ITDR
About Endpoint Agents
An endpoint agent continuously scans and monitors the endpoints and Active Directory (AD) domain in real time for secrets, local misconfigurations, and other sensitive data that might be targeted by adversaries. An endpoint agent triggers an Active Directory posture scan or credential exposure scan to collect the data from the AD domain or endpoints, respectively. Some of the AD attacks and credential exposures include DCSync, DCShadow, Zerologon, Saved Browser Credentials, Browser Cookies, etc.
The endpoint agent's CPU consumption is capped at 25%.
Endpoint agents provide the following benefits and enable you to:
- Continuously monitor the endpoints and AD domain to check for identity-based attacks.
- Trigger an AD scan that uses LDAP to communicate with the AD domain to identify vulnerabilities.
- Trigger a credential exposure scan on the endpoints to identify exposed credentials and other identity-related data that can be easily exfiltrated.
Zscaler ITDR components such as CredentialExposure.Console.exe, CredEx.exe, or CredExInstaller.exe are also installed on endpoints as part of Zscaler Client Connector. The processes associated with these components are legitimate processes and will not activate (run) unless the respective functionality is enabled in ITDR.
About the Endpoint Agents Page
On the Agents page (Settings > Endpoint Settings > Agents), you can do the following:
- View a list of systems on which the endpoint agents are installed. For each system, you can view:
  - System Name: The name of the system.
  - System User Name: The usernames on the system.
  - Client Connector User: The usernames in Zscaler Client Connector.
  - Matched Policies: The threat detection policies that are applied on the endpoint.
  - First Seen: The date and time when the agent was installed on the system.
  - Last Seen: The date and time when the agent last connected to the ITDR Admin Portal.
  - OS Version: The operating system (OS) name and version.
  - Version: The endpoint agent version number.
  - Endpoint Credential Exposure Policy Name: The name of the endpoint credential exposure policy on the endpoint agent.
  - Endpoint Credential Exposure Policy Status: The status (Completed Successfully, Completed Partially, Failed, Processing, Not Started) of the endpoint credential exposure policy. When an endpoint credential exposure policy for an agent fails or is partially completed, you can view the error logs by clicking the Failed or Completed Partially status. The endpoint credential exposure error logs provide the following information:
    - Timestamp: The date and time when the error was generated.
    - Type: The type of endpoint credential exposure policy.
    - Message: The error message.
    - Detail: The detailed description of the error.
    - IP: The IP address of the system.
- Install endpoint agents.
- Download Troubleshooter to manage the endpoint agents using CLI commands.
- Export endpoint agent configuration details to a file.
- Select any of these options from the Actions drop-down menu:
  - Show all agents: Shows or hides inactive agents. Inactive agents are endpoint agents whose last check-in time is older than 7 days. By default, this setting is disabled.
    - If enabled, all agents (active and inactive) are displayed.
    - If disabled, only active agents are displayed.
  - Trigger Logs: Trigger the download of endpoint agent logs from an endpoint.
- Perform an action on an agent, such as view policy details, uninstall or delete an agent, and download agent logs.