
Managing Endpoints in Hexnode XDR: Deployment, Monitoring, and Response

1. Architectural Definition: Hexnode XDR Endpoints

In the Hexnode XDR ecosystem, endpoints represent the frontline of security telemetry. These are physical or virtual assets (currently limited to Windows platforms) that have the Hexnode XDR agent deployed.

The agent serves as a continuous observation layer, streaming telemetry regarding:

  • Process Execution: Identifying malicious binaries or scripts.
  • File Activity: Detecting unauthorized modifications or ransomware signatures.
  • Network Behavior: Flagging lateral movement or C2 (Command & Control) communications.
  • System Changes: Monitoring registry and configuration tampering.

This continuous stream of telemetry allows security teams to move from reactive patching to proactive threat response, isolating issues before they propagate through the network.

2. Core Operational Modules (The Endpoints Tab)

The Endpoints tab serves as the centralized command center for asset management. It is architected into three primary functional subtabs:

  • Endpoints Subtab: Functions as the primary monitoring and remediation interface for tracking real-time device health and executing rapid response actions.
  • Endpoint Groups Subtab: Enables logical administrative segmentation (by risk, department, or OS) to facilitate bulk policy application and streamlined incident management.
  • Installation Subtab: Acts as the XDR deployment gateway, providing the specific agent packages required to initialize monitoring on new Windows assets.

3. Real-Time Monitoring (Endpoints Subtab)

This module provides a live inventory of all monitored assets. To maintain data relevance, technicians can utilize the Column Selector (top right) to toggle visibility of specific telemetry fields.

Detailed Asset Parameters

  • Name: The designated identifier for the endpoint.
  • Device Health: Represents the current security posture.
    • Secured: No active threats detected.
    • Unsecured: Active threats detected; immediate investigation required.
    • Unknown: Telemetry link interrupted; security state cannot be verified.
    • Isolated: The device has been programmatically severed from the network.
  • Status: Indicates the real-time connectivity state (Online, Inactive, or Offline).
  • Deployed Via: Identifies the enrollment origin, indicating whether the asset was onboarded via XDR or UEM.
  • Network Identifiers: Includes the IP Address, MAC Address, and a unique Endpoint ID for backend cross-referencing.
  • System Context: Provides the OS Name, Version, and hardware Serial Number to assist in vulnerability mapping.

Understanding Remote Response Actions

Remote actions are high-priority commands executed directly from the console to mitigate security risks.

  • Isolate Endpoint: Severely restricts network access, allowing communication only with the XDR console. This prevents malware from spreading while maintaining a remediation link.
  • Reconnect Endpoint: Restores full network connectivity.

    Business Logic: This action is performed only after a technician confirms the device has reached a verified Secure State.

  • Uninstall Agent: Permanently removes the monitoring layer and purges endpoint records.
    • Authentication & RBAC: To prevent unauthorized tampering, uninstallation requires a password. This action is restricted to technicians assigned the Super Admin or Admin role.

4. Endpoint Summary View (The Deep-Dive Interface)

Clicking any device in the list opens the Endpoint Summary View. This view aggregates fragmented data into a cohesive security profile.

High-Level Status Widgets

Four “Snapshot” widgets provide an immediate overview of the asset: Device Health, Connectivity Status, Associated Policies, and Total Detected Threats.

Data Sub-Sections (The Detailed Tabs)

A. Endpoint Details Tab (Hardware and System Telemetry)

Technicians use this tab to verify the physical and configuration limits of the device.

  • Endpoint Summary: Shows detailed hardware specs including Model, Core count, Memory capacity, and Serial Number.
  • Agent Summary: Displays the current Agent Version and the timestamp of the Last Update to ensure the protection layer is current.
  • Policy Summary: Lists all active security configurations.
    • Associate Policy: Used by admins to link new security profiles as policies.
    • Effective Policy: A logic-check tool that shows the final, “net-effective” configuration if multiple policies conflict.
  • Groups: Lists the organizational segments the device belongs to.

B. Incidents Tab (Threat & Alert Logs)

This tab acts as a localized ledger of all threats affecting the device. Clicking an incident redirects the technician to the main Incidents module for deeper forensics.

  • Severity Mapping: Categorizes events into Threats (Critical, High, Medium, Low) or Alerts.

C. Quarantined Files Tab (Isolated Threats)

Displays a log of all files forcibly moved to a secure directory by a technician or the agent. This view provides the SHA256 Hash and Original File Path for threat intelligence verification.

D. Action History Tab (Audit Trail)

Provides a forensic log of every command or policy change initiated from the portal. This ensures accountability by tracking the Action, Initiated Time, and Final Outcome (Success, Failed, Pending, etc.).

5. Remote Terminal: CLI Troubleshooting

The Remote Terminal provides a secure, real-time Command-Line Interface (CLI) to remediate issues without physical access.

Key Use-Cases:

  • Service Remediation: Restarting essential security services if they stop responding.
  • Live Forensics: Executing scripts to check local configurations or logs.
  • Workflow: Technicians access this via the Remote Terminal button on the Summary View, with options to connect in-view or in a new browser tab.
  • Endpoint Info Panel: A collapsible sidebar used to verify the device identity (IP, MAC, Firewall Status) before executing high-risk commands.

6. Activity and Access Auditing

Located on the right side of the Summary View, these feeds monitor the “human” and “automated” activity on the device.

  • Recent Events: A color-coded activity feed. Technicians can filter this feed by the four severity levels (Critical, High, Medium, Low) to prioritize investigations.
  • Login Events: An audit log of user access patterns across the specific endpoint. This is used to identify anomalous login behaviors, such as “impossible travel” or unauthorized credential usage.

7. Organizing Devices (Endpoint Groups)

Groups allow for the logical segmentation of assets. This subtab displays the Group Name, Type, and specific metrics:

  • Number of Endpoints: This field displays the total count of devices currently managed within the group.
  • Active Endpoints: This field indicates the count of devices that are currently online and communicating.
  • Management History: Tracks when and by whom a group was Created or Modified.

Logic & Use-Case Comparison

Group Type   Logic                                                   Primary Use Case
-----------  ------------------------------------------------------  --------------------------------------------------------------------
Static       Membership is updated manually by a technician.         Fixed organizational structures (e.g., “Finance Department Laptops”).
Dynamic      Membership is automated based on conditional filters.   Risk-based automation (e.g., “Devices with Outdated OS Versions”).

Dynamic Criteria Logic (Examples)

Filter       Comparator   Example        Practical Application
-----------  -----------  -------------  ------------------------------------------------------------------
Host         Contains     ‘SERVER’       Automatically group all assets designated as servers.
Platform     In           ‘Windows’      Scope a group to Windows-based telemetry only.
OS Version   !=           ‘10.0.19045’   Group all devices that have not yet updated to a specific build.
Status       In           ‘Isolated’     Create a high-priority dashboard for all currently isolated assets.

Logic Operators: Use AND for strict multi-requirement rules, OR for broader inclusions, and GROUP for nested, complex logic sets.
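The following is an added worked example, not Hexnode's own code: a small evaluator that models the Filter / Comparator / Value rules from the table above and the AND / OR / GROUP operators, run against a constructed endpoint inventory whose keys mirror the Endpoints subtab columns. The rule shapes, comparator names and sample hosts are assumptions made for the illustration.

```python
# Evaluator for Hexnode-style dynamic endpoint group criteria (added illustration,
# not Hexnode's own code). Models Filter / Comparator / Value rules plus AND / OR / GROUP.

# Constructed sample inventory; keys mirror the Endpoints subtab columns.
INVENTORY = [
    {"Host": "FIN-LAPTOP-01", "Platform": "Windows", "OS Version": "10.0.19045", "Status": "Online"},
    {"Host": "HQ-SERVER-02", "Platform": "Windows", "OS Version": "10.0.17763", "Status": "Online"},
    {"Host": "HQ-SERVER-03", "Platform": "Windows", "OS Version": "10.0.19045", "Status": "Isolated"},
    {"Host": "LAB-VM-07", "Platform": "Windows", "OS Version": "10.0.19041", "Status": "Offline"},
]

# Comparators from the criteria table; "In" takes the set of allowed values.
COMPARATORS = {
    "Contains": lambda actual, expected: expected.lower() in str(actual).lower(),
    "In": lambda actual, expected: actual in expected,
    "!=": lambda actual, expected: actual != expected,
}

def matches(rule, endpoint):
    """Evaluate a leaf rule or a GROUP against one endpoint record.
    Leaf:  {"filter": ..., "comparator": ..., "value": ...}
    GROUP: {"op": "AND" | "OR", "rules": [...]}; GROUPs nest freely.
    A field missing from the record never matches, so incomplete telemetry
    cannot satisfy a rule by accident (e.g. an endpoint whose link is Unknown).
    """
    if "op" in rule:
        combine = all if rule["op"] == "AND" else any
        return combine(matches(r, endpoint) for r in rule["rules"])
    if rule["filter"] not in endpoint:
        return False
    return COMPARATORS[rule["comparator"]](endpoint[rule["filter"]], rule["value"])

def group_members(criteria, inventory=INVENTORY):
    """Return the Host names that currently fall into the dynamic group."""
    return [e["Host"] for e in inventory if matches(criteria, e)]

# Risk-based group: Windows servers not yet on build 10.0.19045 (a nested AND
# GROUP), OR any endpoint that is currently isolated.
OUTDATED_SERVERS_OR_ISOLATED = {
    "op": "OR",
    "rules": [
        {"op": "AND", "rules": [
            {"filter": "Host", "comparator": "Contains", "value": "SERVER"},
            {"filter": "Platform", "comparator": "In", "value": {"Windows"}},
            {"filter": "OS Version", "comparator": "!=", "value": "10.0.19045"},
        ]},
        {"filter": "Status", "comparator": "In", "value": {"Isolated"}},
    ],
}
# group_members(OUTDATED_SERVERS_OR_ISOLATED) -> ['HQ-SERVER-02', 'HQ-SERVER-03']
```

Membership is recomputed on every call, which is the point of a dynamic group: a server that later patches to 10.0.19045 drops out of the group without any technician edit.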

8. Deployment Gateway (Installation Subtab)

This subtab houses the installation packages required to deploy the Hexnode XDR agent app to your endpoints.

  • Primary Function: To initialize monitoring, technicians download the platform-specific installer (categorized by File Name, OS, and Release Date) and deploy it to target endpoints.
  • Deployment Flow: Download the agent → Execute on the endpoint → The device appears in the Endpoints Subtab.

Frequently Asked Questions (FAQ)

Q: How do I quickly locate a specific asset among thousands of endpoints?

A: Use the search bar in the top right of the Endpoints or Endpoint Groups subtabs to search by device name.

Q: Can I perform a “Mass Isolation” during a breach?

A: Yes. From the main Endpoints subtab, select multiple devices using the checkboxes and use the Actions button to trigger a bulk network isolation.

Q: What is the difference between the ‘Actions’ button on the main list vs. the Details page?

A: The main list button is for Bulk Operations across many devices. The button on the Endpoint Summary View is for Targeted Remediation on that specific device only.
