A question from Cortex XDR Active Scanning Webinar: Failed attempt alert


L5 Sessionator

Is there an alert for a failed attempt/attempts to stop the Cortex Service on an Endpoint?

 

*Note: This question was asked as part of the Cortex XDR Customer Success Webinar: Active Scanning
We encourage you to review the webinar article for additional resources. 

 


Accepted Solutions

L5 Sessionator

A reply by: @neelrohit 

We have tamper protection as a feature, and if someone tries unauthorized access or attempts to disable the agent using means that are not supposed to be used (e.g., disabling registry, taskkill commands, etc.), Cortex XDR will generate prevention or detection alerts for the same. However, if you disable the agent using cytool commands, we do not get alerts. These events are, however, logged in agent audit logs and can be forwarded as notifications or created as correlation rules to generate alerts.
