topic Re: Periodic Endpoint Scanning Report in Cortex XDR Discussions

Periodic Endpoint Scanning Report

MithunKT — Tue, 03 Jan 2023 11:59:50 GMT

Hi All,

We have configured periodic endpoint scanning in all the malware profiles in our infrastructure. We needed to get the scanning report, or at the very least, the scan's status, such as how many systems got scanned or failed. How and where can I obtain this information?

Thank you!!

Re: Periodic Endpoint Scanning Report

neelrohit — Tue, 03 Jan 2023 12:57:56 GMT

Hi @MithunKT ,

Thank you for writing to Live Community!

As per your requirements, scan status can be checked in multiple ways in Cortex XDR. Following are the methods to do so:

Endpoints Administration: In the Endpoints Tab, go to All Endpoints. We have two columns as "Scan status" and "Last Successful Scan". These can be used in parallel to map which endpoints had the scanning with result in the columns. Scan status can be described as below:
Agent audit logs: In the agent audit logs, under the "Sub-Type" column, we can filter our "Scan" and find the status of the endpoints with malware scans with description. You can also set notifications forwarding as per your used cases to emails or syslog servers for this in form of agent logs.
XQL Search: You can write your own XQL queries to query the scan status of the endpoints. XQL query also gives you the leverage to create multiple items based on your used cases from generating reports to alerts(eg. generate an alert for endpoints with cancelled scan, or failed scans etc.). A sample XQL query below will list you the list of endpoints with their scan status and last successful scans

dataset = endpoints

| fields scan_status , last_successful_scan , endpoint_name , agent_version , last_seen , ip_address , platform , operating_system

You can also schedule the queries or choose to create reports or widgets in your dashboards to be used in XDR dashboards for your auditing and reporting purposes by sorting endpoints counts on basis of scan status etc. as a sample shown below:

Hope this helps!Please mark this as "Accept as Solution" if it resolves your query

Regards

Re: Periodic Endpoint Scanning Report

MithunKT — Tue, 03 Jan 2023 13:14:37 GMT

Hi @neelrohit ,

I just wanted to thank you for your lightning-fast response to my query. The solution you provided was not only effective but also incredibly well-described. I really appreciate the effort you put into helping me out.

Your assistance is greatly appreciated.

Re: Periodic Endpoint Scanning Report

UlisesRendon — Wed, 11 Oct 2023 22:17:34 GMT

Hello all,

Can you help me to build the graph you mention here in this article?

I have the query with your exaple, but I couln't obtein the graph.

Thanks.

Ulises Rendón

Re: Periodic Endpoint Scanning Report

neelrohit — Thu, 12 Oct 2023 04:46:04 GMT

Hi @UlisesRendon ,

Hope this helps!

dataset = endpoints | filter endpoint_status in (ENUM.CONNECTED , ENUM.DISCONNECTED ) | comp count(endpoint_name ) as counter by scan_status | view graph type = pie xaxis = scan_status yaxis = counter

Re: Periodic Endpoint Scanning Report

Thendral_Arasu — Tue, 26 Dec 2023 12:38:04 GMT

Hi Neelrohit,

Thanks your Query,

Its realy helpful for me, This query only able to see the of the scan, But I need to get the data from clicking the count.

Re: Periodic Endpoint Scanning Report

emartinez — Mon, 01 Apr 2024 14:03:08 GMT

Hola Buenas tardes, excelentes respuestas me han servido de mucha ayuda, pero tengo una duda, se puede detener un scan mensual programado? este esta agendado para ejecutarse el primer lunes de mes. Cuando se ejecuta no se visualiza en ninguna parte, solo en alertas como detected scanned. hay alguna manera de matar o cancelar ese scan? Gracias