09-24-2024 02:51 AM - edited 09-24-2024 02:52 AM
Hi Team,
I’ve noticed that the data on the assets and dashboards in Cisco XDR isn't up to date. Specifically, the number of computers and information shown in Secure Endpoint doesn’t fully match what I see in XDR, and the numbers seem different. Could someone explain why this is happening?
Additionally, when deploying agents to computers, Secure Client is installed, but Orbital fails to install, showing the following error:
Error:
Orbital 1.31.4 installation failed.
Does anyone have any insights on how to resolve this?
Lastly, does anyone have a checklist for Cisco XDR and Secure Client (AMP) configuration? I’m looking for the essential settings that should be applied as a best practice.
Thank you in advance for your help!
09-24-2024 08:38 AM
09-24-2024 10:18 AM
Thank you for the information and resources provided. I will review the Secure Client profiles and policies you mentioned.
Regarding the data discrepancy between XDR and Secure Endpoint, could you clarify if there are any known synchronization issues or delays that might cause the numbers to differ between these platforms? Additionally, if there are steps I should follow or best practices to ensure consistent data across these platforms, I would greatly appreciate your guidance.
For the Orbital installation failure, I will review the policy adjustments you suggested. However, are there specific logs or other troubleshooting steps I should follow to identify the root cause of the issue?
09-24-2024 11:12 AM
I can chime in a little bit as well. When it comes to synchronization between XDR and other portals/sources, currently this is not as fast as, for example, between your endpoint and the Secure Endpoint Console. I think the actual sync is once or maybe twice a day. The other thing to consider is data retention. For example, if you have a feed from Orbital to XDR and, let's say, you uninstall an endpoint, you will notice that the endpoint will be gone from the Secure Endpoint console, but you will still find that endpoint in XDR and Orbital, because of the 90-day data retention. In other words, it will take 90 days for the endpoint to be purged if there is no more communication during that 90-day period.
09-24-2024 11:48 AM
Is it normal that I cannot see data from EDR in the XDR dashboard? Wouldn't this create a risk during threat hunting? If I'm not able to view current information, how does having XDR provide any real benefit?
09-24-2024 11:24 AM
09-24-2024 10:26 AM
Additionally, I am curious about the difference between the options on the left and the right.
What is the difference between Automatic and With Connector?
Will this solve my problem?
09-24-2024 11:23 AM
And lastly, the difference between the two deployments is that:
Automatic: will update as soon as Orbital releases a new version.
With Connector: will update ONLY with a connector upgrade. In other words, even if Orbital releases a new version, it will not be updated unless you upgrade to a new Secure Endpoint connector release through the policy.
09-24-2024 11:34 AM
Which one do you recommend then?
09-24-2024 11:19 AM
I can also help with this. The error you see is most likely due to the fact that this is not the latest release. We are currently investigating what happened, but it seems like the issue started last Wednesday (Sept 18); the Orbital Windows node should be version 1.37.4, not 1.34.1.
We're looking to address this ASAP.
09-24-2024 11:23 AM
09-24-2024 11:32 AM
So, in conclusion, is this issue a general problem right now? Is everyone experiencing it? Can’t we find a solution for the "Orbital install failed" error?