https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/help-xql-query-for-unprotected-assets/m-p/1234897#M8599 <P>Hi, everyone.</P> <P>&nbsp;</P> <P>I have a use case of creating a Correlation rule to track the asset where the operational status of the agent changed from "Protected" to "Unprotected". I am having a hard time building the actual query. Any ideas?</P> <P>&nbsp;</P> <P>Im currently only tracking asset under "Unprotected" but that generates a lot of noise as any new deployment the initial status of the agent will be "Unprotected" therefore the alert will trigger. So this is not accurate at all.</P> <P>&nbsp;</P> <P>Current query:</P> <P>&nbsp;</P> <P>dataset = endpoints | filter endpoint_status = ENUM.CONNECTED and operational_status = "UNPROTECTED"<BR />| dedup endpoint_id<BR />| fields endpoint_id , endpoint_name , endpoint_type, endpoint_status, operational_status, operational_status_description, operating_system, ip_address, tags</P> Tue, 29 Jul 2025 15:02:36 GMT BOtero1 2025-07-29T15:02:36Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/help-xql-query-for-unprotected-assets/m-p/1234897#M8599 <P>Hi, everyone.</P> <P>&nbsp;</P> <P>I have a use case of creating a Correlation rule to track the asset where the operational status of the agent changed from "Protected" to "Unprotected". I am having a hard time building the actual query. Any ideas?</P> <P>&nbsp;</P> <P>Im currently only tracking asset under "Unprotected" but that generates a lot of noise as any new deployment the initial status of the agent will be "Unprotected" therefore the alert will trigger. So this is not accurate at all.</P> <P>&nbsp;</P> <P>Current query:</P> <P>&nbsp;</P> <P>dataset = endpoints | filter endpoint_status = ENUM.CONNECTED and operational_status = "UNPROTECTED"<BR />| dedup endpoint_id<BR />| fields endpoint_id , endpoint_name , endpoint_type, endpoint_status, operational_status, operational_status_description, operating_system, ip_address, tags</P> Tue, 29 Jul 2025 15:02:36 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/help-xql-query-for-unprotected-assets/m-p/1234897#M8599 BOtero1 2025-07-29T15:02:36Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/help-xql-query-for-unprotected-assets/m-p/1234987#M8603 <P>Hi</P> <P>You could probably just filter out newly installed agents.</P> <P>| alter install_date_difference = timestamp_diff(current_time(), install_date, "DAY") // calculate the amount of days since the XDR agent was installed. <BR />| filter install_date_difference &gt; 1 // Set/filter the amount of days when the correlation rule should trigger. In this example the agent needs to be installed for 2 days and more</P> <P>&nbsp;</P> <P>timestamp_diff would also support the difference in hours.</P> <P>&nbsp;</P> <P>Hope this helps</P> Wed, 30 Jul 2025 06:28:17 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/help-xql-query-for-unprotected-assets/m-p/1234987#M8603 micomi 2025-07-30T06:28:17Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/help-xql-query-for-unprotected-assets/m-p/1235048#M8604 <P>Amazing! Thanks! That works like a charm.&nbsp;</P> Wed, 30 Jul 2025 18:09:23 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/help-xql-query-for-unprotected-assets/m-p/1235048#M8604 BOtero1 2025-07-30T18:09:23Z