This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Periodic Endpoint Scanning Report

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Palo Alto Networks Approved
Palo Alto Networks Approved
Community Expert Verified
Community Expert Verified

Periodic Endpoint Scanning Report

Go to solution
MithunKT
L2 Linker

‎01-03-2023 03:59 AM

Hi All,

 

We have configured periodic endpoint scanning in all the malware profiles in our infrastructure. We needed to get the scanning report, or at the very least, the scan's status, such as how many systems got scanned or failed. How and where can I obtain this information?

 

Thank you!!

Cortex XDR 

Cortex XDR
Thumbnail of Cortex XDR
Palo Alto Networks
Cortex XDR
Security Operations
View on Product Page
0 Likes Likes
1 accepted solution

Accepted Solutions

Go to solution
neelrohit
L5 Sessionator

‎01-03-2023 04:52 AM - edited ‎01-03-2023 04:57 AM

Hi  @MithunKT ,

 

Thank you for writing to Live Community!

 

As per your requirements, scan status can be checked in multiple ways in Cortex XDR. Following are the methods  to do so:

  1. Endpoints Administration: In the Endpoints Tab, go to All Endpoints. We have two columns as "Scan status" and "Last Successful Scan". These can be used in parallel to map which endpoints had the scanning with result in the columns. Scan status can be described as below:Screenshot 2023-01-03 at 8.19.31 PM.png
  2. Agent audit logs: In the agent audit logs, under the "Sub-Type" column, we can filter our "Scan" and find the status of the endpoints with malware scans with description. You can also set notifications forwarding as per your used cases to emails or syslog servers for this in form of agent logs.
  3. XQL Search: You can write your own XQL queries to query the scan status of the endpoints. XQL query also gives you the leverage to create multiple items based on your used cases from generating reports to alerts(eg. generate an alert for endpoints with cancelled scan, or failed scans etc.). A sample XQL query below will list you the list of endpoints with their scan status and last successful scans

 

 

dataset = endpoints 

| fields scan_status , last_successful_scan , endpoint_name , agent_version , last_seen , ip_address , platform , operating_system

 

 

 

You can also schedule the queries or choose to create reports or widgets in your dashboards to be used in XDR dashboards for your auditing and reporting purposes by sorting endpoints counts on basis of scan status etc. as a sample shown below:

Screenshot 2023-01-03 at 8.51.34 PM.png

 

Hope this helps!Please mark this as "Accept as Solution" if it resolves your query

 

Regards

View solution in original post

(1)
6 REPLIES 6

Go to solution
neelrohit
L5 Sessionator

‎01-03-2023 04:52 AM - edited ‎01-03-2023 04:57 AM

Hi  @MithunKT ,

 

Thank you for writing to Live Community!

 

As per your requirements, scan status can be checked in multiple ways in Cortex XDR. Following are the methods  to do so:

  1. Endpoints Administration: In the Endpoints Tab, go to All Endpoints. We have two columns as "Scan status" and "Last Successful Scan". These can be used in parallel to map which endpoints had the scanning with result in the columns. Scan status can be described as below:Screenshot 2023-01-03 at 8.19.31 PM.png
  2. Agent audit logs: In the agent audit logs, under the "Sub-Type" column, we can filter our "Scan" and find the status of the endpoints with malware scans with description. You can also set notifications forwarding as per your used cases to emails or syslog servers for this in form of agent logs.
  3. XQL Search: You can write your own XQL queries to query the scan status of the endpoints. XQL query also gives you the leverage to create multiple items based on your used cases from generating reports to alerts(eg. generate an alert for endpoints with cancelled scan, or failed scans etc.). A sample XQL query below will list you the list of endpoints with their scan status and last successful scans

 

 

dataset = endpoints 

| fields scan_status , last_successful_scan , endpoint_name , agent_version , last_seen , ip_address , platform , operating_system

 

 

 

You can also schedule the queries or choose to create reports or widgets in your dashboards to be used in XDR dashboards for your auditing and reporting purposes by sorting endpoints counts on basis of scan status etc. as a sample shown below:

Screenshot 2023-01-03 at 8.51.34 PM.png

 

Hope this helps!Please mark this as "Accept as Solution" if it resolves your query

 

Regards

(1)

Go to solution
MithunKT
L2 Linker

‎01-03-2023 05:14 AM

Hi @neelrohit ,

 

I just wanted to thank you for your lightning-fast response to my query. The solution you provided was not only effective but also incredibly well-described. I really appreciate the effort you put into helping me out.

Your assistance is greatly appreciated. 

Go to solution
UlisesRendon
L0 Member
In response to neelrohit

‎10-11-2023 03:17 PM

Hello all,

 

Can you help me to build the graph you mention here in this article?

I have the query with your exaple, but I couln't obtein the graph.

 

Thanks.

 

Ulises Rendón

0 Likes Likes

Go to solution
neelrohit
L5 Sessionator
In response to UlisesRendon

‎10-11-2023 09:46 PM

Hi @UlisesRendon ,


Hope this helps!

dataset = endpoints 
| filter endpoint_status in (ENUM.CONNECTED , ENUM.DISCONNECTED )
| comp count(endpoint_name ) as counter by scan_status
| view graph type = pie xaxis = scan_status yaxis = counter


 

0 Likes Likes

Go to solution
Thendral_Arasu
L1 Bithead
In response to neelrohit

‎12-26-2023 04:38 AM

Hi Neelrohit,

Thanks your Query, 

Its realy helpful for me, This query only able to see the of the scan, But I need to get the data from clicking the count.

Thanks
Thendral M
0 Likes Likes

Go to solution
emartinez
L0 Member

‎04-01-2024 07:03 AM

Hola Buenas tardes, excelentes respuestas me han servido de mucha ayuda, pero tengo una duda, se puede detener un scan mensual programado? este esta agendado para ejecutarse el primer lunes de mes. Cuando se ejecuta no se visualiza en ninguna parte, solo en alertas como detected scanned. hay alguna manera de matar o cancelar ese scan? Gracias

0 Likes Likes
  • 1 accepted solution
  • 4130 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks