Rogue Device Discovery with Cortex XDR

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Rogue Device Discovery with Cortex XDR

L3 Networker

Hi,

I would like to implement Rogue Device Discovery with Cortex XDR but it is not clear for me what I need to do this. We have Cortex XDR Pro per Endpoint license – do I need anything else (like datalike) to set the solution? Can I expect any issues with it or it is working well?

1 accepted solution

Accepted Solutions

L5 Sessionator

Hi @Piotr_Kowalczyk, thanks for reaching the Live Community.

 

With your license your should be able to install a Broker VM, which is needed to activate the Network Mapper App that runs the scans:

https://docs-cortex.paloaltonetworks.com/r/Cortex-XSIAM/Cortex-XSIAM-Administrator-Guide/Activate-th...

 

Here is more info about the Broker VM: https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Broker-VM-O...

 

It should work well, there are not any specific issues reported for now, you need to be sure that the rogue devices respond to the ICMP or TCP port probes from the Broker.

 

JM

View solution in original post

7 REPLIES 7

L5 Sessionator

Hi @Piotr_Kowalczyk, thanks for reaching the Live Community.

 

With your license your should be able to install a Broker VM, which is needed to activate the Network Mapper App that runs the scans:

https://docs-cortex.paloaltonetworks.com/r/Cortex-XSIAM/Cortex-XSIAM-Administrator-Guide/Activate-th...

 

Here is more info about the Broker VM: https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Broker-VM-O...

 

It should work well, there are not any specific issues reported for now, you need to be sure that the rogue devices respond to the ICMP or TCP port probes from the Broker.

 

JM

L3 Networker

Thank you for your reply,

Just two additional questions:

1. Is Cortex Data Lake license required for this? I can see it on the Broker VM diagram so I just want to make sure this won't be a problem.

2. Does the discovery scan runs on the Broker VM (what would require the server to have access to all network segments) or on Cortex XDR agents - what would make sure all devices are discovered?

1- CDL is not required, it is required to ingest logs from other sources than Agents, like firewalls or Okta.

2- The scan is generated from the Broker VM, so yes, you will need to allow the Broker VM and ports/icmp on every segment.

jmazzeo_0-1698154363304.png

You can create the IP ranges in Assets - Network Configuration - IP Address Ranges.

You will see the scan results in Assets - Asset Inventory.

 

Thanks

JM

L3 Networker

Sorry, one more question. I've just noticed that that Agents discover network devices and they are placed in Asset Inventory. I can see only IP address without any additional information. Does it work together with Network Mapper somehow?

 

Piotr_Kowalczyk_0-1698154977744.png

Piotr_Kowalczyk_1-1698155150841.png

 

L5 Sessionator

Yes @Piotr_Kowalczyk, those are the IPs that the agents connect or lookup inside your network. The Network Mapper findings will show the Source as "Broker Scanner".

You will only see the IP Address and the last time that was detected, then based on your inventory decide to install or not the agent if it is possible.

JM

L3 Networker

Thank you!

L4 Transporter

@Piotr_Kowalczyk 
Additionally, If you would like to enrich those discovered assets with hostname, mac address or mac address vendor you would have to ingest "Associated DHCP logs covering those assets" to Cortex XDR but that would require Cortex XDR Pro per GB license

 

PiyushKohli_0-1698205555151.png

 

Ref: Asset-Inventory

 

Hope this helps!

  • 1 accepted solution
  • 4140 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!