Agent Administrations

Abstract

Configure Agent Administration, which includes actions, such as Agent Management, retrieve Agent Management, and Change Management Server.

Agent Administration provides comprehensive endpoint and agent management capabilities, such as viewing all managed endpoints and their status, monitoring agent health, version, and connectivity, and performing agent operations (upgrade, uninstall, restart).

Permissions

Description

Roles Example

None

No access to the Endpoints menu (InventoryEndpoints, including access to the All Endpoints page. Limited access to endpoint data in cases and in widgets.

View

Read-only access to the Endpoints menu, including the All Endpoints page, which enables users to view, for example, endpoint lists, details, upgrade, and uninstall.

  • SOC Tier-1 Analyst: Should focus on triage and escalation, not endpoint management. Accidental changes could impact protection.

  • Threat Hunter: Focus on detection, not endpoint management. Should request actions through proper channels.

View/Edit

All view capabilities. When selecting View/Edit, you can select separate permissions, such as Agent Management, Retrieve Agent Data, and Agent Scan.

  • SOC Tier-2 and 3 Analysts: May need specific sub-options (like Isolate) for incident response, but full edit access is not required.

  • Security Engineer: Responsible for agent lifecycle management, upgrades, and configuration.

Agent Administrations sub-permissions

Sub-permission

Description

Roles Example

Agent Management

High risk. Controls core agent lifecycle and the following configuration operations by right-clicking an endpoint from the All Endpoints page (InventoryEndpointsAll EndpointsEndpoint Control):

  • Open in Interactive Mode

    Note

    Opens an interactive terminal session on the selected endpoint where you can run scripts in real-time. You need to add View/Edit permission for Agent Script and Scripts under Investigation and Response permissions.

  • Perform Heartbeat

  • Change Endpoint Alias

  • Upgrade Agent version

  • Set/Disable Agent Proxy

  • Uninstall Agent

  • Delete Endpoint

  • Disable Capabilities

  • Force Check-in

  • Restart Agent

  • Clear Agent Database

  • Exclude/Include endpoints from auto upgrade

  • Assign/Remove Endpoint Tags

Note

To access advanced endpoint actions like Force Check-in, Restart, and Clear Agent Database, users must hold Alt/Option while right-clicking the endpoint to open the advanced Endpoint Control menu.

  • Security Engineer: Primary responsibility for agent deployment, upgrades, and maintenance.

Retrieve Agent Data

Enables retrieval of detailed agent diagnostic information, logs, and operational data by right-clicking an endpoint and selecting Endpoint ControlRetrieve from Support File from the ALL Endpoints page.

Users can also select Retrieve Support File Password from the Key icon on the All Endpoints page (top right-hand corner).

SOC 2 and 3 Analysts, and Security Engineer: Agent troubleshooting and support.

Agent Scan

Initiate on-demand malware scans on endpoints by right-clicking an endpoint,Security OperationsInitiate Malware Scan.

All roles. SOC Tier-1 Analysts may need View permission with approval workflow. Initiating scans can impact endpoint performance. Should escalate to Tier-2.

Change Managing Server

Reassign agents to different Cortex XSIAM management servers by right-clicking an endpoint and selecting Endpoint ControlChange managing server. Useful for disaster recovery, load balancing across management infrastructure, and migrating endpoints between environments (development/production). For more information, seeMove agents between managing servers.

Security Engineer: May be needed for infrastructure changes or disaster recovery (with change management approval).

Pause Protection

High risk. Temporarily disable agent protection modules on endpoints by right-clicking an endpoint and selecting Endpoint ControlPause Endpoint Protection.

Caution

Pausing protection leaves endpoints vulnerable to threats. This should only be used for troubleshooting or software installation that conflicts with protection.

Agent Token Management

High risk. Manage agent authentication tokens and credentials by right-clicking an endpoint and selecting Endpoint ControlView Token, or Set Temporary Token. Tokens can also be managed on the All Endpoints page when clicking the Key button (top right-hand side of the page). For more information, see Manage agent tokens.

Caution

Token regeneration will temporarily disconnect agents until they receive the new token. Token revocation will permanently disconnect agents until they are manually re-enrolled.