Manage hosts in Xprotect

Hosts appear on the Hosts page soon after you successfully install the Xprotect agent on them. The entry for a host no longer appears on the Hosts page after you have successfully uninstalled the agent from the host.

Between installing the agent on a host and uninstalling it, you can manage the host from Xprotect: you can enforce policies, monitor hosts and processes, fetch and isolate malicious and suspicious files from the hosts, and see alerts when activities or processes on the hosts violate the policies.


Hosts page

The Hosts page broadly displays the inventory details of the hosts that Xprotect collects and the management status of the hosts in Xprotect. The landing view of the Hosts page is a table with multiple columns.

Column name Description

Name

  • Status of the host

    • Online - Xprotect has received a heartbeat from this host in the last five minutes.

    • Offline - Xprotect has not received a heartbeat from this host for the last 30 minutes.

    • Unreachable - Xprotect has not received a heartbeat from this host for the last 14 days.

    • Upgrading - Xprotect is upgrading the agent on the host.

    • Uninstalling - Xprotect is uninstalling the agent on the host.

  • OS on the host (Linux, macOS, or Windows)

    If an Xprotect host is moved to the Restricted mode because the drivers necessary to run the Xprotect agent do not load on the host, you will see a red R overlay icon.

  • Hostname of the host

IP address

IP address of the host

Agent Version

Version of the agent on the host

If an updated version of the agent is available, you will see a blue icon.

Policy

Policy pushed to the host from Xprotect

Policy Settings

Whitelist policy setting of the policy on the host

On hover, you can also see the Whitelist, Blacklist, Rule rings, USB protect, File protect, and AutoTrust settings of the policy.

Host Group

Host group that the host is associated with

High Alerts

Number of high alerts generated on the host


Operations on Hosts

You can perform a wide range of operations on the hosts to manage them effectively from your Xprotect instance. The operations include routine agent management and host management tasks, security management operations, and operations to monitor the hosts. 

  • The operations performed on a single host are listed in the host's 3-dot menu (Action menu). 

  • The operations performed on multiple hosts are listed in the floating panel (on the top of the page).


Categories of operations

You can perform the following categories of operations:

  • Agent management - these operations can be performed on multiple hosts.

  • Host management - most of these operations are performed on multiple hosts, and sometimes only on hosts of the same OS family.

  • Security management - these operations must be performed on hosts of the same OS family, and sometimes only Windows OS.

  • Monitoring - these operations can be performed on one or multiple hosts.


Agent management

Upgrade Agent

Upgrade the Xprotect agent on a host to the latest version of the agent available for the instance. See Upgrade Xprotect agents for more details.

Uninstall Agent

Uninstall the agent from a host and decommission the host. See Uninstall Xprotect agents for more details.

Restart Agent

Restart the agent on a host. See Restart Xprotect agents for more details.


Host management

Add tag

Add Xprotect tags to identify and filter the hosts in the instance easily. See Tag hosts for more details.

Add scope

Select one or more hosts, click Add Scope, add one or more Scope tags, and click Apply to selected. See Scope tags for more details.

Move to Host Group

Move hosts to or across Xprotect Host groups. See Add hosts to Host groups for more details.

See agent, policy, and CPU and RAM usage details

See Agent, policy, and CPU and RAM usage details for more details.

Download as CSV

Download the inventory data fetched by the Xprotect agent and the management data in the instance for all or selected hosts as a CSV file. The file is named in the Host_<tenant name>_Inventory_<date>_<month> format. 

The file lists the following details of the hosts: resource and device IDs, hostname, reachability status, OS details, version of the agent on the host, tags, groups, and policies on the host, user accounts on the host, heartbeat timestamps, and the high and medium alerts generated on the host.

Delete host

Delete one or multiple entries of hosts from the Hosts page. Reachable hosts (Status=Online) cannot be deleted.

Deleting a host from the Hosts page temporarily deletes all its associations with the instance (tag, group, policy, and alerts generated on the host). 

When deleted hosts are online again (Status=Online), Xprotect restores only the host's previous tag and group associations. 
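An added example (not Xprotect's own code) for triaging the export described under Download as CSV: it classifies each host by the age of its last heartbeat, using the status thresholds from the Hosts page, and lists the hosts that are not Online, which are the gaps in agent coverage. The column names and sample rows are constructed assumptions, not the real export schema. The page does not define a status for a heartbeat age between 5 and 30 minutes, so the example reports that range as Indeterminate.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Thresholds taken from the status definitions on the Hosts page.
ONLINE_WITHIN = timedelta(minutes=5)
OFFLINE_AFTER = timedelta(minutes=30)
UNREACHABLE_AFTER = timedelta(days=14)


def status_from_heartbeat(last_heartbeat, now):
    """Map the age of the last heartbeat to a Hosts page status."""
    age = now - last_heartbeat
    if age <= ONLINE_WITHIN:
        return "Online"
    if age >= UNREACHABLE_AFTER:
        return "Unreachable"
    if age >= OFFLINE_AFTER:
        return "Offline"
    return "Indeterminate"  # 5 to 30 minutes: not defined on the page


# Constructed sample rows; the column names are assumptions for illustration.
SAMPLE_CSV = """hostname,os,agent_version,last_heartbeat,high_alerts
web-01,Linux,4.2.0,2024-05-10T11:58:00+00:00,0
db-02,Windows,4.1.3,2024-05-10T09:15:00+00:00,3
lab-07,macOS,3.9.8,2024-04-20T08:00:00+00:00,0
hr-11,Windows,4.2.0,2024-05-10T11:45:00+00:00,1
"""


def coverage_gaps(csv_text, now):
    """Return (hostname, status, high_alerts) for non-Online hosts, stalest status first."""
    order = {"Unreachable": 0, "Offline": 1, "Indeterminate": 2}
    gaps = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        seen = datetime.fromisoformat(row["last_heartbeat"])
        status = status_from_heartbeat(seen, now)
        if status != "Online":
            gaps.append((row["hostname"], status, int(row["high_alerts"])))
    # Within the same status, hosts with more high alerts come first.
    return sorted(gaps, key=lambda g: (order[g[1]], -g[2]))


if __name__ == "__main__":
    export_time = datetime(2024, 5, 10, 12, 0, tzinfo=timezone.utc)
    for host, status, alerts in coverage_gaps(SAMPLE_CSV, export_time):
        print(f"{host:8} {status:13} high_alerts={alerts}")
```

Pass the time of the export as `now` so that the classification reflects the state at the moment the file was downloaded.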


Security management

Set Self Protect

Enable the Self Protect feature on one or multiple Windows hosts to hamper accidental or rogue uninstalls of the Xprotect agent from the hosts. See Enable Self Protect on hosts for more details.

Set Temporary Policy

Apply a set of temporary policy settings on hosts of the same or different OS families to override the settings of the original Xprotect policy on the host. For example, to install or upgrade software using USB devices in the next few hours, pause the USB Protect setting in a temporary policy and apply it to a host.

Temporary policy settings can be applied for a time window of one hour up to 24 hours. After the time window, the policy settings revert to the settings of the original policy.

If you apply multiple sets of temporary policy settings, only the latest temporary setting is active, and only after a host receives the updates for the latest temporary setting.


Monitoring

View Process Tree

See the list of processes on a host (tabular view) or the process tree (hierarchical or parent/child view).

Run a Command

Run CLI commands on one or multiple hosts to get the health and operational status of the core services and apps installed on the hosts. See Run CLI commands on hosts from Xprotect for more details.


Agent, policy, and CPU and RAM usage details

Click a host to see more details of the host in a fly panel. The fly panel lists more details (the ones you cannot see in the columns on the Hosts page).

The details are listed by the tiles you see in the fly panel.

Host Details

Resource ID (as in the Xprotect instance database), IP address, version of the OS, local user accounts, and the policy on the host.

Tags

Tags added/assigned to the host.

Policy Details

Policy (active policy on the host), Delivered Policy (the last policy that was pushed to the host), and Scheduled Policy (the policy that is scheduled to be pushed to the host).

Policy Settings

General settings of the policy on the host. See Xprotect policy settings for more details.

Alerts

High and Total alerts on the host.

Agent Details

Dates for when the agent was installed, last started, and upgraded on the host, when the first and last heartbeats were received, and the status of the Self Protect feature (on Windows hosts only).

Watchdog Details

Dates for when the Watchdog service started on the host and when the first and the last heartbeats were received.

CPU and RAM Usage

  • CPU and RAM usage trends of the Xprotect agent on the host, in reference to the peak values seen for a time window. The peak values depend on the number of concurrent network connections on the host. See Expected behavior for more details.

  • Overall CPU and RAM trends on the host, in reference to the peak values seen on the host, for a time window.

  • Total number of concurrent network connections seen by the agent and the total number of concurrent network connections on the host.

See the required data in the widget, as follows:

  • Select a time window from the last one hour and up to the last 24 hours.

  • Click the CPU, RAM, and/or Host Network Connections legends to hide or retain data.

  • Hover over a data point to see the CPU, RAM, and network connections' details. The data points are spaced at 10-minute intervals.
