https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/automatic-retrive-alert-data-on-vdi-xdr/m-p/581885#M6424 <P>Hello, <BR />In my company, we have many non-persistent VDIs, and sometimes an alert arises and I couldn't perform the 'Retrieve alert data' because when i see alert the user has already logged out of the VDI.<BR /><BR /></P> <P>My question is, is it possible in the <LI-PRODUCT title="Cortex XDR" id="Cortex_XDR"></LI-PRODUCT>&nbsp;Tenant create an automatic rule so that in the case of the machine being a VDI or being in a specific group, it automatically performs the 'retrieve alert data' for the tenant?</P> Wed, 27 Mar 2024 14:29:33 GMT tlmarques 2024-03-27T14:29:33Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/automatic-retrive-alert-data-on-vdi-xdr/m-p/581885#M6424 <P>Hello, <BR />In my company, we have many non-persistent VDIs, and sometimes an alert arises and I couldn't perform the 'Retrieve alert data' because when i see alert the user has already logged out of the VDI.<BR /><BR /></P> <P>My question is, is it possible in the <LI-PRODUCT title="Cortex XDR" id="Cortex_XDR"></LI-PRODUCT>&nbsp;Tenant create an automatic rule so that in the case of the machine being a VDI or being in a specific group, it automatically performs the 'retrieve alert data' for the tenant?</P> Wed, 27 Mar 2024 14:29:33 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/automatic-retrive-alert-data-on-vdi-xdr/m-p/581885#M6424 tlmarques 2024-03-27T14:29:33Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/automatic-retrive-alert-data-on-vdi-xdr/m-p/581904#M6427 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/307134">@tlmarques</a>&nbsp;,</P> <P>&nbsp;</P> <P>Thank you for writing to live community!</P> <P>&nbsp;</P> <P>Technically, VDI instances should ideally not generate alerts as they may have been segregated and fine tuned during the <A href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/7.7/Cortex-XDR-Agent-Administrator-Guide/Cortex-XDR-Agent-for-Virtual-Environments-and-Desktops" target="_blank" rel="noopener">agent deployment</A> when the golden images are scanned. As a result, the VDI images are meant to be provisioned clean so that the same FP does not affect the entire production environment. However, as you cited, there are always corner cases.&nbsp;</P> <P>&nbsp;</P> <P>In occurences of such situations, you can configure your policy rules for VDI instances(I am assuming you may have separate policy for them as we always recommend a slightly different setting for VDI subgroups), to automatically upload alert data upon alert triggers. Though it is highly subjective to how much time does the user give for the endpoint to be online so that the dump is uploaded, but from Cortex XDR agent side this is very much possible.&nbsp;</P> <P>&nbsp;</P> <P>The agent settings profile allows you to configure automatic upload of alert data and also choose the size of the dump that you want to upload to the cloud. Considering VDI instances are mostly clean and are meant to behave the same way, an alert spinning up on a VDI instance alert can possibly come across all devices.</P> <P>&nbsp;</P> <P>As a result, you should be able to capture from atleast one of the endpoints automatically.</P> <P>&nbsp;</P> <P>To enable, go to XDR prevention profiles &gt; agent settings&gt; Alerts data.<BR />You can choose the size of alert data dump and then enable "Automatically Upload Alert Data Dump File".&nbsp;<BR /><BR />This should initiate alert dump to be automatically uploaded to the cloud and you should be able to download it next time you navigate to alerts&gt; Retrieve Alert Data</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2024-03-28 at 12.04.54 AM.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/58705i607B8FB37E4B6B25/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="Screenshot 2024-03-28 at 12.04.54 AM.png" alt="Screenshot 2024-03-28 at 12.04.54 AM.png" /></span><BR />Hope this helps.</P> <P>&nbsp;</P> <P>Please feel free to mark the response as "Accept as Solution" if it answers your query</P> Wed, 27 Mar 2024 16:10:28 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/automatic-retrive-alert-data-on-vdi-xdr/m-p/581904#M6427 neelrohit 2024-03-27T16:10:28Z