06-16-2022 03:14 AM
Hi,
I was looking for an answer in a scenario where only 1 broker VM is available.
What happens when the VM goes down. How does the end point connect to XDR console and how can we get the visibility when VM goes down for long period.
06-16-2022 07:20 PM
Hi @RameshShrestha having a single Broker VM is not a recommended approach. The official guide indicates 1 Broker VM per 10,000 endpoints. Given that, we also need to keep in mind HA, which is to have a minimum of 1 on top of the recommendation to ensure your endpoints continue to operate as usual. You can review the other options for download sources as listed in Step 14 here.
If Direct Server Access is enabled in your tenant, the agents will fall back to connecting directly to the tenant via host proxy configurations.
For your second question, I'd recommend you leverage your existing infrastructure monitoring tools to detect when the BVM IP/domain/landing page is unreachable and trigger an alert.
06-16-2022 08:41 PM
Hi Bbarmanroy,
One of our clients has only around 200 endpoints that don't have direct internet access and have only 1 VM. Those endpoints need the Broker VM to access the Cortex Server. So in that case, if the VM goes down for some days, can we get the logs of activities of endpoints after the VM comes online?
06-17-2022 02:21 AM - edited 06-17-2022 02:26 AM
Hi @RameshShrestha yes, the customer will get the logs once connectivity is resumed (assuming the allotted disk space is not full, else FIFO). Since this is an airgapped environment, the customer should have at least 2 BVMs to ensure the connectivity is maintained. You can also write a Correlation rule to count the number of endpoints that have gone offline. If the count is equal to the total number of endpoints, that should fire off an alert.
You can use this as a sample XQL query:
dataset = endpoints
| filter endpoint_status = ENUM.DISCONNECTED
| comp count(endpoint_name) as Count by endpoint_status
| filter Count = 200 // indicates all endpoints are offline
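The same correlation logic as the XQL query above, written as an added Python example (not code from the thread or from Cortex XDR) over a constructed endpoint inventory. It keeps the thread's rule of alerting when the DISCONNECTED count equals the fleet size, but takes the fleet size from the inventory instead of hard-coding 200, and adds an offline-fraction helper for an earlier, lower-severity warning. The status strings, the `Endpoint` record and `build_inventory` are assumptions for this example.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List

# Assumed status values: DISCONNECTED mirrors ENUM.DISCONNECTED from the XQL
# query; CONNECTED is a placeholder for any other status.
DISCONNECTED = "DISCONNECTED"
CONNECTED = "CONNECTED"


@dataclass(frozen=True)
class Endpoint:
    """One row of the `endpoints` dataset (only the two fields the rule uses)."""
    endpoint_name: str
    endpoint_status: str


def count_by_status(endpoints: Iterable[Endpoint]) -> Counter:
    """Equivalent of `comp count(endpoint_name) as Count by endpoint_status`."""
    return Counter(e.endpoint_status for e in endpoints)


def all_endpoints_offline(endpoints: List[Endpoint]) -> bool:
    """The thread's rule: fire when every endpoint in the inventory is DISCONNECTED.

    The threshold is len(inventory) rather than the literal 200, so the rule
    does not silently stop firing once endpoints are added or retired.
    An empty inventory never fires.
    """
    total = len(endpoints)
    return total > 0 and count_by_status(endpoints)[DISCONNECTED] == total


def offline_fraction(endpoints: List[Endpoint]) -> float:
    """Fraction of the fleet currently DISCONNECTED (0.0 for an empty fleet).

    Useful as a second, lower-severity rule: a single Broker VM outage takes
    every dependent endpoint offline at once, so a sudden jump is a strong
    signal even before the equality rule above is satisfied.
    """
    total = len(endpoints)
    return count_by_status(endpoints)[DISCONNECTED] / total if total else 0.0


def build_inventory(total: int, offline: int) -> List[Endpoint]:
    """Constructed sample data: the first `offline` of `total` hosts are DISCONNECTED."""
    return [
        Endpoint(f"host-{i:03d}", DISCONNECTED if i < offline else CONNECTED)
        for i in range(total)
    ]


if __name__ == "__main__":
    # Scenario from the thread: ~200 endpoints behind one Broker VM that is down.
    fleet = build_inventory(200, 200)
    print("all endpoints offline:", all_endpoints_offline(fleet))

    # Partial outage: the equality rule stays quiet, the fraction does not.
    partial = build_inventory(200, 150)
    print("all endpoints offline:", all_endpoints_offline(partial))
    print(f"offline fraction: {offline_fraction(partial):.2f}")
```

When turning `offline_fraction` into a rule, pick the threshold for your own fleet; the point is that it degrades gracefully as the inventory changes, whereas `filter Count = 200` has to be edited every time the endpoint count does.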
06-17-2022 02:40 AM
thank you @bbarmanroy 😊
06-17-2022 08:27 AM
Additional info on Broker VM losing connectivity.