| Category | Hide Query Show Query #logtype = "ordr" | #msgType="deviceUpdate" | deviceCategory="DG-Medical*" | groupBy(macAddress, function=selectLast(["deviceSubCategory"])) | groupBy(deviceSubCategory, function=count(as="Device Count")) | sort("Device Count") | format("%,.0f", field="Device Count", as="Device Count") | rename(deviceSubCategory,as=Category)
| Table |
| Agent vs Agentless Devices |
Agentless Devices - Devices without endpoint agents/AV installed,
no users attached on Corporate Network
Hide Query Show Query #logtype = "ordr" | #msgType="deviceUpdate" | "isAgentable" := (iotEndpoint!="IOT_ENDPOINT") | groupBy("isAgentable", function=count(field=macAddress, distinct=true, as=Devices))
| Pie Chart |
| Manufacturer by Vulnerability Count | Hide Query Show Query #logtype = "ordr" | #msgType="deviceUpdate" | split("vulnIds") | groupBy(["mfgName"]) | sort("_count") | rename("_count", as="Vulnerability Count") | format("%,.0f", field="Vulnerability Count", as="Vulnerability Count")
| Table |
| Malicious Internal Communications | Hide Query Show Query #logtype = "ordr" | #msgType="deviceSecAlarm" | in(category, values=["BLOCKED_PORT", "WEB_SERVICE_ATTACKS", "DEVICE_SIGNATURE_VIOLATION", "DENIAL_OF_SERVICE", "RECONNAISSANCE", "MALWARE", "IP_SPOOFING", "MAC_SPOOFING", "MALICIOUS_COMMS", "PRINT_NIGHTMARE_ATTACK", "APPLICATION_VIOLATION"]) | groupBy(category, function=count(macAddress, distinct=true, as="Device Count")) | sort("Device Count")
| Bar Chart |
| Locations | Hide Query Show Query #logtype = "ordr" | #msgType="deviceUpdate" | deviceCategory="DG-Medical*" | groupBy(macAddress, function=selectLast(location)) | top(location)
| Bar Chart |
| Devices | Hide Query Show Query #logtype = "ordr" | #msgType="deviceUpdate" | count(macAddress, distinct=true, as=Devices ) | format("%,.0f", field=Devices, as=Devices)
| Single Value |
| Alarm Category | Hide Query Show Query #logtype = "ordr" | #msgType="deviceSecAlarm" | groupBy(category, function=count(macAddress, distinct=true, as="Device Count")) | sort(["Device Count"], order=desc) | format("%,.0f", field="Device Count", as="Device Count") | rename(category, as=Category)
| Table |
| Vlan | Hide Query Show Query #logtype = "ordr" | #msgType="deviceUpdate" | deviceCategory="DG-Medical*" | groupBy(macAddress, function=selectLast([vlan])) | groupBy(vlan, function=count(as="Device Count")) | format("%,.0f", field="Device Count", as="Device Count") | rename("vlan",as="Vlan")
| Table |
| Security Insights - Vulnerabilities | Hide Query Show Query #logtype = "ordr" | #msgType="deviceUpdate" | iotEndpoint!="IOT_ENDPOINT" | count(field=macAddress, distinct=true, as=Devices) | format("%,.0f", field=Devices, as=Devices)
| Single Value |
| Groups | Hide Query Show Query #logtype = "ordr" | #msgType="deviceUpdate" | deviceCategory="DG-Medical*" | groupBy(macAddress, function=selectLast(["deviceCategory"])) | groupBy(deviceCategory, function=count(as="Device Count")) | sort("Device Count") | format("%,.0f", field="Device Count", as="Device Count") | rename(deviceCategory,as=Group)
| Table |
| Incident Map | Hide Query Show Query #logtype = "ordr" | #msgType="deviceSecAlarm" | peerId != "NA" | worldMap(ip=peerId)
| World Map |
| Agentable Devices Missing Falcon Sensor | Hide Query Show Query #logtype = "ordr" | #msgType="deviceUpdate" | iotEndpoint!="IOT_ENDPOINT" | count(field=macAddress, distinct=true, as=Devices) | format("%,.0f", field=Devices, as=Devices)
| Single Value |
| Ordr Advisories | Hide Query Show Query #logtype = "ordr" | #msgType="deviceSecAlarm" | in(category, values=["BLUEKEEP_ATTACK", "URGENT_11_ATTACKS", "BLUEKEEP_VULN", "RIPPLE_20_ATTACKS", "RIPPLE_20_VULNS", "CDPWN_VULNS", "LOG4_PROHIBITED_SITES", "LOG4VULN", "LOG4SHELL", "PRINT_NIGHTMARE_VULNS", "NETWORK_ALERTS"]) | groupBy(category, function=count(macAddress, distinct=true, as="Device Count")) | sort("Device Count")
