cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Who rated this post

L5 Sessionator

Hi  @MithunKT ,

 

Thank you for writing to Live Community!

 

As per your requirements, scan status can be checked in multiple ways in Cortex XDR. Following are the methods  to do so:

  1. Endpoints Administration: In the Endpoints Tab, go to All Endpoints. We have two columns as "Scan status" and "Last Successful Scan". These can be used in parallel to map which endpoints had the scanning with result in the columns. Scan status can be described as below:Screenshot 2023-01-03 at 8.19.31 PM.png
  2. Agent audit logs: In the agent audit logs, under the "Sub-Type" column, we can filter our "Scan" and find the status of the endpoints with malware scans with description. You can also set notifications forwarding as per your used cases to emails or syslog servers for this in form of agent logs.
  3. XQL Search: You can write your own XQL queries to query the scan status of the endpoints. XQL query also gives you the leverage to create multiple items based on your used cases from generating reports to alerts(eg. generate an alert for endpoints with cancelled scan, or failed scans etc.). A sample XQL query below will list you the list of endpoints with their scan status and last successful scans

 

 

dataset = endpoints 
| fields scan_status , last_successful_scan , endpoint_name , agent_version , last_seen , ip_address , platform , operating_system 

 

 

 

You can also schedule the queries or choose to create reports or widgets in your dashboards to be used in XDR dashboards for your auditing and reporting purposes by sorting endpoints counts on basis of scan status etc. as a sample shown below:

Screenshot 2023-01-03 at 8.51.34 PM.png

 

Hope this helps!Please mark this as "Accept as Solution" if it resolves your query

 

Regards

View solution in original post

Who rated this post