Hi @VenuK, thank you for writing to Live Community.

1. I am not sure what you mean by agent malfunction, but if you are referring to agent disconnected/lost connection, you can use the following query as a baseline:

dataset = endpoints | filter endpoint_status = CONNECTION_LOST or endpoint_status = DISCONNECTED

2. For agents with no content update please try the below query:

dataset = endpoints 
| filter content_version = "" and (endpoint_status = CONNECTED or endpoint_status = DISCONNECTED)
| alter last_seen_diff = timestamp_diff(current_time(), last_seen, "DAY") 
| filter last_seen_diff <= 7
| comp count(endpoint_id) as count
| view graph type = pie show_percentage = `false` xaxis = count yaxis = count default_limit = `false` legend = `false` 

3. Regarding agents being partially protected or unprotected, please try the below query as a baseline (feel free to choose which fields you'd like to see in the table):

dataset = endpoints 
| filter operational_status != ENUM.PROTECTED 
| fields Endpoint_Name as Name, operational_status, is_edr_enabled, operating_system as OS, os_version, kernel_version, mac_address, agent_version as Cortex_Agent_Version, ip_address as IP, endpoint_type
| view graph type = pie 

4. Regarding agent connection issues, please see the first query I suggested.

Hope these will help you get started with the queries you're looking to build.

