- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
Enhanced Security Measures in Place: To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.
03-27-2024 07:29 AM
Hello,
In my company, we have many non-persistent VDIs, and sometimes an alert arises and I couldn't perform the 'Retrieve alert data' because when i see alert the user has already logged out of the VDI.
My question is, is it possible in the Cortex XDR Tenant create an automatic rule so that in the case of the machine being a VDI or being in a specific group, it automatically performs the 'retrieve alert data' for the tenant?
03-27-2024 09:09 AM - edited 03-27-2024 09:10 AM
Hi @tlmarques ,
Thank you for writing to live community!
Technically, VDI instances should ideally not generate alerts as they may have been segregated and fine tuned during the agent deployment when the golden images are scanned. As a result, the VDI images are meant to be provisioned clean so that the same FP does not affect the entire production environment. However, as you cited, there are always corner cases.
In occurences of such situations, you can configure your policy rules for VDI instances(I am assuming you may have separate policy for them as we always recommend a slightly different setting for VDI subgroups), to automatically upload alert data upon alert triggers. Though it is highly subjective to how much time does the user give for the endpoint to be online so that the dump is uploaded, but from Cortex XDR agent side this is very much possible.
The agent settings profile allows you to configure automatic upload of alert data and also choose the size of the dump that you want to upload to the cloud. Considering VDI instances are mostly clean and are meant to behave the same way, an alert spinning up on a VDI instance alert can possibly come across all devices.
As a result, you should be able to capture from atleast one of the endpoints automatically.
To enable, go to XDR prevention profiles > agent settings> Alerts data.
You can choose the size of alert data dump and then enable "Automatically Upload Alert Data Dump File".
This should initiate alert dump to be automatically uploaded to the cloud and you should be able to download it next time you navigate to alerts> Retrieve Alert Data
Hope this helps.
Please feel free to mark the response as "Accept as Solution" if it answers your query
03-27-2024 09:09 AM - edited 03-27-2024 09:10 AM
Hi @tlmarques ,
Thank you for writing to live community!
Technically, VDI instances should ideally not generate alerts as they may have been segregated and fine tuned during the agent deployment when the golden images are scanned. As a result, the VDI images are meant to be provisioned clean so that the same FP does not affect the entire production environment. However, as you cited, there are always corner cases.
In occurences of such situations, you can configure your policy rules for VDI instances(I am assuming you may have separate policy for them as we always recommend a slightly different setting for VDI subgroups), to automatically upload alert data upon alert triggers. Though it is highly subjective to how much time does the user give for the endpoint to be online so that the dump is uploaded, but from Cortex XDR agent side this is very much possible.
The agent settings profile allows you to configure automatic upload of alert data and also choose the size of the dump that you want to upload to the cloud. Considering VDI instances are mostly clean and are meant to behave the same way, an alert spinning up on a VDI instance alert can possibly come across all devices.
As a result, you should be able to capture from atleast one of the endpoints automatically.
To enable, go to XDR prevention profiles > agent settings> Alerts data.
You can choose the size of alert data dump and then enable "Automatically Upload Alert Data Dump File".
This should initiate alert dump to be automatically uploaded to the cloud and you should be able to download it next time you navigate to alerts> Retrieve Alert Data
Hope this helps.
Please feel free to mark the response as "Accept as Solution" if it answers your query
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!