06-27-2023 06:39 AM
Hello @RamyashreeMada
"IP Address Range" allows you to define various internal IP address ranges that belong to a particular department or device type. It helps Cortex XDR to track and identify assets in your network. XDR uses this information to analyse, locate, and display assets.
Following are a few use cases which utilise this information.
1. To identify which machines have the XDR agent installed and which are remaining.
If you have thousands of machines and you want to check your deployment status, you can take help from the "Network Mapper" applet of Broker VM, in which you need to define the IP address range you want to scan and configure some scan parameters. Network Mapper will scan the IP address range and you can see the output data under Assets->Asset Inventory. There you can apply a filter for the column "Has XDR Agent" and find out which machines have the XDR agent installed.
2. The IP address range is also used by the "Pathfinder" applet of Broker VM, which is a non-persistent data collector that can collect EDR data from machines which do not have the XDR agent installed for a limited period of time. While activating this applet you need to define the IP address range.
07-01-2023 06:48 AM
Hey @nsinghvirk,
Do we have the possibility to get an alert when an asset is in the client range and has no agent for one or more days?
As I have seen, the network configuration affects the asset inventory. But are there more possibilities, like getting alerted?
BR
Rob
07-04-2023 09:54 AM
Hello @RFeyertag
You can create a correlation rule that should identify the assets without the XDR agent installed. The dataset you need is "panw_network_mapper_raw", which contains the output of Network Mapper scans. You can compare this dataset with the "endpoints" dataset, mainly with reference to IP address. So basically, the first dataset will have the complete list of assets and you can subtract the assets from the second dataset which have the agent installed on them.
Below is an example query that you can refer to and build something according to your use case.
dataset = panw_network_mapper_raw
| filter ip not in (dataset = endpoints | arrayexpand ip_address | fields ip_address)
| fields ip, hostname
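Added example, not part of the thread and not Palo Alto Networks code: the same set difference as the query above, run offline in Python over exported rows, extended to the two conditions asked about earlier (asset inside the client range, no agent for at least one day). The record layout, the 10.20.0.0/24 range and all hostnames are constructed assumptions; only `ip`, `hostname` and `ip_address` come from the query.

```python
import ipaddress
from datetime import datetime, timedelta

# Hypothetical "client" IP address range (assumption, not from the thread).
CLIENT_RANGE = ipaddress.ip_network("10.20.0.0/24")

# Constructed scan rows: (scan time, ip, hostname).
SCANS = [
    ("2023-07-01T02:00", "10.20.0.5", "pc-005"),
    ("2023-07-02T02:00", "10.20.0.5", "pc-005"),
    ("2023-07-01T02:00", "10.20.0.7", "pc-007"),
    ("2023-07-02T02:00", "10.20.0.7", "pc-007"),
    ("2023-07-02T02:00", "10.20.0.9", "pc-009"),   # seen in one scan only
    ("2023-07-01T02:00", "10.30.0.4", "srv-004"),  # outside the client range
    ("2023-07-02T02:00", "10.30.0.4", "srv-004"),
]

# Constructed endpoint rows; ip_address is a list, which is why the
# query above needs arrayexpand before comparing.
ENDPOINTS = [
    {"endpoint_name": "pc-005", "ip_address": ["10.20.0.5", "192.168.1.5"]},
]

def unmanaged_assets(scans, endpoints, network, min_age=timedelta(days=1)):
    """Return {ip: hostname} for scanned hosts inside `network` that match no
    endpoint IP and whose first and last sighting are >= min_age apart."""
    managed = {ip for ep in endpoints for ip in ep["ip_address"]}
    first, last, names = {}, {}, {}
    for ts, ip, host in scans:
        if ip in managed or ipaddress.ip_address(ip) not in network:
            continue
        seen = datetime.fromisoformat(ts)
        first[ip] = min(first.get(ip, seen), seen)
        last[ip] = max(last.get(ip, seen), seen)
        names[ip] = host
    return {ip: names[ip] for ip in first if last[ip] - first[ip] >= min_age}

if __name__ == "__main__":
    hits = unmanaged_assets(SCANS, ENDPOINTS, CLIENT_RANGE)
    for ip, host in sorted(hits.items()):
        print(f"no agent for >= 1 day: {ip} ({host})")
```

Matching on IP alone inherits the limits of the query above: a host whose address changed between scans (for example through DHCP) is counted as a new asset.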
07-13-2023 12:12 AM
How can we utilize this?