topic Re: Tracking Cortex XDR Corrupted Agents in Cortex XDR Discussions

Tracking Cortex XDR Corrupted Agents

AmmarJi — Mon, 12 Jun 2023 21:28:03 GMT

Dear Community,

When I first started the Cortex XDR Project and started installing the agents, I made a mistake and deleted the outdated installation packages from the portal.

After that I started getting a lot of disconnected agents as if they try to connect to the portal and the ID is already deleted. Since it will be hard to know which asset is turned off and which is now not able to connect, I created a powershell script with the help of the support team which checks for the version and force reconnect the agent to the corresponding agent ID. But still suspect that there are agents that didn't receive the script and didnt force reconnect.

Is there a way I can utilize the BrokerVM and an XQL Query to check for agents that are pingable and has a recent last_seen data and compare it with the last seen info in the endpoint page to check for corrupted agents and work on fixing them.

If not, any idea how we can accomplish this using Cortex XDR. This could also help to track the endpoints that had its files corrupted for any reason such as a failed upgrade.

Noting that we have more that 10000 endpoints and most of them are laptops, so checking the disconnected alone may not be an indicator.

Appreciate your Support.

Regards,

Ammar,

Re: Tracking Cortex XDR Corrupted Agents

bbarmanroy — Tue, 13 Jun 2023 03:47:59 GMT

Hi @AmmarJi here's what I'd suggest

1. Enable Cloud Identity Engine to ingest AD information which will include all domain-joined devices.

2. Cross-reference the CIE data with the endpoints dataset to identify assets that are
a) not present in the endpoints dataset - that means you'd need to install XDR on those endpoints

b) present but running the outdated or deleted versions of XDR agents - you'll need to run that powershell script on those assets. Do remember to update the script to include a currently supported version of XDR installer which is present in the XDR management console.

You can use Broker VM's to scan the networks but that'd also mean trying to identify switches, routers and other devices present on the network that do not require Cortex XDR agents. The CIE would return you precise results for you to work on.

Re: Tracking Cortex XDR Corrupted Agents

AmmarJi — Tue, 13 Jun 2023 07:21:21 GMT

Hi @bbarmanroy

Thank you for your reply.

This seems like a good option, after trying to write the code, the last logon timestamp format needs to be viewed as a different value, and I can't find a command that could convert it:

Any way we can change the view of it?

Regards,
Ammar,

Re: Tracking Cortex XDR Corrupted Agents

AmmarJi — Tue, 13 Jun 2023 08:08:03 GMT

It seems that I was able to convert it, but the values are not accurate.

I used the below command to do this:

|alter last_logon_timestamp = to_timestamp(last_logon_timestamp, "MILLIS")

Thank you for your help.

Re: Tracking Cortex XDR Corrupted Agents

bbarmanroy — Wed, 14 Jun 2023 09:05:24 GMT

@AmmarJi Is it timezone issue? Try parse_timestamp with the result of to_timestamp() if that's the case.