Category | Hide Query Show Query #logtype = "ordr" | #msgType="deviceUpdate" | deviceCategory="DG-Medical*" | groupBy(macAddress, function=selectLast(["deviceSubCategory"])) | groupBy(deviceSubCategory, function=count(as="Device Count")) | sort("Device Count") | format("%,.0f", field="Device Count", as="Device Count") | rename(deviceSubCategory,as=Category)
| Table |
Agent vs Agentless Devices |
Agentless Devices - Devices without endpoint agents/AV installed,
no users attached on Corporate Network
Hide Query Show Query #logtype = "ordr" | #msgType="deviceUpdate" | "isAgentable" := (iotEndpoint!="IOT_ENDPOINT") | groupBy("isAgentable", function=count(field=macAddress, distinct=true, as=Devices))
| Pie Chart |
Manufacturer by Vulnerability Count | Hide Query Show Query #logtype = "ordr" | #msgType="deviceUpdate" | split("vulnIds") | groupBy(["mfgName"]) | sort("_count") | rename("_count", as="Vulnerability Count") | format("%,.0f", field="Vulnerability Count", as="Vulnerability Count")
| Table |
Malicious Internal Communications |
Displays a list of malicious internal communications received on
connected devices including blocked ports, web service attacks,
device signature violations, denial of service, etc.
Hide Query Show Query #logtype = "ordr" | #msgType="deviceSecAlarm" | in(category, values=["BLOCKED_PORT", "WEB_SERVICE_ATTACKS", "DEVICE_SIGNATURE_VIOLATION", "DENIAL_OF_SERVICE", "RECONNAISSANCE", "MALWARE", "IP_SPOOFING", "MAC_SPOOFING", "MALICIOUS_COMMS", "PRINT_NIGHTMARE_ATTACK", "APPLICATION_VIOLATION"]) | groupBy(category, function=count(macAddress, distinct=true, as="Device Count")) | sort("Device Count")
| Bar Chart |
Locations | Hide Query Show Query #logtype = "ordr" | #msgType="deviceUpdate" | deviceCategory="DG-Medical*" | groupBy(macAddress, function=selectLast(location)) | top(location)
| Bar Chart |
Devices | Hide Query Show Query #logtype = "ordr" | #msgType="deviceUpdate" | count(macAddress, distinct=true, as=Devices ) | format("%,.0f", field=Devices, as=Devices)
| Single Value |
Alarm Category | Hide Query Show Query #logtype = "ordr" | #msgType="deviceSecAlarm" | groupBy(category, function=count(macAddress, distinct=true, as="Device Count")) | sort(["Device Count"], order=desc) | format("%,.0f", field="Device Count", as="Device Count") | rename(category, as=Category)
| Table |
Vlan | Hide Query Show Query #logtype = "ordr" | #msgType="deviceUpdate" | deviceCategory="DG-Medical*" | groupBy(macAddress, function=selectLast([vlan])) | groupBy(vlan, function=count(as="Device Count")) | format("%,.0f", field="Device Count", as="Device Count") | rename("vlan",as="Vlan")
| Table |
Security Insights - Vulnerabilities | Hide Query Show Query #logtype = "ordr" | #msgType="deviceUpdate" | iotEndpoint!="IOT_ENDPOINT" | count(field=macAddress, distinct=true, as=Devices) | format("%,.0f", field=Devices, as=Devices)
| Single Value |
Groups | Hide Query Show Query #logtype = "ordr" | #msgType="deviceUpdate" | deviceCategory="DG-Medical*" | groupBy(macAddress, function=selectLast(["deviceCategory"])) | groupBy(deviceCategory, function=count(as="Device Count")) | sort("Device Count") | format("%,.0f", field="Device Count", as="Device Count") | rename(deviceCategory,as=Group)
| Table |
Incident Map |
Displays a world map of device security alarm incidents by peer
ID.
Hide Query Show Query #logtype = "ordr" | #msgType="deviceSecAlarm" | peerId != "NA" | worldMap(ip=peerId)
| World Map |
Agentable Devices Missing Falcon Sensor |
Displays a list of agentable devices that are missing Falcon
Sensor device updates.
Hide Query Show Query #logtype = "ordr" | #msgType="deviceUpdate" | iotEndpoint!="IOT_ENDPOINT" | count(field=macAddress, distinct=true, as=Devices) | format("%,.0f", field=Devices, as=Devices)
| Single Value |
Ordr Advisories |
Displays a list of ordr advisories by device.
Hide Query Show Query #logtype = "ordr" | #msgType="deviceSecAlarm" | in(category, values=["BLUEKEEP_ATTACK", "URGENT_11_ATTACKS", "BLUEKEEP_VULN", "RIPPLE_20_ATTACKS", "RIPPLE_20_VULNS", "CDPWN_VULNS", "LOG4_PROHIBITED_SITES", "LOG4VULN", "LOG4SHELL", "PRINT_NIGHTMARE_VULNS", "NETWORK_ALERTS"]) | groupBy(category, function=count(macAddress, distinct=true, as="Device Count")) | sort("Device Count")
| Pie Chart |
Network Connectivity | Hide Query Show Query #logtype = "ordr" | #msgType="deviceUpdate" | iotEndpoint!="IOT_ENDPOINT" | count(field=macAddress, distinct=true, as=Devices) | format("%,.0f", field=Devices, as=Devices)
| Single Value |
Device Status |
Displays a list of devices and their status by IoT endpoint.
