This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Scan status details of Cortex XDR

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Scan status details of Cortex XDR

Aneesh
L1 Bithead

‎02-28-2024 01:47 AM

Hi Team, 

 

Can I get more information on scan status for below scenarios.

 

. If the scan initiated and before completion the endpoint got disconnected what will be the status?

.. when the endpoint connects back, whether the scan automatically resume from where it stopped ?

... Difference between 'Aborted', 'Error' and 'Cancelled' status?

 

Cortex XDR 

Cortex XDR
Thumbnail of Cortex XDR
Palo Alto Networks
Cortex XDR
Security Operations
View on Product Page
0 Likes Likes
4 REPLIES 4

nsinghvirk
L4 Transporter

‎02-28-2024 05:45 AM

Hello @Aneesh 

 

Thanks for reaching out on LiveCommunity!

Below are the answers to your questions.

1. Once the scan is initiated then it will be in progress status even if the endpoint got disconnected. Scan will be resumed if endpoint connects back within 24 hours.

2. Scan will resume automatically from where it was interrupted.

3. Below are the definitions for various action status.

  • Aborted—Scan was cancelled after it was started.

  • Error—Scan failed to run. e.g. endpoint got disconnected for more than 24 hours.

  • Canceled—Scan was canceled before it was started.

Please click Accept as Solution to acknowledge that the answer to your question has been provided.

  •  

 

0 Likes Likes

aspatil
L4 Transporter

‎02-28-2024 10:47 PM

Hello @Aneesh 
As per your requirements, scan status can be checked in multiple ways in Cortex XDR. Following are the methods  to do so:

  1. Endpoints Administration: In the Endpoints Tab, go to All Endpoints. We have two columns as "Scan status" and "Last Successful Scan". These can be used in parallel to map which endpoints had the scanning with result in the columns. Scan status can be described as below:
    aspatil_0-1709189181609.png

     

  2. Agent audit logs: In the agent audit logs, under the "Sub-Type" column, we can filter our "Scan" and find the status of the endpoints with malware scans with description. You can also set notifications forwarding as per your used cases to emails or syslog servers for this in form of agent logs.
  3. XQL Search: You can write your own XQL queries to query the scan status of the endpoints. XQL query also gives you the leverage to create multiple items based on your used cases from generating reports to alerts(eg. generate an alert for endpoints with cancelled scan, or failed scans etc.). A sample XQL query below will list you the list of endpoints with their scan status and last successful scans

 

 

dataset = endpoints 

| fields scan_status , last_successful_scan , endpoint_name , agent_version , last_seen , ip_address , platform , operating_system

 

 

 

You can also schedule the queries or choose to create reports or widgets in your dashboards to be used in XDR dashboards for your auditing and reporting purposes by sorting endpoints counts on basis of scan status etc. as a sample shown below:

aspatil_1-1709189181228.png

 


 

Hope this helps!Please mark this as "Accept as Solution" if it resolves your query

Ashutosh Patil
0 Likes Likes

Aneesh
L1 Bithead
In response to nsinghvirk

‎03-05-2024 10:04 PM

Hi @nsinghvirk

 

Thanks for the explanation.

 

As you said, before completion of a scan if the endpoint got disconnected and failed to connect back within 24 hrs, then the scan status will be in 'error' state.

In that case can we configure the waiting period for the endpoint to connect back ? if yes how ?

 

Also, some of the connected endpoints shows aborted scan state in our environment. So, to get some clarity,

aborted status shows when the scan is cancelled either from user or admin side?

what if there is no option for the user to cancel it and admin did not cancelled the scan.

 

Thanks in advance.

Aneesh

0 Likes Likes

Aneesh
L1 Bithead
In response to Aneesh

‎03-18-2024 03:58 AM

Hi @nsinghvirk

Can you help me with the above query?

 

Thanks in advance.

Aneesh

0 Likes Likes
  • 471 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks