Host Inventory
With Host inventory, you gain full visibility into, and an inventory of, the business and IT operational data on all your endpoints. By reviewing the inventory for all your hosts in a single place, you can quickly identify IT and security issues that exist in your network, such as a suspicious service or autorun that was added to an endpoint. The Cortex XDR agent scans the endpoint every 24 hours for any updates. Alternatively, you can rescan the endpoint to retrieve the most updated data.
The following are prerequisites to enable Host inventory for your Cortex XDR instance:
- Provision an active Cortex XDR Pro per Endpoint license.
- Verify the Cortex XDR Host Insights Add-on is enabled on your tenant.
- Ensure that you are running a Cortex XDR agent 7.1 or later release.
- Ensure Host Inventory Data Collection is enabled for your Cortex XDR agents.
It can take Cortex XDR up to 6 hours to collect initial data from all endpoints in your network.
The Cortex XDR Host inventory includes the following entities and information, according to the operating system running on the endpoint:
Entity | Windows | Mac | Linux |
---|---|---|---|
Accessibility | — | ✓ | — |
Applications | ✓ | ✓ | ✓ |
Autoruns | ✓ | ✓ | ✓ |
Daemons | — | ✓ | ✓ |
Disks | ✓ | ✓ | ✓ |
Drivers | ✓ | — | ✓ |
Extensions | — | ✓ | — |
Groups | ✓ | ✓ | ✓ |
Mounts | — | ✓ | ✓ |
Services | ✓ | — | — |
Shares | ✓ | ✓ | ✓ |
System Information | ✓ | ✓ | ✓ |
Users | ✓ | ✓ | ✓ |
Users to Groups | ✓ | ✓ | ✓ |
For each entity, Cortex XDR lists all the details about the entity, and the details about the endpoint it applies to. For example, the default Services view lists a separate row for every service on every endpoint.

Alternatively, to better understand the overall presence of each entity across the total number of endpoints, you can switch to the aggregated view and group the data by the main entity. You can also sort and filter according to the number of affected endpoints. For example, in the Services aggregated view, you can sort by the number of affected endpoints to identify the least commonly deployed service in your network. To get a closer view of all endpoints, right-click and select View affected endpoints.
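The aggregated-view analysis described above, applied offline to exported inventory rows. This is an added example, not Cortex XDR code: the CSV columns `endpoint`, `service_name` and `image_path` and every sample row are constructed assumptions, not the product's export format. It goes slightly beyond the text by grouping on service name plus image path, so a familiar service name that points at an unusual binary appears as its own rare entry.

```python
import csv
import io
from collections import defaultdict

# Constructed sample, one row per service per endpoint (the shape of the
# default Services view). Column names and values are assumptions.
SAMPLE_ROWS = r"""endpoint,service_name,image_path
WS-001,Spooler,C:\Windows\System32\spoolsv.exe
WS-002,Spooler,C:\Windows\System32\spoolsv.exe
WS-003,Spooler,C:\Windows\System32\spoolsv.exe
WS-004,Spooler,C:\ProgramData\spoolsv.exe
WS-001,W32Time,C:\Windows\System32\svchost.exe
WS-002,W32Time,C:\Windows\System32\svchost.exe
WS-003,W32Time,C:\Windows\System32\svchost.exe
WS-004,W32Time,C:\Windows\System32\svchost.exe
WS-002,UpdaterSvc,C:\Tools\updater.exe
"""


def load_rows(text):
    """Parse exported inventory rows into dictionaries."""
    return list(csv.DictReader(io.StringIO(text)))


def aggregate(rows, key_fields=("service_name", "image_path")):
    """Group rows by the main entity; collect the distinct endpoints for each."""
    groups = defaultdict(set)
    for row in rows:
        # Windows names and paths are case-insensitive, so normalise case.
        key = tuple(row[field].strip().lower() for field in key_fields)
        groups[key].add(row["endpoint"].strip())
    return groups


def rare_entities(rows, max_fraction=0.25):
    """Return entities on at most max_fraction of endpoints, rarest first."""
    total = len({row["endpoint"].strip() for row in rows})
    rare = []
    for (name, path), endpoints in aggregate(rows).items():
        fraction = len(endpoints) / total
        if fraction <= max_fraction:
            rare.append({"service_name": name, "image_path": path,
                         "endpoints": sorted(endpoints), "fraction": fraction})
    rare.sort(key=lambda e: (len(e["endpoints"]), e["service_name"], e["image_path"]))
    return rare


if __name__ == "__main__":
    for entity in rare_entities(load_rows(SAMPLE_ROWS)):
        print(entity)
```

Each returned entry carries its endpoint list, which corresponds to the View affected endpoints drill-down.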
View host inventory
To view the Host inventory, go to Add-ons → Host Insights → Host Inventory.
Data | Description |
---|---|
Accessibility | Details about installed applications that require and were allowed special permissions to enable a camera, microphone, accessibility features, full disk access, or screen captures. |
Applications | Details about all applications installed on your endpoints. For each application, Cortex XDR lists the existing CVEs and the vulnerability severity score that reflects the highest NIST vulnerability score detected for the application. To further examine these vulnerabilities, see Application Analysis with Host inventory. |
Autoruns | Details about executables that start automatically when the user logs in or boots the endpoint. Cortex XDR displays information about autoruns that are configured in the endpoint Registry, startup folders, scheduled tasks, services, drivers, daemons, extensions, Crond tasks, login items, and login and logout hooks. For each autorun, Cortex XDR lists the autorun type and configuration, such as startup method, CMD, user details, and image path. |
Daemons | Details about all daemons that exist on the endpoint. For each daemon, Cortex XDR lists the following details: |
Disks | Details about the disk volumes that exist on an endpoint. For each disk that exists on an endpoint, Cortex XDR lists details such as the drive type, name, file system, free space, and total size. |
Drivers | Details about all the drivers installed on an endpoint. For each driver, Cortex XDR lists all the following details: |
Extensions | Details about the system and kernel extensions currently running on your Mac endpoints. For each extension, Cortex XDR lists the following details: |
Groups | Details about all user groups defined on an endpoint. For each group, Cortex XDR lists identifying details, such as name, SID/GID name and type. |
Mounts | Details about all the drives, volumes, and disks that were mounted on endpoints. For each mount, Cortex XDR lists the mount point directory, file system type, mount spec and GUID. |
Services | Details about all the services running on an endpoint. For each service, Cortex XDR lists all the following details: |
Shares | Details about network shared folders defined on an endpoint. For each folder, Cortex XDR lists all the following details: |
System Information | General system information about an endpoint. For each endpoint, Cortex XDR lists all the following details: |
Users | List of users whose credentials are stored on the endpoint. For each user, Cortex XDR lists all the following details: |
Users to Groups | A list mapping all the users, local and in your domain, to the existing user groups on an endpoint. |