Manage endpoints - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Documentation

Product
Cortex XDR
Creation date
2024-03-06
Last date published
2024-10-01
Category
Administrator Guide
Abstract

You can view and take actions on endpoints on the All Endpoints page.

The All Endpoints page provides a central location from which you can view and manage the endpoints on which the agent is installed.

To ensure the All Endpoints table is displaying the most useful list of endpoints, you can perform a one-time or periodic cleanup of duplicated entities of the same endpoint from the table. After the cleanup, duplicated entities are removed leaving only one endpoint entry - the last endpoint to connect with the server. Deleted endpoint data is retained for 90 days from the last connection timestamp. If a deleted endpoint reconnects, Cortex XDR recovers and redisplays the endpoint’s existing data.

Navigate to Settings > Configurations > General > Agent Configurations > Endpoint Administration Cleanup. Enable Periodic duplicate cleanup and choose either to run a one-time cleanup or to run the cleanup according to the Host Name, Host IP Address, and/or MAC Address fields every 6 hours, 12 hours, 1 day, or 7 days.
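The cleanup keeps, for each key, only the entry that connected last, so the choice of key fields decides which rows disappear. A useful check before enabling it is to preview what each key choice would remove from an exported endpoint list. The following added example (not Cortex XDR code) does that over constructed rows; the column names endpoint_id, host, ip, mac and last_seen are assumptions, and the keys mirror the Host Name, IP Address and MAC Address fields named above.

```python
"""Preview which All Endpoints rows a duplicate cleanup would remove for a
given choice of key fields, keeping the last-connected entry per group as the
cleanup described above does. Added example, not Cortex XDR code; the row
layout (endpoint_id, host, ip, mac, last_seen) and the rows are constructed."""
from datetime import datetime


def cleanup_duplicates(rows, keys):
    """Group rows on the chosen key fields and keep the newest last_seen in
    each group. Returns (kept_rows, removed_rows)."""
    groups = {}
    for row in rows:
        groups.setdefault(tuple(row[k] for k in keys), []).append(row)
    kept, removed = [], []
    for members in groups.values():
        members = sorted(members, key=lambda r: r["last_seen"], reverse=True)
        kept.append(members[0])       # last endpoint to connect survives
        removed.extend(members[1:])   # older duplicates are dropped
    return kept, removed


def removed_ids(rows, keys):
    """Endpoint IDs the cleanup would drop, sorted for stable comparison."""
    return sorted(r["endpoint_id"] for r in cleanup_duplicates(rows, keys)[1])


# Constructed inventory: ws-01 was reinstalled (two IDs, same host and MAC);
# ws-02 later received the same DHCP address that ws-01 once used.
ROWS = [
    {"endpoint_id": "e1", "host": "ws-01", "ip": "10.0.0.5",
     "mac": "aa:bb:cc:00:00:01", "last_seen": datetime(2024, 9, 1)},
    {"endpoint_id": "e2", "host": "ws-01", "ip": "10.0.0.5",
     "mac": "aa:bb:cc:00:00:01", "last_seen": datetime(2024, 9, 20)},
    {"endpoint_id": "e3", "host": "ws-02", "ip": "10.0.0.5",
     "mac": "aa:bb:cc:00:00:02", "last_seen": datetime(2024, 9, 25)},
]

if __name__ == "__main__":
    # Keying on host name plus MAC removes only the stale reinstall entry.
    print("host+mac removes:", removed_ids(ROWS, ("host", "mac")))
    # Keying on IP alone also removes ws-01's live entry (e2), because the
    # address was reused: pick the key fields with DHCP churn in mind.
    print("ip only removes:", removed_ids(ROWS, ("ip",)))
```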

The right-click pivot menu displays the actions you can perform. The following table describes the list of actions you can perform on your endpoints.

Field

Action

Endpoint Control

  • Open in interactive mode

  • Perform Heartbeat

  • Set an alias for an endpoint

  • Upgrade Cortex XDR agents

  • Retrieve Support File

  • Collect Detailed Host Firewall Logs

  • Triage Endpoint

  • Set Endpoint Proxy

  • Uninstall the Cortex XDR agent

  • Delete Endpoint

  • Disable Capabilities (Live Terminal, Script Execution, and File Retrieval)

  • Include/Exclude endpoints from auto upgrade

    Note

    You cannot enable auto upgrade for Mobile, VDI, and TS installations.

  • Clear the Agent database

    Available only when using debugging mode (Alt+Right-Click)

  • Manage endpoint tags

  • Send Push Notification (iOS App)

  • Manage Agent Tokens

Endpoint Data

  • Open Asset View

  • View Incidents (in same tab or new tab)

  • View Endpoint Policy

  • View Actions

  • View Endpoint Logs

The following table describes both the default and additional optional fields that you can view in the All Endpoints table and lists. Clicking on a row in the All Endpoints table opens a detailed view of the endpoint.

Field

Description

Active Directory

Active Directory Groups and Organizational Units to which the user belongs.

Assigned Extensions Policy

Policy related to extensions and devices connected to the endpoint.

Assigned Prevention Policy

Policy assigned to the endpoint.

Agent Version

Agent version that is installed on the endpoint.

Auto Upgrade Status

When Cortex XDR agent Auto Upgrades are enabled, indicates the action status.

To include or exclude one or more endpoints from auto upgrade, right-click and select Endpoint Control > Include/Exclude endpoints from auto upgrade.

Note

After an endpoint is excluded, the Auto upgrade profile configuration will no longer be available.

If you exclude the endpoint from Auto Upgrade while the Auto Upgrade Status is In progress status, the ongoing upgrade will still take place.

Cloud Info

IBM and Alibaba Cloud metadata reported by the endpoint.

Content Auto Update

Whether automatic content updates are Enabled or Disabled for the endpoint in the agent settings profile.

Content Release Timestamp

Time and date of when the current content version was released.

Content Rollout Delay (days)

If you configured delayed content rollout, the number of days for delay is displayed here.

Content Status

Status of the content version on the relevant endpoint. The Cortex XDR tenant attempts to contact an endpoint and check the content version over a 7-day period. After this period, the tenant displays one of the following statuses:

  • Up to Date - The endpoint is running with the latest content version

  • Waiting for Update - Cortex XDR is in the process of updating the new content version. Depending on your bandwidth and network connection, updating the content version may take time.

  • Outdated - The endpoint is running on an outdated content version.

  • Offline - The endpoint is disconnected.

Note

Content Status is calculated every 30 minutes, therefore, there could be a delay of up to 30 minutes in displaying the data.

Content Version

Content update version used with the agent.

Disabled Capabilities

List of capabilities that were disabled on the endpoint. To disable one or more capabilities, right-click the endpoint name and select Endpoint Control > Disable Capabilities. Options are:

  • Live Terminal

  • Script Execution

  • File Retrieval

You can disable these capabilities during the agent installation on the endpoint or through Endpoint Administration. Disabling any of these actions is irreversible, so if you later want to enable the action on the endpoint, you must uninstall the agent and install a new package on the endpoint.

Domain

Domain or workgroup to which the endpoint belongs, if applicable.

Note

Only supported for Windows and macOS.

Endpoint Alias

If you assigned an alias to represent the endpoint in Cortex XDR, the alias is displayed here. To set an endpoint alias, right-click in the endpoint row and select Endpoint Control > Change endpoint alias. The alias can contain any of the following characters:

a-Z, 0-9, !@#$%^&:()-'{}~_.

Endpoint ID

Unique ID assigned by Cortex XDR that identifies the endpoint.

Endpoint Isolated

Isolation status, either:

  • Isolated: The endpoint has been isolated from the network with communication permitted to only Cortex XDR and to any IP addresses and processes included in the allow list.

  • Not Isolated: Normal network communication is permitted on the endpoint.

  • Pending Isolation: The isolation action has reached the server and is pending contact with the endpoint.

  • Pending Isolation Cancellation: The cancel isolation action has reached the server and is pending contact with the endpoint.

Endpoint Name

Hostname of the endpoint. If the agent enables Pro features, this field also includes a PRO badge. For Android endpoints, the hostname comprises the <firstname><lastname> of the registered user, with a separating dash.

Endpoint Status

Registration status of the agent on the endpoint:

  • Connected: The agent has checked in within 10 minutes for standard endpoints, and within 3 hours for mobile endpoints.

  • Connection Lost: The agent has not checked in within 30 to 180 days for standard endpoints, and between 90 minutes and 6 hours for VDI and temporary sessions.

  • Disconnected: The agent has not checked in within the defined inactivity window: between 10 minutes and 30 days for standard and mobile endpoints, and between 10 minutes and 90 minutes for VDI and temporary sessions.

  • VDI Pending Log-on: (Windows only) Indicates a non-persistent VDI endpoint is waiting for user logon, after which the agent consumes a license and starts enforcing protection.

  • Uninstalled: The agent has been uninstalled from the endpoint.
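The check-in windows above can be applied to an exported endpoint list to flag hosts that have stopped reporting. The following added example (not Cortex XDR code) encodes the documented windows for standard, mobile and VDI/temporary-session endpoints and runs them over constructed records; the kind labels, field names and timestamps are assumptions, and an age that falls outside every documented window returns None rather than a guessed status.

```python
"""Classify endpoint check-in freshness using the Endpoint Status windows
documented above. Added example, not Cortex XDR code: the thresholds come
from the text; the kind labels, record layout and clock are constructed."""
from datetime import datetime, timedelta, timezone

MIN, HOUR, DAY = timedelta(minutes=1), timedelta(hours=1), timedelta(days=1)

# Upper bound of (Connected, Disconnected, Connection Lost) per endpoint
# class, as stated on the page. Mobile has no documented Connection Lost
# window, so it is left as None.
WINDOWS = {
    "standard": (10 * MIN, 30 * DAY, 180 * DAY),
    "mobile":   (3 * HOUR, 30 * DAY, None),
    "vdi":      (10 * MIN, 90 * MIN, 6 * HOUR),   # also temporary sessions
}


def endpoint_status(kind, last_seen, now, uninstalled=False):
    """Return the documented status string for one endpoint, or None when
    the age since last check-in lies outside every documented window."""
    if uninstalled:
        return "Uninstalled"
    age = now - last_seen
    connected, disconnected, lost = WINDOWS[kind]
    if age <= connected:
        return "Connected"
    if age <= disconnected:
        return "Disconnected"
    if lost is not None and age <= lost:
        return "Connection Lost"
    return None


def stale_endpoints(records, now):
    """Names of endpoints that are not Connected, for an inventory audit."""
    return [r["name"] for r in records
            if endpoint_status(r["kind"], r["last_seen"], now) != "Connected"]


NOW = datetime(2024, 10, 1, 12, 0, tzinfo=timezone.utc)   # constructed clock
SAMPLE = [                                                # constructed rows
    {"name": "ws-01",   "kind": "standard", "last_seen": NOW - 5 * MIN},
    {"name": "ws-02",   "kind": "standard", "last_seen": NOW - 2 * DAY},
    {"name": "vdi-07",  "kind": "vdi",      "last_seen": NOW - 2 * HOUR},
    {"name": "phone-3", "kind": "mobile",   "last_seen": NOW - 2 * HOUR},
]

if __name__ == "__main__":
    for r in SAMPLE:
        print(r["name"], endpoint_status(r["kind"], r["last_seen"], NOW))
    print("stale:", stale_endpoints(SAMPLE, NOW))
```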

Endpoint Type

Type of endpoint.

Endpoint Version

Version of the agent that runs on the endpoint.

First Seen

Date and time the agent first checked in (registered) with Cortex XDR.

Golden Image ID

For endpoints with a System Type of Golden Image, the image ID is a unique identifier for the golden image.

Group Names

Endpoint Groups of which the endpoint is a member, if applicable.

Incompatibility Mode

Agent incompatibility status, either:

  • Agent Incompatible: The agent is incompatible with the environment and cannot recover.

  • OS Incompatible: The agent is incompatible with the operating system.

When agents are compatible with the operating system and environment, this field is blank.

Isolation Date

Date and time of when the endpoint was Isolated. Displayed only for endpoints in Isolated or Pending Isolation Cancellation status.

Install Date

Date and time at which the agent was first installed on the endpoint.

Installation Package

Installation package name used to install the agent.

Installation Type

Type of installation.

IP Address

Last known IPv4 address of the endpoint.

IPv6 Address

Last known IPv6 address of the endpoint.

Is EDR Enabled

Whether EDR data is enabled on the endpoint.

Last Certificate Enforcement Fallback

(For Windows and macOS endpoints.) If Certificate Enforcement is Enabled, this column shows the date and time at which a fallback certificate from the local store was used. If no fallback is used, this field remains empty.

Last Content Update Time

Time and date when the agent last deployed a content update.

Last Origin IP

Last IPv4 address from which the XDR agent connected.

Last Origin IPv6

Last IPv6 address from which the XDR agent connected.

Last Scan

Date and time of the last malware scan on endpoint.

Last Seen

Date and time of the last change in an agent's status. This can occur when Cortex XDR receives a periodic status report from the agent (once an hour), a user performed a manual Check In, or a security event occurred.

Note

Changes to the agent status can take up to ten minutes to display in Cortex XDR.

Last Used Proxy

IP address and port number of proxy that was last used for communication between the agent and Cortex XDR.

Last Used Proxy Port

Last proxy port used on endpoint.

Linux Operation Mode

(Agent 7.7 and later for Linux) Operation mode in which the agent runs on your Linux endpoint.

Last Upgrade Failure Reason

Reason an upgrade failed.

Last Upgrade Source

Source of the upgrade installation file.

Last Upgrade Status

Status of the last upgrade.

Last Upgrade Status Time

Date and time of the last upgrade.

MAC Address

Endpoint MAC address that corresponds to the IP address. Currently, this information is available only for IPv4 addresses.

Mobile ID

Unique identifier of the agent located on an Android or iOS mobile.

Network Interface

Relationship between the MAC address and the IP address for agents that can report the network interfaces information. Information is displayed in JSON format, and searches can be performed on attributes in JSON.

Network Location

(Agent v7.1 and later for Windows, and agent v7.2 and later for macOS and Linux) Endpoint location reported by the agent when you enable this capability in the Agent Settings profile.

Operating System

Name of the operating system.

Operational Status

XDR agent operational status:

  • Protected: The agent is running as configured and did not report any exceptions to Cortex XDR.

  • Partially protected: The agent reported one or more exceptions to Cortex XDR. Clicking the row opens the detailed view, which shows why the endpoint is partially protected.

  • Unprotected: The Cortex XDR agent was shut down.

OS Description

Operating system version name.

OS Type

Name of the operating system.

OS Version

Operating system version number.

Platform

Platform architecture.

Proxy

IP address and port number of the configured proxy server.

Scan Status

Malware scan status.

Managed Device

Whether an iOS device has a corporate profile installed on it and is to some extent controlled and managed by the corporation.

Tags

Tags associated with the endpoint.

Tags created in the agent are displayed with a shield icon.

User

User that was last logged into the endpoint. On Android endpoints, the Cortex XDR tenant identifies the user from the email prefix specified during app activation.