Cortex XDR Agent Tamper Protection Notification

cancel
Showing results for 
Search instead for 
Did you mean: 

Cortex XDR Agent Tamper Protection Notification

L2 Linker

Hi everyone,

 

Can we get the notification on Cortex XDR Management console, if any user is trying to disable the XDR Agent protection and services ?

 

Regards

3 REPLIES 3

L4 Transporter

Hi @RahulPrajapati users cannot uninstall or disable any functionalities without the Agent password defined globally or in Agent settings profile applied to a host. If you have a PoC to demonstrate the bypass, we can definitely take a deep dive at it to fix the issue.

In short, you won't get a notification for such behavior at this point in time.

Hi @bbarmanroy ,

 

Some local engineers had the uninstall password so we have changed it. I can see the Agent service stop logs from Agent Audit logs. But many of them can possibly means that system got shutdown and so Agent service got stop. But if any user tries to disable the agent service using cytool command. Can we know that information from the Agent audit logs?

 

Regards

Hi @RahulPrajapati you are correct - a shutdown will stop Agent services.

If a user is successfully able to stop one or more XDR agent services, that will be listed as an event in the Agent Audit logs. Unsuccessful attempts won't be listed. 

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!