https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/devices-that-are-down-cortex-xdr/m-p/423132#M930 <P>This is a little bit tricky, since the agent is disconnected for a long time probably more than 180 or either some issue with agent itself that cause it to be disconnected to the tenant. Once its past 180 days, the endpoint is gone on from the table.</P><P>I believe your issue might be that most of these endpoints have older-older <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> version possibly 7.1</P><P>A possible workaround is looking at agent audit logs then filter Sub-Type = Stop, then from there you can filter XDR Agent Version Contains contains 7.1 . That will give you the list of the agents to start with. Then you can compare the list with connected.</P><P>&nbsp;</P><P>Other option is to use a tool like sccm to check the protection status of the agent. You can submit a support case on this and ask for the registry that you can use.</P> Thu, 29 Jul 2021 16:57:42 GMT jcandelaria 2021-07-29T16:57:42Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/devices-that-are-down-cortex-xdr/m-p/423015#M924 <P>&nbsp;</P><DIV class="m2"><DIV class="mrg"><DIV class="client"><DIV class="targetTxt"><DIV class="txtDiv border3d">Hi,<DIV class="m2"><DIV class="mrg"><DIV class="client"><DIV><DIV><DIV class="targetTxt"><DIV class="txtDiv border3d"><DIV class="m2"><DIV class="mrg"><DIV class="client"><DIV><DIV><DIV class="targetTxt"><DIV class="txtDiv border3d">I have devices that are down, how can I find them? In the interface, I only see the devices in status connected or disconnected</DIV></DIV></DIV></DIV></DIV></DIV></DIV></DIV></DIV></DIV></DIV></DIV></DIV></DIV></DIV><DIV class="txtDiv border3d"><DIV class="m2"><DIV class="mrg"><DIV class="client"><DIV><DIV><DIV class="targetTxt"><DIV class="txtDiv border3d">Thanks.</DIV></DIV></DIV></DIV></DIV></DIV></DIV></DIV></DIV></DIV></DIV></DIV> Thu, 29 Jul 2021 13:48:10 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/devices-that-are-down-cortex-xdr/m-p/423015#M924 Shmuel 2021-07-29T13:48:10Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/devices-that-are-down-cortex-xdr/m-p/423065#M928 <P>Hi Shmuel,</P><P>Not sure what you mean by down?</P><P>&nbsp;</P><P>We will show the xdr agent status as below.&nbsp;</P><DIV><UL><LI><DIV><DIV class="p"><DIV><DIV>Connected</DIV>—The Cortex XDR agent has checked in within 10 minutes for standard endpoints, and within 3 hours for mobile endpoints.</DIV></DIV></DIV></LI><LI><DIV><DIV class="p"><DIV><DIV>Connection Lost</DIV>—The Cortex XDR agent has not checked in within 30 to 180 days for standard endpoints, and between 90 minutes and 6 hours for VDI and temporary sessions.</DIV></DIV></DIV></LI><LI><DIV><DIV class="p"><DIV><DIV>Disconnected</DIV>—The Cortex XDR agent has checked in within the defined inactivity window: between 10 minutes and 30 days for standard and mobile endpoints, and between 10 minutes and 90 minutes for VDI and temporary sessions.</DIV></DIV></DIV></LI></UL></DIV><P><A href="https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-prevent-admin/investigation-and-response/investigate-endpoints/view-details-for-an-endpoint" target="_blank" rel="noopener">https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-prevent-admin/investigation-and-response/investigate-endpoints/view-details-for-an-endpoint</A></P><P>&nbsp;</P><P>You can also create a filter from endpoint administration using Last Seen. ex. screenshot below with endpoint status disconnected and last seen 7 Days</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="jcandelaria_0-1627572518328.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/35317i9046BC2B5F6CC370/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="jcandelaria_0-1627572518328.png" alt="jcandelaria_0-1627572518328.png" /></span></P> Thu, 29 Jul 2021 15:29:22 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/devices-that-are-down-cortex-xdr/m-p/423065#M928 jcandelaria 2021-07-29T15:29:22Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/devices-that-are-down-cortex-xdr/m-p/423089#M929 <DIV class="m2"><DIV class="mrg"><DIV class="client"><DIV><DIV><DIV class="targetTxt"><DIV class="txtDiv border3d">Hi&nbsp;<A href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/39296" target="_self"><SPAN class="">Jcandelaria</SPAN></A></DIV><DIV class="txtDiv border3d">I'll explain. I have a user's computer that has Traps in place but is disabled.&nbsp; I am looking for a computer name in an administrative interface I do not see the computer. That's why I want to scan my network and find stations that don't communicate with the server</DIV><DIV class="txtDiv border3d"><DIV class="m2"><DIV class="mrg"><DIV class="client"><DIV><DIV><DIV class="targetTxt"><DIV class="txtDiv border3d">I'm uploading, you a screenshot.</DIV></DIV></DIV></DIV></DIV></DIV></DIV></DIV><DIV class="txtDiv border3d">&nbsp;Thank you.</DIV></DIV></DIV></DIV></DIV></DIV></DIV> Thu, 29 Jul 2021 16:08:12 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/devices-that-are-down-cortex-xdr/m-p/423089#M929 Shmuel 2021-07-29T16:08:12Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/devices-that-are-down-cortex-xdr/m-p/423132#M930 <P>This is a little bit tricky, since the agent is disconnected for a long time probably more than 180 or either some issue with agent itself that cause it to be disconnected to the tenant. Once its past 180 days, the endpoint is gone on from the table.</P><P>I believe your issue might be that most of these endpoints have older-older <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> version possibly 7.1</P><P>A possible workaround is looking at agent audit logs then filter Sub-Type = Stop, then from there you can filter XDR Agent Version Contains contains 7.1 . That will give you the list of the agents to start with. Then you can compare the list with connected.</P><P>&nbsp;</P><P>Other option is to use a tool like sccm to check the protection status of the agent. You can submit a support case on this and ask for the registry that you can use.</P> Thu, 29 Jul 2021 16:57:42 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/devices-that-are-down-cortex-xdr/m-p/423132#M930 jcandelaria 2021-07-29T16:57:42Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/devices-that-are-down-cortex-xdr/m-p/423188#M932 Thank you<BR /><BR /><BR /> Thu, 29 Jul 2021 18:24:50 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/devices-that-are-down-cortex-xdr/m-p/423188#M932 Shmuel 2021-07-29T18:24:50Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/devices-that-are-down-cortex-xdr/m-p/423675#M938 <DIV class="m2"><DIV class="mrg"><DIV class="client"><DIV><DIV><DIV class="targetTxt"><DIV class="txtDiv border3d">Hello everyone</DIV><DIV class="txtDiv border3d">I'm updating that after a conversation with support at the moment there is no way to find devices that are not on a management panel and are in the status&nbsp;<SPAN>disabled.</SPAN></DIV><DIV class="txtDiv border3d">Thank you&nbsp;</DIV></DIV></DIV></DIV></DIV></DIV></DIV> Sun, 01 Aug 2021 17:14:10 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/devices-that-are-down-cortex-xdr/m-p/423675#M938 Shmuel 2021-08-01T17:14:10Z