Hide Query Show Query #logtype = "ordr" | iotEndpoint="IOT_ENDPOINT" | groupBy(macAddress, function=selectLast(["isAgedOut"])) | groupBy(isAgedOut, function=count(as=Devices))
| Pie Chart |
Medical Device Analytics |
Displays a list of analytics for selected medical devices based on
IoT endpoint and device update data.
Hide Query Show Query #logtype = "ordr" | #msgType="deviceUpdate" | iotEndpoint!="IOT_ENDPOINT" | count(field=macAddress, distinct=true, as=Devices) | format("%,.0f", field=Devices, as=Devices)
| Single Value |
Subnets | Hide Query Show Query #logtype = "ordr" | #msgType="deviceUpdate" | deviceCategory="DG-Medical*" | groupBy(macAddress, function=selectLast([subnet])) | groupBy(subnet, function=count(as="Device Count")) | format("%,.0f", field="Device Count", as="Device Count") | rename("subnet",as="Subnet")
| Table |
Suspicious External Communications |
Displays a list of suspicious external communications by MAC
address and their details, including categories such as
ransomware, data exfiltration, command and control communications,
suspicious domain, bad IP address, phishing, spam URLs,
inappropriate content, Tor sites, and mining and malicious URL.
Hide Query Show Query #logtype = "ordr" | #msgType="deviceSecAlarm" | in(category, values=["RANSOMWARE", "DATA_EXFILTRATION", "COMMAND_AND_CONTROL_COMM", "SUSPICIOUS_DOMAIN", "BAD_IP", "PHISHING", "SPAM_URLS", "INAPPROPRIATE_CONTENT", "TOR_SITES", "MINING", "MALICIOUS_URL"]) | groupBy(category, function=count(macAddress, distinct=true, as="Device Count")) | sort("Device Count")
| Bar Chart |
Profiles | Hide Query Show Query #logtype = "ordr" | #msgType="deviceUpdate" | deviceCategory="DG-Medical*" | groupBy(macAddress, function=selectLast([profileGuid])) | groupBy(profileGuid, function=count(as="Device Count")) | sort(["Device Count"], order=desc) | format("%,.0f", field="Device Count", as="Device Count") | rename("profileGuid",as="Profile")
| Table |
Vulnerability Severity Level | Hide Query Show Query #logtype = "ordr" | #msgType="deviceSecAlarm" | groupBy(severityLevel,function=count(field=macAddress, distinct=true, as=Devices))
| Pie Chart |
Risk Level |
Displays a list of devices and their risk level by MAC address.
Hide Query Show Query #logtype = "ordr" | #msgType="deviceUpdate" | groupBy(macAddress, function=selectLast(behaviorState)) | groupBy(behaviorState)
| Pie Chart |
Infections & Vulnerabilities | Hide Query Show Query #logtype = "ordr" | #msgType="deviceSecAlarm" | in(category, values=["WEAK_CIPHERS", "DEVICE_SOFTWARE_VULNERABILITY", "PASSWORD_VULNERABILITY", "OPEN_PORTS", "CERTIFICATE_EXPIRY", "OUTDATED_OS", "AV_INACTIVITY", "UNAUTHORIZED_ACCESS", "CARE_CERTIFICATE"]) | groupBy(category, function=count(macAddress, distinct=true, as="Device Count")) | sort("Device Count")
| Bar Chart |
Attack Surface | Hide Query Show Query #logtype = "ordr" | #msgType="deviceUpdate" | iotEndpoint!="IOT_ENDPOINT" | count(field=macAddress, distinct=true, as=Devices) | format("%,.0f", field=Devices, as=Devices)
| Single Value |
Security Insights - Incidents | Hide Query Show Query #logtype = "ordr" | #msgType="deviceUpdate" | iotEndpoint!="IOT_ENDPOINT" | count(field=macAddress, distinct=true, as=Devices) | format("%,.0f", field=Devices, as=Devices)
| Single Value |
OS Type | Hide Query Show Query #logtype = "ordr" | #msgType="deviceUpdate" | groupBy(macAddress, function=selectLast(osType)) | top(osType, limit=5)
| Bar Chart |
Alarms by Device Category | Hide Query Show Query #logtype = "ordr" | #msgType="deviceSecAlarm" | severityLevel="*" | join({deviceCategory="*"}, field=macAddress, include=["deviceCategory","osType" ]) | groupBy([deviceCategory, severityLevel]) | sort("severityLevel", order=asc) | rename("_count", as="Count")
| Bar Chart |