Issue
We noticed that Sensors are showing up in our Red Canary with outdated "Last Activity" timestamps, or the Last Activity time shows as "Unknown." If the Last Activity time shows as "Unknown" that means we have never received telemetry from that Sensor. The first thing to do is to check if that Sensor is actually sending telemetry to the Cortex XDR Server.
Environment
Red Canary + Cortex XDR
Resolution
- First login to your Cortex XDR tenant.
- Next, go to Incident Response > Query Builder.
- Select "All Actions"
- Enter the Hostname of the endpoint you wish to check.
- Enter the timeframe you want to check for.
- Click "Run" at the bottom of the screen. NOTE: there are actually two options for running the Query: "Run" and "Run in background." If you choose "Run in background" you can immediately start working in other areas of the Cortex console without having to wait for the report. If you click "Run" the Query will be run in the foreground and you will have to wait for the report to be generated before you can continue working in other areas of Cortex.
Cause
There can be many causes for this. Here are some things to check:
- Does the Endpoint policy have Cortex XDR Pro enabled? If this setting is not enabled on the Profile, which is applied to an endpoint Policy (i.e Endpoint Group), then the Cortex XDR Agents will not be sending EDR Telemetry.
- Is the Sensor version supported for the Operating System that it's running on? Check the Cortex XDR System Requirements.
- Make sure you have whitelisted the correct URLs and IP addresses in your Firewall for Cortex XDR. NOTE: You can find this information by going to your Red Canary console, clicking on your User Icon (top right) and then selecting "Getting Help." At the bottom of the page we list out all of the required URLs and IP addresses to allow Sensor communications.
- Are you running any other 3rd party security software, like another anti-virus product? If yes, please be sure to exclude the Cortex XDR Sensor in your 3rd party software. Also, be sure to exclude the 3rd party software in your Cortex XDR > Endpoints > Policy Management > Prevention Profiles > Malware Profile. In the Malware Profile you want to start by applying the Exclusions under the "Portable Executable and DLL Examination" section. You'll see the section called "Files/Folders in Allow List." Click "Add" to add your Exclusions.
Comments
0 comments
Please sign in to leave a comment.