<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Cortex XDR Agent management questions - stragglers and operation status in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/cortex-xdr-agent-management-questions-stragglers-and-operation/m-p/398619#M91526</link>
    <description>&lt;P&gt;I've deployed the Cortex agent to all of our servers and now need to find stragglers (servers without agents running).&amp;nbsp; I also need a method to know that not only are the agents installed and running but they are actually running as designed.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I noticed there is a network scan in the portal for Cortex but it only shows IPs for the devices, so I don't (easily) know what is a server and not a server, nor do I know if it's simply a switch.&amp;nbsp; Is there a way to get the scan to use DNS or something to show the names of devices without the agent installed?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Lastly, does anyone have a method to understand if the agents are actually active, have up-to-date definitions (is this "content" in Cortex?) and are essentially doing what they are supposed to do? We don't want to get caught with pants down just because we know the agent is installed.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thanks&lt;/P&gt;</description>
    <pubDate>Thu, 15 Apr 2021 15:27:11 GMT</pubDate>
    <dc:creator>ESJosephPrinz</dc:creator>
    <dc:date>2021-04-15T15:27:11Z</dc:date>
    <item>
      <title>Cortex XDR Agent management questions - stragglers and operation status</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/cortex-xdr-agent-management-questions-stragglers-and-operation/m-p/398619#M91526</link>
      <description>&lt;P&gt;I've deployed the Cortex agent to all of our servers and now need to find stragglers (servers without agents running).&amp;nbsp; I also need a method to know that not only are the agents installed and running but they are actually running as designed.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I noticed there is a network scan in the portal for Cortex but it only shows IPs for the devices, so I don't (easily) know what is a server and not a server, nor do I know if it's simply a switch.&amp;nbsp; Is there a way to get the scan to use DNS or something to show the names of devices without the agent installed?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Lastly, does anyone have a method to understand if the agents are actually active, have up-to-date definitions (is this "content" in Cortex?) and are essentially doing what they are supposed to do? We don't want to get caught with pants down just because we know the agent is installed.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thanks&lt;/P&gt;</description>
      <pubDate>Thu, 15 Apr 2021 15:27:11 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/cortex-xdr-agent-management-questions-stragglers-and-operation/m-p/398619#M91526</guid>
      <dc:creator>ESJosephPrinz</dc:creator>
      <dc:date>2021-04-15T15:27:11Z</dc:date>
    </item>
    <item>
      <title>Re: Cortex XDR Agent management questions - stragglers and operation status</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/cortex-xdr-agent-management-questions-stragglers-and-operation/m-p/398820#M91535</link>
      <description>&lt;P&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/176081"&gt;@ESJosephPrinz&lt;/a&gt;,&lt;/P&gt;
&lt;P&gt;I don't believe there is currently a way to get the DNS name of the host on the Network Mapper results; however, you can export that so you can create a simple PowerShell or Python script or whatever to attempt to resolve the IP and run through your export.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;As to testing the agent, I've not found a good way outside of confirming Network Mapper results with your endpoint results through exports and scripts to ensure that the agents are actually active across your device fleet. You can use&amp;nbsp;&lt;A href="http://wildfire.paloaltonetworks.com/publicapi/test/pe" target="_blank"&gt;wildfire.paloaltonetworks.com/publicapi/test/pe&lt;/A&gt;&amp;nbsp;to test a detection on the endpoint and script that download and execution if you want to validate Cortex is actually working, but if an endpoint becomes unregistered it obviously won't trigger anything except on the functional hosts, so a review is what I recommend.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I have had agents become unregistered from the portal, albeit far less often now than previously, which you won't know about unless you review your endpoint list, actively check for "Connection Lost" and manually review your host list. This used to happen much more frequently, but we still run across it occasionally.&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Thu, 15 Apr 2021 22:34:24 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/cortex-xdr-agent-management-questions-stragglers-and-operation/m-p/398820#M91535</guid>
      <dc:creator>BPry</dc:creator>
      <dc:date>2021-04-15T22:34:24Z</dc:date>
    </item>
  </channel>
</rss>

