01-24-2022 08:46 PM
Hi everyone,
Can we get a notification on the Cortex XDR Management console if any user is trying to disable the XDR Agent protection and services?
Regards
01-24-2022 10:16 PM
Hi @RahulPrajapati, users cannot uninstall or disable any functionalities without the Agent password defined globally or in the Agent settings profile applied to a host. If you have a PoC to demonstrate the bypass, we can definitely take a deep dive into it to fix the issue.
In short, you won't get a notification for such behavior at this point in time.
01-25-2022 12:50 AM
Hi @bbarmanroy,
Some local engineers had the uninstall password, so we have changed it. I can see the Agent service stop logs in the Agent Audit logs. But many of them could possibly mean that the system was shut down and so the Agent service stopped. But if any user tries to disable the agent service using the cytool command, can we know that information from the Agent audit logs?
Regards
01-25-2022 05:40 PM - edited 01-25-2022 05:40 PM
Hi @RahulPrajapati you are correct - a shutdown will stop Agent services.
If a user is successfully able to stop one or more XDR agent services, that will be listed as an event in the Agent Audit logs. Unsuccessful attempts won't be listed.
07-25-2022 10:02 AM
There must be a way :). Since the agent is watching every process, there must be a way to throw an alert when something irregular happens to the Services?
BR
Rob