As different Cortex XDR Policy profiles can be pushed to different users, it is sometimes required to find out which XDR Policy Profile is currently used by a particular endpoint.
If the endpoint has local administrator privileges, we could just search the *.ldb files in the following folder for the name of the profile used: C:\ProgramData\Cyvera\LocalSystem\Persistence\agent_settings.db\
The pattern to look for is JSON like the one below: "mpm":"Xxxxx","agset":"Xxxxxxxxxxxxxxx","restr":"Xxxxxxxxxxxxx","name":"Xxxxxxxxxxxxxx","epm":"Xxxxxx","exceptions":"Xxxxxx)"
If the endpoint does not have local administrator privileges, there seems to be no legitimate method to find the current XDR Policy Profile used.
Before version 7.8, we could at least "Generate Support File" on the XDR client and find the *.ldb files in the generated archive file. But newer versions of XDR after 7.8 encrypt the generated support file.
Does anyone know if it is possible to find out the current XDR Policy Profile used by a particular client endpoint without local administrator privileges?
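An added helper for the administrator case described above (example code, not from the original post or from Palo Alto Networks): it scans the folder the post names for *.ldb files and pulls the profile name out of each embedded JSON record. It assumes the records sit in the files as plain byte strings with the keys in the order shown above, and the sample bytes below are constructed for illustration.

```python
import re
import sys
from pathlib import Path

# Constructed sample of what a profile record embedded in an .ldb file might
# look like (assumption: the JSON fragment is stored as a plain byte string
# surrounded by unrelated binary data, as LevelDB value blobs usually are).
SAMPLE_LDB_BYTES = (
    b"\x00\x01\x02junk"
    b'{"mpm":"MpmA","agset":"AgentSettings1","restr":"Restr1",'
    b'"name":"Workstation Standard","epm":"EpmA","exceptions":"Exc1"}'
    b"\xff\xfe more junk"
    b'{"mpm":"MpmB","agset":"AgentSettings2","restr":"Restr2",'
    b'"name":"Server Hardened","epm":"EpmB","exceptions":"Exc2"}'
)

# The key sequence the post describes: mpm, agset, restr, name, epm, exceptions.
# Values are matched loosely (anything up to the next double quote) because the
# real contents are unknown; only the order of the keys is relied on.
PROFILE_RE = re.compile(
    rb'"mpm":"(?P<mpm>[^"]*)",'
    rb'"agset":"(?P<agset>[^"]*)",'
    rb'"restr":"(?P<restr>[^"]*)",'
    rb'"name":"(?P<name>[^"]*)",'
    rb'"epm":"(?P<epm>[^"]*)",'
    rb'"exceptions":"(?P<exceptions>[^"]*)'
)

def extract_profiles(data: bytes) -> list[dict]:
    """Return every profile record found in a raw byte buffer, in file order."""
    return [
        {k: v.decode("utf-8", errors="replace") for k, v in m.groupdict().items()}
        for m in PROFILE_RE.finditer(data)
    ]

def scan_agent_settings(folder) -> dict[str, list[str]]:
    """Map each *.ldb file directly under `folder` to the profile names it holds."""
    results = {}
    for ldb in sorted(Path(folder).glob("*.ldb")):
        names = [p["name"] for p in extract_profiles(ldb.read_bytes())]
        if names:
            results[ldb.name] = names
    return results

if __name__ == "__main__":
    # Default is the folder named in the post; reading it needs local admin rights.
    folder = sys.argv[1] if len(sys.argv) > 1 else r"C:\ProgramData\Cyvera\LocalSystem\Persistence\agent_settings.db"
    for fname, names in scan_agent_settings(folder).items():
        print(f"{fname}: {', '.join(names)}")
```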