Cortex XDR disconnected endpoints
Supported versions
Supported Cortex XSOAR versions: 5.5.0 and later.
A job to periodically query disconnected Cortex XDR endpoints within a last seen time range provided as a playbook input. The collected data, if found, is generated into a CSV report that includes a detailed list of the disconnected endpoints. The report is sent to the recipient email addresses provided in the playbook input. The playbook includes an incident type with a dedicated layout to visualize the collected data. To set the job correctly, you will need to:
- Create a new recurring job.
- Set the recurring schedule.
- Add a name.
- Set type to Cortex XDR disconnected endpoints.
- Set this playbook as the job playbook.
https://xsoar.pan.dev/docs/incidents/incident-jobs
The scheduled run time and the timestamp relative date should be identical. If the job is recurring every 7 days, the time range should be 7 days as well.
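The effect of a schedule and time range that do not match, as an added example that is not part of the playbook or the Cortex XDR integration: it simulates three runs of a job recurring every 7 days over constructed endpoint records and counts how often each endpoint would be reported. The field names, the dates, and the half-open window boundaries are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

def parse_relative(text):
    """Turn a relative timestamp such as '7 days' or '1 Day' into a timedelta."""
    m = re.fullmatch(r"\s*(\d+)\s+days?\s*", text, re.IGNORECASE)
    if not m:
        raise ValueError(f"unsupported relative timestamp: {text!r}")
    return timedelta(days=int(m.group(1)))

def run_window(run_time, start_input, end_input):
    """Absolute (start, end) last-seen window queried by a run at run_time."""
    return run_time - parse_relative(start_input), run_time - parse_relative(end_input)

def report_counts(endpoints, first_run, every_days, runs, start_input, end_input="0 days"):
    """Count how many runs of the recurring job would report each endpoint."""
    counts = {e["endpoint_name"]: 0 for e in endpoints}
    for i in range(runs):
        lo, hi = run_window(first_run + timedelta(days=every_days * i), start_input, end_input)
        for e in endpoints:
            # Assumption: window is half-open (lo, hi] so adjacent runs never overlap.
            if e["endpoint_status"] == "DISCONNECTED" and lo < e["last_seen"] <= hi:
                counts[e["endpoint_name"]] += 1
    return counts

# Constructed sample records (assumed field names; last_seen stays fixed once disconnected).
FIRST_RUN = datetime(2024, 1, 8, 6, 0)
ENDPOINTS = [
    {"endpoint_name": "host-a", "endpoint_status": "DISCONNECTED", "last_seen": datetime(2024, 1, 7, 12, 0)},
    {"endpoint_name": "host-b", "endpoint_status": "DISCONNECTED", "last_seen": datetime(2024, 1, 3, 9, 0)},
    {"endpoint_name": "host-c", "endpoint_status": "DISCONNECTED", "last_seen": datetime(2024, 1, 11, 9, 0)},
    {"endpoint_name": "host-d", "endpoint_status": "CONNECTED", "last_seen": datetime(2024, 1, 14, 9, 0)},
]

if __name__ == "__main__":
    # Job recurs every 7 days; compare a matching window with a shorter and a longer one.
    for window in ("7 days", "1 day", "14 days"):
        print(window, report_counts(ENDPOINTS, FIRST_RUN, 7, 3, window))
```

With a matching 7-day range each disconnected endpoint appears in exactly one report; a shorter range silently drops endpoints, and a longer one reports them more than once.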
Dependencies
This playbook uses the following sub-playbooks, integrations, and scripts.
Sub-playbooks
This playbook does not use any sub-playbooks.
Integrations
- CortexXDRIR
Scripts
This playbook does not use any scripts.
Commands
- setIncident
- send-mail
- xdr-get-endpoints
- closeInvestigation
Playbook Inputs
Name | Description | Default Value | Required |
---|---|---|---|
LastSeenStartDate | Last seen start date, as a relative timestamp - "1 Day" or "7 days". | None | Optional |
LastSeenEndDate | Last seen end date, as a relative timestamp - "1 Day" or "7 days". For the current day, use "0 days". | None | Optional |
| | Email addresses to send the disconnected endpoints report. | None | Optional |
MessageBody | Body for the report email message. | This message contains an automatically generated report by Cortex XSOAR, including a list of disconnected Cortex XDR endpoints. Please investigate and remediate according to the organization's policy. | Optional |
Playbook Outputs
There are no outputs for this playbook.