Use the Cortex XDR Agent for Mac - Administrator Guide - 7.9 - 7.8

Cortex XDR Agent Administrator Guide

Product: Cortex XDR, Cortex XDR Agent
Version: 7.8
Creation date: 2022-08-31
Last date published: 2023-04-30
End of Life: EoL
Category: Administrator Guide
  1. Open the Cortex XDR Agent application.

    Use one of the following methods:

    • Browse to the Traps folder in Finder.

    • If you enabled access to the agent console, click the Cortex XDR agent icon in the menu bar, and select Open Console.

  2. View status information about the Cortex XDR agent:

    • Version—Displays the agent version.

    • Protection—Displays the active policies in bold.

      Note

      On Mac endpoints running macOS 10.15.4, the Protection Status in the agent console indicates the status of both Malware and Exploit modules on the endpoint.

    • Connection—Displays the connection status and, if connected, includes the server to which the agent is connected.

    • Last Check-in—Displays the local time on the endpoint of the last check-in with the server.

  3. Manually connect to the server.

    The agent periodically communicates with the server to send status information and retrieve the latest security policy. The agent performs this operation transparently at regular intervals so it is not typically necessary to connect to the server manually. If your Connection status is Not Connected, you can manually retry your connection. This option is available if you do not want to wait for the automated communication interval to begin.

    To initiate a manual check-in with the server: On the home page of the Cortex XDR agent console, click Check In Now. If the agent successfully establishes a connection with the server, the Connection status changes to indicate the server to which the agent is connected.

  4. Collect and view logs.

    • Collect logs—Click Generate Support File to collect Cortex XDR logs. After the Cortex XDR agent aggregates the logs, you can inspect or send them as needed. The logs can help you analyze any recent security events or Cortex XDR issues that you encounter. For remote endpoints, you can also retrieve logs from the Action Center.

    • View logs—Click Open Log File to view logs generated by the agent. The logs display in your default text editor in chronological order with the most recent logs at the bottom.

  5. View recent security events that occurred on your endpoint.

    For each event, the agent console displays the local Time an event occurred, the name of the Process that exhibited malicious behavior, the Module that triggered the event, and the mode specified for the type of event (Termination or Notification).

  6. View protected processes on the Mac endpoint.

    The Protection tab of the agent console displays all running processes in which the Cortex XDR agent is injected to prevent malicious execution or behavior. The agent console also indicates the process ID (PID) associated with each process.

  7. Configure proxy communication.

    The agent can communicate with Cortex XDR using the system proxy server that you define for the endpoint. For information on How to Enter Proxy Settings, see the documentation for your Mac operating system version. If you prefer to use an application proxy, configure a Cortex XDR agent specific proxy.
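    When the agent relies on the system proxy rather than an agent-specific one, the proxy the endpoint reports is the proxy the agent will use, so checking it is the first step when the Connection status stays Not Connected. The following script is an added example and is not part of the Cortex XDR guide or the agent itself: it reads the output of the macOS `networksetup -getwebproxy` and `-getsecurewebproxy` commands and reports whether a proxy is enabled and which host and port it points to. The network service name `Wi-Fi` and the sample output are assumptions; list your real service names with `networksetup -listallnetworkservices`.

```shell
#!/bin/sh
# Added example (not from the Cortex XDR guide): show the macOS system proxy
# that the Cortex XDR agent inherits when no agent-specific proxy is configured.

# Parse the output of `networksetup -getwebproxy <service>` (read from stdin)
# and print "enabled <host>:<port>" or "disabled". Reading stdin means the
# same function works on live output and on captured output from a support file.
parse_web_proxy() {
  enabled=""; server=""; port=""
  while IFS= read -r line; do
    case "$line" in
      "Enabled: "*) enabled=${line#*: } ;;
      "Server: "*)  server=${line#*: } ;;
      "Port: "*)    port=${line#*: } ;;
    esac
  done
  if [ "$enabled" = "Yes" ] && [ -n "$server" ]; then
    echo "enabled $server:$port"
  else
    echo "disabled"
  fi
}

# Query both the HTTP and HTTPS proxy for one network service on a live endpoint.
# The service name defaults to "Wi-Fi" (an assumption; adjust to your endpoint).
report_system_proxy() {
  service=${1:-Wi-Fi}
  if ! command -v networksetup >/dev/null 2>&1; then
    echo "networksetup not found: run this on the macOS endpoint" >&2
    return 1
  fi
  echo "HTTP proxy:  $(networksetup -getwebproxy "$service" | parse_web_proxy)"
  echo "HTTPS proxy: $(networksetup -getsecurewebproxy "$service" | parse_web_proxy)"
}

# Constructed sample of networksetup output (not captured from a real endpoint),
# kept here so the parser can be exercised on any machine.
SAMPLE_PROXY_ON='Enabled: Yes
Server: proxy.example.internal
Port: 8080
Authenticated Proxy Enabled: 0'

# On a Mac, print the live settings; elsewhere the sample above is all that runs.
if command -v networksetup >/dev/null 2>&1; then
  report_system_proxy "${1:-Wi-Fi}"
fi
```

If the proxy reported here is not the one your organisation expects, resolve that before troubleshooting the agent: everything between the agent and Cortex XDR flows through it. `scutil --proxy` prints the same settings in a single dump and is a quick cross-check.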

  8. A persistent notification from the agent indicates that your machine can't access the network. The notification disappears only when the issue is resolved.