Cisco XDR and Secure Endpoint Orbital Installation Issue

Hi Team,

I’ve noticed that the data on the assets and dashboards in Cisco XDR isn't up to date. Specifically, the number of computers and information shown in Secure Endpoint doesn’t fully match what I see in XDR, and the numbers seem different. Could someone explain why this is happening?

Additionally, when deploying agents to computers, Secure Client is installed, but Orbital fails to install, showing the following error:

Error:
Orbital 1.31.4 installation failed.

Does anyone have any insights on how to resolve this?

Lastly, does anyone have a checklist for Cisco XDR and Secure Client (AMP) configuration? I’m looking for the essential settings that should be applied as a best practice.

Thank you in advance for your help!

11 Replies

XDR doesn't have a whole lot of options there. At the moment, you just pick the cloud managed profile and that's it...

For Secure Client, there are a myriad of options...
https://docs.amp.cisco.com/en/SecureEndpoint/Secure%20Endpoint%20Deployment%20Strategy.pdf

Here's what we did:
In the GUI there are a couple of defined profiles that you can apply. Go edit a policy, and you'll see a "Workstation" and "Server" policy example on the right of that screen. Pick the appropriate one to start. Add the Cisco Managed exceptions for applications you have deployed to the policy.
Look at the apps you have deployed and create required exceptions as needed, and add those to your policy.
Get that deployed and monitor things...

Start turning on more engines a little at a time so you don't break everything at once, with the goal of being able to set everything to block.

There are some webinars coming that you may want to attend:
https://community.cisco.com/t5/technology-and-support-events-and-webinars/planning-for-cisco-secure-endpoint/ev-p/5194496
https://community.cisco.com/t5/technology-and-support-events-and-webinars/secure-endpoint-capabilities/ev-p/5144198

There has been some AMP stuff at CiscoLive, and there is a stack of stuff in Cisco Learning Network.

Thank you for the information and resources provided. I will review the Secure Client profiles and policies you mentioned.

Regarding the data discrepancy between XDR and Secure Endpoint, could you clarify if there are any known synchronization issues or delays that might cause the numbers to differ between these platforms? Additionally, if there are steps I should follow or best practices to ensure consistent data across these platforms, I would greatly appreciate your guidance.

For the Orbital installation failure, I will review the policy adjustments you suggested. However, are there specific logs or other troubleshooting steps I should follow to identify the root cause of the issue?

I can chime in a little bit as well. When it comes to synchronization between XDR and other portals/sources, currently this is not as fast as, for example, between your endpoint and the Secure Endpoint Console. I think the actual sync is once or maybe twice a day. The other thing to consider is data retention. For example, if you have a feed from Orbital to XDR and let's say you uninstall an endpoint, you will notice that the endpoint will be gone from the Secure Endpoint console but you will still find that endpoint in XDR and Orbital, because of the 90-day data retention. In other words, it will take 90 days for the endpoint to be purged if there is no more communication during that period of 90 days.

Is it normal that I cannot see data from EDR in the XDR dashboard? Wouldn't this create a risk during threat hunting? If I'm not able to view current information, how does having XDR provide any real benefit?

1. Consistency between Endpoint/CMC/XDR... is less than ideal, but it is getting better. I've been in the beta of Device Insights since inception, and how devices between Secure Endpoint/CMC/Orbital get deduped was a mess for a long time... it's better, but it still takes time, and you'll see machines with name changes in the GUI based on who reported last. I've had a couple of weird instances where two machines were crosslinked.

2. How are you deploying Secure Endpoint? We push deploy it separately from the CSC package, using SCCM, and send it to a policy that has Orbital off, because when Secure Endpoint went to install Orbital it caused issues with the SCCM Task Sequence. Every night we move all machines in the "Build" policy to their normal policy via an automation I wrote. As far as logs go, I'm pretty sure it's an MSI that they're downloading to do the Orbital install, so the standard Windows logs.

3. The Orbital settings you pointed out: one is to turn it on... the other is when it updates. I have mine set to update automatically, i.e. independently from when Secure Endpoint updates happen.




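The reply above points at the standard Windows logs for an MSI-based Orbital install. The following is an added example for pulling those entries (it is not code from any poster in this thread and not Cisco tooling); it assumes the Orbital package is an MSI that writes to the Application log under the MsiInstaller provider, and that its event messages contain the word "Orbital", which is an assumption about the package name.

```powershell
# Added example, not from the thread. Assumes the Orbital package is an MSI
# (as the reply above suggests) and that its Windows Installer events mention
# "Orbital" in the message text; adjust the pattern if your events differ.

# Well-known Windows Installer event IDs in the Application log:
#   1033  = install finished; the message ends with the exit status (1603 = fatal error)
#   11707 = product installed successfully
#   11708 = product installation failed
$msiEventIds = 1033, 11707, 11708

$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'MsiInstaller'
    Id           = $msiEventIds
    StartTime    = (Get-Date).AddDays(-7)   # look back one week
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Orbital' }

if (-not $events) {
    Write-Host 'No MsiInstaller events mentioning Orbital in the last 7 days.'
}
else {
    # Newest first; keep only the first line of each message, which carries
    # the product name, version and (for 1033) the exit status.
    $events |
        Sort-Object TimeCreated -Descending |
        Select-Object TimeCreated, Id, LevelDisplayName,
            @{ Name = 'Summary'; Expression = { ($_.Message -split "`n")[0] } } |
        Format-Table -AutoSize -Wrap
}
```

Run it in an elevated PowerShell session on a machine where the Orbital install failed. An 11708 event, or a 1033 event whose status is 1603, confirms the MSI itself failed rather than the connector skipping the install; the version string in the same message can be compared against the node version the Cisco reply further down says the installer should be fetching.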

Additionally, I am curious about the difference between the options on the left and the right.
What is the difference between Automatic and With Connector?

Will this solve my problem?



[screenshot: Orbital update options, "Automatic" on the left and "With Connector" on the right]


And lastly the difference between the two deployments is that:

Automatic: will update as soon as Orbital releases a new version.

With Connector: will update ONLY with a connector upgrade. In other words, even if Orbital releases a new version it will not be updated unless you upgrade to a new Secure Endpoint connector release through the policy.

Which one do you recommend then?

Roman Valenta (Cisco Employee)

I can also help with this. The error you see is most likely due to the fact that this is not the latest release. We are currently investigating what happened, but it seems like the issue started last Wednesday (Sept 18); the Orbital Windows node should be version 1.37.4, not 1.34.1.

We're looking to address this ASAP.

Thanks Roman!

So, in conclusion, is this issue a general problem right now? Is everyone experiencing it? Can’t we find a solution for the "Orbital install failed" error?