Agent Administrations ↗
Configure Agent Administration, which includes actions, such as Agent Management, retrieve Agent Management, and Change Management Server.
Agent Administration provides comprehensive endpoint and agent management capabilities, such as viewing all managed endpoints and their status, monitoring agent health, version, and connectivity, and performing agent operations (upgrade, uninstall, restart).
Permissions | Description | Roles Example |
|---|---|---|
None | No access to the Endpoints menu ( → , including access to the All Endpoints page. Limited access to endpoint data in cases and in widgets. | |
View | Read-only access to the Endpoints menu, including the All Endpoints page, which enables users to view, for example, endpoint lists, details, upgrade, and uninstall. |
|
View/Edit | All view capabilities. When selecting View/Edit, you can select separate permissions, such as Agent Management, Retrieve Agent Data, and Agent Scan. |
|
Agent Administrations sub-permissions
Sub-permission | Description | Roles Example |
|---|---|---|
Agent Management | High risk. Controls core agent lifecycle and the following configuration operations by right-clicking an endpoint from the All Endpoints page ( → → → ):
NoteTo access advanced endpoint actions like Force Check-in, Restart, and Clear Agent Database, users must hold Alt/Option while right-clicking the endpoint to open the advanced Endpoint Control menu. |
|
Retrieve Agent Data | Enables retrieval of detailed agent diagnostic information, logs, and operational data by right-clicking an endpoint and selecting → from the ALL Endpoints page. Users can also select Retrieve Support File Password from the Key icon on the All Endpoints page (top right-hand corner). | SOC 2 and 3 Analysts, and Security Engineer: Agent troubleshooting and support. |
Agent Scan | Initiate on-demand malware scans on endpoints by right-clicking an endpoint, → . | All roles. SOC Tier-1 Analysts may need View permission with approval workflow. Initiating scans can impact endpoint performance. Should escalate to Tier-2. |
Change Managing Server | Reassign agents to different Cortex XSIAM management servers by right-clicking an endpoint and selecting → . Useful for disaster recovery, load balancing across management infrastructure, and migrating endpoints between environments (development/production). For more information, seeMove agents between managing servers. | Security Engineer: May be needed for infrastructure changes or disaster recovery (with change management approval). |
Pause Protection | High risk. Temporarily disable agent protection modules on endpoints by right-clicking an endpoint and selecting → . CautionPausing protection leaves endpoints vulnerable to threats. This should only be used for troubleshooting or software installation that conflicts with protection. | |
Agent Token Management | High risk. Manage agent authentication tokens and credentials by right-clicking an endpoint and selecting → , or Set Temporary Token. Tokens can also be managed on the All Endpoints page when clicking the Key button (top right-hand side of the page). For more information, see Manage agent tokens. CautionToken regeneration will temporarily disconnect agents until they receive the new token. Token revocation will permanently disconnect agents until they are manually re-enrolled. |