Pause endpoint protection

Cortex XSIAM Documentation

Product: Cortex XSIAM
Creation date: 2024-03-06
Last date published: 2024-10-07
Category: Administrator Guide

Abstract

Disable the Cortex XDR agent protection capabilities on an endpoint.

With agent version 7.7 and later, you can pause the agent protection capabilities on one or more endpoints while maintaining connectivity with Cortex XSIAM. While protection is paused, the agent runs with all the profiles disabled but continues to send data and take actions from the server. When you are ready, you can resume the endpoint protection.

Note

Pausing your endpoint protection modules leaves your machines exposed to risks.

How to pause endpoint protection modules
  1. Go to Endpoints → All Endpoints.

  2. In the All Endpoints page, select the endpoints you want to pause protection on, right-click and select Endpoint Control → Pause Endpoint Protection.

  3. Verify the endpoints, add an optional comment that appears in the Management Audit log, and Pause the protection.

    Endpoints that have been paused appear with a pause icon in the Endpoint Name field and, depending on the action progress, one of the following statuses in the Manual Protection Pause field:

    • Protection Active

    • Pending Pause

    • Protection Paused

    • Pending Activation

  4. When you are ready to resume protection, select the endpoints, right-click and select Endpoint Control → Resume Endpoint Protection, and then Resume protection on the listed endpoints.

    The All Endpoints table fields are updated accordingly.

  5. (Optional) Track your pause and resume endpoint protection actions.

    Go to Incident Response → Response → Action Center and locate Action Type Pause Endpoint Protection or Resume Endpoint Protection.