XQL query to find agents seen in the last 30 days

L1 Bithead

Hi,

 

I am looking to create a report that will list all endpoints seen in the last 30 days.

 

I have created an XQL query that will return all endpoints but I am not able to filter this query to limit the scope to agents that have been seen in the last 30 days ONLY.

-------------------------------

config case_sensitive = false
| dataset = endpoints
| fields endpoint_name , endpoint_type , endpoint_status , last_seen

--------------------------------

 

Does anyone know how I can achieve this?

 

Thanks.

#Cortex XDR 

1 ACCEPTED SOLUTION

L2 Linker

See if this query gets what you are after.

config case_sensitive = false

| dataset = endpoints
| fields endpoint_name , endpoint_type , endpoint_status , last_seen
| alter last_seen_days = timestamp_diff(current_time(), last_seen, "DAY")
| filter last_seen_days <= 30

2 REPLIES

Working like a charm! Thanks @tyler_bailey
