Cortex XDR Agent management questions - stragglers and operation status



L2 Linker

I've deployed the Cortex agent to all of our servers and now need to find stragglers (servers without agents running). I also need a method to know that not only are the agents installed and running but they are actually running as designed.

I noticed there is a network scan in the portal for Cortex, but it only shows IPs for the devices, so I don't (easily) know what is a server and what is not, nor do I know if it's simply a switch. Is there a way to get the scan to use DNS or something to show the names of devices without the agent installed?

Lastly, does anyone have a method to understand if the agents are actually active, have up-to-date definitions (is this "content" in Cortex?) and are essentially doing what they are supposed to do? We don't want to get caught with pants down just because we know the agent is installed.

Thanks

1 REPLY

Cyber Elite

@ESJosephPrinz,

I don't believe there is currently a way to get the DNS name of the host on the Network Mapper results; however, you can export that so you can create a simple PowerShell or Python script or whatever to attempt to resolve the IP and run through your export.

As to testing the agent, I've not found a good way outside of confirming Network Mapper results with your endpoint results through exports and scripts to ensure that the agents are actually active across your device fleet. You can use wildfire.paloaltonetworks.com/publicapi/test/pe to test a detection on the endpoint and script that download and execution if you want to validate Cortex is actually working, but if an endpoint becomes unregistered it obviously won't trigger anything except on the functional hosts, so a review is what I recommend.

I have had agents become unregistered from the portal, albeit in much smaller numbers now than previously, that you won't know about unless you review your endpoint list and actively check for "Connection Lost" and manually review your host list. This used to happen much more frequently, but we still run across it occasionally.

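The reconciliation the reply describes, exporting the Network Mapper results, reverse-resolving each IP and comparing the list against the endpoint export, worked through as an added Python example. This is not code from the thread or from Palo Alto Networks. The CSV column names (`ip`, `endpoint_name`, `status`, `content_version`), the sample rows and the PTR table are constructed assumptions; the real export headers will differ, so map the keys accordingly. The "Connection Lost" status is the one the reply says to review for; the content-version comparison is an added interpretation of the question about up-to-date "content".

```python
"""Reconcile a Cortex XDR Network Mapper export against an endpoint export.

Added example, not from the thread or from Palo Alto Networks. Column names,
CSV layouts and the sample rows below are constructed assumptions; map them
to whatever your real exports contain.
"""
import csv
import io
import socket
from typing import Callable, Dict, List, Optional

# Constructed sample of a Network Mapper export: one row per IP seen on the network.
NETWORK_MAPPER_CSV = """ip,first_seen
10.10.1.10,2023-01-04
10.10.1.11,2023-01-04
10.10.1.12,2023-01-05
10.10.1.254,2023-01-05
"""

# Constructed sample of an endpoint export: one row per host with an agent installed.
ENDPOINTS_CSV = """endpoint_name,ip,status,content_version
srv-web-01,10.10.1.10,Connected,850-12345
srv-db-01,10.10.1.11,Connection Lost,840-11111
"""

Resolver = Callable[[str], Optional[str]]


def parse_export(text: str) -> List[Dict[str, str]]:
    """Parse a CSV export into a list of row dicts; the header row supplies the keys."""
    return list(csv.DictReader(io.StringIO(text)))


def dns_resolver(ip: str) -> Optional[str]:
    """Reverse-resolve an IP with the system resolver; None when there is no PTR record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None


def static_resolver(table: Dict[str, str]) -> Resolver:
    """Build a resolver backed by a fixed table, for offline runs and tests."""
    return lambda ip: table.get(ip)


def find_stragglers(mapper_rows: List[Dict[str, str]],
                    endpoint_rows: List[Dict[str, str]],
                    resolve: Resolver = dns_resolver) -> List[Dict[str, Optional[str]]]:
    """Return mapper IPs that have no agent row, each with its reverse-DNS name (or None).

    A name that resolves usually points at a server that should get an agent;
    no PTR record is a hint that the IP is a switch, printer or other device
    that cannot run one, which is the distinction the poster wanted.
    """
    covered = {row["ip"] for row in endpoint_rows}
    return [
        {"ip": row["ip"], "hostname": resolve(row["ip"])}
        for row in mapper_rows
        if row["ip"] not in covered
    ]


def find_unhealthy_agents(endpoint_rows: List[Dict[str, str]],
                          current_content: str) -> List[Dict[str, str]]:
    """Flag installed agents that are not actually doing their job.

    Two conditions are checked: status 'Connection Lost' (the value the reply
    says to review for) and a content version other than the one the fleet is
    expected to be on (assumed column; adjust to the real export).
    """
    problems = []
    for row in endpoint_rows:
        reasons = []
        if row["status"] == "Connection Lost":
            reasons.append("connection lost")
        if row["content_version"] != current_content:
            reasons.append(f"content {row['content_version']} != {current_content}")
        if reasons:
            problems.append({"endpoint_name": row["endpoint_name"],
                             "ip": row["ip"],
                             "reasons": "; ".join(reasons)})
    return problems


if __name__ == "__main__":
    mapper = parse_export(NETWORK_MAPPER_CSV)
    endpoints = parse_export(ENDPOINTS_CSV)
    # Constructed PTR table standing in for real DNS so the script runs offline;
    # swap in dns_resolver (the default) to query your own resolvers.
    names = static_resolver({"10.10.1.12": "srv-app-02.corp.example"})
    for s in find_stragglers(mapper, endpoints, names):
        print(f"no agent: {s['ip']} ({s['hostname'] or 'no PTR record'})")
    for p in find_unhealthy_agents(endpoints, current_content="850-12345"):
        print(f"unhealthy: {p['endpoint_name']} {p['ip']}: {p['reasons']}")
```

Run it against the two real exports by replacing the embedded CSV strings with file contents and leaving `resolve` at its default so `socket.gethostbyaddr` does the lookups; an IP that resolves to a server name but is missing from the endpoint export is the straggler to chase, and a row with "Connection Lost" is the unregistered agent the reply warns about.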