04-18-2023 09:43 AM
Is there an alert for a failed attempt/attempts to stop the Cortex Service on an Endpoint?
*Note: This question was asked as part of the Cortex XDR Customer Success Webinar: Active Scanning
We encourage you to review the webinar article for additional resources.
04-18-2023 09:44 AM
A reply by: @neelrohit
We have tamper protection as a feature, and if someone attempts unauthorized access or tries to disable the agent using means that are not supposed to be used (e.g., disabling the registry, taskkill commands, etc.), Cortex XDR will generate prevention or detection alerts for the same. However, if you disable the agent using cytool commands, we do not get alerts. These events are, however, logged in the agent audit logs and can be forwarded as notifications or used in correlation rules to generate alerts.
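The reply above says cytool-based disabling of the agent produces no built-in alert and only shows up in the agent audit logs, so a correlation rule has to be built on those logs. The following is an added example (not Cortex XDR's own code or schema) of the detection logic such a rule would encode, run over a few constructed audit records; the field names, descriptions and endpoint IDs are assumptions made up for the demonstration.

```python
"""Flag agent audit-log entries that indicate the Cortex XDR agent was disabled
or stopped through cytool, the case the thread says generates no native alert.

The record layout below is a constructed stand-in, not the real Cortex schema.
"""
from dataclasses import dataclass

# Constructed sample audit records (field names and values are assumptions).
SAMPLE_AUDIT_LOG = [
    {"ts": "2023-04-18T09:40:11Z", "endpoint": "WS-0142", "user": "jdoe",
     "category": "Agent Service", "description": "Agent protection disabled via cytool"},
    {"ts": "2023-04-18T09:41:02Z", "endpoint": "WS-0142", "user": "jdoe",
     "category": "Agent Service", "description": "Agent service stopped via cytool"},
    {"ts": "2023-04-18T09:42:30Z", "endpoint": "WS-0077", "user": "SYSTEM",
     "category": "Agent Upgrade", "description": "Agent upgraded to new version"},
    {"ts": "2023-04-18T09:43:15Z", "endpoint": "WS-0099", "user": "admin",
     "category": "Agent Service", "description": "Agent protection enabled via cytool"},
]


@dataclass(frozen=True)
class Finding:
    ts: str
    endpoint: str
    user: str
    reason: str


def is_disable_event(description: str) -> bool:
    """True when the audit text names cytool together with a disable/stop outcome.
    Enabling the protection via cytool is benign and must not match."""
    d = description.lower()
    return "cytool" in d and ("disabled" in d or "stopped" in d)


def find_agent_disable_events(records) -> list:
    """Return one Finding per audit record that weakens or stops the agent."""
    return [
        Finding(r["ts"], r["endpoint"], r["user"], r["description"])
        for r in records
        if is_disable_event(r.get("description", ""))
    ]


def count_by_endpoint(findings) -> dict:
    """Per-endpoint counts: the shape a correlation rule would key on."""
    counts: dict = {}
    for f in findings:
        counts[f.endpoint] = counts.get(f.endpoint, 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_agent_disable_events(SAMPLE_AUDIT_LOG)
    for f in hits:
        print(f"{f.ts} {f.endpoint} user={f.user}: {f.reason}")
    print(count_by_endpoint(hits))
```

In production the records would come from the forwarded audit-log feed rather than an inline list, and the per-endpoint count is what you would threshold on in the correlation rule.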