| Pie Chart |
| Network Connectivity | Hide Query Show Query #logtype = "ordr" | #msgType="deviceUpdate" | iotEndpoint!="IOT_ENDPOINT" | count(field=macAddress, distinct=true, as=Devices) | format("%,.0f", field=Devices, as=Devices)
| Single Value |
| Device Status | Hide Query Show Query #logtype = "ordr" | iotEndpoint="IOT_ENDPOINT" | groupBy(macAddress, function=selectLast(["isAgedOut"])) | groupBy(isAgedOut, function=count(as=Devices))
| Pie Chart |
| Medical Device Analytics | Hide Query Show Query #logtype = "ordr" | #msgType="deviceUpdate" | iotEndpoint!="IOT_ENDPOINT" | count(field=macAddress, distinct=true, as=Devices) | format("%,.0f", field=Devices, as=Devices)
| Single Value |
| Subnets | Hide Query Show Query #logtype = "ordr" | #msgType="deviceUpdate" | deviceCategory="DG-Medical*" | groupBy(macAddress, function=selectLast([subnet])) | groupBy(subnet, function=count(as="Device Count")) | format("%,.0f", field="Device Count", as="Device Count") | rename("subnet",as="Subnet")
| Table |
| Suspicious External Communications | Hide Query Show Query #logtype = "ordr" | #msgType="deviceSecAlarm" | in(category, values=["RANSOMWARE", "DATA_EXFILTRATION", "COMMAND_AND_CONTROL_COMM", "SUSPICIOUS_DOMAIN", "BAD_IP", "PHISHING", "SPAM_URLS", "INAPPROPRIATE_CONTENT", "TOR_SITES", "MINING", "MALICIOUS_URL"]) | groupBy(category, function=count(macAddress, distinct=true, as="Device Count")) | sort("Device Count")
| Bar Chart |
| Profiles | Hide Query Show Query #logtype = "ordr" | #msgType="deviceUpdate" | deviceCategory="DG-Medical*" | groupBy(macAddress, function=selectLast([profileGuid])) | groupBy(profileGuid, function=count(as="Device Count")) | sort(["Device Count"], order=desc) | format("%,.0f", field="Device Count", as="Device Count") | rename("profileGuid",as="Profile")
| Table |
| Vulnerability Severity Level | Hide Query Show Query #logtype = "ordr" | #msgType="deviceSecAlarm" | groupBy(severityLevel,function=count(field=macAddress, distinct=true, as=Devices))
| Pie Chart |
| Risk Level | Hide Query Show Query #logtype = "ordr" | #msgType="deviceUpdate" | groupBy(macAddress, function=selectLast(behaviorState)) | groupBy(behaviorState)
| Pie Chart |
| Infections & Vulnerabilities | Hide Query Show Query #logtype = "ordr" | #msgType="deviceSecAlarm" | in(category, values=["WEAK_CIPHERS", "DEVICE_SOFTWARE_VULNERABILITY", "PASSWORD_VULNERABILITY", "OPEN_PORTS", "CERTIFICATE_EXPIRY", "OUTDATED_OS", "AV_INACTIVITY", "UNAUTHORIZED_ACCESS", "CARE_CERTIFICATE"]) | groupBy(category, function=count(macAddress, distinct=true, as="Device Count")) | sort("Device Count")
| Bar Chart |
| Attack Surface | Hide Query Show Query #logtype = "ordr" | #msgType="deviceUpdate" | iotEndpoint!="IOT_ENDPOINT" | count(field=macAddress, distinct=true, as=Devices) | format("%,.0f", field=Devices, as=Devices)
| Single Value |
| Security Insights - Incidents | Hide Query Show Query #logtype = "ordr" | #msgType="deviceUpdate" | iotEndpoint!="IOT_ENDPOINT" | count(field=macAddress, distinct=true, as=Devices) | format("%,.0f", field=Devices, as=Devices)
| Single Value |
| OS Type | Hide Query Show Query #logtype = "ordr" | #msgType="deviceUpdate" | groupBy(macAddress, function=selectLast(osType)) | top(osType, limit=5)
| Bar Chart |
| Alarms by Device Category | Hide Query Show Query #logtype = "ordr" | #msgType="deviceSecAlarm" | severityLevel="*" | join({deviceCategory="*"}, field=macAddress, include=["deviceCategory","osType" ]) | groupBy([deviceCategory, severityLevel]) | sort("severityLevel", order=asc) | rename("_count", as="Count")
| Bar Chart |
