topic Re: IP Address Range - Under network configurations in Cortex XDR Discussions

IP Address Range - Under network configurations

RamyashreeMada — Tue, 27 Jun 2023 12:18:58 GMT

Hello Team,

We have noticed a feature in XDR console as "IP Address Range" under network configurations.

- We need more details on this feature.

- How this feature can we utilized?

- How its is usefull?

Re: IP Address Range - Under network configurations

nsinghvirk — Tue, 27 Jun 2023 13:39:25 GMT

Hello @RamyashreeMada

"IP Address Range" allow you to define various internal IP address ranges that belongs to particular department or device types. It helps Cortex XDR to track and identify assets in your network. XDR uses this information to analyse, locate, and display assets.

Following are the few uses cases which utilise this information.

1. To identify which all machines have XDR agent installed and which are remaining.

If you have thousands of machines and you want to check your deployment status, you can take help from "Network Mapper" applet of Broker VM. In which you need to define the IP address range you want to scan and configure some scan parameters. Network Mapper will scan the IP address range and you can see the output data under Assets->Asset Inventory. There you can apply filter for column "Has XDR Agent" and find out which machines have XDR agent installed.

Activate Network Mapper

2. IP address range is also used by "Pathfinder" applet of Broker VM, which is a non persistent data collector which can collect EDR data from machines which do not have XDR agent installed for limited period of time. While activating this applet you need to define the IP address range.

Activate Pathfinder

Re: IP Address Range - Under network configurations

RFeyertag — Sat, 01 Jul 2023 13:48:28 GMT

Hey @nsinghvirk,

do we have the possibility to get an alert, when a asset is in the client range and has no agent for one or more days?

As I have seen the network configuration affects the asset inventory. But are there more possibilites, like getting alerted?

Rob

Re: IP Address Range - Under network configurations

nsinghvirk — Tue, 04 Jul 2023 16:54:04 GMT

Hello @RFeyertag

You can create a correlation rule that should identify the assets without XDR agent installed. Dataset you need is "panw_network_mapper_raw", which contain output of Network Mapper scans. You can compare this dataset with "endpoints" dataset mainly with reference to IP address. So basically, first dataset will have completed list of assets and you can subtract assets from second dataset which are having agent installed on them.

Below is an example query that you can refer and build something according to your use case.

dataset = panw_network_mapper_raw
| filter ip not in (dataset = endpoints | arrayexpand ip_address |fields ip_address )
|fields ip,hostname

Re: IP Address Range - Under network configurations

RFeyertag — Fri, 07 Jul 2023 21:40:12 GMT

@nsinghvirk: A very good explanation and a nice XQL! Thank you very much!!!

Rob

Re: IP Address Range - Under network configurations

RamyashreeMada — Thu, 13 Jul 2023 07:12:36 GMT

How we can utilize this?