Best way to detect endpoints that do not yet have Cortex XDR Agent installed


L2 Linker

Hey guys,

 

I am curious whether there is a way to find out which endpoints in a certain environment do not yet have the XDR Agent installed.

I still see two options, but have no practical experience testing them:

 

1. Directory Sync with Cortex XDR. Would it detect endpoints (which are in AD) that do not have XDR Agent yet installed?
2. Pathfinder. Would Pathfinder be something useful to detect such cases, even for those that are not in AD?

 

Any other option?

Thanks.

D


15 REPLIES

L4 Transporter

Hi @DKasabji-

 

Are you using Prevent or Pro?


David Falcon 
Senior Solutions Architect, Cortex
Palo Alto Networks® 

Hey @dfalcon , 

 

I am inquiring about Pro. We are PAN partners and I am responsible for Cortex XDR POCs etc., and this question often comes up: how to detect endpoints in their environment that do not yet have the XDR Agent installed.

 

D

Hi @DKasabji-

 

Please see the bottom of this post:  https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/directory-sync-usage/td-p/376055

 


David Falcon 
Senior Solutions Architect, Cortex
Palo Alto Networks® 

Yep, aware of this one. However, this only works if all endpoints are joined to the domain (AD). It cannot detect endpoints that are not part of the domain.

 

Was hoping Cortex would have some sort of passive scanner with Pathfinder to detect endpoints in the environment and then populate them in the Endpoint Administration console and mark them if they do not have an agent installed (similar to what Directory Sync does).

 

Best,

D

Was hoping there was some sort of passive scanner that would di

Hi @DKasabji 

 

Cortex XDR does use more than Directory Sync -- the key is Asset Management.  Please see this doc on how assets are discovered.

 

https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/asset-management/about-asse...


David Falcon 
Senior Solutions Architect, Cortex
Palo Alto Networks® 

This looks like a solution I was looking for, David, thanks. I will give it a read.


I have to see what else it requires to gain such visibility (Network Mapper, Pathfinder, Directory Sync, etc.).

 

Thanks.

D

L2 Linker

Has anyone come up with a solution for this? I have been going round and round with Cortex engineers and nothing. Pathfinder, after we were told it would do this, will not. I recently exported all the assets reported as no Cortex agent, ran them through a reverse DNS script and found hundreds and hundreds of PCs that were false negatives. It seems to me Palo has no solution for this, which seems very, very fundamental. Looks like we will need to develop our own. FYI, we are all Palo Alto firewalls; I don't know why the logs from the firewalls are not providing the names of the devices.

This is not a solution unless names can be provided. Anyone have names in their asset manager? Platform even?

 

This stinks that it is for Pro only. This should be available to all regardless of license, Pro or Prevent. Having the Cortex agent loaded is the best way to have the product and your customers most successful.

L1 Bithead

I am also at a bit of a loss at this... I checked the asset management, but indeed, it does not detect the agent on the assets where it is on...

I used Lansweeper for now but that seems a bit...

Would be great to have a solution for this! 

 

L4 Transporter

Another alternative is to use the Network Mapper applet from the BrokerVM. You do need Pro per endpoint or TB though.

 

L1 Bithead

Have the Network Mapper applet from the BrokerVM, have XDR Pro, it detects all the endpoints, it just doesn't detect in asset management which ones have an agent on them...

 

L4 Transporter

Hi @WRoodhooft  

I'm not sure what you want to detect or discover.

If you want to see the endpoints where you have installed the agent, you can use the management console. You will find your endpoints with XDR agents installed under the Endpoint Administration option.

For the ones that you don't have an agent installed on, you can use, as @fmoixsante recommended, the Network Mapper, which it seems you have in your setup.

KR,

Luis

 

 

L1 Bithead

As said before by someone up in the thread... the network mapper does indeed detect all assets on your network, but not whether they have an agent installed or not... I tested this with some PCs it found (where the agent said: no) but they all had the agent installed and were all visible in the endpoints section... I want to see only the ones where it is not installed... I fixed this with Lansweeper for now, but this product should be able to do so itself..?
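
The cross-check two posters describe above (assets flagged "no agent" that turn out to be registered endpoints) can be scripted. This is an added example, not code from the thread or from Palo Alto Networks; the CSV column names, the sample rows and the PTR data are constructed assumptions, not the Cortex XDR export schema.

```python
import csv, io, socket

# Constructed sample exports; column names are assumptions, not a Cortex XDR schema.
ASSETS_CSV = """ip,agent_installed
10.0.0.11,no
10.0.0.12,no
10.0.0.13,no
10.0.0.14,yes
10.0.0.15,no
"""
ENDPOINTS_CSV = """endpoint_name,ip
WS-ALPHA,10.0.0.50
ws-bravo.corp.example,10.0.0.12
"""
# Constructed PTR records so the example runs offline.
SAMPLE_PTR = {"10.0.0.11": "ws-alpha.corp.example",
              "10.0.0.12": "ws-bravo.corp.example",
              "10.0.0.15": "printer-3.corp.example"}

def short_name(host):
    """Lower-cased first DNS label, so WS-ALPHA matches ws-alpha.corp.example."""
    return host.strip().lower().split(".")[0]

def dns_ptr(ip):
    """Live reverse lookup; returns None when no PTR record exists."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def reconcile(assets_csv, endpoints_csv, resolve=dns_ptr):
    """Sort 'no agent' assets into false negatives, unmanaged hosts and unresolved IPs."""
    endpoints = list(csv.DictReader(io.StringIO(endpoints_csv)))
    names = {short_name(e["endpoint_name"]) for e in endpoints}
    ips = {e["ip"].strip() for e in endpoints}
    result = {"false_negative": [], "unmanaged": [], "unresolved": []}
    for row in csv.DictReader(io.StringIO(assets_csv)):
        ip = row["ip"].strip()
        if row["agent_installed"].strip().lower() != "no":
            continue  # only assets reported as lacking an agent are checked
        host = resolve(ip)
        if ip in ips or (host and short_name(host) in names):
            result["false_negative"].append((ip, host))  # agent is registered
        elif host:
            result["unmanaged"].append((ip, host))       # named, no agent on record
        else:
            result["unresolved"].append((ip, None))      # no PTR: check manually
    return result

if __name__ == "__main__":
    for bucket, rows in reconcile(ASSETS_CSV, ENDPOINTS_CSV, SAMPLE_PTR.get).items():
        print(bucket, rows)
```

Stale PTR records and DHCP address reuse can pair an IP with the wrong hostname, so a name match is a lead to confirm rather than proof that the agent is present.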
