Automatic endpoint isolation after an unauthorized attempt to delete an agent.

Ramiz_Kiyalov — Thu, 22 May 2025 07:11:07 GMT

Hi. Maybe someone know, if there is such an opportunity to create a rule that will automatically isolate the hosts on which attempts have been made to remove the agent in a non-traditional way?

Re: Automatic endpoint isolation after an unauthorized attempt to delete an agent.

aspatil — Tue, 27 May 2025 09:36:18 GMT

Hello @Ramiz_Kiyalov .

In Cortex XDR you can create automated response rules that trigger host isolation based on certain suspicious behaviors—like attempts to tamper with or remove the agent using non-standard methods.

How to do this:
1. Identify the Detection

First, ensure that the Cortex XDR agent or analytics detects the suspicious activity related to agent tampering or removal attempts.

This could be an alert like "Anti Tampering protection" or a custom detection triggered by suspicious process execution, file deletion, or registry changes related to the agent.

Create an Automation Rule

Go to Incident Response > Automation in Cortex XDR.

Create a new Automation Rule triggered by the specific alert or detection that indicates agent removal attempts.

Set Isolation Action

In the automation rule, add an action to Isolate Host automatically when the alert fires.

Test and Fine-tune

Test the automation carefully to avoid false positives that could unnecessarily isolate healthy endpoints.

Optionally, set the rule to first notify SOC analysts for verification before isolation (depending on your risk tolerance).

If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution". Thank you.

topic Automatic endpoint isolation after an unauthorized attempt to delete an agent. in Cortex XDR Discussions

Automatic endpoint isolation after an unauthorized attempt to delete an agent.

Re: Automatic endpoint isolation after an unauthorized attempt to delete an agent.