
Automatic retrieve alert data on VDI XDR


L3 Networker

Hello,
In my company, we have many non-persistent VDIs, and sometimes an alert arises and I can't perform the 'Retrieve alert data' because, by the time I see the alert, the user has already logged out of the VDI.

My question is, is it possible in the Cortex XDR tenant to create an automatic rule so that, in the case of the machine being a VDI or being in a specific group, it automatically performs the 'Retrieve alert data' for the tenant?

Best regards
Tiago Marques

Accepted Solutions

L5 Sessionator

Hi @tlmarques ,

Thank you for writing to live community!

Technically, VDI instances should ideally not generate alerts, as they may have been segregated and fine-tuned during the agent deployment when the golden images are scanned. As a result, the VDI images are meant to be provisioned clean so that the same FP does not affect the entire production environment. However, as you cited, there are always corner cases.

In occurrences of such situations, you can configure your policy rules for VDI instances (I am assuming you may have a separate policy for them, as we always recommend a slightly different setting for VDI subgroups) to automatically upload alert data upon alert triggers. Though it is highly subjective to how much time the user gives for the endpoint to be online so that the dump is uploaded, from the Cortex XDR agent side this is very much possible.

The agent settings profile allows you to configure automatic upload of alert data and also choose the size of the dump that you want to upload to the cloud. Considering VDI instances are mostly clean and are meant to behave the same way, an alert spinning up on a VDI instance can possibly come across all devices.

As a result, you should be able to capture from at least one of the endpoints automatically.

To enable, go to XDR prevention profiles > Agent settings > Alerts data.
You can choose the size of the alert data dump and then enable "Automatically Upload Alert Data Dump File".

This should initiate the alert dump to be automatically uploaded to the cloud, and you should be able to download it the next time you navigate to Alerts > Retrieve Alert Data.

Hope this helps.

Please feel free to mark the response as "Accept as Solution" if it answers your query.


