Cortex + Global Protect Deactivation
Hello network / security admins,
We recently moved to Prisma Access and I have a question for you:
Now that Prisma Access is the main security layer on remote computers (with Cortex XDR), I'm trying to find a way to detect and alert via a correlation or IoC if someone tries to kill the GlobalProtect service (PanGPS).
For now, I can find when the service is stopped, but I'm unable to see if it's OS-related or user manipulation.
What I'm trying to do for now:
Detect if the user types net stop pangps
Detect if the user types stop-process pangps
Detect if the user opens the services.msc console and stops pangps
The idea behind this is to give us an alert whenever a user is trying to bypass Prisma Access Mobile User security.
If anybody has played a bit with XQL, I would be glad to hear whether someone has actually done this.
Best regards,
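One way to prototype the three detections asked for above, as an added example that is not from the original post and not Palo Alto Networks code: a Python script that runs the logic over constructed process-start and service-stop events. The record layout and field names (ts, host, user, type, image, cmdline, service) are assumptions that only mimic EDR telemetry, not the real Cortex XDR schema; the command-line patterns and the time-window correlation are the parts to carry over into an XQL query over process-start events.

```python
"""Flag attempts to stop the GlobalProtect service (PanGPS) on Windows endpoints.

Added example, not from the original post. Events below are constructed and only
mimic EDR telemetry; field names are assumptions, not Cortex XDR's xdr_data schema.
"""
import re
from datetime import datetime, timedelta

SERVICE = "pangps"

# (technique label, regex). Matched case-insensitively against the whole command
# line; patterns tolerate extra whitespace, a .exe suffix, quotes, net1.exe and
# PowerShell's -Name parameter so trivial variations do not slip past.
CMDLINE_RULES = [
    ("net stop",     re.compile(rf'\bnet1?(?:\.exe)?\s+stop\s+"?{SERVICE}\b', re.I)),
    ("sc stop",      re.compile(rf'\bsc(?:\.exe)?\s+stop\s+"?{SERVICE}\b', re.I)),
    ("Stop-Service", re.compile(rf'\bstop-service\b[^;|]*\b{SERVICE}\b', re.I)),
    ("Stop-Process", re.compile(rf'\bstop-process\b[^;|]*\b{SERVICE}\b', re.I)),
    ("taskkill",     re.compile(rf'\btaskkill(?:\.exe)?\b[^;|]*\b{SERVICE}\b', re.I)),
]
SERVICES_MSC = re.compile(r"\bservices\.msc\b", re.I)


def classify_cmdline(cmdline):
    """Return the technique label if the command line targets PanGPS, else None."""
    for label, rx in CMDLINE_RULES:
        if rx.search(cmdline):
            return label
    return None


def _alert(ts, host, user, technique, evidence):
    return {"ts": ts, "host": host, "user": user, "technique": technique, "evidence": evidence}


def detect(events, window_s=120):
    """Return (alerts, unattributed).

    alerts: user-driven stop attempts, either a matching command line (alerted even
    if the stop fails) or a PanGPS stop within window_s seconds after services.msc
    was opened on the same host. Stopping a service from services.msc spawns no
    child process, so the only handle is this correlation; opening services.msc
    on its own is benign and is not alerted.
    unattributed: PanGPS stops with no interactive action before them on that host
    (shutdown, agent upgrade); reported separately, not paged.
    """
    events = sorted(events, key=lambda e: e["ts"])
    alerts, unattributed = [], []
    last_action = {}  # host -> (timestamp, technique, event) of latest interactive action
    for e in events:
        if e["type"] == "process_start":
            tech = classify_cmdline(e["cmdline"])
            if tech is None and e["image"].lower() == "mmc.exe" and SERVICES_MSC.search(e["cmdline"]):
                tech = "services.msc"
            if tech is None:
                continue
            last_action[e["host"]] = (datetime.fromisoformat(e["ts"]), tech, e)
            if tech != "services.msc":
                alerts.append(_alert(e["ts"], e["host"], e.get("user"), tech, e["cmdline"]))
        elif e["type"] == "service_stop" and e["service"].lower() == SERVICE:
            # Real SCM stop records carry no user, so correlate on host only.
            prior = last_action.get(e["host"])
            delta = datetime.fromisoformat(e["ts"]) - prior[0] if prior else None
            if prior and delta <= timedelta(seconds=window_s):
                if prior[1] == "services.msc":
                    evidence = "PanGPS stopped %ds after services.msc was opened" % delta.total_seconds()
                    alerts.append(_alert(e["ts"], e["host"], prior[2].get("user"), "services.msc", evidence))
                # a command-line technique was already alerted on the process start
            else:
                unattributed.append(e)
    return alerts, unattributed


# Constructed sample telemetry (not captured from any real system).
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:00", "host": "LAPTOP-01", "user": "alice", "type": "process_start",
     "image": "net.exe", "cmdline": "net  stop PanGPS"},                     # double space on purpose
    {"ts": "2024-05-01T09:00:02", "host": "LAPTOP-01", "type": "service_stop", "service": "PanGPS"},
    {"ts": "2024-05-01T10:15:00", "host": "LAPTOP-02", "user": "bob", "type": "process_start",
     "image": "powershell.exe", "cmdline": 'powershell.exe -NoP -C "Stop-Process -Name PanGPS -Force"'},
    {"ts": "2024-05-01T11:00:00", "host": "LAPTOP-03", "user": "carol", "type": "process_start",
     "image": "mmc.exe", "cmdline": '"C:\\Windows\\system32\\mmc.exe" "C:\\Windows\\system32\\services.msc"'},
    {"ts": "2024-05-01T11:00:40", "host": "LAPTOP-03", "type": "service_stop", "service": "PanGPS"},
    {"ts": "2024-05-01T12:30:00", "host": "LAPTOP-04", "type": "service_stop", "service": "PanGPS"},
    {"ts": "2024-05-01T13:00:00", "host": "LAPTOP-05", "user": "dave", "type": "process_start",
     "image": "net.exe", "cmdline": "net stop Spooler"},                     # other service: no alert
]

if __name__ == "__main__":
    found, unknown = detect(SAMPLE_EVENTS)
    for a in found:
        print("ALERT %(ts)s %(host)s %(user)s %(technique)s: %(evidence)s" % a)
    for e in unknown:
        print("UNATTRIBUTED %(ts)s %(host)s PanGPS stopped, no interactive action seen" % e)
```

Running it yields three alerts (alice via net stop, bob via Stop-Process, carol via services.msc) and one unattributed stop on LAPTOP-04, which is how the script separates "OS-related" from "user manipulation": a stop is attributed to the user only when a matching command line or a services.msc launch preceded it on that host within the window. Tune the window to how long a user realistically spends in the console, and treat this as a complement to the GlobalProtect app's own settings that restrict users from disabling it, not a replacement.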