topic Re: Disbaling Agent Notification in Cortex XDR Discussions https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/disbaling-agent-notification/m-p/539515#M4204 <P>Hi&nbsp;RamyashreeMada,</P> <P>&nbsp;</P> <P>Your XDR agent settings determine what your users are allowed do or see, and in general if this is configured correctly they shouldn't not be able disable the agent.</P> <P>&nbsp;</P> <P>To answer your question there is agent audit section, where you can see when Palo Alto XDR agent has been stopped or disabled etc.&nbsp;</P> <P>1) see<FONT color="#339966"> XDR Console --&gt;<SPAN class="guimenu">Settings<SPAN>&nbsp;</SPAN></SPAN><SPAN>→&nbsp;</SPAN></FONT><SPAN class="guimenuitem"><FONT color="#339966">Agent Auditing</FONT> that is if you are on the console. </SPAN></P> <P><SPAN class="guimenuitem">2) <SPAN>To ensure you and your colleagues stay informed about XDR agent activity, you can&nbsp;</SPAN><A class="xref linktype-component ft-internal-link" title="Configure Notification Forwarding" href="https://docs-cortex.paloaltonetworks.com/r/eO~BnNklLa5TQPnZDQC9LQ/T9XJKm11ao42eTJ~j6wNOg" target="_blank" rel="noopener" data-ft-internal-link="intercept-ready"><SPAN class="xreftitle">Configure Notification Forwarding</SPAN></A><SPAN>&nbsp;to forward your Agent Audit log to an&nbsp; 1)email distribution list,&nbsp; 2) Syslog server, 3 ) or Slack channel.</SPAN></SPAN></P> <P>&nbsp;</P> <P><SPAN class="guimenuitem"><SPAN>See&nbsp;</SPAN></SPAN></P> <P><SPAN class="guimenuitem"><SPAN><A href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Prevent-Administrator-Guide/Monitor-Agent-Activity" target="_blank">Monitor Agent Activity • Cortex XDR Prevent Administrator Guide • Reader • Palo Alto Networks documentation portal</A></SPAN></SPAN></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Thu, 20 Apr 2023 09:37:33 GMT Y-alwaysMe 2023-04-20T09:37:33Z Disbaling Agent Notification https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/disbaling-agent-notification/m-p/539506#M4202 <P>Hello Team,</P> <P>&nbsp;</P> <P>Is there any way to get a&nbsp;report/notification in XDR console whenever a user disables agent on their system. Do let us know if there is any way to track this activity.</P> <P>&nbsp;</P> Thu, 20 Apr 2023 09:20:26 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/disbaling-agent-notification/m-p/539506#M4202 RamyashreeMada 2023-04-20T09:20:26Z Re: Disbaling Agent Notification https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/disbaling-agent-notification/m-p/539515#M4204 <P>Hi&nbsp;RamyashreeMada,</P> <P>&nbsp;</P> <P>Your XDR agent settings determine what your users are allowed do or see, and in general if this is configured correctly they shouldn't not be able disable the agent.</P> <P>&nbsp;</P> <P>To answer your question there is agent audit section, where you can see when Palo Alto XDR agent has been stopped or disabled etc.&nbsp;</P> <P>1) see<FONT color="#339966"> XDR Console --&gt;<SPAN class="guimenu">Settings<SPAN>&nbsp;</SPAN></SPAN><SPAN>→&nbsp;</SPAN></FONT><SPAN class="guimenuitem"><FONT color="#339966">Agent Auditing</FONT> that is if you are on the console. </SPAN></P> <P><SPAN class="guimenuitem">2) <SPAN>To ensure you and your colleagues stay informed about XDR agent activity, you can&nbsp;</SPAN><A class="xref linktype-component ft-internal-link" title="Configure Notification Forwarding" href="https://docs-cortex.paloaltonetworks.com/r/eO~BnNklLa5TQPnZDQC9LQ/T9XJKm11ao42eTJ~j6wNOg" target="_blank" rel="noopener" data-ft-internal-link="intercept-ready"><SPAN class="xreftitle">Configure Notification Forwarding</SPAN></A><SPAN>&nbsp;to forward your Agent Audit log to an&nbsp; 1)email distribution list,&nbsp; 2) Syslog server, 3 ) or Slack channel.</SPAN></SPAN></P> <P>&nbsp;</P> <P><SPAN class="guimenuitem"><SPAN>See&nbsp;</SPAN></SPAN></P> <P><SPAN class="guimenuitem"><SPAN><A href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Prevent-Administrator-Guide/Monitor-Agent-Activity" target="_blank">Monitor Agent Activity • Cortex XDR Prevent Administrator Guide • Reader • Palo Alto Networks documentation portal</A></SPAN></SPAN></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Thu, 20 Apr 2023 09:37:33 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/disbaling-agent-notification/m-p/539515#M4204 Y-alwaysMe 2023-04-20T09:37:33Z