10-31-2021 01:39 PM
Has anyone come up with a reliable method to report on devices without xdr running on it?
11-01-2021 06:17 AM
If you don't have any sort of RMM tool and you're running Prevent, you can do a dump out of Cortex and a dump out of AD and run a compare. If you're running XDR Pro, look farther down in the topics and there is a good discussion on how to do this.
11-01-2021 06:59 AM
I've dumped all devices that Asset Manager reports as no Cortex XDR and run a script to reverse DNS. What I found was hundreds of false negatives. In other words, Cortex Asset Manager reports no XDR but XDR is indeed running. So for us anyway, Asset Manager is erroneous. Perhaps something on our firewall side.
We are running Pro, what discussion are you referring to?
I've spoken to a sales engineer and opened several support tickets. No real solution. I've been pointed down futile paths, however.
I've tried Pathfinder and it does not detect non-Cortex XDR devices, only high alerts.
We won't run "open source" software on our network, so the DHCP logger is a no-go. Not to mention we have many DHCP servers, so this would be a large deploy.
Options left are perhaps the new 7.5 agent, which does a peer-to-peer discovery. However, there is no documentation on the amount of traffic it generates, so we won't enable it on our network without proper docs. And I guess GlobalProtect HIP detection. Looking into that.
11-01-2021 07:12 AM
Thanks. I have posted in that thread. There is no solution, just a link to this vague document.
And it is marked as an answer. Funny. What is really funny is it refers to Pathfinder as a solution, but after several tickets on this, Cortex support says it does not work. Honestly, I don't think anyone at Cortex knows how Pathfinder works. When I run a "test" in Pathfinder on an IP, it does EXACTLY what I need in the log: it does a reverse lookup and determines if Cortex is installed. But yet Network Mapper does not pass on the IPs it finds to Pathfinder to interrogate.
Bottom line: has anyone gotten Cortex PRO to report names of devices and/or platform names into Asset Manager that do NOT have XDR installed? If so, how did you do it? This should be doable; the field is there.
11-14-2021 12:36 AM
Maybe the Network Mapper could help you?
https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/broker-vm/set-up-broker-vm/...
11-15-2021 07:20 AM
Thank you, I am going to try this.
03-06-2022 08:37 AM
Wanted to update this. What we found is that in our environment the solution was to install the Cortex DHCP log collector on all Windows DHCP servers and make sure the GlobalProtect HIP data was being sent to the Cortex lake. This gave us all DHCP devices in Asset Manager so we could report on devices with the agent.
However, currently the match between Asset Manager and Endpoint Admin is IP. So it is the "join", if you will. The problem is the IP is not updated in Endpoint Admin when it changes for a long time, so we have many false positives. Working on an XQL report to resolve this, but I don't know if it will be possible yet. But at least we have devices to audit.
03-06-2022 10:52 AM
Hello, I am very interested in doing this. Not too sure what the "Cortex DHCP log collector" is? I will look it up. Also, can you do this with the Prevent subscription vs. the Pro subscription?
03-06-2022 11:16 AM
Might be Pro only, but not sure. The filebeat.yml is a bear. Be wary of SPACES!! You will know what I mean if you proceed 🙂
03-22-2023 07:28 AM
In case anyone else has this issue, here is an XQL query that will report which DHCP devices are not in the Cortex endpoints dataset:
dataset = microsoft_dhcp_raw
| filter hostName != "" and ipAddress != "" // first few lines are the same as OP
| alter FormattedName = if (hostName contains ".domain.local", replace(hostName, ".domain.local", ""), hostName) // replace .domain.local with your domain when running
| join conflict_strategy = left type = left (dataset = endpoints) as ed ed.endpoint_name = FormattedName // left join ensures that all rows are returned from DHCP, and only matches from endpoints
| alter conditional = if (FormattedName = endpoint_name, 1, 0) // if there is a match, it returns 1, otherwise 0
| fields FormattedName, endpoint_name, conditional
| comp sum(conditional) as totalconnections by FormattedName // by summing the conditional, if the sum is 0 there are 0 logs where DHCP matched one of your endpoints
| filter (totalconnections = 0) // if you change this to > 0, you will get all devices in DHCP that ARE matched in the Cortex list
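The same dump-and-compare idea as an offline script, added here as an example and not code from the thread or from Palo Alto Networks. It joins a Windows DHCP audit-log export against a Cortex endpoint export on normalised host name (suffix stripped, case-folded), and shows beside it why the IP-keyed join described earlier in the thread produces false positives when the endpoint's recorded IP is stale. The file layouts, the DNS suffix `.domain.local` and all sample rows are constructed assumptions.

```python
"""Compare DHCP leases with a Cortex XDR endpoint export, keyed on host name
rather than IP. All sample data below is constructed for illustration."""
import csv, io

DOMAIN_SUFFIX = ".domain.local"  # assumption: replace with your own DNS suffix

# Constructed Windows DHCP audit-log lines (ID,Date,Time,Description,IP,Host,MAC).
DHCP_LOG = """\
10,03/22/23,08:00:01,Assign,10.0.0.21,WS-ALPHA.domain.local,00-11-22-33-44-55
10,03/22/23,08:01:14,Assign,10.0.0.22,ws-beta.domain.local,00-11-22-33-44-56
11,03/22/23,08:02:30,Renew,10.0.0.23,PRINTER-01,00-11-22-33-44-57
10,03/22/23,08:03:05,Assign,10.0.0.24,,00-11-22-33-44-58
"""

# Constructed Cortex endpoint export; WS-BETA's recorded IP is stale.
ENDPOINTS_CSV = """\
endpoint_name,ip
WS-ALPHA,10.0.0.21
WS-BETA,10.0.0.99
"""

def normalise(name: str) -> str:
    """Strip the DNS suffix and case-fold so DHCP and Cortex names compare."""
    name = name.strip()
    if name.lower().endswith(DOMAIN_SUFFIX.lower()):
        name = name[: -len(DOMAIN_SUFFIX)]
    return name.upper()

def dhcp_hosts(log: str) -> dict:
    """Return {normalised host name: latest IP} from DHCP audit-log text."""
    hosts = {}
    for row in csv.reader(io.StringIO(log)):
        if len(row) < 6:
            continue
        ip, host = row[4], row[5]
        if host and ip:  # same filter the XQL query applies
            hosts[normalise(host)] = ip
    return hosts

def endpoints(export: str) -> dict:
    """Return {normalised endpoint name: recorded IP} from the Cortex export."""
    return {normalise(r["endpoint_name"]): r["ip"]
            for r in csv.DictReader(io.StringIO(export))}

def unmanaged_by_name(log: str, export: str) -> list:
    """DHCP clients with no Cortex endpoint of the same name."""
    return sorted(set(dhcp_hosts(log)) - set(endpoints(export)))

def unmanaged_by_ip(log: str, export: str) -> list:
    """The IP-keyed join the thread warns about: stale IPs show as unmanaged."""
    known = set(endpoints(export).values())
    return sorted(h for h, ip in dhcp_hosts(log).items() if ip not in known)
```

On the sample data the name join reports only PRINTER-01, while the IP join also flags WS-BETA because its endpoint record still carries an old address.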
03-22-2023 08:30 AM
This is a great solution. It's a shame that it's Pro/TB and MS DHCP only, but it's a great solution.