07-01-2023 07:15 AM
Hello dear community,
we have a couple of sites, which sometimes do not have a internet connection, because the provider has issues.
Is there a way to get an alert, when a boundle of agents is not reachable at the same time (disconnected)?
I can alert, when one or another is disconnected, but what do I need to change if I wan't to alert, when all of them are disconnected at the same time?
BR
Rob
07-02-2023 07:51 PM - edited 07-02-2023 07:56 PM
Hi @RFeyertag ,
Thank you for writing to live community!
First things first, you would want to create group names for the endpoints. Then you can actually create an XQL query for those group of endpoints for the site and then you can run the XQL query for it. You can create this as a correlation rule and it should return only one entry with below.
The reason why we have 30 minutes as a timeline because the agents getting disconnected, show "Disconnected" in XDR only after missing on 2 heartbeats which means 10 minutes of time as minimum threshold and then for the group of endpoints, we would want to give a buffer of 2-3 minutes.
dataset = endpoints
| fields endpoint_status, agent_version, last_seen, endpoint_name, endpoint_type, group_names
| alter ct = current_time()
| alter diff = timestamp_diff(ct, last_seen, "MINUTE")
| filter endpoint_status != CONNECTED and diff > 30 and group_names contains "<group name of your choice>"
| comp count(endpoint_name ) as offline
| alter text = if(offline > 30 , 1,0 ) //replace the 30 by any number you want and also the return values as per your choice
Hope this helps!
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
