Cortex XDR Broker VM Down


L1 Bithead

Hi,

I was looking for an answer in a scenario where only 1 broker VM is available.

What happens when the VM goes down? How does the endpoint connect to the XDR console, and how can we get visibility when the VM goes down for a long period?

Ramesh Shrestha
L5 Sessionator

Hi @RameshShrestha, having a single Broker VM is not a recommended approach. The official guide indicates 1 Broker VM per 10,000 endpoints. Given that, we also need to keep HA in mind, which means having a minimum of 1 on top of the recommendation to ensure your endpoints continue to operate as usual. You can review the other options for download sources as listed in Step 14 here.

If Direct Server Access is enabled in your tenant, the agents will fall back to connecting directly to the tenant via host proxy configurations.

[screenshot attached]

For your second question, I'd recommend leveraging your existing infrastructure monitoring tools to detect when the BVM IP/domain/landing page is unreachable and trigger an alert.

Hi Bbarmanroy,

One of our clients has only around 200 endpoints that don't have direct internet access and has only 1 VM. Those endpoints need the Broker VM to access the Cortex server. So in that case, if the VM goes down for some days, can we get the logs of the endpoints' activities after the VM comes back online?

Ramesh Shrestha

L5 Sessionator

Hi @RameshShrestha, yes, the customer will get the logs once connectivity is resumed (assuming the allotted disk space is not full, else FIFO). Since this is an airgapped environment, the customer should have at least 2 BVMs to ensure the connectivity is maintained. You can also write a Correlation rule to count the number of endpoints that have gone offline. If the count is equal to the total number of endpoints, that should fire off an alert.

You can use this as a sample XQL query:
dataset = endpoints
| filter endpoint_status = ENUM.DISCONNECTED
| comp count(endpoint_name) as Count by endpoint_status
| filter Count = 200 // indicates all endpoints are offline
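The same detection logic as the XQL correlation rule above, written out as added example code (not part of the original reply and not Palo Alto Networks code) so the two design choices can be seen in isolation: comparing the DISCONNECTED count to the fleet size taken from the data rather than a hard-coded 200, and grouping by site so that every endpoint behind one Broker VM going dark at once stands out from scattered individual disconnects. The endpoint rows, the `site` field and the status strings are constructed assumptions standing in for rows from the `endpoints` dataset.

```python
from collections import Counter

# Constructed sample rows standing in for the `endpoints` dataset.
# "endpoint_status" values mirror the ENUM names used in the XQL above;
# the "site" field is an assumption used to group endpoints per Broker VM.
SAMPLE_ENDPOINTS = [
    {"endpoint_name": f"ws-{i:03d}", "endpoint_status": "DISCONNECTED", "site": "plant-a"}
    for i in range(150)
] + [
    {"endpoint_name": f"ws-{i:03d}", "endpoint_status": "CONNECTED", "site": "hq"}
    for i in range(150, 200)
]


def status_counts(rows):
    """Equivalent of `comp count(endpoint_name) as Count by endpoint_status`."""
    return Counter(r["endpoint_status"] for r in rows)


def disconnected_ratio(rows):
    """Fraction of the fleet reporting DISCONNECTED; 0.0 for an empty fleet."""
    total = len(rows)
    if total == 0:
        return 0.0
    return status_counts(rows).get("DISCONNECTED", 0) / total


def broker_outage_suspected(rows, ratio_threshold=1.0):
    """Fire when the disconnected share reaches the threshold.

    The rule in the thread compares the count to a fixed fleet size (200).
    Using len(rows) instead keeps the rule valid as endpoints are added or
    retired. A threshold below 1.0 still catches a broker outage when a few
    endpoints were already offline for unrelated reasons (powered off, in
    transit), which would otherwise keep the count from ever reaching 100%.
    """
    return len(rows) > 0 and disconnected_ratio(rows) >= ratio_threshold


def outage_by_site(rows, ratio_threshold=1.0):
    """Evaluate the rule per site so one Broker VM's segment can trip it alone.

    Every endpoint of a single site going DISCONNECTED while other sites stay
    CONNECTED points at the site's Broker VM rather than at the endpoints.
    """
    by_site = {}
    for r in rows:
        by_site.setdefault(r["site"], []).append(r)
    return {
        site: broker_outage_suspected(site_rows, ratio_threshold)
        for site, site_rows in by_site.items()
    }


if __name__ == "__main__":
    print("status counts:", dict(status_counts(SAMPLE_ENDPOINTS)))
    print("fleet-wide outage (100%):", broker_outage_suspected(SAMPLE_ENDPOINTS))
    print("fleet-wide outage (>=70%):", broker_outage_suspected(SAMPLE_ENDPOINTS, 0.7))
    print("per-site outage:", outage_by_site(SAMPLE_ENDPOINTS))
```

Run against the constructed sample, the fleet-wide rule at 100% stays silent (150 of 200 offline), while the per-site evaluation flags `plant-a` alone, which is the signal a single-broker site actually produces.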

L1 Bithead

thank you @bbarmanroy 😊

Ramesh Shrestha

L2 Linker

Additional info on the Broker VM losing connectivity.

[screenshot attached]

