Status of Disabled Cortex XDR Agent

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Palo Alto Networks Approved
Palo Alto Networks Approved
Community Expert Verified
Community Expert Verified

Status of Disabled Cortex XDR Agent

L3 Networker

Hello,

We are planning to create a dashboard and report to check if the Cortex agent is disabled on endpoints and servers.

We attempted to create but were unsure which template to use. Could you please assist us with this?

1 REPLY 1

L4 Transporter

Hi RamyashreeMada!

My suggestion would be to start with a report template by going into Dashboards & Reports->Customize ->Dashboards Manager->+ New Template. There you should find the 'Agent Management Report' template along with an Agent Status Breakdown  (attached screenshot for your continence) presenting the number of connected and disconnected agents.

mavraham_1-1664732288221.png
Next, you can use the XQL query below to create a new widget displaying Agents which are disconnected or have lost their connection:

dataset = endpoints | filter endpoint_status = CONNECTION_LOST or endpoint_status = DISCONNECTED

After you've finished creating the widget, you can add it to your custom report/dashboard.

Hope this helps!



 

 

 
 
 

 

 



Visit our Cortex XDR Customer Corner on Live Community to access resources for your product journey, engage in discussions with community members and subject matter experts, and register for upcoming events: Cortex XDR Customer Corner

  • 2209 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!