10-23-2023 06:29 AM - last edited on 04-18-2024 11:43 AM by emgarcia
Hi,
I would like to implement Rogue Device Discovery with Cortex XDR, but it is not clear to me what I need for this. We have a Cortex XDR Pro per Endpoint license – do I need anything else (like Data Lake) to set up the solution? Can I expect any issues with it, or is it working well?
10-24-2023 05:55 AM
Hi @Piotr_Kowalczyk, thanks for reaching the Live Community.
With your license you should be able to install a Broker VM, which is needed to activate the Network Mapper App that runs the scans.
Here is more info about the Broker VM: https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Broker-VM-O...
It should work well; there are no specific issues reported so far. You need to be sure that the rogue devices respond to the ICMP or TCP port probes from the Broker.
10-24-2023 06:26 AM
Thank you for your reply,
Just two additional questions:
1. Is a Cortex Data Lake license required for this? I can see it on the Broker VM diagram, so I just want to make sure this won't be a problem.
2. Does the discovery scan run on the Broker VM (which would require the server to have access to all network segments) or on the Cortex XDR agents (which would make sure all devices are discovered)?
10-24-2023 06:35 AM
1- CDL is not required; it is required to ingest logs from sources other than Agents, like firewalls or Okta.
2- The scan is generated from the Broker VM, so yes, you will need to allow the Broker VM and the ports/ICMP on every segment.
You can create the IP ranges in Assets - Network Configuration - IP Address Ranges.
You will see the scan results in Assets - Asset Inventory.
Thanks
10-24-2023 06:48 AM
Sorry, one more question. I've just noticed that Agents discover network devices and they are placed in Asset Inventory. I can see only the IP address without any additional information. Does it work together with Network Mapper somehow?
10-24-2023 08:42 AM
Yes @Piotr_Kowalczyk, those are the IPs that the agents connect or lookup inside your network. The Network Mapper findings will show the Source as "Broker Scanner".
You will only see the IP address and the last time it was detected; then, based on your inventory, decide whether or not to install the agent, if it is possible.
10-24-2023 08:47 PM
@Piotr_Kowalczyk
Additionally, if you would like to enrich those discovered assets with hostname, MAC address or MAC address vendor, you would have to ingest "Associated DHCP logs covering those assets" into Cortex XDR, but that would require a Cortex XDR Pro per GB license.
Ref: Asset-Inventory
Hope this helps!
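The enrichment this answer describes, as an added example that is not part of the original thread and not Cortex XDR's own code or export format: constructed Asset Inventory rows (IP, source, last seen, agent present) are joined with constructed DHCP lease log lines to add hostname, MAC and vendor, and the recently seen devices without an agent are listed as the review set the earlier answer mentions. The field names, the DHCP log layout, the OUI table and the sample addresses are all assumptions made for the illustration.

```python
"""Correlate discovered-asset records with DHCP leases (constructed sample data)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample of Asset Inventory rows as the thread describes them:
# scanner findings carry only an IP, a source and a last-seen time.
# Field names are assumptions, not the Cortex XDR export schema.
ASSET_INVENTORY = [
    {"ip": "10.0.1.10", "source": "Broker Scanner", "last_seen": "2023-10-24T08:30:00", "has_agent": True},
    {"ip": "10.0.1.25", "source": "Broker Scanner", "last_seen": "2023-10-24T08:31:00", "has_agent": False},
    {"ip": "10.0.2.7", "source": "Agent", "last_seen": "2023-10-20T12:00:00", "has_agent": False},
    {"ip": "10.0.3.99", "source": "Broker Scanner", "last_seen": "2023-10-24T08:35:00", "has_agent": False},
]

# Constructed DHCP lease log, one lease per line: "<epoch> <mac> <ip> <hostname>".
# The layout is an assumption; a real feed would be whatever the DHCP server emits.
DHCP_LOG = """\
1698134400 00:1a:2b:3c:4d:5e 10.0.1.25 printer-lobby
1698134460 aa:bb:cc:dd:ee:01 10.0.1.10 ws-alice
this line is malformed and must be skipped
1698134520 00:1a:2b:99:88:77 10.0.2.7 iot-camera-2
"""

# Constructed OUI (first three octets) to vendor table; production code would use the IEEE list.
OUI_VENDORS = {"00:1a:2b": "ExampleNet Devices", "aa:bb:cc": "ExampleWorkstations Inc"}


@dataclass
class Asset:
    ip: str
    source: str
    last_seen: datetime
    has_agent: bool
    hostname: Optional[str] = None
    mac: Optional[str] = None
    vendor: Optional[str] = None


def parse_dhcp_log(text: str) -> dict:
    """Map IP -> (mac, hostname), keeping only the newest lease seen for each IP."""
    newest = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[0].isdigit():
            continue  # skip malformed lines instead of aborting the whole correlation
        ts, mac, ip, hostname = int(parts[0]), parts[1].lower(), parts[2], parts[3]
        if ip not in newest or ts > newest[ip][0]:
            newest[ip] = (ts, mac, hostname)
    return {ip: (mac, host) for ip, (_, mac, host) in newest.items()}


def vendor_for(mac: str) -> Optional[str]:
    """Look the MAC's OUI prefix up in the (constructed) vendor table."""
    return OUI_VENDORS.get(mac[:8].lower())


def enrich(inventory: list, dhcp_text: str) -> list:
    """Attach hostname, MAC and vendor to every inventory row that has a matching lease."""
    leases = parse_dhcp_log(dhcp_text)
    assets = []
    for row in inventory:
        asset = Asset(row["ip"], row["source"], datetime.fromisoformat(row["last_seen"]), row["has_agent"])
        if asset.ip in leases:
            asset.mac, asset.hostname = leases[asset.ip]
            asset.vendor = vendor_for(asset.mac)
        assets.append(asset)
    return assets


def agent_candidates(assets: list, now_iso: str, max_age_days: int = 1) -> list:
    """IPs seen within max_age_days that have no agent: the list to review for agent rollout."""
    now = datetime.fromisoformat(now_iso)
    window = timedelta(days=max_age_days)
    return sorted(a.ip for a in assets if not a.has_agent and now - a.last_seen <= window)


def enriched_by_ip(inventory: list = ASSET_INVENTORY, dhcp_text: str = DHCP_LOG) -> dict:
    """Convenience view used by the demo: IP -> (hostname, mac, vendor)."""
    return {a.ip: (a.hostname, a.mac, a.vendor) for a in enrich(inventory, dhcp_text)}


if __name__ == "__main__":
    assets = enrich(ASSET_INVENTORY, DHCP_LOG)
    for a in assets:
        print(f"{a.ip:<10} {a.source:<15} host={a.hostname} mac={a.mac} vendor={a.vendor}")
    print("no agent, seen in last day:", agent_candidates(assets, "2023-10-24T09:00:00"))
```

Stale entries are left out of the review list on purpose: an IP last seen days ago may have been reassigned by DHCP since, so the newest lease is the only one kept per IP and the age window keeps the list to devices that are actually on the network now.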