Hi @tlmarques,

Thank you for writing to live community!

Technically, VDI instances should ideally not generate alerts, as they may have been segregated and fine-tuned during the agent deployment when the golden images are scanned. As a result, the VDI images are meant to be provisioned clean so that the same FP does not affect the entire production environment. However, as you cited, there are always corner cases.

In such situations, you can configure your policy rules for VDI instances (I am assuming you may have a separate policy for them, as we always recommend slightly different settings for VDI subgroups) to automatically upload alert data when an alert triggers. Though it depends heavily on how much time the user gives the endpoint to stay online so that the dump can be uploaded, from the Cortex XDR agent side this is very much possible.

The agent settings profile allows you to configure automatic upload of alert data and also to choose the size of the dump that you want to upload to the cloud. Considering that VDI instances are mostly clean and are meant to behave the same way, an alert spinning up on one VDI instance can possibly come across all devices.

As a result, you should be able to capture the dump from at least one of the endpoints automatically.

To enable it, go to XDR prevention profiles > Agent settings > Alerts data.
You can choose the size of the alert data dump and then enable "Automatically Upload Alert Data Dump File".

This should cause the alert dump to be automatically uploaded to the cloud, and you should be able to download it the next time you navigate to Alerts > Retrieve Alert Data.

Hope this helps.

Please feel free to mark the response as "Accept as Solution" if it answers your query.
