06-25-2021 03:25 PM
Hi Doug,
Hopefully my reply isn't too late. As you know, XDR has a compatibility issue with Cylance, so yes, uninstall Cylance before installing the XDR agent. And hopefully you have done some canary group with no Cylance and XDR in block mode. That way at least you will get somewhere around 60-70% of the executables known to XDR, and the rest you can deal with when an incident triggers. Also, when you remove Cylance, usually Defender takes over if the XDR profile is set to report mode, but once you switch to blocking mode then XDR will be registered as the primary AV in Security Center.
What I've seen from some customers: remove Cylance, install the XDR agent, but only specific modules are in blocking mode while the rest are in report mode. That way the SOC doesn't get overwhelmed with all the new alerts at the same time, then slowly switch each module to block mode. What I would suggest is to get a good understanding of the XDR agent as an incident source, as those are the ones that will get blocked, and how to address them, so that even if you deploy the XDR agent with all modules in block mode, you can easily manage and address those incidents right away.
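A check that goes with the point about which product Security Center considers the primary AV after the Cylance removal and the switch to block mode. This is an added example, not code from the original post or from any vendor; it assumes a Windows workstation SKU that exposes the root/SecurityCenter2 WMI namespace, and the decoding of the productState field is the commonly used interpretation rather than anything documented, so treat those two bit-field reads as an assumption.

```powershell
# Added example (not from the original post): list the antivirus products that
# Windows Security Center currently has registered, with a decoded state.
# Assumes the root/SecurityCenter2 namespace is present (workstation SKUs expose
# it; server SKUs generally do not).
function Get-RegisteredAvProducts {
    $products = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName 'AntiVirusProduct'
    foreach ($p in $products) {
        # productState is a packed integer. The decoding below is the commonly used
        # interpretation (assumption, not documented by Microsoft): middle byte 0x10
        # means real-time protection is enabled, low byte 0x00 means signatures are
        # up to date.
        $hex = '{0:X6}' -f $p.productState
        [pscustomobject]@{
            DisplayName = $p.displayName
            State       = $hex
            Enabled     = ($hex.Substring(2, 2) -eq '10')
            UpToDate    = ($hex.Substring(4, 2) -eq '00')
            PathToExe   = $p.pathToSignedProductExe
        }
    }
}

$registered = Get-RegisteredAvProducts
$registered | Format-Table -AutoSize

# Flag hosts where Cylance is still registered next to another product; on those
# hosts the uninstall is not finished, and the XDR agent should stay in report
# mode until only one product reports itself as enabled.
$cylance = $registered | Where-Object { $_.DisplayName -match 'Cylance' }
$others  = $registered | Where-Object { $_.DisplayName -notmatch 'Cylance' }
if ($cylance -and $others) {
    Write-Warning 'Cylance is still registered in Security Center alongside another AV product; finish the Cylance removal before switching the XDR profile to block mode.'
}
```

Run it on a canary host before and after the profile switch; the Enabled column should move from Defender (or the remaining product) to the XDR agent, and only one entry should read as enabled once the switch has taken effect.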