior. Set Action: Alert. Log to Cortex
Data Lake with MITRE ATT&CK mapping (e.g., T1071 - Application Layer
Protocol). Optionally, trigger XSOAR playbook to isolate endpoint. Apply to All
Windows System Endpoints.

In Endpoints > Policy Management > Prevention > Policy Rules, create a rule:
Condition: Endpoint on external network (detected via Agent Settings Profile >
Network Location Detection) without Prisma Access/GlobalProtect connection (e.g.,
no TCP 443 to 203.0.113.0/24). Set Action: Block network traffic (except Cortex
XDR communication, TCP 443). Enable Endpoint Network Isolation Notification:
“Cortex XDR agent halted all network access on your device.” Use Cortex Xpanse
inventory for endpoint coverage. Log to Cortex Data Lake. Apply to All Windows
System Endpoints.

In Detection Rules > BIOC > Windows Event Log, create a rule for Event Code:
4657 (registry value modified). Set Condition: Changes to Wi-Fi profiles (e.g.,
HKLM\Software\Microsoft\WlanSvc) or persistence keys (e.g., HKLM\Software\
Microsoft\Windows\CurrentVersion\Run). Set Action: Alert. Use Cortex Xpanse
inventory to correlate with endpoint data. Log to Cortex Data Lake with MITRE
ATT&CK mapping (e.g., T1112 - Modify Registry). Apply to All Windows System
Endpoints.

In Detection Rules > IOC, add IOC: Type: Process, Value: Known malicious process
names (e.g., regsvr32.exe with parameters like /s). Create a BIOC rule in Detection
Rules > BIOC > Process: Condition: Process execution from non-system paths (e.g.,
C:\Users\*\Downloads\). Set Action: Block and Alert. Log to Cortex Data Lake with
MITRE ATT&CK mapping (e.g., T1218 - Signed Binary Proxy Execution). Apply
to All Windows System Endpoints.

In Detection Rules > BIOC > Windows Event Log, create a rule for Event Code:
4625 (failed logon). Set Condition: >5 failed logins in 5 minutes per user. Enable
Identity Analytics to correlate with AD user accounts. Set Action: Alert. Log to
Cortex Data Lake with MITRE ATT&CK mapping (e.g., T1110 - Brute Force).
Apply to All Windows System Endpoints.

In Detection Rules > BIOC > Command Line, create a rule: Condition: Commands
involving powershell.exe, cmd.exe, or wscript.exe with suspicious parameters (e.g., -
enc for encoded PowerShell scripts). Set Action: Alert. Test in Alert mode, then
switch to Block after validation. Log to Cortex Data Lake with MITRE ATT&CK
mapping (e.g., T1059 - Command and Scripting Interpreter). Apply to All Windows
System Endpoints.

In Detection Rules > BIOC > Windows Event Log, create a rule for Event Codes:
4624 (successful logon), 4663 (file access). Set Condition: Logins from non-
corporate IPs or excessive file access outside user’s normal profile (via Identity
Analytics). Set Action: Alert. Log to Cortex Data Lake with MITRE ATT&CK
mapping (e.g., T1078 - Valid Accounts). Apply to All Windows System Endpoints.
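The Windows Event Log and command-line BIOC conditions above (Event Code 4657 on persistence keys, the 4625 threshold of more than five failed logons in five minutes per user, and script interpreters launched with parameters such as -enc), as an added example that is not part of this document and not Cortex XDR's BIOC engine: the same conditions implemented in Python over constructed event records, so a threshold and window can be checked against sample data before a rule is moved from Alert to Block. The event field names, the user and host names, the placeholder encoded payload, and the two extra parameters beyond -enc (hidden window and execution-policy bypass) are assumptions.

```python
"""Detection logic for the BIOC conditions above, run over constructed Windows
event records. Added example: field names and sample data are assumptions,
not Cortex XDR's BIOC engine or event schema.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta


def _failed_logons(user, *times):
    """Constructed 4625 (failed logon) records for one user on 2024-05-01."""
    return [{"ts": f"2024-05-01T{t}", "event_id": 4625, "user": user} for t in times]


# Constructed sample events (users, hosts and payload are made up)
EVENTS = [
    # alice: six failures in under two minutes, above the ">5 in 5 minutes" threshold
    *_failed_logons("alice", "09:00:00", "09:00:20", "09:00:40",
                    "09:01:00", "09:01:20", "09:01:40"),
    # bob: three failures, below the threshold
    *_failed_logons("bob", "09:05:00", "09:05:30", "09:06:00"),
    {"ts": "2024-05-01T09:02:10", "event_id": 4688, "user": "alice",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     # QQBCAEMA is the UTF-16LE base64 of the harmless string "ABC" (placeholder)
     "cmdline": "powershell.exe -NoP -W Hidden -enc QQBCAEMA"},
    {"ts": "2024-05-01T09:02:30", "event_id": 4688, "user": "svc_backup",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\Scripts\backup.ps1"},
    {"ts": "2024-05-01T09:03:00", "event_id": 4657, "user": "alice",
     "object": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "value": "Updater"},
    {"ts": "2024-05-01T09:03:05", "event_id": 4657, "user": "bob",
     "object": r"HKLM\Software\Contoso\App", "value": "Theme"},
]


def _t(ts):
    return datetime.fromisoformat(ts)


def brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """T1110: users with more than `threshold` 4625 events inside a sliding window."""
    recent = defaultdict(deque)   # user -> timestamps still inside the window
    flagged = set()
    failed = (e for e in events if e["event_id"] == 4625)
    for e in sorted(failed, key=lambda e: e["ts"]):
        q = recent[e["user"]]
        now = _t(e["ts"])
        q.append(now)
        while now - q[0] > window:  # drop timestamps that aged out of the window
            q.popleft()
        if len(q) > threshold:
            flagged.add(e["user"])
    return sorted(flagged)


INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe"}
# Constructed parameter set: encoded commands (the -enc example above) plus two
# common companions, hidden window and execution-policy bypass (assumptions).
SUSPICIOUS_ARGS = re.compile(
    r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand|w\s+hidden|windowstyle\s+hidden"
    r"|ep\s+bypass|executionpolicy\s+bypass)\b")


def suspicious_command_lines(events):
    """T1059: script interpreters (4688) started with parameters in SUSPICIOUS_ARGS."""
    hits = []
    for e in events:
        if e["event_id"] != 4688:
            continue
        image = e["image"].rsplit("\\", 1)[-1].lower()
        if image in INTERPRETERS and SUSPICIOUS_ARGS.search(e["cmdline"]):
            hits.append((e["user"], e["cmdline"]))
    return hits


PERSISTENCE_KEYS = (
    r"hklm\software\microsoft\windows\currentversion\run",
    r"hklm\software\microsoft\wlansvc",
)


def registry_persistence(events):
    """T1112: 4657 modifications under the autorun or Wi-Fi profile keys."""
    hits = []
    for e in events:
        if e["event_id"] != 4657:
            continue
        if any(e["object"].lower().startswith(p) for p in PERSISTENCE_KEYS):
            hits.append((e["user"], e["object"], e["value"]))
    return hits


def run_detections(events):
    """Aggregate alerts as (rule, ATT&CK technique, subject) tuples."""
    alerts = [("failed-logon-threshold", "T1110", u) for u in brute_force(events)]
    alerts += [("suspicious-interpreter-args", "T1059", c)
               for _, c in suspicious_command_lines(events)]
    alerts += [("registry-persistence", "T1112", obj)
               for _, obj, _ in registry_persistence(events)]
    return alerts


if __name__ == "__main__":
    for alert in run_detections(EVENTS):
        print(alert)
```

The brute-force check uses a sliding window rather than fixed five-minute buckets, so six failures that straddle a clock boundary still trigger; the interpreter check matches on the parameter, not on the image path, because the same binary copied to another path would otherwise be missed. Both are worth replaying against a day of real events in Alert mode before switching the rule to Block, as the text recommends.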

In Detection Rules > BIOC > Process, create a rule: Condition: Process execution
from USB paths (e.g., E:\*\*.exe). Set Action: Block and Alert. In Extensions >
Profiles > Device Control, restrict USB access to read-only for non-admins. Enable
User Notifications: “USB Device Was Blocked.” Log to Cortex Data Lake with
MITRE ATT&CK mapping (e.g., T1091 - Replication Through Removable Media).
Apply to All Windows System Endpoints.

In Detection Rules > IOC > Exceptions, create a rule for trusted IOCs (e.g., IP
10.0.3.10 for backup server, SHA-256 hash for it_script.exe). Set Condition: Actions
by trusted AD group (e.g., IT-Admins) or processes in Cortex Xpanse inventory. Set
Action: Suppress Alert, Log Only. Log to Cortex Data Lake for audit purposes.
Apply to All Windows System Endpoints.
SOC 2 Relevance (current status noted in parentheses where the sheet records one)

Security: Prevents malware execution (e.g., T1574.002 - DLL Side-Loading). Processing Integrity: Ensures only legitimate files run. Confidentiality: Blocks data exfiltration. Audit Support: Logs verdicts for SOC 2 audits. (Status: Enabled)

Security: Detects sophisticated threats like DLL side-loading. Processing Integrity: Prevents unauthorized file/process changes. Confidentiality: Mitigates data leaks. Audit Support: Logs behaviors for audits. (Status: Enabled)

Security: Prevents exploitation via child processes. Processing Integrity: Maintains trusted app behavior. Confidentiality: Blocks data access by malicious processes. Audit Support: Logs blocked processes.

Security: Reduces malware introduction risks. Confidentiality: Prevents data exfiltration via external drives. Processing Integrity: Ensures authorized execution. Audit Support: Logs blocked attempts.

Security: Balances security/performance by allowing trusted files. Processing Integrity: Ensures legitimate software runs. Audit Support: Logs allowed executions.

Security: Blocks known malicious hashes or allows trusted files. Processing Integrity: Prevents erroneous blocks/allows. Audit Support: Logs exceptions.

Security: Prevents unapproved software. Processing Integrity: Maintains system stability. Confidentiality: Reduces data leak risks. Audit Support: Logs blocked installers.

Security: Detects DLL side-loading (e.g., T1218). Processing Integrity: Prevents unauthorized commands. Confidentiality: Mitigates data exfiltration. Audit Support: Logs command-line activity.

Security: Protects data at rest. Confidentiality: Ensures data encryption. Processing Integrity: Maintains data integrity. Audit Support: Logs encryption status. (Status: No Access)

Security: Prevents unauthorized access. Confidentiality: Restricts data flows. Processing Integrity: Ensures legitimate traffic. Audit Support: Logs traffic. Note: Excluded per request but included for completeness. (Status: Firewall Rule)

Protects data at rest, ensuring confidentiality and privacy. (Status: Enabled)

Ensures visibility into compliance status (Confidentiality, Privacy criteria).

Facilitates secure key management for data recovery (Confidentiality criterion). (Status: Enabled)

Enforces encryption compliance, reducing data exposure risk (Security, Confidentiality criteria).

Balances operational needs with security controls (Confidentiality, Availability criteria).

Maintains ongoing compliance with encryption policies (Confidentiality, Privacy criteria).

SOC 2 Relevance (current status noted in parentheses where the sheet records one)

Prevents unauthorized software execution (Security criterion). (Status: The known DLL files cannot run)

Balances security and performance for trusted software (Security, Availability criteria).

Reduces risk of malware from untrusted locations (Security criterion). (Status: External drivers are blocked; Temp files: a few processes run from Temp)

Minimizes false positives for legitimate software (Security criterion).

Prevents known threats from executing (Security criterion).

Detects and prevents malicious behavior (Security criterion).

Balances operational needs with security controls (Security, Availability criteria).

Tracks unauthorized account changes (Security, Processing Integrity criteria).

Detects fileless attacks and malicious scripts (Security criterion).

Identifies unauthorized access attempts (Security criterion).

Detects privilege escalation attacks (Security criterion).

Ensures system integrity (Security, Processing Integrity criteria).

Protects audit integrity and agent security (Security criterion).

Improves audit focus by reducing false positives (Processing Integrity criterion).

Detects compromised credentials or brute-force attacks (Security criterion).

Prevents unauthorized data access (Confidentiality, Security criteria).

Limits unauthorized console access (Security, Confidentiality criteria).

Detects unauthorized privilege escalation (Security criterion).

Enforces user account compliance (Security, Confidentiality criteria).

Ensures visibility into account changes (Security, Processing Integrity criteria).

Detects cloud-based identity threats (Security criterion).

Reduces risk of local privilege abuse (Security criterion).

Reduces false positives while maintaining auditability (Processing Integrity criterion).

Minimizes unauthorized access (Security criterion).

Balances security and business continuity (Security, Availability criteria).

Restricts unauthorized remote access (Security criterion).

Enhances threat visibility across network and endpoints (Security, Processing Integrity criteria).

Ensures availability of critical services (Availability criterion).

SOC 2 Relevance

Enhances security for devices on untrusted access points (Security criterion).

Secures remote access via access points (Security, Confidentiality criteria).

Detects connections to malicious access points (Security criterion).

Enforces secure access point connectivity (Security criterion).

Ensures connectivity via trusted access points (Availability criterion).

SOC 2 Relevance

Detects and blocks known malware (Security, Processing Integrity criteria).

Detects connections to malicious access points (Security criterion).

Enforces secure access point connectivity (Security criterion).

Detects persistence via registry tampering (Security criterion).

Prevents malicious process execution (Security criterion).

Detects unauthorized access attempts (Security criterion).

Detects fileless attacks (Security criterion).

Detects compromised credentials or insider threats (Security, Confidentiality criteria).

Prevents data exfiltration via USB devices (Confidentiality, Security criteria).

Reduces false positives while maintaining auditability (Processing Integrity criterion).
