10-11-2024 02:46 AM - edited 10-11-2024 02:48 AM
Hi, we're in the process of migrating our endpoint security on servers and PC clients to Cortex XDR. I'm new to Cortex XDR, but have started to walk through all kinds of documentation/training.
Today's question 🙂 :
If I, or someone else, disable the agent on a client (cytool, or whatever else), will the disconnected client show up in the Cortex XDR dashboard as disconnected?
I'd really like to know if a client gets disconnected.
I've tried on one client, but I don't see it other than in the list of all endpoints: "Disconnected".
If not by default, is this configurable?
(I might be kicking in open doors - bear with me :))
Regards
Ivar
10-13-2024 11:53 PM
Hi @I.Helland
I guess you'll have to build a BIOC rule using XQL to create an alert if an endpoint is disconnected: https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Documentation/Create-a-BIOC-rule
Best Regards
10-11-2024 09:01 AM
Hello @I.Helland
Thanks for reaching out on LiveCommunity!
Yes, when you disable the XDR agent it will be shown as disconnected in the XDR tenant, but it will become disconnected after missing 2 consecutive heartbeats, i.e. after 10 minutes.
Please click Accept as Solution to acknowledge that the answer to your question has been provided.