This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

Endpoint administrative cleanup

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Endpoint administrative cleanup

Go to solution
Shashanksinha
L3 Networker

‎10-10-2022 09:46 PM

Based on what parameter is cortex XDR removing endpoints under endpoint administrative cleanup?
Eg if we chose hostname then will it remove the hostname found first or will delete the hostname XDR found last checked in?
And if we have 2 mac addresses and 2 IPs on what basis will it delete the endpoint?
We also observed that when we select the option of mac address while configuring the endpoint periodic clean-up settings it automatically selects hostname as well. What should we do in order to only remove duplicates using the mac address or IP and not via hostname.

 

0 Likes Likes
1 accepted solution

Accepted Solutions

Go to solution
mfakhouri
L3 Networker

‎10-18-2022 07:55 AM

Hello @Shashanksinha,

 

Endpoint Administrative Cleanup will delete duplicate entries based on the listed parameters, being the Host Name, Host IP (IPv4 only), and MAC address. This will leave only one entry, being the last endpoint that has reported to the Cortex XDR server. 

 

To answer your first question, it will delete the hostname XDR found to be last checked in. 

 

To answer your second question regarding duplicate IP/MAC addresses, duplications will only be removed if they contain all of the parameters selected. For your example, the endpoints would need an identical Hostname AND MAC address to be removed. This is further clarified in the gray text below the parameter selection in the Endpoint Administration Cleanup menu.

 

mfakhouri_0-1666104469191.png

 

 

As for your issue regarding selecting only the MAC address or Host IP, are you not able to uncheck the Host Name box and check the MAC Address or Host IP box? From my personal testing, the Host Name box is checked by default when enabling the Periodic duplicate cleanup but can be disabled by clicking on its checkmark box.

 

mfakhouri_1-1666104469174.gif

 



For more information regarding Endpoint Administration Cleanup, please refer to the documentation along with our latest How-To Video on the topic:

 

View Details About an Endpoint:

https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-prevent-admin/investigation-and-respo...

 

Cortex XDR How-To Video: Endpoint Administration Cleanup:

https://live.paloaltonetworks.com/t5/cortex-xdr-how-to-videos/cortex-xdr-how-to-video-endpoint-admin...

View solution in original post

0 Likes Likes
3 REPLIES 3

Go to solution
mfakhouri
L3 Networker

‎10-18-2022 07:55 AM

Hello @Shashanksinha,

 

Endpoint Administrative Cleanup will delete duplicate entries based on the listed parameters, being the Host Name, Host IP (IPv4 only), and MAC address. This will leave only one entry, being the last endpoint that has reported to the Cortex XDR server. 

 

To answer your first question, it will delete the hostname XDR found to be last checked in. 

 

To answer your second question regarding duplicate IP/MAC addresses, duplications will only be removed if they contain all of the parameters selected. For your example, the endpoints would need an identical Hostname AND MAC address to be removed. This is further clarified in the gray text below the parameter selection in the Endpoint Administration Cleanup menu.

 

mfakhouri_0-1666104469191.png

 

 

As for your issue regarding selecting only the MAC address or Host IP, are you not able to uncheck the Host Name box and check the MAC Address or Host IP box? From my personal testing, the Host Name box is checked by default when enabling the Periodic duplicate cleanup but can be disabled by clicking on its checkmark box.

 

mfakhouri_1-1666104469174.gif

 



For more information regarding Endpoint Administration Cleanup, please refer to the documentation along with our latest How-To Video on the topic:

 

View Details About an Endpoint:

https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-prevent-admin/investigation-and-respo...

 

Cortex XDR How-To Video: Endpoint Administration Cleanup:

https://live.paloaltonetworks.com/t5/cortex-xdr-how-to-videos/cortex-xdr-how-to-video-endpoint-admin...

0 Likes Likes

Go to solution
Shashanksinha
L3 Networker
In response to mfakhouri

‎01-23-2023 08:13 AM

Hello @mfakhouri,

Can you please answer one more query regarding Endpoint administration? 

Can we see deleted duplicate entries because of using this feature? In management logs or audit logs or anywhere else?

0 Likes Likes

Go to solution
anlynch
L4 Transporter
In response to Shashanksinha

‎01-24-2023 06:26 AM

Hi @Shashanksinha,

 

You would be able to see the information about any duplicate removed entries in the audit log.  Please see the link below for further information on the audit log and what can be viewed there that may be of use to you.
ref: 
https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Prevent-Administrator-Guide/Monitor...

0 Likes Likes
  • 1 accepted solution
  • 2406 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks