The→ page provides a central location from which you can view and manage the endpoints on which the agent is installed.
To ensure the All Endpoints table is displaying the most useful list of endpoints, you can perform a one-time or periodic cleanup of duplicated entities of the same endpoint from the table. After the cleanup, duplicated entities are removed leaving only one endpoint entry - the last endpoint to connect with the server. Deleted endpoint data is retained for 90 days from the last connection timestamp. If a deleted endpoint reconnects, Cortex XDR recovers and redisplays the endpoint’s existing data.
Navigate to Periodic duplicate cleanup and select to either run one-time cleanup or define to run according to the Host Name, Host IP Address, and/or MAC Address fields every 6 hours, 12 hours, 1 day, or 7 days.→ → → → . Enable the
To investigate a single endpoint, right click it, select Endpoint Data , and open the Asset view.
The right-click pivot menu that is available for each endpoint displays the actions you can perform. The following table describes the list of actions you can perform on your endpoints.
View Endpoint Data
The following table describes both the default and additional optional fields that you can view in the All Endpoints table and lists.
The table lists the fields in alphabetical order.
Check box to select one or more endpoints on which to perform actions.
Lists all Active Directory Groups and Organizational Units to which the user belongs.
Policy assigned to the endpoint.
Auto Upgrade Status
When Agent Auto Upgrades are enabled, indicates the action status is either:
To include or exclude one or more endpoints from auto upgrade, right-click and select→
After an endpoint is excluded, the Auto upgrade profile configuration will no longer be available.
If you exclude the endpoint from Auto Upgrade while the Auto Upgrade Status is In progress status, the ongoing upgrade will still take place.
Displays IBM and Alibaba Cloud metadata reported by the endpoint.
Content Auto Update
Indicates whether automatic content updates are Enabled or Disabled for the endpoint. See Agent Settings profile.
Content Release Timestamp
Displays the time and date of when the current content version was released.
Content Rollout Delay (days)
If you configured delayed content rollout, the number of days for delay is displayed here. See Agent Settings profile.
Displays the status of the content version on the relevant endpoint. The Cortex XDR tenant attempts to contact an endpoint and check the content version over a 7 day period. After this period the tenant displays one of the following statuses:
Content Status is calculated every 30 minutes, therefore, there could be a delay of up to 30 minutes in displaying the data.
Content update version used with the agent.
A list of the capabilities that were disabled on the endpoint. To disable one or more capabilities, right-click the endpoint name and select Options are: → .
You can disable these capabilities during the agent installation on the endpoint or through Endpoint Administration. Disabling any of these actions is irreversible, so if you later want to enable the action on the endpoint, you must uninstall the agent and install a new package on the endpoint.
Domain or workgroup to which the endpoint belongs, if applicable.
Only supported for Windows and macOS.
If you assigned an alias to represent the endpoint in Cortex XDR, the alias is displayed here. To set an endpoint alias, right-click the endpoint name, and select Change endpoint alias. The alias can contain any of the following characters:
Unique ID assigned by Cortex XDR that identifies the endpoint.
Isolation status, either:
Hostname of the endpoint. If the agent enables Pro features, this field also includes a PRO badge. For Android endpoints, the hostname comprises the <
Registration status of the agent on the endpoint:
Type of endpoint: Mobile, Server, or Workstation.
Versions of the agent that runs on the endpoint.
Date and time the agent first checked in (registered) with Cortex XDR.
Golden Image ID
For endpoints with a System Type of Golden Image, the image ID is a unique identifier for the golden image.
Endpoint Groups to which the endpoint is a member, if applicable. See Define Endpoint Groups.
Agent incompatibility status, either:
When agents are compatible with the operating system and environment, this field is blank.
Date and time of when the endpoint was Isolated. Displayed only for endpoints in Isolated or Pending Isolation Cancellation status.
Date and time at which the agent was first installed on the endpoint.
Installation package name used to install the agent.
Type of installation:
Last known IPv4 address of the endpoint.
Last known IPv6 address of the endpoint.
Is EDR Enabled
Whether EDR data is enabled on the endpoint.
Last Content Update Time
Displays the time and date when the agent last deployed a content update.
Last Origin IP
Represents the last IPv4 address from which the XDR agent connected.
Last Origin IPv6
Represents the last IPv6 address from which the XDR agent connected.
Date and time of the last malware scan on endpoint.
Date and time of the last change in an agent's status. This can occur when Cortex XDR receives a periodic status report from the agent (once an hour), a user performed a manual Check In, or a security event occurred.
Changes to the agent status can take up to ten minutes to display on Cortex XDR .
Last Used Proxy
The IP address and port number of proxy that was last used for communication between the agent and Cortex XDR.
Last Used Proxy Port
Last proxy port used on endpoint.
Linux Operation Mode
(Agent v7.7 and later for Linux) Displays the type of operation mode your Linux endpoint is running by the agent. The operation modes available are; Kernel, User Space, or Kernel Disabled.
The endpoint MAC address that corresponds to the IP address. Currently, this information is available only for IPv4 addresses.
Unique identifier of the agent located on an Android or iOS mobile.
The relationship between the MAC address and the IP address for agents that can report the network interfaces information. Information is displayed in JSON format, and searches can be performed on attributes in JSON.
Agent v7.1 and later for Windows and agent v7.2 and later for macOS and Linux) Endpoint location is reported by the agent when you enable this capability in the Agent Settings profile:
Name of the operating system.
XDR agent operational status:
Operating system version name.
Name of the operating system.
Operating system version number.
IP address and port number of the configured proxy server.
Malware scan status, either:
Indicates whether an iOS device has a corporate profile installed on it and is to some extent controlled and managed by the corporation.
Displays the tags associated with the endpoint.
Tags created in the agent are displayed with a shield icon.
User that was last logged into the endpoint. On Android endpoints, the Cortex XDR tenant identifies the user from the email prefix specified during app activation.