Cortex Endpoint Isolation - Allowing Microsoft Intune

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Cortex Endpoint Isolation - Allowing Microsoft Intune

L0 Member

Anyone have tips on figuring out how to allow exceptions to successfully communication over the internet while an endpoint is in isolation? I would like Microsoft Intune to be able to continue to reach the device while the device is in isolation for the purpose of lock-down policy enforcement and location tracking. While I understand the isolation feature is designed for mitigation of a security compromised device, I would like to explorer using this feature as a method to ensure a user doesn't attempt to data dump their laptop upon an abrupt termination.

 

Any insight would be greatly appreciated! Thanks all!

2 REPLIES 2

L3 Networker

@rkaltenbach You can achieve this by using the agent profile under Prevention settings for policy management:

Policy Management > Prevention > Profile > Agent Profile > Response Actions

 

KanwarSingh01_0-1650583532456.png

 

Supporting Documentation: https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-prevent-admin/endpoint-security/custo...

 

Thanks.

 

Kind Regards
KS

Yes, I'm aware of where the exceptions go... Curious as to what the community has put there. Intune seems to rely on services, which are not executables. I believe this is my biggest hang-up here. I'm also not finding any good logging as to what the endpoint is trying to use to access the internet while in isolation.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!