Pause endpoint protection

Cortex XSIAM Documentation

Product: Cortex XSIAM
Creation date: 2024-03-06
Last date published: 2025-04-16
Category: Administrator Guide
Abstract: Disable the Cortex XDR agent protection capabilities on an endpoint.

With agent 7.7 and later, you can pause the agent's protection capabilities on one or more endpoints while maintaining connectivity with Cortex XSIAM. Because only protection is paused and connectivity is retained, the agent runs with all profiles disabled but continues to send data and take actions from the server. When you are ready, you can resume endpoint protection.

Note

Pausing your endpoint protection modules leaves your machines exposed to risks.

How to pause endpoint protection modules
  1. Go to Endpoints → All Endpoints.

  2. On the All Endpoints page, select the endpoints on which you want to pause protection, right-click, and select Endpoint Control → Pause Endpoint Protection.

  3. Verify the endpoints, add an optional comment that appears in the Management Audit log, and Pause the protection.

    Paused endpoints display a pause icon in the Endpoint Name field, and one of the following action statuses in the Manual Protection Pause field:

    • Protection Active

    • Pending Pause

    • Protection Paused

    • Pending Activation

  4. When you are ready to resume protection, select the paused endpoints, right-click, select Endpoint Control → Resume Endpoint Protection, and Resume protection on the listed endpoints.

    The All Endpoints table fields are updated accordingly.

  5. Track your pause and resume endpoint protection actions.

    Go to Incident Response → Response → Action Center and locate Action Type Pause Endpoint Protection or Resume Endpoint Protection.
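
As an added example (not part of the Cortex XSIAM documentation), the following Python script supports the tracking step: given action records in CSV form, it pairs each Pause Endpoint Protection action with a later Resume Endpoint Protection action and reports endpoints that are still paused past a time limit. The column names, the sample rows, and the four-hour limit are assumptions constructed for illustration, not the product's schema.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample records: column names and rows are assumptions for this
# example, not the actual Action Center schema.
SAMPLE_RECORDS = """\
timestamp,endpoint_name,action_type,initiated_by,comment
2025-04-01T08:00:00+00:00,WS-0012,Pause Endpoint Protection,alice,driver install
2025-04-01T09:30:00+00:00,WS-0012,Resume Endpoint Protection,alice,
2025-04-01T10:00:00+00:00,SRV-DB-03,Pause Endpoint Protection,bob,
2025-04-02T07:15:00+00:00,WS-0044,Pause Endpoint Protection,carol,perf test
2025-04-02T07:45:00+00:00,WS-0044,Resume Endpoint Protection,carol,
2025-04-03T06:00:00+00:00,WS-0044,Pause Endpoint Protection,carol,perf test 2
"""

PAUSE = "Pause Endpoint Protection"
RESUME = "Resume Endpoint Protection"


def find_unresumed_pauses(records_text, now, max_pause=timedelta(hours=4)):
    """Return pauses with no later resume that have been open longer than max_pause."""
    open_pauses = {}  # endpoint name -> earliest pause row not yet resumed
    rows = sorted(csv.DictReader(io.StringIO(records_text)),
                  key=lambda r: datetime.fromisoformat(r["timestamp"]))
    for row in rows:
        name = row["endpoint_name"]
        if row["action_type"] == PAUSE:
            open_pauses.setdefault(name, row)  # a repeated pause keeps the first start time
        elif row["action_type"] == RESUME:
            open_pauses.pop(name, None)  # a resume closes the open pause, if any
    findings = []
    for name, row in open_pauses.items():
        age = now - datetime.fromisoformat(row["timestamp"])
        if age > max_pause:
            findings.append({
                "endpoint": name,
                "paused_by": row["initiated_by"],
                "paused_for": age,
                "has_comment": bool(row["comment"].strip()),
            })
    return sorted(findings, key=lambda f: f["paused_for"], reverse=True)


if __name__ == "__main__":
    now = datetime(2025, 4, 3, 12, 0, tzinfo=timezone.utc)
    for f in find_unresumed_pauses(SAMPLE_RECORDS, now):
        print(f"{f['endpoint']}: paused {f['paused_for']} by {f['paused_by']}, "
              f"comment={'yes' if f['has_comment'] else 'MISSING'}")
```

Findings without a comment are worth reviewing first, since the optional comment is the only recorded reason for the pause.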