07-04-2023 10:00 AM
Hello @Claude_Schwab ,
Thanks for reaching out on LiveCommunity.
You can create a correlation rule or query that should identify the assets without the XDR agent installed. The dataset you need is "panw_network_mapper_raw", which contains the output of Network Mapper scans. You can compare this dataset with the "endpoints" dataset, mainly with reference to IP address. So basically, the first dataset will have the complete list of assets (for the given IP range in the Network Mapper scan), and you can subtract the assets in the second dataset, which have the agent installed on them.
Below is an example query that you can refer to and build on according to your use case.
dataset = panw_network_mapper_raw
| filter ip not in (dataset = endpoints | arrayexpand ip_address | fields ip_address)
| fields ip, hostname
Please refer to the document below for XQL queries.
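The same comparison run offline over exported rows, as an added example that is not part of the original reply and is not Palo Alto Networks code. It assumes both datasets were exported as lists of records carrying the `ip`, `hostname` and `ip_address` fields used in the query; the sample rows are constructed, and the helper names are hypothetical.

```python
import ipaddress

# Constructed sample rows; field names follow the query above, the export shape is an assumption.
SCAN = [
    {"ip": "10.0.0.5", "hostname": "ws-01"},
    {"ip": "10.0.0.9", "hostname": ""},            # first scan: no hostname resolved
    {"ip": "10.0.0.9", "hostname": "printer-2"},   # later scan of the same IP
    {"ip": "10.0.0.7 ", "hostname": "srv-db"},     # trailing whitespace from the export
    {"ip": "10.0.0.20", "hostname": "cam-lobby"},
]
ENDPOINTS = [
    {"ip_address": ["10.0.0.5", "192.168.56.1"]},  # multi-homed endpoint
    {"ip_address": ["::ffff:10.0.0.7"]},           # IPv4-mapped IPv6 form
]

def norm_ip(value):
    """Return a canonical IP string, or None if the value is not an IP."""
    try:
        ip = ipaddress.ip_address(str(value).strip())
    except ValueError:
        return None
    # Treat ::ffff:a.b.c.d as the IPv4 address it carries.
    return str(getattr(ip, "ipv4_mapped", None) or ip)

def covered_ips(endpoint_rows):
    """Flatten every endpoint's ip_address array, as arrayexpand does in the query."""
    covered = set()
    for row in endpoint_rows:
        value = row.get("ip_address") or []
        for raw in ([value] if isinstance(value, str) else value):
            ip = norm_ip(raw)
            if ip:
                covered.add(ip)
    return covered

def assets_without_agent(scan_rows, endpoint_rows):
    """Scanned assets whose IP matches no agent-reported IP, one row per IP."""
    covered = covered_ips(endpoint_rows)
    missing = {}
    for row in scan_rows:
        ip = norm_ip(row.get("ip"))
        if ip is None or ip in covered:
            continue
        if not missing.get(ip):  # keep the first non-empty hostname seen
            missing[ip] = row.get("hostname") or ""
    def ip_key(item):
        addr = ipaddress.ip_address(item[0])
        return (addr.version, int(addr))
    return sorted(missing.items(), key=ip_key)
```

Matching on IP alone means an address reassigned by DHCP between the scan and the agent check-in can hide or falsely flag a host, so compare rows from the same time window.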