Periodic Endpoint Scanning Report

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.
Palo Alto Networks Approved
Palo Alto Networks Approved
Community Expert Verified
Community Expert Verified

Periodic Endpoint Scanning Report

L2 Linker

Hi All,

 

We have configured periodic endpoint scanning in all the malware profiles in our infrastructure. We needed to get the scanning report, or at the very least, the scan's status, such as how many systems got scanned or failed. How and where can I obtain this information?

 

Thank you!!

Cortex XDR 

1 accepted solution

Accepted Solutions

L5 Sessionator

Hi  @MithunKT ,

 

Thank you for writing to Live Community!

 

As per your requirements, scan status can be checked in multiple ways in Cortex XDR. Following are the methods  to do so:

  1. Endpoints Administration: In the Endpoints Tab, go to All Endpoints. We have two columns as "Scan status" and "Last Successful Scan". These can be used in parallel to map which endpoints had the scanning with result in the columns. Scan status can be described as below:Screenshot 2023-01-03 at 8.19.31 PM.png
  2. Agent audit logs: In the agent audit logs, under the "Sub-Type" column, we can filter our "Scan" and find the status of the endpoints with malware scans with description. You can also set notifications forwarding as per your used cases to emails or syslog servers for this in form of agent logs.
  3. XQL Search: You can write your own XQL queries to query the scan status of the endpoints. XQL query also gives you the leverage to create multiple items based on your used cases from generating reports to alerts(eg. generate an alert for endpoints with cancelled scan, or failed scans etc.). A sample XQL query below will list you the list of endpoints with their scan status and last successful scans

 

 

dataset = endpoints 
| fields scan_status , last_successful_scan , endpoint_name , agent_version , last_seen , ip_address , platform , operating_system 

 

 

 

You can also schedule the queries or choose to create reports or widgets in your dashboards to be used in XDR dashboards for your auditing and reporting purposes by sorting endpoints counts on basis of scan status etc. as a sample shown below:

Screenshot 2023-01-03 at 8.51.34 PM.png

 

Hope this helps!Please mark this as "Accept as Solution" if it resolves your query

 

Regards

View solution in original post

5 REPLIES 5

L5 Sessionator

Hi  @MithunKT ,

 

Thank you for writing to Live Community!

 

As per your requirements, scan status can be checked in multiple ways in Cortex XDR. Following are the methods  to do so:

  1. Endpoints Administration: In the Endpoints Tab, go to All Endpoints. We have two columns as "Scan status" and "Last Successful Scan". These can be used in parallel to map which endpoints had the scanning with result in the columns. Scan status can be described as below:Screenshot 2023-01-03 at 8.19.31 PM.png
  2. Agent audit logs: In the agent audit logs, under the "Sub-Type" column, we can filter our "Scan" and find the status of the endpoints with malware scans with description. You can also set notifications forwarding as per your used cases to emails or syslog servers for this in form of agent logs.
  3. XQL Search: You can write your own XQL queries to query the scan status of the endpoints. XQL query also gives you the leverage to create multiple items based on your used cases from generating reports to alerts(eg. generate an alert for endpoints with cancelled scan, or failed scans etc.). A sample XQL query below will list you the list of endpoints with their scan status and last successful scans

 

 

dataset = endpoints 
| fields scan_status , last_successful_scan , endpoint_name , agent_version , last_seen , ip_address , platform , operating_system 

 

 

 

You can also schedule the queries or choose to create reports or widgets in your dashboards to be used in XDR dashboards for your auditing and reporting purposes by sorting endpoints counts on basis of scan status etc. as a sample shown below:

Screenshot 2023-01-03 at 8.51.34 PM.png

 

Hope this helps!Please mark this as "Accept as Solution" if it resolves your query

 

Regards

L2 Linker

Hi @neelrohit ,

 

I just wanted to thank you for your lightning-fast response to my query. The solution you provided was not only effective but also incredibly well-described. I really appreciate the effort you put into helping me out.

Your assistance is greatly appreciated. 

Hello all,

 

Can you help me to build the graph you mention here in this article?

I have the query with your exaple, but I couln't obtein the graph.

 

Thanks.

 

Ulises Rendón

Hi @UlisesRendon ,


Hope this helps!

dataset = endpoints 
| filter endpoint_status in (ENUM.CONNECTED , ENUM.DISCONNECTED )
| comp count(endpoint_name ) as counter by scan_status
| view graph type = pie xaxis = scan_status yaxis = counter


 

Hi Neelrohit,

Thanks your Query, 

Its realy helpful for me, This query only able to see the of the scan, But I need to get the data from clicking the count.

Thanks
Thendral M
  • 1 accepted solution
  • 2680 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!