topic Re: Duplicate endpoint entries observed in Cortex XDR Discussions

Duplicate endpoint entries observed

MithunKT — Sat, 23 Jul 2022 06:22:08 GMT

Hi All,

We have started noticing duplicate endpoint entries in the "All Endpoints" section.

After checking all the fields we found that there are different endpoint_ids for the same endpoint name.

What could be the reason behind the creation of these multiple/duplicate entries and how can we clean up these entries?

Thanks!!

Re: Duplicate endpoint entries observed

creddy — Sat, 23 Jul 2022 07:34:20 GMT

There could be various reasons for duplicate endpoints in XDR console.
How are the agents being deployed on endpoints.
Are the agents connected XDR server using any proxy server other than broker VM?
If yes, you need to make sure caching is disabled for XDR urls in proxy servers. This will help to make sure proper communication happening between agent and server.

Re: Duplicate endpoint entries observed

Cyber1985 — Sun, 24 Jul 2022 13:21:14 GMT

We have a simmilar behaviour. One PC 32 bit WIN 10 4GB RAM is going out pf ressources. So it is reinstalled by its own couple of times. 😞

Rob

Re: Duplicate endpoint entries observed

MarvinC — Mon, 25 Jul 2022 01:26:21 GMT

Hi MithunKT again,

The duplication can be a part of another installation retry on the same endpoint (e.g. reimaging)

What I usually do is to create a widget in Cortex XDR with the dedup filter.

| dedup hostname desc by last_seen

The dedup will deduplicate same hostname but will retain who reported latest in the Cortex XDR console.

Re: Duplicate endpoint entries observed

MithunKT — Mon, 25 Jul 2022 04:15:20 GMT

Hey @MarvinC

I have tried creating a custom widget and I'm getting report of duplicate entries every day. But how do you remove the entries which are not needed?

I have tried the "delete endpoint" option, it will remove the entry from the "All endpoints" but in the next day's report, it will reappear again.

What's the best solution to clean up all these unnecessary entries permanently?

Re: Duplicate endpoint entries observed

MithunKT — Mon, 25 Jul 2022 09:58:30 GMT

Hi @creddy

There is no proxy server placed between agent and XDR tenant communication. I too investigated from the user end to find out what actually is creating duplicate entries.

I found out the below reasons;
1) whenever multiple users login to the same endpoint(Shared host) then duplicate entries are created.
2) whenever the same user connects from different IPs(VPN, office network) then duplicate entries are created for the same endpoint.

I just wanted to understand Is this the natural behavior of XDR creating duplicate entries for the same endpoint whenever user authority or IP changes? If so;
How licensing will be affected for these duplicate entries?
How do we clean up the unnecessary duplicates automatically?

Thanks!!

Re: Duplicate endpoint entries observed

creddy — Wed, 27 Jul 2022 09:29:05 GMT

Hi Mithun,
Each agent have its own unique ID to communicate to XDR server. XDR server communicate to each endpoint agent based on this unique ID. XDR server cant communicate to multiple agents (that have same unique ID) at same time. But it communicate to multiple agents where its service started recently which could be happening in your case.

From your statements, I can understand that agent might have received same unique ID to multiple endpoints when they registered to XDR server.
There could be a possibility where a multiple endpoint XDR Agents can receive same agent ID during its registration process.
So when a endpoint agent services getting started, it is able to start communicating to XDR server. The other endpoint already connected stop any connections with XDR server at this stage.

This can happen because of two reasons.

1.SSL inspection enabled on firewall.
If SSL decryption is enabled in the firewall, we recommend adding the Resources required for Cortex XDR access to your SSL Decryption Exclusion list for proper communication between agent and server. Refer step #7 in Enable Access to Cortex XDR

2.Caching enabled on proxy servers.
Disable cache for all PAN URLs in the proxy server for proper communication and response between agent and server.
Since you already mentioned there is no proxy, you can ignore this point.

After above settings are fixed, you can verify if a new agent installed is getting unique agent ID from XDR server or not.

Coming to cleanup existing duplicate endpoints, machines which are already affected with this duplicate agent ID, we can force the agent to get a new agent ID(unique ID) to resolve the issue on affected machines with the following steps:

1.Uninstall agent from the machine.
2.Locate and Delete agent id file from the machine using below steps.
For Windows: Delete agent.id file under the path C:\ProgramData\Cyvera\LocalSystem\OSPersistence\

For Linux: Delete the agent.id file under the path /etc/traps/

For Mac: Delete the agent.id file under the path /etc/traps/

3.Delete the Endpoint entry from Endpoints -> All Endpoints section in the XDR Management Console.
4.Restart the endpoint.
5.Install the agent package on the endpoint and verify agent ID on the XDR console.
6.Verify the Agent ID value under the Endpoint ID column for the particular endpoint from Endpoints -> All Endpoints section in the XDR Management Console. It shows the unique agent ID for each endpoint.

Coming to license portion, if there are any duplicates showing up in XDR console, all these duplicate may consume license.

If you found this post helpful, please mark this as Answer/Solution.

Re: Duplicate endpoint entries observed

bbarmanroy — Wed, 27 Jul 2022 09:30:15 GMT

Hi @creddy

I am referring to the steps you listed here:

1.Uninstall agent from the machine.
2.Delete agent id file from the machine using below command.
3.Disable Agent Tampering Protection and perform the below step.

We do not need to disable agent tamper protection as the agent is already uninstalled.

What can be done as an alternative is:

1. disable all processes (cytool runtime stop all)

2. disable tamper protection (for Windows only)

3. delete/rename the agent.id file

4. enable tamper protection (for Windows only)

5. restart all processes (cytool runtime start all)

6. delete the old entry from Cortex XDR console.

That'll get the agent a new agent ID. See an example below:

Re: Duplicate endpoint entries observed

creddy — Wed, 27 Jul 2022 09:23:01 GMT

Thank @bbarmanroy
There was a typo in my steps shared earlier. I have corrected it.

Re: Duplicate endpoint entries observed

bbarmanroy — Thu, 28 Jul 2022 06:07:26 GMT

Thank you @creddy !

Re: Duplicate endpoint entries observed

bbarmanroy — Thu, 28 Jul 2022 06:15:58 GMT

With XDR 3.4, there is a new feature to automatically cleanup duplicate entries.

https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-release-notes/release-information/features-introduced/features-introduced-in-2022