You can view and take actions on endpoints on the All Endpoints page.
The All Endpoints page provides a central location from which you can view and manage the endpoints on which the agent is installed.
To investigate a single endpoint, right-click it and select Endpoint Data → Open Asset View.
To ensure the All Endpoints table is displaying the most accurate list of endpoints, you can perform a one-time or periodic cleanup of duplicated entities. After the cleanup, duplicated entities are removed leaving only one endpoint entry, which is the last endpoint to connect with the server. Deleted endpoint data is retained for 90 days from the last connection timestamp. If a deleted endpoint reconnects, Cortex XSIAM recovers and redisplays the endpoint’s existing data.
Go to Settings → Configurations → General → Agent Configurations → Endpoint Administration Cleanup. Enable the Periodic duplicate cleanup and select either One-time cleanup or define a periodic cleanup to run according to the Host Name, Host IP Address, and/or MAC Address fields at a specific time interval.
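Before enabling the cleanup, it helps to preview which entries a given field selection would collapse. The following sketch is an added example, not Cortex XSIAM code: it assumes entries count as duplicates when all selected fields match case-insensitively, and the record layout and field names (`endpoint_id`, `host_name`, `ip`, `mac`, `last_seen`) are hypothetical.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# From the page: deleted endpoint data is retained 90 days from last connection.
RETENTION = timedelta(days=90)

# Constructed sample rows; the column names are assumptions, not a product export schema.
ENDPOINTS = [
    {"endpoint_id": "a1", "host_name": "WS-0142", "ip": "10.0.4.17",
     "mac": "00:16:3e:aa:01:02", "last_seen": "2024-05-02T08:15:00"},
    {"endpoint_id": "b7", "host_name": "ws-0142", "ip": "10.0.4.17",
     "mac": "00:16:3E:AA:01:02", "last_seen": "2024-06-11T14:40:00"},
    {"endpoint_id": "c3", "host_name": "WS-0142", "ip": "10.0.9.80",
     "mac": "00:16:3e:bb:09:10", "last_seen": "2024-06-12T09:05:00"},
    {"endpoint_id": "d9", "host_name": "DB-0007", "ip": "10.0.7.5",
     "mac": "00:16:3e:cc:07:05", "last_seen": "2024-06-12T10:00:00"},
]


def plan_cleanup(endpoints, match_fields):
    """Return (kept ids, [(removed id, data retained until)]) for a field selection."""
    groups = defaultdict(list)
    for ep in endpoints:
        # Assumption: entries are duplicates only if ALL selected fields match.
        key = tuple(ep[f].strip().lower() for f in match_fields)
        groups[key].append(ep)

    keep, remove = [], []
    for members in groups.values():
        members.sort(key=lambda ep: datetime.fromisoformat(ep["last_seen"]))
        # The surviving entry is the last one to connect.
        keep.append(members[-1]["endpoint_id"])
        for ep in members[:-1]:
            until = datetime.fromisoformat(ep["last_seen"]) + RETENTION
            remove.append((ep["endpoint_id"], until.date().isoformat()))
    return sorted(keep), sorted(remove)


if __name__ == "__main__":
    for fields in (["host_name"], ["host_name", "ip", "mac"]):
        print(fields, plan_cleanup(ENDPOINTS, fields))
```

In the sample data, matching on host name alone also removes an entry with a different MAC address that shares the hostname, while matching on all three fields leaves it in place.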
Endpoint actions
The right-click pivot menu displays the actions you can perform on your endpoints. For more information about these actions, see the topics in this section, and the topics under Manage endpoint protection.
Note
For the Include endpoints from auto upgrade action, you cannot enable auto upgrade for Mobile, VDI, and TS installations.
The following table describes both the default and additional optional fields that you can view in the All Endpoints table and lists. Clicking on a row in the All Endpoints table opens a detailed view of the endpoint.
Field | Description |
---|---|
Active Directory | Active Directory Groups and Organizational Units to which the user belongs. |
Assigned Extensions Policy | Policy related to extensions and devices connected to the endpoint. |
Assigned Prevention Policy | Policy assigned to the endpoint. |
Agent Version | Agent version that is installed on the endpoint. |
Auto Upgrade Status | When Cortex XDR agent auto upgrades are enabled, this field indicates the action status. Note: If an endpoint is excluded, the auto upgrade profile configuration is not available. If you exclude the endpoint from auto upgrade while the auto upgrade action is In progress, the ongoing upgrade will still take place. |
Cloud Info | IBM and Alibaba Cloud metadata reported by the endpoint. |
Content Auto Update | Whether automatic content updates are Enabled or Disabled for the endpoint in the agent settings profile. |
Content Release Timestamp | Time and date of when the current content version was released. |
Content Rollout Delay (days) | If you configured delayed content rollout, the number of days for delay is displayed here. |
Content Status | Status of the content version on the relevant endpoint. The Cortex XSIAM tenant attempts to contact an endpoint and check the content version over a 7-day period. After this period the tenant displays one of the following statuses:
Note: Content Status is calculated every 30 minutes. Therefore, there might be a delay of up to 30 minutes in displaying the data. |
Content Version | Content update version used with the agent. |
Disabled Capabilities | List of capabilities that were disabled on the endpoint. Options are Live Terminal, Script Execution, and File Retrieval. You can disable these capabilities during agent installation on the endpoint or through Endpoint Administration. Disabling any of these actions is irreversible. If you later want to enable the action on the endpoint, you must uninstall the agent and install a new package on the endpoint. |
Domain | Domain or workgroup to which the endpoint belongs. Note: Only supported for Windows and macOS. |
Endpoint Alias | If you assigned an alias to represent the endpoint in Cortex XSIAM, the alias is displayed here. To set an endpoint alias, right-click in the endpoint row, select Endpoint Control → Change Endpoint Alias. The alias can contain any of the following characters:
|
Endpoint ID | Unique ID that identifies the endpoint. |
Endpoint Isolated | Isolation status, either:
|
Endpoint Name | Hostname of the endpoint. If the agent enables Pro features, this field also includes a PRO badge. For Android endpoints, the hostname comprises the < |
Endpoint Status | Registration status of the agent on the endpoint:
|
Endpoint Type | Type of endpoint. |
Endpoint Version | Versions of the agent that runs on the endpoint. |
First Seen | Date and time the agent first checked in (registered) with Cortex XSIAM. |
Golden Image ID | For endpoints with a System Type of Golden Image, the image ID is a unique identifier for the golden image. |
Group Names | Endpoint Groups of which the endpoint is a member, if applicable. |
Incompatibility Mode | Agent incompatibility status, either:
When agents are compatible with the operating system and environment, this field is blank. |
Isolation Date | Date and time of when the endpoint was Isolated. Displayed only for endpoints in Isolated or Pending Isolation Cancellation status. |
Install Date | Date and time at which the agent was first installed on the endpoint. |
Installation Package | Installation package name used to install the agent. |
Installation Type | Type of installation. |
IP Address | Last known IPv4 address of the endpoint. |
IPv6 Address | Last known IPv6 address of the endpoint. |
Is EDR Enabled | Whether EDR data is enabled on the endpoint. |
IT Metric Collection | Whether the endpoint is collecting IT performance data. |
Last Certificate Enforcement Fallback | (For Windows and macOS endpoints.) If Certificate Enforcement is Enabled, this column shows the date and time a fallback certificate from the local store was used. If no fallback is used, this field remains empty. |
Last Content Update Time | Time and date when the agent last deployed a content update. |
Last Origin IP | Last IPv4 address from which the XDR agent connected. |
Last Origin IPv6 | Last IPv6 address from which the XDR agent connected. |
Last Scan | Date and time of the last malware scan on the endpoint. |
Last Seen | Date and time of the last change in an agent's status. This can occur when Cortex XSIAM receives a periodic status report from the agent (once an hour), a user performed a manual Check In, or a security event occurred. Note: Changes to the agent status can take up to ten minutes to display on Cortex XSIAM. |
Last Used Proxy | IP address and port number of proxy that was last used for communication between the agent and Cortex XSIAM. |
Last Used Proxy Port | Last proxy port used on endpoint. |
Linux Operation Mode | (Agent 7.7 and later for Linux) Operation mode in which the agent runs on the Linux endpoint. |
Last Upgrade Failure Reason | Reason an upgrade failed. |
Last Upgrade Source | Source of the upgrade installation file. |
Last Upgrade Status | Status of the last upgrade. |
Last Upgrade Status Time | Date and time of the last upgrade. |
MAC Address | Endpoint MAC address that corresponds to the IP address. Currently, this information is available only for IPv4 addresses. |
Mobile ID | Unique identifier of the agent located on an Android or iOS mobile. |
Network Interface | Relationship between the MAC address and the IP address for agents that can report the network interfaces information. Information is displayed in JSON format, and searches can be performed on attributes in JSON. |
Network Location | (Agent v7.1 and later for Windows and agent v7.2 and later for macOS and Linux) Endpoint location is reported by the agent when you enable this capability in the Agent Settings profile. |
Operating System | Name of the operating system. |
Operational Status | Cortex XDR agent operational status:
|
OS Description | Operating system version name. |
OS Type | Name of the operating system. |
OS Version | Operating system version number. |
Platform | Platform architecture. |
Proxy | IP address and port number of the configured proxy server. |
Scan Status | Malware scan status. |
Managed Device | Whether an iOS device has a corporate profile installed on it and is to some extent controlled and managed by the corporation. |
Tags | Tags associated with the endpoint. Tags created in the agent are displayed with a shield icon. |
User | User that was last logged into the endpoint. On Android endpoints, the Cortex XSIAM tenant identifies the user from the email prefix specified during app activation. |