I came up with this XQL query; see if it is something you could use:
| fields endpoint_id, endpoint_name, manual_protection_pause as all_endpoints_protection_pause, endpoint_status
| filter all_endpoints_protection_pause = "PROTECTION_PAUSED" and endpoint_status in (ENUM.CONNECTED, ENUM.DISCONNECTED) // You could remove ENUM.DISCONNECTED
| join type=left(dataset = agent_auditing | filter agent_auditing_subtype = ENUM.AGENT_AUDIT_MANUAL_PROTECTION_STATUS | fields description, agent_auditing_subtype, endpoint_id, received_time ) as aal aal.endpoint_id = endpoint_id
| filter timestamp_diff(current_time(), received_time, "MINUTE") > 30 // You can change MINUTE to HOUR or DAY. In this example, I used MINUTE to showcase the result
I would not recommend looking for machines with Protection paused for >= 30 days. It would be better to know about this as soon as possible. Therefore, I would recommend adding this XQL query to a correlation rule to generate alerts whenever timestamp_diff is >= 30 minutes or so. You can then create notifications filtering on the correlation alert.