Cortex XSIAM enables you to review the inventory of all your hosts (endpoints) and identify any IT and security issues in your network.
With Host Inventory, you gain full visibility into the business and IT operational data on all your endpoints. By reviewing the inventory for all your hosts in a single place, you can quickly identify IT and security issues that exist in your network, such as a suspicious service or autorun that was added to an endpoint.
The Cortex XDR agent scans the endpoint every 24 hours for any updates and displays the data found over the last 30 days. Alternatively, you can rescan the endpoint to retrieve the most up-to-date data. It can take Cortex XSIAM up to 6 hours to collect initial data from all endpoints in your network.
The following are prerequisites to enable Host Inventory for your Cortex XSIAM instance:
Requirement | Description |
---|---|
Licenses and Add-ons |
|
Supported Platforms |
|
Setup and Permissions |
|
The Cortex XSIAM Host inventory includes the following entities and information, according to the operating system running on the endpoint:
Entity | Windows | Mac | Linux |
---|---|---|---|
Accessibility | — | — | |
Applications | |||
Autoruns | |||
Daemons | — | ||
Disks | |||
Drivers | — | ||
Extensions | — | — | |
Groups | |||
Mounts | — | ||
Services | — | — | |
Shares | |||
System Information | |||
Users | |||
Users to Groups |
For each entity, Cortex XSIAM lists all the details about the entity, and the details about the endpoint it applies to. For example, the default Services view lists a separate row for every service on every endpoint.
Alternatively, to better understand the overall presence of each entity on the total number of endpoints, you can switch to aggregated view (click ) and group the data by the main entity. You can also sort and filter according to the number of affected endpoints. For example, in the Services aggregated view, you can sort by the number of affected endpoints to identify the least commonly deployed service in your network. To get a closer view of all endpoints, right-click and select View affected endpoints.
View Host Inventory
To view the Host inventory, go to → → . You can export the tables and respective asset views to a tab-separated values (TSV) file.
Data | Description |
---|---|
Accessibility | Details about installed applications that require and were allowed special permissions to enable a camera, microphone, accessibility features, full disk access, or screen captures. |
Applications | Details about all applications installed on your endpoints. For each application, Cortex XSIAM lists the existing CVEs and the vulnerability severity score that reflects the highest NIST vulnerability score detected for the application. To further examine these vulnerabilities, see Application Analysis. |
Autoruns | Details about executables that start automatically when the user logs in or boots the endpoint. Cortex XSIAM displays information about autoruns that are configured in the endpoint Registry, startup folders, scheduled tasks, services, drivers, daemons, extensions, Crond tasks, login items, and login and logout hooks. For each autorun, Cortex XSIAM lists the autorun type and configuration, such as startup method, CMD, user details, and image path. |
Daemons | Details about all daemons that exist on the endpoint. For each daemon, Cortex XSIAM lists the following details.
|
Disks | Details about the disk volumes that exist on an endpoint. For each disk that exists on an endpoint, Cortex XSIAM lists details such as the drive type, name, file system, free space, and total size. |
Drivers | Details about all the drivers installed on an endpoint. For each driver, Cortex XSIAM lists all the following details:
|
Extensions | Details about the system and kernel extensions currently running on your Mac endpoints. For each extension, Cortex XSIAM lists the following details:
|
Groups | Details about all user groups defined on an endpoint. For each group, Cortex XSIAM lists identifying details, such as name, SID/GID name, and type. |
Mounts | Details about all the drives, volumes, and disks that were mounted on endpoints. For each mount, Cortex XSIAM lists the mount point directory, file system type, mount spec, and GUID. |
Services | Details about all the services running on an endpoint. For each service, Cortex XSIAM lists all the following details:
|
Shares | Details about network shared folders defined on an endpoint. For each folder, Cortex XSIAM lists all the following details:
|
System Information | General system information about an endpoint. For each endpoint, Cortex XSIAM lists all the following details:
|
Users | List of users whose credentials are stored on the endpoint. For each user, Cortex XSIAM lists all the following details.
|
Users to Groups | A list mapping all the users, local and in your domain, to the existing user groups on an endpoint. Note
|
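
The aggregated view's "least commonly deployed service" check can also be run offline against a Services table exported to TSV. The following is an added example, not Palo Alto Networks code: the column names `endpoint_name`, `service_name` and `image_path` and all sample rows are assumptions constructed for illustration, so match them to the header row of your own export.

```python
import csv
import io
from collections import defaultdict

# Constructed sample standing in for a Services table exported to TSV.
# Column names and values are assumptions, not the product's real export schema.
SAMPLE_TSV = (
    "endpoint_name\tservice_name\timage_path\n"
    "ws-001\tSpooler\tC:\\Windows\\System32\\spoolsv.exe\n"
    "ws-002\tSpooler\tC:\\Windows\\System32\\spoolsv.exe\n"
    "WS-003\tspooler\tC:\\Windows\\System32\\spoolsv.exe\n"
    "ws-001\tWinDefend\tC:\\Program Files\\Windows Defender\\MsMpEng.exe\n"
    "ws-002\tWinDefend\tC:\\Program Files\\Windows Defender\\MsMpEng.exe\n"
    "ws-002\tupdsvc_helper\tC:\\Users\\Public\\updsvc.exe\n"
)

ENDPOINT_COL = "endpoint_name"  # assumed header name
ENTITY_COL = "service_name"     # assumed header name


def aggregate_by_entity(tsv_text, entity_col=ENTITY_COL, endpoint_col=ENDPOINT_COL):
    """Group rows by entity and collect the distinct endpoints that have it."""
    reader = csv.DictReader(io.StringIO(tsv_text), delimiter="\t")
    missing = {entity_col, endpoint_col} - set(reader.fieldnames or [])
    if missing:
        raise ValueError(f"export is missing columns: {sorted(missing)}")
    endpoints = defaultdict(set)
    for row in reader:
        # Normalise case and whitespace so 'Spooler' and 'spooler' group together.
        name = (row[entity_col] or "").strip().casefold()
        host = (row[endpoint_col] or "").strip().casefold()
        if name and host:
            endpoints[name].add(host)
    return endpoints


def least_common(endpoints, max_hosts=1):
    """Return (entity, hosts) pairs present on at most max_hosts endpoints, rarest first."""
    rare = [(n, sorted(h)) for n, h in endpoints.items() if len(h) <= max_hosts]
    return sorted(rare, key=lambda item: (len(item[1]), item[0]))


if __name__ == "__main__":
    for name, hosts in least_common(aggregate_by_entity(SAMPLE_TSV)):
        print(f"{name}\t{len(hosts)}\t{', '.join(hosts)}")
```

A service that appears on a single endpoint is a lead for review, not a verdict; the same grouping works for the Autoruns or Drivers tables by changing the entity column.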