topic Re: Scan status details of Cortex XDR in Cortex XDR Discussions

Scan status details of Cortex XDR

Aneesh — Wed, 28 Feb 2024 09:47:21 GMT

Hi Team,

Can I get more information on scan status for below scenarios.

. If the scan initiated and before completion the endpoint got disconnected what will be the status?

.. when the endpoint connects back, whether the scan automatically resume from where it stopped ?

... Difference between 'Aborted', 'Error' and 'Cancelled' status?

Re: Scan status details of Cortex XDR

nsinghvirk — Wed, 28 Feb 2024 13:45:32 GMT

Hello @Aneesh

Thanks for reaching out on LiveCommunity!

Below are the answers to your questions.

1. Once the scan is initiated then it will be in progress status even if the endpoint got disconnected. Scan will be resumed if endpoint connects back within 24 hours.

2. Scan will resume automatically from where it was interrupted.

3. Below are the definitions for various action status.

Aborted—Scan was cancelled after it was started.
Error—Scan failed to run. e.g. endpoint got disconnected for more than 24 hours.
Canceled—Scan was canceled before it was started.

Please click Accept as Solution to acknowledge that the answer to your question has been provided.

Re: Scan status details of Cortex XDR

aspatil — Thu, 29 Feb 2024 06:47:02 GMT

Hello @Aneesh
As per your requirements, scan status can be checked in multiple ways in Cortex XDR. Following are the methods to do so:

Endpoints Administration: In the Endpoints Tab, go to All Endpoints. We have two columns as "Scan status" and "Last Successful Scan". These can be used in parallel to map which endpoints had the scanning with result in the columns. Scan status can be described as below:
Agent audit logs: In the agent audit logs, under the "Sub-Type" column, we can filter our "Scan" and find the status of the endpoints with malware scans with description. You can also set notifications forwarding as per your used cases to emails or syslog servers for this in form of agent logs.
XQL Search: You can write your own XQL queries to query the scan status of the endpoints. XQL query also gives you the leverage to create multiple items based on your used cases from generating reports to alerts(eg. generate an alert for endpoints with cancelled scan, or failed scans etc.). A sample XQL query below will list you the list of endpoints with their scan status and last successful scans

dataset = endpoints

| fields scan_status , last_successful_scan , endpoint_name , agent_version , last_seen , ip_address , platform , operating_system

You can also schedule the queries or choose to create reports or widgets in your dashboards to be used in XDR dashboards for your auditing and reporting purposes by sorting endpoints counts on basis of scan status etc. as a sample shown below:

Hope this helps!Please mark this as "Accept as Solution" if it resolves your query

Re: Scan status details of Cortex XDR

Aneesh — Wed, 06 Mar 2024 06:04:48 GMT

Hi @nsinghvirk,

Thanks for the explanation.

As you said, before completion of a scan if the endpoint got disconnected and failed to connect back within 24 hrs, then the scan status will be in 'error' state.

In that case can we configure the waiting period for the endpoint to connect back ? if yes how ?

Also, some of the connected endpoints shows aborted scan state in our environment. So, to get some clarity,

aborted status shows when the scan is cancelled either from user or admin side?

what if there is no option for the user to cancel it and admin did not cancelled the scan.

Thanks in advance.

Aneesh

Re: Scan status details of Cortex XDR

Aneesh — Mon, 18 Mar 2024 10:58:19 GMT

Hi @nsinghvirk,

Can you help me with the above query?

Thanks in advance.

Aneesh