Endpoint administrative cleanup


L3 Networker

Based on what parameter is Cortex XDR removing endpoints under endpoint administrative cleanup?
E.g., if we choose hostname, will it remove the hostname found first, or will it delete the hostname XDR found last checked in?
And if we have 2 MAC addresses and 2 IPs, on what basis will it delete the endpoint?
We also observed that when we select the option of MAC address while configuring the endpoint periodic clean-up settings, it automatically selects hostname as well. What should we do in order to only remove duplicates using the MAC address or IP and not via hostname?

 

Accepted Solutions

L3 Networker

Hello @Shashanksinha,

 

Endpoint Administrative Cleanup will delete duplicate entries based on the listed parameters, being the Host Name, Host IP (IPv4 only), and MAC address. This will leave only one entry, being the last endpoint that has reported to the Cortex XDR server. 

 

To answer your first question, it will delete the hostname XDR found to be last checked in. 

 

To answer your second question regarding duplicate IP/MAC addresses, duplications will only be removed if they contain all of the parameters selected. For your example, the endpoints would need an identical Hostname AND MAC address to be removed. This is further clarified in the gray text below the parameter selection in the Endpoint Administration Cleanup menu.

 

mfakhouri_0-1666104469191.png

 

 

As for your issue regarding selecting only the MAC address or Host IP, are you not able to uncheck the Host Name box and check the MAC Address or Host IP box? From my personal testing, the Host Name box is checked by default when enabling the Periodic duplicate cleanup but can be disabled by clicking on its checkmark box.

 

mfakhouri_1-1666104469174.gif

 



For more information regarding Endpoint Administration Cleanup, please refer to the documentation along with our latest How-To Video on the topic:

 

View Details About an Endpoint:

https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-prevent-admin/investigation-and-respo...

 

Cortex XDR How-To Video: Endpoint Administration Cleanup:

https://live.paloaltonetworks.com/t5/cortex-xdr-how-to-videos/cortex-xdr-how-to-video-endpoint-admin...

Hello @mfakhouri,

Can you please answer one more query regarding Endpoint administration? 

Can we see deleted duplicate entries because of using this feature? In management logs or audit logs or anywhere else?

Hi @Shashanksinha,

 

You would be able to see the information about any duplicate removed entries in the audit log.  Please see the link below for further information on the audit log and what can be viewed there that may be of use to you.
ref: 
https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Prevent-Administrator-Guide/Monitor...
