Tracking Cortex XDR Corrupted Agents


L1 Bithead

Dear Community,


When I first started the Cortex XDR Project and started installing the agents, I made a mistake and deleted the outdated installation packages from the portal.

After that I started getting a lot of disconnected agents, as if they try to connect to the portal and the ID is already deleted. Since it will be hard to know which asset is turned off and which is now not able to connect, I created a PowerShell script with the help of the support team which checks for the version and force-reconnects the agent to the corresponding agent ID. But I still suspect that there are agents that didn't receive the script and didn't force-reconnect.


Is there a way I can utilize the BrokerVM and an XQL query to check for agents that are pingable and have recent last_seen data, and compare it with the last seen info in the endpoint page to check for corrupted agents and work on fixing them?

If not, any idea how we can accomplish this using Cortex XDR? This could also help to track the endpoints that had their files corrupted for any reason, such as a failed upgrade.

Noting that we have more than 10000 endpoints and most of them are laptops, so checking the disconnected alone may not be an indicator.


Appreciate your Support.





L5 Sessionator

Hi @AmmarJi here's what I'd suggest

1. Enable Cloud Identity Engine to ingest AD information which will include all domain-joined devices.

2. Cross-reference the CIE data with the endpoints dataset to identify assets that are
  a) not present in the endpoints dataset - that means you'd need to install XDR on those endpoints
  b) present but running the outdated or deleted versions of XDR agents - you'll need to run that PowerShell script on those assets. Do remember to update the script to include a currently supported version of XDR installer which is present in the XDR management console.


You can use Broker VMs to scan the networks but that'd also mean trying to identify switches, routers and other devices present on the network that do not require Cortex XDR agents. The CIE would return you precise results for you to work on.

Hi @bbarmanroy 


Thank you for your reply.


This seems like a good option. After trying to write the code, the last logon timestamp format needs to be viewed as a different value, and I can't find a command that could convert it:



Any way we can change the view of it?





It seems that I was able to convert it, but the values are not accurate.


I used the below command to do this:

|alter last_logon_timestamp = to_timestamp(last_logon_timestamp, "MILLIS")





Thank you for your help.


@AmmarJi Is it a timezone issue? Try parse_timestamp with the result of to_timestamp() if that's the case.
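
Added example (not code from the thread's participants or from Palo Alto Networks): the directory-versus-endpoints cross-reference suggested above, done offline in Python over two constructed exports, including the last-logon conversion. It assumes last_logon_timestamp carries the raw Active Directory value, which AD stores as a Windows FILETIME (100-nanosecond ticks since 1601-01-01 UTC); the thread does not confirm this, and the column names and version labels are hypothetical.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_utc(value):
    """100-ns ticks since 1601-01-01 UTC -> aware datetime; 0/empty -> None."""
    ticks = int(value or 0)
    if ticks <= 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def triage(directory_rows, endpoint_rows, supported_versions, grace_days=3):
    """Return {hostname: status}. Column names are hypothetical export fields."""
    agents = {r["endpoint_name"].lower(): r for r in endpoint_rows}
    grace = timedelta(days=grace_days)
    status = {}
    for row in directory_rows:
        host = row["name"].lower()
        agent = agents.get(host)
        logon = filetime_to_utc(row["last_logon_timestamp"])
        if agent is None:
            status[host] = "no_agent"  # in the directory, never registered
        elif agent["agent_version"] not in supported_versions:
            status[host] = "unsupported_version"  # candidate for the reconnect script
        elif logon and logon - datetime.fromisoformat(agent["last_seen"]) > grace:
            # The host authenticated to the domain after the agent's last
            # check-in, so it was powered on while the agent stayed silent.
            status[host] = "suspect_agent"
        else:
            status[host] = "ok"
    return status

# Constructed sample exports (not real data); versions are placeholder labels.
DIRECTORY = [
    {"name": "LAPTOP-A", "last_logon_timestamp": "133537248000000000"},  # 2024-03-01
    {"name": "LAPTOP-B", "last_logon_timestamp": "133537248000000000"},  # 2024-03-01
    {"name": "LAPTOP-C", "last_logon_timestamp": "133528608000000000"},  # 2024-02-20
    {"name": "LAPTOP-D", "last_logon_timestamp": "0"},                   # never
]
ENDPOINTS = [
    {"endpoint_name": "laptop-a", "agent_version": "new-build", "last_seen": "2024-03-02T08:00:00+00:00"},
    {"endpoint_name": "laptop-b", "agent_version": "new-build", "last_seen": "2024-01-10T08:00:00+00:00"},
    {"endpoint_name": "laptop-d", "agent_version": "deleted-build", "last_seen": "2024-02-01T08:00:00+00:00"},
]

if __name__ == "__main__":
    for host, state in triage(DIRECTORY, ENDPOINTS, {"new-build"}).items():
        print(host, state)
```

By default AD replicates lastLogonTimestamp only every 9 to 14 days, so the value can understate the real last logon; the check therefore flags a host only when even that lagging value is later than the agent's last check-in.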
