Move Agents Between Managing Servers

Cortex XSIAM Administrator Guide

Product: Cortex XSIAM
Creation date: 2023-10-30
Last date published: 2024-03-28
Category: Administrator Guide

Abstract

When needed, you can move Cortex XDR agents to other Cortex XSIAM managing servers.

You can move existing agents between Cortex XSIAM managing servers directly from the Cortex XSIAM management console. This can be useful during migration, POCs or to better manage your agent allocation between tenants. When you change the server that manages the agent, the agent transfers to the new managing server as a freshly installed agent, without any data that was stored on the original managing server. After the Cortex XDR agent registers with the new server, it can no longer communicate with the previous one.

Consider the following prerequisites before you change the managing server of a Cortex XDR agent:

  • Ensure that you are running a Cortex XDR agent 7.2 or later release.

  • Endpoint Type is not Kubernetes Node.

  • Installation Type is not VDI.

  • Ensure you have administrator privileges for Cortex XSIAM in the hub.

To register to another managing server, the Cortex XDR agent requires a distribution ID of an installation package on the target server in order to identify itself as a valid Cortex XDR agent. The agent must provide an ID of an installation package that matches the same operating system for the same or a previous agent version. For example, if you want to move a Cortex XDR Agent 7.0.2 for Windows, you can select from the target managing server the ID of an installation package created for a Cortex XDR Agent 5.0.0 for Windows. The operating system version can be different.

Note

Cortex XSIAM does not support moving agents between FedRAMP and commercial tenants.

To change the managing server of a Cortex XDR Agent:

  1. Obtain an installation package ID from the target managing server.

    1. Log in to Cortex XSIAM on the target management server, then navigate to Endpoints → Agent Installations.

    2. From the agent installations table, locate a valid installation package you can use to register the agent. Alternatively, you can create a new installation package if required.

    3. Right-click the ID field and copy the value. Save this value, as you will need it later for the registration process. If the ID column is not displayed in the table, add it.

  2. Locate the Cortex XDR agent you want to move.

    Log in to the current managing server of the Cortex XDR agent and navigate to Endpoints → All Endpoints.

  3. Change the managing server.

    1. Select one or more agents that you want to move to the target server.

    2. Right-click + Alt to open the options menu in advanced mode, and select Endpoint Control → Change managing server. This option is available only for an administrator in Cortex XSIAM and for Cortex XDR agent 7.2 and later.

    3. Enter the ID number of the installation package you obtained in Step 1. If you selected agents running on different operating systems, for example, Windows and Linux, you must provide an ID for each operating system. When done, click Move.

  4. Track the action.

    When you track the action in the Action Center, the original managing server continues to display the In progress (Sent) status even after the action has completed successfully, because the agent no longer reports to this managing server. The new managing server records the move as a new agent registration action.
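
The prerequisites and the package-matching rule described above can be checked before a batch move is started. The following is an added example, not Palo Alto Networks code: the inventory records, field names and package IDs are constructed, and picking the newest compatible package is the example's own choice.

```python
# Added example; field names, hostnames and package IDs are constructed.
MIN_AGENT = (7, 2)  # prerequisite: Cortex XDR agent 7.2 or later

def ver(s):
    """'7.9' -> (7, 9, 0, 0), so versions of different lengths compare."""
    parts = [int(p) for p in s.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def blockers(agent):
    """Prerequisite failures for one agent; an empty list means movable."""
    why = []
    if ver(agent["version"])[:2] < MIN_AGENT:
        why.append("agent older than 7.2")
    if agent["endpoint_type"] == "Kubernetes Node":
        why.append("endpoint type is Kubernetes Node")
    if agent["install_type"] == "VDI":
        why.append("installation type is VDI")
    return why

def plan_move(agents, packages):
    """Return (movable names, blocked reasons, one package ID per OS)."""
    blocked = {a["name"]: blockers(a) for a in agents if blockers(a)}
    movable = [a for a in agents if a["name"] not in blocked]
    ids = {}
    for os_name in sorted({a["os"] for a in movable}):
        # One ID is entered per OS, so it must suit the oldest selected
        # agent: same OS, same or previous agent version.
        oldest = min(ver(a["version"]) for a in movable if a["os"] == os_name)
        fits = [p for p in packages
                if p["os"] == os_name and ver(p["version"]) <= oldest]
        # Picking the newest fitting package is this example's choice;
        # None means a new package must be created on the target server.
        best = max(fits, key=lambda p: ver(p["version"]), default=None)
        ids[os_name] = best["id"] if best else None
    return [a["name"] for a in movable], blocked, ids

def agent(name, os_name, version, endpoint_type="Workstation", install_type="Standard"):
    return dict(name=name, os=os_name, version=version,
                endpoint_type=endpoint_type, install_type=install_type)

AGENTS = [  # constructed inventory
    agent("ws-01", "Windows", "8.2.1"), agent("ws-02", "Windows", "7.9.0"),
    agent("vdi-01", "Windows", "8.1.0", install_type="VDI"),
    agent("k8s-01", "Linux", "8.2.0", endpoint_type="Kubernetes Node"),
    agent("srv-01", "Linux", "7.1.3", "Server"), agent("srv-02", "Linux", "7.8.0", "Server"),
]
PACKAGES = [dict(id=i, os=o, version=v) for i, o, v in [  # constructed target packages
    ("PKG-WIN-A", "Windows", "8.0.0"), ("PKG-WIN-B", "Windows", "7.5.0"),
    ("PKG-WIN-C", "Windows", "7.2.0"), ("PKG-LNX-A", "Linux", "8.1.0")]]
```

Calling `plan_move(AGENTS, PACKAGES)` on this sample data blocks three agents and leaves Linux without a usable package ID, because the only Linux package is newer than the remaining Linux agent.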