View Details About an Endpoint

You can view miscellaneous details about a particular endpoint that you select.
The Endpoints > All Endpoints page provides a central location from which you can view and manage the endpoints on which the Cortex XDR agent is installed. The right-click pivot menu that is available for each endpoint displays the actions you can perform.
The following table describes the list of actions you can perform on your endpoints.
Field
Action
Endpoint Control
Security Operations
Endpoint Data
  • View Incidents (in same tab or new tab)
  • View Endpoint Policy
  • View Actions
  • View Endpoint Logs
The following table describes both the default and additional optional fields that you can view in the Endpoints table and lists. The table lists the fields in alphabetical order.
Field
Description
Check box to select one or more endpoints on which to perform actions.
Active Directory
Lists all Active Directory Groups and Organizational Units to which the user belongs.
Assigned Policy
Policy assigned to the endpoint.
Auto Upgrade Status
When Agent Auto Upgrades are enabled, indicates the action status, which is one of the following:
  • In progress—Indicates that the Cortex XDR agent upgrade is in progress on the endpoint.
  • Up to date—Indicates that the current Cortex XDR agent version on the endpoint is up to date.
  • Failure—Indicates that the Cortex XDR agent upgrade failed after three retries.
  • Not configured—Indicates that automatic agent upgrades are not configured for this endpoint.
  • Pending—Indicates that the Cortex XDR agent version running on the endpoint is not up to date, and the agent is waiting for the upgrade message from Cortex XDR.
  • Not supported—Indicates this endpoint type does not support automatic agent upgrades. Relevant for VDI, TS, or Android endpoints.
To include or exclude one or more endpoints from auto upgrade, right-click and select Endpoint Control > <Exclude/Include> endpoints from auto upgrade. After an endpoint is excluded, the Auto upgrade profile configuration will no longer be available.
If you exclude the endpoint from Auto Upgrade while the Auto Upgrade Status is In progress, the ongoing upgrade will still take place.
Cloud Info
Displays IBM and Alibaba Cloud metadata reported by the endpoint.
Content Auto Update
Indicates whether automatic content updates are Enabled or Disabled for the endpoint. See Agent Settings profile.
Content Release Timestamp
Displays the time and date of when the current content version was released.
Content Rollout Delay (days)
If you configured delayed content rollout, the number of days for delay is displayed here. See Agent Settings profile.
Content Status
Displays the status of the content version on the relevant endpoint. Cortex XDR attempts to contact an endpoint and check the content version over a 7-day period. After this period, Cortex XDR displays one of the following statuses:
  • Up to Date - The endpoint is running with the latest content version.
  • Waiting for Update - Cortex XDR is in the process of updating the new content version. Depending on your bandwidth and network connection, updating the content version may take time.
  • Outdated - The endpoint is running on an outdated content version.
  • Offline - The endpoint is disconnected.
Content Status is calculated every 30 minutes, so there could be a delay of up to 30 minutes in displaying the data.
Content Version
Content update version used with the Cortex XDR agent.
Disabled Capabilities
A list of the capabilities that were disabled on the endpoint.
To disable one or more capabilities, right-click the endpoint name and select Endpoint Control > Disable Capabilities. Options are:
  • Live Terminal
  • Script Execution
  • File Retrieval
You can disable these capabilities during the Cortex XDR agent installation on the endpoint or through Endpoint Administration. Disabling any of these actions is irreversible, so if you later want to enable the action on the endpoint, you must uninstall the Cortex XDR agent and install a new package on the endpoint.
Domain
Domain or workgroup to which the endpoint belongs, if applicable.
Only supported for Windows.
Endpoint Alias
If you assigned an alias to represent the endpoint in Cortex XDR, the alias is displayed here. To set an endpoint alias, right-click the endpoint name, and select Change endpoint alias. The alias can contain any of the following characters: a-Z, 0-9, !@#$%^&()-'{}~_.
Endpoint ID
Unique ID assigned by Cortex XDR that identifies the endpoint.
Endpoint Isolated
Isolation status, either:
  • Isolated—The endpoint has been isolated from the network with communication permitted to only Cortex XDR and to any IP addresses and processes included in the allow list.
  • Not Isolated—Normal network communication is permitted on the endpoint.
  • Pending Isolation—The isolation action has reached the server and is pending contact with the endpoint.
  • Pending Isolation Cancellation—The cancel isolation action has reached the server and is pending contact with the endpoint.
Endpoint Name
Hostname of the endpoint. If the agent enables Pro features, this field also includes a PRO badge. For Android endpoints, the hostname comprises the <firstname>-<lastname> of the registered user, with a separating dash.
Endpoint Status
Registration status of the Cortex XDR agent on the endpoint:
  • Connected—The Cortex XDR agent has checked in within 10 minutes for standard endpoints, and within 3 hours for mobile endpoints.
  • Connection Lost—The Cortex XDR agent has not checked in within 30 to 180 days for standard endpoints, and between 90 minutes and 6 hours for VDI and temporary sessions.
  • Disconnected—The Cortex XDR agent has checked in within the defined inactivity window: between 10 minutes and 30 days for standard and mobile endpoints, and between 10 minutes and 90 minutes for VDI and temporary sessions.
  • VDI Pending Log-on—(Windows only) Indicates a non-persistent VDI endpoint is waiting for user logon, after which the Cortex XDR agent consumes a license and starts enforcing protection.
  • Uninstalled—The Cortex XDR agent has been uninstalled from the endpoint.
Endpoint Type
Type of endpoint: Mobile, Server, or Workstation.
Endpoint Version
Version of the Cortex XDR agent that runs on the endpoint.
First Seen
Date and time the Cortex XDR agent first checked in (registered) with Cortex XDR.
Golden Image ID
For endpoints with a System Type of Golden Image, the image ID is a unique identifier for the golden image.
Group Names
Endpoint Groups of which the endpoint is a member, if applicable. See Define Endpoint Groups.
Incompatibility Mode
Cortex XDR agent incompatibility status, either:
  • Agent Incompatible—The Cortex XDR agent is incompatible with the environment and cannot recover.
  • OS Incompatible—The Cortex XDR agent is incompatible with the operating system.
When Cortex XDR agents are compatible with the operating system and environment, this field is blank.
Isolation Date
Date and time when the endpoint was Isolated. Displayed only for endpoints in Isolated or Pending Isolation Cancellation status.
Install Date
Date and time at which the agent was first installed on the endpoint.
Installation Package
Installation package name used to install the Cortex XDR agent.
Installation Type
Type of installation:
  • Standard
  • VDI
  • Golden Image
  • Temporary Session
IP
Last known IPv4 or IPv6 address of the endpoint.
Is EDR Enabled
Whether EDR data is enabled on the endpoint.
Last Content Update Time
Displays the time and date when the agent last deployed a content update.
Last Origin IP
Represents the last IP address from which the Cortex XDR agent connected.
Last Scan
Date and time of the last malware scan on the endpoint.
Last Seen
Date and time of the last change in an agent's status. This can occur when Cortex XDR receives a periodic status report from the agent (once an hour), a user performs a manual Check In, or a security event occurs.
Changes to the agent status can take up to ten minutes to display on Cortex XDR.
Last Used Proxy
The IP address and port number of the proxy that was last used for communication between the agent and Cortex XDR.
Last Used Proxy Port
Last proxy port used on the endpoint.
Linux Operation Mode
(Cortex XDR agent 7.7 and later for Linux) Displays the operation mode in which the Cortex XDR agent is running on your Linux endpoint. The available operation modes are: Kernel, User Space, or Kernel Disabled.
MAC
The endpoint MAC address that corresponds to the IP address.
Network Location
(Cortex XDR agent 7.1 and later for Windows and Cortex XDR agent 7.2 and later for macOS and Linux) Endpoint location is reported by the Cortex XDR agent when you enable this capability in the Agent Settings profile:
  • Internal
  • External
  • Not Supported—The Cortex XDR agent is running a prior agent version that does not support network location reporting.
  • Disabled—The Cortex XDR agent was unable to identify the network location.
Operating System
Name of operating system.
Operational Status
Cortex XDR agent operational status:
  • Protected—Indicates that the Cortex XDR agent is running as configured and did not report any exceptions to Cortex XDR.
  • Partially protected—Indicates that the Cortex XDR agent reported to Cortex XDR one or more exceptions.
  • Unprotected—Indicates the Cortex XDR agent was shut down.
OS Description
Operating system version name.
OS Type
Name of the operating system.
OS Version
Operating system version number.
Platform
Platform architecture.
Proxy
IP address and port number of the configured proxy server.
Scan Status
Malware scan status, either:
  • None—No scan initiated.
  • Pending—Scan was initiated, waiting for action to reach endpoint.
  • In Progress—Scan in process.
  • Success—Scan completed.
  • Pending Cancellation—Scan was aborted, waiting for action to reach endpoint.
  • Canceled—Scan canceled.
  • Error—Scan failed to run.
Tags
Displays the tags associated with the endpoint.
Tags created in the Cortex XDR agent are displayed with a shield icon.
Users
User that was last logged into the endpoint. On Android endpoints, the Cortex XDR app identifies the user from the email prefix specified during app activation.
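
The following is an added example, not part of the original documentation or of any Cortex XDR tooling: a Python audit that applies the status values described in the table above to an endpoint list and reports protection coverage gaps. It assumes a CSV export whose headers match the field names in the table; the sample rows, hostnames, and the Yes/No values for Is EDR Enabled are constructed for illustration.

```python
import csv
import io

# Constructed sample export. Assumption: headers match the field names in the table.
SAMPLE_EXPORT = """\
Endpoint Name,Endpoint Status,Operational Status,Content Status,Auto Upgrade Status,Incompatibility Mode,Is EDR Enabled
ws-finance-01,Connected,Protected,Up to Date,Up to date,,Yes
srv-build-02,Connected,Partially protected,Outdated,Failure,,Yes
ws-lab-03,Connection Lost,Unprotected,Offline,Pending,,No
vdi-pool-04,Connected,Unprotected,Waiting for Update,Not supported,OS Incompatible,Yes
"""

# (field, values that indicate a coverage gap, reason). Values are taken from the
# table, except "No" for Is EDR Enabled, which is an assumed export value.
RULES = [
    ("Endpoint Status", {"Disconnected", "Connection Lost", "Uninstalled"},
     "agent is not checking in"),
    ("Operational Status", {"Partially protected", "Unprotected"},
     "agent reported exceptions or was shut down"),
    ("Content Status", {"Outdated", "Offline"}, "content version is not current"),
    ("Auto Upgrade Status", {"Failure"}, "agent upgrade failed after three retries"),
    ("Incompatibility Mode", {"Agent Incompatible", "OS Incompatible"},
     "agent is incompatible with the environment or OS"),
    ("Is EDR Enabled", {"No"}, "EDR data is not enabled"),
]


def audit(export_text):
    """Return {endpoint name: [findings]} for endpoints with at least one gap."""
    findings = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        hits = []
        for field, bad_values, reason in RULES:
            value = (row.get(field) or "").strip()
            # Case-insensitive match: the table uses both "Up to date" and "Up to Date".
            if value.lower() in {b.lower() for b in bad_values}:
                hits.append(f"{field}={value}: {reason}")
        if hits:
            findings[row["Endpoint Name"]] = hits
    return findings


if __name__ == "__main__":
    for name, hits in audit(SAMPLE_EXPORT).items():
        print(name)
        for hit in hits:
            print("  -", hit)
```

Transitional values such as Pending or Waiting for Update are deliberately not flagged, since the table describes them as states that resolve on the next agent contact.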
