topic Re: A question from Cortex XDR Active Scanning Webinar: Failed attempt alert in Cortex XDR Discussions https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/a-question-from-cortex-xdr-active-scanning-webinar-failed/m-p/539228#M4183 <P>A reply by:&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/142551">@neelrohit</a>&nbsp;</P> <P><SPAN>We have tamper protection as a feature, and if someone tries unauthorized access or attempts to disable the agent using the means which is not supposed to be(eg, disabling registry, taskkill commands etc.) Cortex XDR will generate prevention or detection alerts for the same. However, if you disable the agent using cytool commands, we do not get alerts. These events are, however, logged-in agent audit logs and can be forwarded as notifications or created as correlation rules to generate alerts.</SPAN></P> Tue, 18 Apr 2023 16:44:23 GMT rtsedaka 2023-04-18T16:44:23Z A question from Cortex XDR Active Scanning Webinar: Failed attempt alert https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/a-question-from-cortex-xdr-active-scanning-webinar-failed/m-p/539227#M4182 <P>Is there an alert for a failed attempt/attempts to stop the Cortex Service on an Endpoint?</P> <P>&nbsp;</P> <P><SPAN>*Note: This question was asked as part of the&nbsp;<A href="https://live.paloaltonetworks.com/t5/cortex-xdr-webinars/cortex-xdr-customer-success-webinar-active-scanning/ta-p/536976" target="_blank" rel="noopener"><STRONG>Cortex XDR Customer Success Webinar: Active Scanning</STRONG></A><BR />We encourage you to review the webinar article for additional resources.&nbsp;</SPAN></P> <P>&nbsp;</P> Tue, 18 Apr 2023 16:43:29 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/a-question-from-cortex-xdr-active-scanning-webinar-failed/m-p/539227#M4182 rtsedaka 2023-04-18T16:43:29Z Re: A question from Cortex XDR Active Scanning Webinar: Failed attempt alert https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/a-question-from-cortex-xdr-active-scanning-webinar-failed/m-p/539228#M4183 <P>A reply by:&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/142551">@neelrohit</a>&nbsp;</P> <P><SPAN>We have tamper protection as a feature, and if someone tries unauthorized access or attempts to disable the agent using the means which is not supposed to be(eg, disabling registry, taskkill commands etc.) Cortex XDR will generate prevention or detection alerts for the same. However, if you disable the agent using cytool commands, we do not get alerts. These events are, however, logged-in agent audit logs and can be forwarded as notifications or created as correlation rules to generate alerts.</SPAN></P> Tue, 18 Apr 2023 16:44:23 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/a-question-from-cortex-xdr-active-scanning-webinar-failed/m-p/539228#M4183 rtsedaka 2023-04-18T16:44:23Z