Hi @KarlHalpin, the Agent Service is captured in the Agent Audit Logs. The agent audit logs are not currently exposed as a dataset in order to be queried utilizing XQL. The agent audit logs are able to be exported to file, or you may configure notification forwarding to support your monitoring needs.
From an XQL enablement standpoint, there is a new feature to Pause Endpoint Protection that requires the Cortex XDR agent 7.7 and above, which is a part of the Endpoints dataset; therefore, you can leverage XQL. Please reference the following example query:
dataset = endpoints | filter manual_protection_pause = "PROTECTION_PAUSED"
The results from this XQL query will display only endpoints that are configured with the XDR agent and have the endpoint protection manually paused.