03-14-2022 09:20 AM
Hi,
I am looking to create a report that will list all endpoints seen in the last 30 days.
I have created an XQL query that will return all endpoints but I am not able to filter this query to limit the scope to agents that have been seen in the last 30 days ONLY.
-------------------------------
config case_sensitive = false
| dataset = endpoints
| fields endpoint_name , endpoint_type , endpoint_status , last_seen
--------------------------------
Does anyone know how I can achieve this?
Thanks.
#Cortex XDR
03-14-2022 10:11 AM
See if this query gets what you are after.
config case_sensitive = false
| dataset = endpoints
| fields endpoint_name , endpoint_type , endpoint_status , last_seen
| alter last_seen_days = timestamp_diff(current_time(), last_seen, "DAY")
| filter last_seen_days <= 30
03-14-2022 10:20 AM
Working like a charm ... ! Thanks @tyler_bailey
02-21-2023 08:05 PM
Hi, can you advise on the command below:
| alter last_seen_days = timestamp_diff(current_time(), last_seen, "DAY")
How do I use this, with an example?