topic Re: Discovering unprotected devices in Cortex XDR Discussions

Discovering unprotected devices

ESJosephPrinz — Sun, 31 Oct 2021 20:39:45 GMT

Has anyone come up with a reliable method to report on devices without xdr running on it?

Re: Discovering unprotected devices

P.Jacob — Mon, 01 Nov 2021 13:17:00 GMT

if you don't have any sort of RMM tool and your running prevent you can do a dump out of cortex and and dump out of AD and run a compare. if your running xdr pro look farther down in the topics and there is a good discussion on how to do this.

Re: Discovering unprotected devices

ESJosephPrinz — Mon, 01 Nov 2021 13:59:33 GMT

Ive dumped all devices that asset manager reports as no cortex XDR and run a script to reverse DNS. What I found was hundreds of false negatives. In other words, cortex asset manager reports no xdr but xdr is indeed running. So for us anyway, asset manager is erroneous. Perhaps something on our firewall side.

We are running Pro, what discussion are you referring to?

Ive spoken to a sales engineer and several support tickets. No real solution. Ive been pointing down futile paths however.

Ive tried pathfinder and it does not detect non cortex xdr devices only high alerts.

We wont run "open source" software on our network so the DHCP logger is a no go. Not to mention we have many dhcp servers so this would be a large deploy.

Options left are perhaps the new 7.5 agent which does a peer to peer discovery. However no documentation on the amount of traffic it generates so we wont enable it on our network without proper docs. And I guess global protect HIP detection. Looking into that.

Re: Discovering unprotected devices

P.Jacob — Mon, 01 Nov 2021 14:01:22 GMT

https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/best-way-to-detect-endpoints-that-do-not-yet-have-cortex-xdr/td-p/381151

Re: Discovering unprotected devices

ESJosephPrinz — Mon, 01 Nov 2021 14:12:37 GMT

Thanks. I have posted in that thread.. there is no solution, just a link to this vague document.

https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/asset-management/about-asset-management.html

And it is marked as a answer. Funny. What is really funny is it refers to pathfinder as a solution but after several tickets on this, cortex support says it does not work. Honestly, I dont think anyone at cortex knows how pathfinder works.. When I run a "test" in pathfinder on an IP, it does EXACTLY what I need in the log, it does a reverse lookup and determines if cortex is installed. But yet network mapper does not pass on the IPs it finds to pathfinder to interrogate.

Bottom line... has anyone gotten cortex PRO to report names of devices and or platforms name into asset manager that do NOT have xdr installed? If so, how did you do it? This should be doable.. the field is there..

Re: Discovering unprotected devices

eumbach — Sat, 13 Nov 2021 02:51:39 GMT

Have you looked at network discovery from 7.5?

About Asset Management (paloaltonetworks.com)

Re: Discovering unprotected devices

epalcev — Sun, 14 Nov 2021 08:36:40 GMT

Hi @ESJosephPrinz

Maybe the Network Mapper could help you?
https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/broker-vm/set-up-broker-vm/activate-the-network-mapper

Re: Discovering unprotected devices

P.Jacob — Mon, 15 Nov 2021 15:20:20 GMT

thank you I am going to try this

Re: Discovering unprotected devices

ESJosephPrinz — Sun, 06 Mar 2022 16:37:03 GMT

Wanted to update this.. what we found is in our environment the solution was to install cortex dhcp log collector on all Windows dhcp servers and make sure the global protect HIP data was being sent to the cortex lake. This have us all DHCP devices into asset manager so we could report on devices with the agent.

However, currently the match between asset manager and endpoint admin is IP.. So it is the "join" if you will. Problem is the IP is not updated in endpoint admin when it changes for a long time so we have many false positives. working on a xql report to resolve but dont know if this will be possible yet. But at least we have devices to audit.

Re: Discovering unprotected devices

P.Jacob — Sun, 06 Mar 2022 18:52:58 GMT

hello I am very interested in doing this. not too sure what the "cortex dhcp log collector"? I will look it up, also can you do this with the prevent subscription? vs the pro subscription?

Re: Discovering unprotected devices

ESJosephPrinz — Sun, 06 Mar 2022 19:16:26 GMT

Might be pro only but not sure. The filebeat.yml is a bear.. be wary of SPACES!! You will know what I mean if you proceed 🙂

Re: Discovering unprotected devices

nigsmi51 — Wed, 22 Mar 2023 14:28:22 GMT

Incase anyone else has this issue, here is an XQL Query that will result in which DHCP Devices are not in the Cortex Endpoints Dataset

dataset = microsoft_dhcp_raw | filter hostName != "" and ipAddress != "" //first few lines are same as OP | alter FormattedName = if (hostname contains ".domain.local",replace(hostname,".domain.local",""),hostname)//replace .domain.local with your domain when running | join conflict_strategy = left type = left (dataset = endpoints ) as ed ed.endpoint_name = FormattedName //left join ensures that all is returned from DHCP, and only matches from Endpoint | alter conditional = if(FormattedName = endpoint_name, 1, 0)//if there is a match, it returns 1, otherwise, 0 | fields FormattedName , endpoint_name, conditional | comp sum(conditional) as totalconnections by FormattedName // by summing on the conditional, if the sum is 0, that means there are 0 logs where DHCP matched with one of your endpoints | filter (totalconnections = 0) // if you changed this to >0, you will get all devices in DHCP that ARE matched in the Cortex List

Re: Discovering unprotected devices

eumbach — Wed, 22 Mar 2023 15:30:36 GMT

This is a great solution, it's a shame that it's Pro/TB and MS DHCP but it's a great solution.