Devices that are down Cortex XDR

L1 Bithead

Hi,
I have devices that are down; how can I find them? In the interface I only see devices in the status Connected or Disconnected.
Thanks.
ACCEPTED SOLUTION

L1 Bithead
Hello everyone,
I'm updating that, after a conversation with support, at the moment there is no way to find devices that are not in the management panel and are in the status disabled.
Thank you

5 REPLIES

L3 Networker

Hi Shmuel,

Not sure what you mean by down?

 

We show the XDR agent status as below.

  • Connected — The Cortex XDR agent has checked in within 10 minutes for standard endpoints, and within 3 hours for mobile endpoints.
  • Connection Lost — The Cortex XDR agent has not checked in within 30 to 180 days for standard endpoints, and between 90 minutes and 6 hours for VDI and temporary sessions.
  • Disconnected — The Cortex XDR agent has checked in within the defined inactivity window: between 10 minutes and 30 days for standard and mobile endpoints, and between 10 minutes and 90 minutes for VDI and temporary sessions.

https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-prevent-admin/investigation-and-respo...

 

You can also create a filter in Endpoint Administration using Last Seen, e.g. the screenshot below, with endpoint status Disconnected and Last Seen 7 days.

[screenshot]

I'll explain. I have a user's computer that has Traps in place but is disabled. I am looking for the computer name in the administrative interface, but I do not see the computer. That's why I want to scan my network and find stations that don't communicate with the server.
I'm uploading a screenshot for you.
Thank you.

L3 Networker

This is a little bit tricky, since the agent has been disconnected for a long time, probably more than 180 days, or there is some issue with the agent itself that causes it to be disconnected from the tenant. Once it's past 180 days, the endpoint is gone from the table.

I believe your issue might be that most of these endpoints have an older (older 🙂) version, possibly 7.1.

A possible workaround is to look at the agent audit logs and filter Sub-Type = Stop; from there you can filter XDR Agent Version Contains 7.1. That will give you a list of agents to start with. Then you can compare that list with the connected ones.

Another option is to use a tool like SCCM to check the protection status of the agent. You can submit a support case for this and ask for the registry key you can use.

Thank you
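As an added illustration (not code from the thread or from Palo Alto Networks), the following Python script does offline what the two replies above describe: it classifies endpoints from an Endpoint Administration export by their Last Seen age, using the inactivity windows quoted in the first reply (10 minutes Connected, up to 30 days Disconnected, up to 180 days Connection Lost, removed from the table after that; these are assumed tenant defaults and are adjustable), and then applies the workaround from the second reply: take the agent audit log, keep Sub-Type = Stop events whose agent version contains "7.1", and compare those endpoint names against the endpoint table. The CSV column names, the sample rows and the `NOW` timestamp are all constructed for the example; real exports from the console will need the column names mapped.

```python
"""Triage 'down' Cortex XDR endpoints from two CSV exports (constructed example)."""
from __future__ import annotations

import csv
import io
from datetime import datetime, timedelta, timezone

# Inactivity windows for standard endpoints as described in the thread.
# Assumed tenant defaults; change them if your agent settings differ.
CONNECTED_WINDOW = timedelta(minutes=10)
DISCONNECTED_WINDOW = timedelta(days=30)
CONNECTION_LOST_WINDOW = timedelta(days=180)  # beyond this the row disappears

# Constructed "current time" so the example is reproducible offline.
NOW = datetime(2021, 7, 29, 15, 0, tzinfo=timezone.utc)

# Constructed Endpoint Administration export (hypothetical column names).
ENDPOINTS_CSV = """endpoint_name,last_seen
WS-ALICE,2021-07-29T14:55:00Z
WS-BOB,2021-07-20T09:00:00Z
WS-CAROL,2021-04-01T12:00:00Z
"""

# Constructed agent audit log export (hypothetical column names).
AUDIT_CSV = """timestamp,endpoint_name,sub_type,agent_version
2021-01-10T08:00:00Z,WS-DAVE,Stop,7.1.0.42
2021-01-11T08:00:00Z,WS-CAROL,Stop,7.1.0.42
2021-07-01T08:00:00Z,WS-BOB,Start,7.4.0.11
2021-02-03T08:00:00Z,WS-ERIN,Stop,7.1.2.5
2021-07-29T14:50:00Z,WS-ALICE,Start,7.4.0.11
"""


def parse_ts(value: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps used in the constructed exports."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def classify(last_seen: datetime, now: datetime) -> str:
    """Map a Last Seen age onto the console's status buckets."""
    age = now - last_seen
    if age <= CONNECTED_WINDOW:
        return "Connected"
    if age <= DISCONNECTED_WINDOW:
        return "Disconnected"
    if age <= CONNECTION_LOST_WINDOW:
        return "Connection Lost"
    return "Removed"  # aged out of the Endpoints table entirely


def endpoint_status(endpoint_csv: str, now: datetime) -> dict[str, str]:
    """Return {endpoint_name: status} for every row in the endpoint export."""
    rows = csv.DictReader(io.StringIO(endpoint_csv))
    return {r["endpoint_name"]: classify(parse_ts(r["last_seen"]), now) for r in rows}


def stopped_agents(audit_csv: str, version_contains: str = "7.1") -> set[str]:
    """Endpoint names with a Sub-Type = Stop event whose agent version contains the filter."""
    rows = csv.DictReader(io.StringIO(audit_csv))
    return {
        r["endpoint_name"]
        for r in rows
        if r["sub_type"] == "Stop" and version_contains in r["agent_version"]
    }


def missing_endpoints(endpoint_csv: str, audit_csv: str, now: datetime,
                      version_contains: str = "7.1") -> list[str]:
    """Agents that logged a Stop but no longer appear in the endpoint table at all."""
    present = endpoint_status(endpoint_csv, now)
    return sorted(stopped_agents(audit_csv, version_contains) - present.keys())


def stale_present(endpoint_csv: str, audit_csv: str, now: datetime,
                  version_contains: str = "7.1") -> list[str]:
    """Agents that logged a Stop and are still listed, but not Connected."""
    present = endpoint_status(endpoint_csv, now)
    stopped = stopped_agents(audit_csv, version_contains)
    return sorted(n for n in stopped if n in present and present[n] != "Connected")


if __name__ == "__main__":
    for name, status in endpoint_status(ENDPOINTS_CSV, NOW).items():
        print(f"{name:10} {status}")
    print("stopped, still listed but not connected:", stale_present(ENDPOINTS_CSV, AUDIT_CSV, NOW))
    print("stopped, no longer in endpoint table:  ", missing_endpoints(ENDPOINTS_CSV, AUDIT_CSV, NOW))
```

The version filter is a substring match to mirror the "Contains 7.1" filter in the reply, so it would also match a version such as 17.1.x; tighten it to a prefix check if that matters in your environment. The audit log is the only place the aged-out endpoints still leave a trace, which is why the comparison runs from the Stop events toward the endpoint table rather than the other way round.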


