I've dumped all devices that Asset Manager reports as no Cortex XDR and run a script to reverse DNS. What I found was hundreds of false negatives. In other words, Cortex Asset Manager reports no XDR but XDR is indeed running. So for us anyway, Asset Manager is erroneous. Perhaps something on our firewall side.
We are running Pro, what discussion are you referring to?
I've spoken to a sales engineer and opened several support tickets. No real solution. I've been pointed down futile paths, however.
I've tried Pathfinder and it does not detect non-Cortex XDR devices, only high alerts.
We won't run "open source" software on our network, so the DHCP logger is a no-go. Not to mention we have many DHCP servers, so this would be a large deploy.
Options left are perhaps the new 7.5 agent, which does peer-to-peer discovery. However, there is no documentation on the amount of traffic it generates, so we won't enable it on our network without proper docs. And I guess GlobalProtect HIP detection. Looking into that.
Thanks. I have posted in that thread. There is no solution, just a link to this vague document.
And it is marked as an answer. Funny. What is really funny is it refers to Pathfinder as a solution, but after several tickets on this, Cortex support says it does not work. Honestly, I don't think anyone at Cortex knows how Pathfinder works. When I run a "test" in Pathfinder on an IP, it does EXACTLY what I need in the log: it does a reverse lookup and determines if Cortex is installed. But yet Network Mapper does not pass on the IPs it finds to Pathfinder to interrogate.
Bottom line... has anyone gotten Cortex Pro to report the names of devices and/or platform names into Asset Manager for devices that do NOT have XDR installed? If so, how did you do it? This should be doable... the field is there.
Maybe the Network Mapper could help you?
Wanted to update this. What we found is that in our environment the solution was to install the Cortex DHCP log collector on all Windows DHCP servers and make sure the GlobalProtect HIP data was being sent to the Cortex lake. This gave us all DHCP devices in Asset Manager, so we could report on devices with the agent.
However, currently the match between Asset Manager and Endpoint Admin is IP, so it is the "join" if you will. The problem is that the IP is not updated in Endpoint Admin for a long time when it changes, so we have many false positives. Working on an XQL report to resolve this but don't know if it will be possible yet. But at least we have devices to audit.
In case anyone else has this issue, here is an XQL query that will report which DHCP devices are not in the Cortex endpoints dataset:
dataset = microsoft_dhcp_raw
| filter hostName != "" and ipAddress != "" // first few lines are the same as OP
| alter FormattedName = if (hostname contains ".domain.local", replace(hostname, ".domain.local", ""), hostname) // replace .domain.local with your domain when running
| join conflict_strategy = left type = left (dataset = endpoints) as ed ed.endpoint_name = FormattedName // left join ensures that everything is returned from DHCP, and only matches from Endpoint
| alter conditional = if (FormattedName = endpoint_name, 1, 0) // if there is a match, it returns 1, otherwise 0
| fields FormattedName, endpoint_name, conditional
| comp sum(conditional) as totalconnections by FormattedName // by summing on the conditional, if the sum is 0, that means there are 0 logs where DHCP matched one of your endpoints
| filter totalconnections = 0 // if you change this to > 0, you will get all devices in DHCP that ARE matched in the Cortex list
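The same coverage-gap logic as the XQL above, written as a stand-alone Python script so it can be sanity-checked offline before trusting the query's output. This is an added example, not the poster's query and not any Cortex or Palo Alto tool: the DHCP leases and endpoint names are constructed sample data, ".domain.local" is a placeholder suffix, and the case-folding in `normalize_host` is an added robustness choice (the XQL only strips the suffix). Joining on hostname rather than IP is what sidesteps the stale-IP false positives mentioned earlier in the thread.

```python
"""Report DHCP-registered hosts that have no matching XDR endpoint record.

Mirrors the XQL: drop leases with an empty hostname or IP, strip the domain
suffix, left-join DHCP hosts to endpoint names, count matches per host, and
keep hosts whose match count is 0 (or > 0 for the inverse report).
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class DhcpLease:
    host_name: str   # hostName field from the DHCP log
    ip_address: str  # ipAddress field from the DHCP log


def normalize_host(host_name: str, domain_suffix: str) -> str:
    """Strip a trailing domain suffix and lower-case the result so that
    'PC02.domain.local' and 'pc02' compare equal."""
    name = host_name.strip()
    suffix = domain_suffix.lower()
    if suffix and name.lower().endswith(suffix):
        name = name[: -len(suffix)]
    return name.lower()


def _match_counts(leases: Iterable[DhcpLease], endpoint_names: Iterable[str],
                  domain_suffix: str) -> Dict[str, int]:
    """Per normalized DHCP hostname, the number of lease records that matched
    an endpoint record (the sum(conditional) step of the query)."""
    endpoints = {normalize_host(n, domain_suffix) for n in endpoint_names}
    counts: Dict[str, int] = {}
    for lease in leases:
        # filter hostName != "" and ipAddress != ""
        if not lease.host_name or not lease.ip_address:
            continue
        name = normalize_host(lease.host_name, domain_suffix)
        counts[name] = counts.get(name, 0) + (1 if name in endpoints else 0)
    return counts


def uncovered_hosts(leases: Iterable[DhcpLease], endpoint_names: Iterable[str],
                    domain_suffix: str = ".domain.local") -> List[str]:
    """DHCP hosts with zero matching endpoint records (filter totalconnections = 0)."""
    counts = _match_counts(leases, endpoint_names, domain_suffix)
    return sorted(name for name, total in counts.items() if total == 0)


def covered_hosts(leases: Iterable[DhcpLease], endpoint_names: Iterable[str],
                  domain_suffix: str = ".domain.local") -> List[str]:
    """DHCP hosts with at least one matching endpoint record (filter totalconnections > 0)."""
    counts = _match_counts(leases, endpoint_names, domain_suffix)
    return sorted(name for name, total in counts.items() if total > 0)


# Constructed sample data (placeholder names and RFC 1918 addresses).
SAMPLE_LEASES = [
    DhcpLease("pc01.domain.local", "10.0.0.11"),
    DhcpLease("PC02.domain.local", "10.0.0.12"),   # case differs from the endpoint record
    DhcpLease("printer-3f", "10.0.0.13"),          # no agent, should be reported
    DhcpLease("", "10.0.0.14"),                    # empty hostname, dropped by the filter
    DhcpLease("pc01.domain.local", "10.0.0.15"),   # renewed lease with a new IP, still matches by name
    DhcpLease("iot-cam-7", ""),                    # empty IP, dropped by the filter
]
SAMPLE_ENDPOINTS = ["pc01", "pc02", "srv-db-1"]   # endpoint_name values from the endpoints dataset


if __name__ == "__main__":
    print("DHCP hosts without an XDR endpoint:", uncovered_hosts(SAMPLE_LEASES, SAMPLE_ENDPOINTS))
    print("DHCP hosts with an XDR endpoint:   ", covered_hosts(SAMPLE_LEASES, SAMPLE_ENDPOINTS))
```

Note that `srv-db-1` appears in the endpoint list but not in DHCP, so neither report mentions it; like the XQL's left join, this only ever reports on what DHCP has seen.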