topic Endpoint administrative cleanup in Cortex XDR Discussions

Endpoint administrative cleanup

Shashanksinha — Tue, 11 Oct 2022 04:46:20 GMT

Based on what parameter is cortex XDR removing endpoints under endpoint administrative cleanup?
Eg if we chose hostname then will it remove the hostname found first or will delete the hostname XDR found last checked in?
And if we have 2 mac addresses and 2 IPs on what basis will it delete the endpoint?
We also observed that when we select the option of mac address while configuring the endpoint periodic clean-up settings it automatically selects hostname as well. What should we do in order to only remove duplicates using the mac address or IP and not via hostname.

Re: Endpoint administrative cleanup

mfakhouri — Tue, 18 Oct 2022 14:55:11 GMT

Hello @Shashanksinha,

Endpoint Administrative Cleanup will delete duplicate entries based on the listed parameters, being the Host Name, Host IP (IPv4 only), and MAC address. This will leave only one entry, being the last endpoint that has reported to the Cortex XDR server.

To answer your first question, it will delete the hostname XDR found to be last checked in.

To answer your second question regarding duplicate IP/MAC addresses, duplications will only be removed if they contain all of the parameters selected. For your example, the endpoints would need an identical Hostname AND MAC address to be removed. This is further clarified in the gray text below the parameter selection in the Endpoint Administration Cleanup menu.

As for your issue regarding selecting only the MAC address or Host IP, are you not able to uncheck the Host Name box and check the MAC Address or Host IP box? From my personal testing, the Host Name box is checked by default when enabling the Periodic duplicate cleanup but can be disabled by clicking on its checkmark box.

For more information regarding Endpoint Administration Cleanup, please refer to the documentation along with our latest How-To Video on the topic:

View Details About an Endpoint:

https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-prevent-admin/investigation-and-response/investigate-endpoints/view-details-for-an-endpoint

Cortex XDR How-To Video: Endpoint Administration Cleanup:

https://live.paloaltonetworks.com/t5/cortex-xdr-how-to-videos/cortex-xdr-how-to-video-endpoint-administration-cleanup/ta-p/513765

Re: Endpoint administrative cleanup

Shashanksinha — Mon, 23 Jan 2023 16:13:00 GMT

Hello @mfakhouri,

Can you please answer one more query regarding Endpoint administration?

Can we see deleted duplicate entries because of using this feature? In management logs or audit logs or anywhere else?

Re: Endpoint administrative cleanup

anlynch — Tue, 24 Jan 2023 14:26:47 GMT

Hi @Shashanksinha,

You would be able to see the information about any duplicate removed entries in the audit log. Please see the link below for further information on the audit log and what can be viewed there that may be of use to you.
ref:
https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Prevent-Administrator-Guide/Monitor-Administrative-Activity