topic XDR Capabilities in Cortex XDR Discussions

XDR Capabilities

RamyashreeMada — Wed, 22 Nov 2023 05:21:01 GMT

Does XDR has the capability to identify and block admin access on end user workstation?

Re: XDR Capabilities

nsinghvirk — Thu, 23 Nov 2023 16:47:59 GMT

Thanks for reaching out on Live Community!

Unfortunately XDR do not control the access for endpoint users. It can prevent malicious activity but cannot control user's access directly. You can use "User risk view" to investigate and assess user behaviour.

With the User Risk view, you can do the following.

Assess the user's behavior and score.
Review the user's working hours and past alerts.
Analyze the user's behavior over time and compare to their peers with the same asset role.
Star the user to be included in the watchlist.

Please follow below guide to learn more about investigating a user.

https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Investigate-a-User

Please mark the response as "Accept as Solution" if it answers your query.

Regards.

Re: XDR Capabilities

Clausj — Mon, 27 Nov 2023 14:28:13 GMT

There are a bunch of solutions that "block" admin access on endpoints. Most of them overtakes the normal Admin account and then provides granular access to all other accounts stripping them for any admin rights and then you can make an approval workflow on a per app basis or for a limited time. There will be a lot of functionality that comes along with those solutions. Often software/inventory management and 3rd party application updates are some of them.