topic Re: Rogue Device Discovery with Cortex XDR in Strata Logging Service Discussions

Rogue Device Discovery with Cortex XDR

Piotr_Kowalczyk — Thu, 18 Apr 2024 18:43:57 GMT

Hi,

I would like to implement Rogue Device Discovery with Cortex XDR but it is not clear for me what I need to do this. We have Cortex XDR Pro per Endpoint license – do I need anything else (like datalike) to set the solution? Can I expect any issues with it or it is working well?

Re: Rogue Device Discovery with Cortex XDR

jmazzeo — Tue, 24 Oct 2023 12:55:49 GMT

Hi @Piotr_Kowalczyk, thanks for reaching the Live Community.

With your license your should be able to install a Broker VM, which is needed to activate the Network Mapper App that runs the scans:

https://docs-cortex.paloaltonetworks.com/r/Cortex-XSIAM/Cortex-XSIAM-Administrator-Guide/Activate-the-Network-Mapper

Here is more info about the Broker VM: https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Broker-VM-Overview

It should work well, there are not any specific issues reported for now, you need to be sure that the rogue devices respond to the ICMP or TCP port probes from the Broker.

Re: Rogue Device Discovery with Cortex XDR

Piotr_Kowalczyk — Tue, 24 Oct 2023 13:26:41 GMT

Thank you for your reply,

Just two additional questions:

1. Is Cortex Data Lake license required for this? I can see it on the Broker VM diagram so I just want to make sure this won't be a problem.

2. Does the discovery scan runs on the Broker VM (what would require the server to have access to all network segments) or on Cortex XDR agents - what would make sure all devices are discovered?

Re: Rogue Device Discovery with Cortex XDR

jmazzeo — Tue, 24 Oct 2023 13:35:48 GMT

1- CDL is not required, it is required to ingest logs from other sources than Agents, like firewalls or Okta.

2- The scan is generated from the Broker VM, so yes, you will need to allow the Broker VM and ports/icmp on every segment.

You can create the IP ranges in Assets - Network Configuration - IP Address Ranges.

You will see the scan results in Assets - Asset Inventory.

Thanks

Re: Rogue Device Discovery with Cortex XDR

Piotr_Kowalczyk — Tue, 24 Oct 2023 13:48:32 GMT

Sorry, one more question. I've just noticed that that Agents discover network devices and they are placed in Asset Inventory. I can see only IP address without any additional information. Does it work together with Network Mapper somehow?

Re: Rogue Device Discovery with Cortex XDR

jmazzeo — Tue, 24 Oct 2023 15:42:32 GMT

Yes @Piotr_Kowalczyk, those are the IPs that the agents connect or lookup inside your network. The Network Mapper findings will show the Source as "Broker Scanner".

You will only see the IP Address and the last time that was detected, then based on your inventory decide to install or not the agent if it is possible.

Re: Rogue Device Discovery with Cortex XDR

Piotr_Kowalczyk — Tue, 24 Oct 2023 15:55:20 GMT

Thank you!

Re: Rogue Device Discovery with Cortex XDR

PiyushKohli — Wed, 25 Oct 2023 03:47:34 GMT

@Piotr_Kowalczyk
Additionally, If you would like to enrich those discovered assets with hostname, mac address or mac address vendor you would have to ingest "Associated DHCP logs covering those assets" to Cortex XDR but that would require Cortex XDR Pro per GB license.

Ref: Asset-Inventory

Hope this helps!