https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-agent-tamper-protection-notification/m-p/460808#M1483 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/191065">@RahulPrajapati</a>&nbsp;users cannot uninstall or disable any functionalities without the Agent password defined globally or in Agent settings profile applied to a host. If you have a PoC to demonstrate the bypass, we can definitely take a deep dive at it to fix the issue.</P><P>In short, you won't get a notification for such behavior at this point in time.</P> Tue, 25 Jan 2022 06:16:29 GMT bbarmanroy 2022-01-25T06:16:29Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-agent-tamper-protection-notification/m-p/460796#M1481 <P>Hi everyone,</P><P>&nbsp;</P><P>Can we get the notification on Cortex XDR Management console, if any user is trying to disable the XDR Agent protection and services ?</P><P>&nbsp;</P><P>Regards</P> Tue, 25 Jan 2022 04:46:51 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-agent-tamper-protection-notification/m-p/460796#M1481 RahulPrajapati 2022-01-25T04:46:51Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-agent-tamper-protection-notification/m-p/460808#M1483 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/191065">@RahulPrajapati</a>&nbsp;users cannot uninstall or disable any functionalities without the Agent password defined globally or in Agent settings profile applied to a host. If you have a PoC to demonstrate the bypass, we can definitely take a deep dive at it to fix the issue.</P><P>In short, you won't get a notification for such behavior at this point in time.</P> Tue, 25 Jan 2022 06:16:29 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-agent-tamper-protection-notification/m-p/460808#M1483 bbarmanroy 2022-01-25T06:16:29Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-agent-tamper-protection-notification/m-p/460850#M1489 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/192661">@bbarmanroy</a>&nbsp;,</P><P>&nbsp;</P><P>Some local engineers had the uninstall password so we have changed it. I can see the Agent service stop logs from Agent Audit logs. But many of them can possibly means that system got shutdown and so Agent service got stop. But if any user tries to disable the agent service using cytool command. Can we know that information from the Agent audit logs?</P><P>&nbsp;</P><P>Regards</P> Tue, 25 Jan 2022 08:50:43 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-agent-tamper-protection-notification/m-p/460850#M1489 RahulPrajapati 2022-01-25T08:50:43Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-agent-tamper-protection-notification/m-p/461055#M1491 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/191065">@RahulPrajapati</a>&nbsp;you are correct - a shutdown will stop Agent services.</P><P>If a user is successfully able to stop one or more XDR agent services, that will be listed as an event in the Agent Audit logs. Unsuccessful attempts won't be listed.&nbsp;</P> Wed, 26 Jan 2022 01:40:56 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-agent-tamper-protection-notification/m-p/461055#M1491 bbarmanroy 2022-01-26T01:40:56Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-agent-tamper-protection-notification/m-p/509814#M2389 <P>There must be a way :). Since the agent is watching every process, there must be a way to throw an alert, when something irregular happens to the Services??</P> <P>&nbsp;</P> <P>BR</P> <P>&nbsp;</P> <P>Rob</P> Mon, 25 Jul 2022 17:02:34 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-agent-tamper-protection-notification/m-p/509814#M2389 Cyber1985 2022-07-25T17:02:34Z