01-21-2021 01:24 AM
Hey guys,
I am curious whether there is a way to find out which endpoints in a certain environment do not yet have the XDR Agent installed.
I still see two options, but have no practical experience testing them:
1. Directory Sync with Cortex XDR. Would it detect endpoints (which are in AD) that do not have XDR Agent yet installed?
2. Pathfinder. Would Pathfinder be something useful to detect such cases, even for those that are not in AD?
Any other option?
Thanks.
D
01-21-2021 04:35 AM
Hi @DKasabji-
Are you using Prevent or Pro?
01-21-2021 04:55 AM
Hey @dfalcon,
I am inquiring about Pro. We are PAN partners and I am responsible for Cortex XDR POCs etc., and this question often comes up: how to detect endpoints that do not yet have the XDR Agent installed in their environment.
D
01-21-2021 05:23 AM
Hi @DKasabji-
Please see the bottom of this post: https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/directory-sync-usage/td-p/376055
01-21-2021 05:51 AM - edited 01-21-2021 05:52 AM
Yep, aware of this one. However, this only works if all endpoints are joined to the domain (AD). It cannot detect endpoints that are not part of the domain.
Was hoping Cortex would have some sort of passive scanner with Pathfinder to detect endpoints in the environment and then populate them in the Endpoint Administration console and mark them if they do not have the agent installed (similar to what Directory Sync does).
Best,
D
Was hoping there was some sort of passive scanner that would di
01-21-2021 06:04 AM
Hi @DKasabji
Cortex XDR does use more than Directory Sync -- the key is Asset Management. Please see this doc on how assets are discovered.
01-21-2021 06:08 AM
This looks like the solution I was looking for, David, thanks. I will give it a read.
I have to see what else it requires to gain such visibility (Network Mapper, Pathfinder, Directory Sync, etc.).
Thanks.
D
10-28-2021 08:10 AM
Has anyone come up with a solution for this? I have been going round and round with Cortex engineers and nothing. Pathfinder, after I was told it would do this, will not. I recently exported all the assets reported as having no Cortex agent, ran them through a reverse DNS script and found hundreds and hundreds of PCs that were false negatives. It seems to me Palo has no solution for this, which seems very, very fundamental. Looks like we will need to develop our own. FYI we are all Palo Alto firewalls; I don't know why the logs from the firewalls are not providing the names of the devices.
10-28-2021 08:11 AM
This is not a solution unless names can be provided. Anyone have names in their asset manager? Platform even?
10-28-2021 12:38 PM
This stinks that it is for Pro only. This should be available to all regardless of license, Pro or Prevent. Having the Cortex agent loaded is the best way to have the product and your customers most successful.
12-16-2021 10:57 PM
I am also at a bit of a loss at this... I checked the asset management, but indeed, it does not detect the agent on the assets where it is on..
I used Lansweeper for now but that seems a bit...
Would be great to have a solution for this!
12-16-2021 11:21 PM
Another alternative is to use the Network Mapper applet from the BrokerVM. You do need Pro per endpoint or TB though.
12-16-2021 11:26 PM
Have the Network Mapper applet from the BrokerVM, have XDR Pro, it detects all the endpoints, it just doesn't detect in asset management which ones have an agent on them...
12-17-2021 01:20 AM
Hi @WRoodhooft
I'm not sure what you want to detect or discover.
If you want to see the endpoints where you have installed the agent, you can use the management console. You will find your endpoints with XDR agents installed under the Endpoint Administration option.
For the ones that you don't have an agent installed on, you can use, as @fmoixsante recommended, the Network Mapper, which it seems you have in your setup.
KR,
Luis
12-17-2021 01:36 AM
As said before by someone up in the thread... the Network Mapper does indeed detect all assets on your network, but not whether they have an agent installed or not... I tested this with some PCs it found (where the agent said: no) but they all had the agent installed and were all visible in the endpoints section.... I want to see only the ones where it is not installed... I fixed this with Lansweeper for now, but this product should be able to do so itself..?
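The reconciliation several posts above describe doing by hand (discovered assets, minus endpoints that already report an agent, with reverse DNS used to name unnamed assets) can be sketched as follows. This is an added example, not code from any poster or from Palo Alto Networks; the CSV column names, the sample rows and the `PTR` lookup table are constructed assumptions, not the Cortex XDR export format.

```python
import csv
import io

# Constructed sample exports; column names are assumptions, not a Cortex XDR schema.
DISCOVERED_CSV = """ip,hostname,mac
10.0.0.11,,AA-BB-CC-00-00-11
10.0.0.12,PC-0012.corp.example,aa:bb:cc:00:00:12
10.0.0.13,,
10.0.0.14,printer-2,aa:bb:cc:00:00:14
"""
AGENT_CSV = """endpoint_name,ip,mac
pc-0011,10.0.5.77,aa:bb:cc:00:00:11
PC-0012,10.0.0.12,aa:bb:cc:00:00:12
PC-0013,10.0.9.9,aa:bb:cc:00:00:13
"""
# Constructed stand-in for reverse DNS (PTR) answers, so the example runs offline.
PTR = {"10.0.0.13": "pc-0013.corp.example"}

def norm_host(name):
    """Lowercase short name: 'PC-0012.corp.example' -> 'pc-0012'."""
    return (name or "").strip().lower().split(".")[0]

def norm_mac(mac):
    """Keep only hex digits so 'AA-BB-..' and 'aa:bb:..' compare equal."""
    return "".join(c for c in (mac or "").lower() if c in "0123456789abcdef")

def keys(host, ip, mac):
    """Identifiers a record can be matched on; empty values are dropped."""
    pairs = (("host", norm_host(host)), ("ip", (ip or "").strip()), ("mac", norm_mac(mac)))
    return {(kind, value) for kind, value in pairs if value}

def assets_without_agent(discovered_csv, agent_csv, resolve=lambda ip: None):
    """Return discovered rows matching no agent endpoint on hostname, IP or MAC."""
    covered = set()
    for row in csv.DictReader(io.StringIO(agent_csv)):
        covered |= keys(row["endpoint_name"], row["ip"], row["mac"])
    missing = []
    for row in csv.DictReader(io.StringIO(discovered_csv)):
        host = row["hostname"] or resolve(row["ip"])  # fill blank names from PTR
        if not keys(host, row["ip"], row["mac"]) & covered:
            missing.append({**row, "hostname": norm_host(host)})
    return missing

if __name__ == "__main__":
    print(assets_without_agent(DISCOVERED_CSV, AGENT_CSV, PTR.get))
```

Matching on IP alone can mark an asset as covered when DHCP has reassigned an address, so hostname or MAC matches are the stronger evidence; in a live network a wrapper around `socket.gethostbyaddr` can be passed as `resolve`.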