https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/query-to-monitor-computer-uptime/m-p/573967#M5925 <P>Have you confirmed that the system uptime field is populated for any endpoints?&nbsp;&nbsp;</P> <P>&nbsp;</P> <P>None of our 4000+ endpoints show values in that field and I posted this question in December.</P> <P>The response was it is only for iOS devices.</P> <P>&nbsp;</P> <P><A href="https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/system-uptime-field-for-cortex-pro-agents-is-empty/m-p/568917" target="_blank">LIVEcommunity - System uptime field for Cortex Pro agents is empty. - LIVEcommunity - 568917 (paloaltonetworks.com)</A></P> Mon, 22 Jan 2024 19:02:30 GMT PC-TomS 2024-01-22T19:02:30Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/query-to-monitor-computer-uptime/m-p/573918#M5922 <P>&nbsp;</P> <P>Hello,</P> <P>&nbsp;</P> <P>I intend to formulate a new query to retrieve the computer's uptime, and if the system has been active for more than 30 days, generate an alert. Although I attempted the following XQL Search, the outcome yielded no results:</P> <P>&nbsp;</P> <TABLE border="1" width="100%"> <TBODY> <TR> <TD width="100%">config case_sensitive = false <BR />| preset = xdr_event_log <BR />| filter event_type = EVENT_LOG and action_evtlog_event_id in (6013)&nbsp;<BR />| fields action_evtlog_message as message, action_evtlog_event_id as event_id&nbsp;</TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <P>Can u help me, please</P> Mon, 22 Jan 2024 13:51:52 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/query-to-monitor-computer-uptime/m-p/573918#M5922 Melvin_Machado 2024-01-22T13:51:52Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/query-to-monitor-computer-uptime/m-p/573967#M5925 <P>Have you confirmed that the system uptime field is populated for any endpoints?&nbsp;&nbsp;</P> <P>&nbsp;</P> <P>None of our 4000+ endpoints show values in that field and I posted this question in December.</P> <P>The response was it is only for iOS devices.</P> <P>&nbsp;</P> <P><A href="https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/system-uptime-field-for-cortex-pro-agents-is-empty/m-p/568917" target="_blank">LIVEcommunity - System uptime field for Cortex Pro agents is empty. - LIVEcommunity - 568917 (paloaltonetworks.com)</A></P> Mon, 22 Jan 2024 19:02:30 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/query-to-monitor-computer-uptime/m-p/573967#M5925 PC-TomS 2024-01-22T19:02:30Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/query-to-monitor-computer-uptime/m-p/574482#M5958 <P>&nbsp;</P> <P>We have different inquiries and issues ;</P> <P>&nbsp;</P> <UL> <LI>While you utilize an add-on named "Host Insights" to retrieve your machine's uptime, someone mentions that it's not feasible because it's solely accessible for iOS</LI> <LI>On my end, what I aim for is to extract the description of event 6013 from the event log using an XQL Search. If the value within the description exceeds 2,592e+6, I want to trigger an alert</LI> </UL> Thu, 25 Jan 2024 15:29:59 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/query-to-monitor-computer-uptime/m-p/574482#M5958 Melvin_Machado 2024-01-25T15:29:59Z