Endpoint Operational Status

Shashanksinha — Tue, 11 Oct 2022 11:31:46 GMT

Currently, our devices are unprotected state and partially protected state due to disk consumption.

Is the data in the cortex xdr incrementive or does it delete itself after sometime ?

What is the possible solution for this issue ?

How do we differentiate the disk consumption error is because of disk full in the user's system or is it because the space assigned for the cortex is filled?

Re: Endpoint Operational Status

bbarmanroy — Thu, 13 Oct 2022 02:25:20 GMT

HI @Shashanksinha the XDR data stored in the endpoint is limited to 5GB (default, and configurable in Agent Settings profiles). You can use standard IT Ops tools to monitor disk sizes, or leverage Live Terminal to do the same. When the quota for XDR agent is exhausted, the agent will automatically start removing older data. Enabling Forensics consumes significant storage, so be mindful of allocating more disk space accordingly (around 3-4GB additionally).
What you should look for is why the space is being filled up, and it could be attributed to being "noisy", i.e., with lots of alerts and incidents being triggered from that endpoint.
I'd first start off by allocating more disk space to the XDR agent on the affected endpoints to ensure operational stability, and then start investigating the root cause.

topic Endpoint Operational Status in Cortex XDR Discussions

Endpoint Operational Status

Re: Endpoint Operational Status