Alert for internet down on site x (disconnected state)

RFeyertag — Sat, 01 Jul 2023 14:15:19 GMT

Hello dear community,

we have a couple of sites, which sometimes do not have a internet connection, because the provider has issues.

Is there a way to get an alert, when a boundle of agents is not reachable at the same time (disconnected)?

I can alert, when one or another is disconnected, but what do I need to change if I wan't to alert, when all of them are disconnected at the same time?

Rob

Re: Alert for internet down on site x (disconnected state)

neelrohit — Mon, 03 Jul 2023 02:56:34 GMT

Hi @RFeyertag ,

Thank you for writing to live community!

First things first, you would want to create group names for the endpoints. Then you can actually create an XQL query for those group of endpoints for the site and then you can run the XQL query for it. You can create this as a correlation rule and it should return only one entry with below.

The reason why we have 30 minutes as a timeline because the agents getting disconnected, show "Disconnected" in XDR only after missing on 2 heartbeats which means 10 minutes of time as minimum threshold and then for the group of endpoints, we would want to give a buffer of 2-3 minutes.

dataset = endpoints | fields endpoint_status, agent_version, last_seen, endpoint_name, endpoint_type, group_names | alter ct = current_time() | alter diff = timestamp_diff(ct, last_seen, "MINUTE") | filter endpoint_status != CONNECTED and diff > 30 and group_names contains "<group name of your choice>" | comp count(endpoint_name ) as offline | alter text = if(offline > 30 , 1,0 ) //replace the 30 by any number you want and also the return values as per your choice

Hope this helps!

topic Alert for internet down on site x (disconnected state) in Cortex XDR Discussions

Alert for internet down on site x (disconnected state)

Re: Alert for internet down on site x (disconnected state)