Discovering unprotected devices

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Discovering unprotected devices

L2 Linker

Has anyone come up with a reliable method to report on devices without xdr running on it? 

12 REPLIES 12

L3 Networker

if you don't have any sort of RMM tool and your running prevent you can do a dump out of cortex and and dump out of AD and run a compare. if your running xdr pro look farther down in the topics and there is a good discussion on how to do this. 

Ive dumped all devices that asset manager reports as no cortex XDR and run a script to reverse DNS.  What I found was hundreds of false negatives.  In other words, cortex asset manager reports no xdr but xdr is indeed running.  So for us anyway, asset manager is erroneous.  Perhaps something on our firewall side.  

 

We are running Pro,  what discussion are you referring to? 

 

Ive spoken to a sales engineer and several support tickets. No real solution.  Ive been pointing down futile paths however.

 

Ive tried pathfinder and it does not detect non cortex xdr devices only high alerts.

We wont run "open source" software on our network so the DHCP logger is a no go. Not to mention we have many dhcp servers so this would be a large deploy.

 

Options left are perhaps the new 7.5 agent which does a peer to peer discovery. However no documentation on the amount of traffic it generates so we wont enable it on our network without proper docs.  And I guess global protect HIP detection. Looking into that.

 

 

 

Thanks. I have posted in that thread.. there is no solution, just a link to this vague document.

https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/asset-management/about-asse...

 

And it is marked as a answer. Funny.  What is really funny is it refers to pathfinder as a solution but after several tickets on this, cortex support says it does not work.   Honestly, I dont think anyone at cortex knows how pathfinder works..  When I run a "test" in pathfinder on an IP, it does EXACTLY what I need in the log, it does a reverse lookup and determines if cortex is installed.  But yet network mapper does not pass on the IPs it finds to pathfinder to interrogate.  

 

Bottom line... has anyone gotten cortex PRO to report names of devices and or platforms name into asset manager that do NOT have xdr installed?  If so, how did you do it?  This should be doable.. the field is there.. 

 

 

 

 

L3 Networker

Have you looked at network discovery from 7.5? 

 

About Asset Management (paloaltonetworks.com)

L1 Bithead

Hi @ESJosephPrinz 

Maybe the Network Mapper could help you?
https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/broker-vm/set-up-broker-vm/...

 

Evgeny (Eugene) Palcev | Senior Customer Success Architect, Cortex

thank you I am going to try this

L2 Linker

Wanted to update this.. what we found is in our environment the solution was to install cortex dhcp log collector on all Windows dhcp servers and make sure the global protect HIP data was being sent to the cortex lake.  This have us all DHCP devices into asset manager so we could report on devices with the agent.

 

However, currently the match between asset manager and endpoint admin is IP.. So it is the "join" if you will. Problem is the IP is not updated in endpoint admin when it changes for a long time so we have many false positives. working on a xql report to resolve but dont know if this will be possible yet. But at least we have devices to audit.

hello I am very interested in doing this. not too sure what the "cortex dhcp log collector"? I will look it up, also can you do this with the prevent subscription? vs the pro subscription? 

Might be pro only but not sure.   The filebeat.yml is a bear.. be wary of SPACES!!    You will know what I mean if you proceed 🙂

L1 Bithead

Incase anyone else has this issue, here is an XQL Query that will result in which DHCP Devices are not in the Cortex Endpoints Dataset

dataset = microsoft_dhcp_raw
| filter hostName != "" and ipAddress != "" //first few lines are same as OP
| alter FormattedName = if (hostname contains ".domain.local",replace(hostname,".domain.local",""),hostname)//replace .domain.local with your domain when running
| join conflict_strategy = left type = left (dataset = endpoints ) as ed ed.endpoint_name = FormattedName //left join ensures that all is returned from DHCP, and only matches from Endpoint
| alter conditional = if(FormattedName = endpoint_name, 1, 0)//if there is a match, it returns 1, otherwise, 0
| fields FormattedName , endpoint_name, conditional
| comp sum(conditional) as totalconnections by FormattedName // by summing on the conditional, if the sum is 0, that means there are 0 logs where DHCP matched with one of your endpoints
| filter (totalconnections = 0) // if you changed this to >0, you will get all devices in DHCP that ARE matched in the Cortex List

This is a great solution, it's a shame that it's Pro/TB and MS DHCP but it's a great solution. 

  • 6716 Views
  • 12 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!