Cortex XDR Forensics doesn't display Endpoints


L1 Bithead

When I configure Forensics, at the 'Endpoints' step, it doesn't show the name of any endpoint. "Monitor and Collect Forensics Data" is enabled on Agent Settings. User role is Instance Administrator. Triage type is "Online".

Accepted Solutions

L1 Bithead

Solved!
I had not added the profile for Forensics to the "Prevention Policy Rule".


L4 Transporter

Hello @Aristooo 

 

Thanks for reaching out on LiveCommunity!

On the configuration page, depending on the type of Artifacts, Volatiles and File collection you choose, there may be different minimum agent versions required to perform triage. Hence, on the endpoints page, please hover your mouse over the "Eligible for forensics triage" button to see the conditions required for the eligible endpoints, as shown in the attached screenshot.

 

Please click Accept as Solution to acknowledge that the answer to your question has been provided.

Hello @nsinghvirk 
Thank you for your response. The endpoint meets all the requirements. And Forensics is enabled. I have activated 'Forensics' in the agent settings. Could it be that it needs to be activated somewhere else as well? Are 'Forensics' and 'is forensics' different things?
I have added screenshots
