Widget list (name, visualization type, query):

Widget: Category
Visualization: Table
Query: #logtype = "ordr" | #msgType="deviceUpdate" | deviceCategory="DG-Medical*" | groupBy(macAddress, function=selectLast(["deviceSubCategory"])) | groupBy(deviceSubCategory, function=count(as="Device Count")) | sort("Device Count") | format("%,.0f", field="Device Count", as="Device Count") | rename(deviceSubCategory, as=Category)

Widget: Agent vs Agentless Devices
Description: Agentless Devices - Devices without endpoint agents/AV installed, no users attached on Corporate Network
Visualization: Pie Chart
Query: #logtype = "ordr" | #msgType="deviceUpdate" | "isAgentable" := (iotEndpoint!="IOT_ENDPOINT") | groupBy("isAgentable", function=count(field=macAddress, distinct=true, as=Devices))

Widget: Manufacturer by Vulnerability Count
Visualization: Table
Query: #logtype = "ordr" | #msgType="deviceUpdate" | split("vulnIds") | groupBy(["mfgName"]) | sort("_count") | rename("_count", as="Vulnerability Count") | format("%,.0f", field="Vulnerability Count", as="Vulnerability Count")

Widget: Malicious Internal Communications
Visualization: Bar Chart
Query: #logtype = "ordr" | #msgType="deviceSecAlarm" | in(category, values=["BLOCKED_PORT", "WEB_SERVICE_ATTACKS", "DEVICE_SIGNATURE_VIOLATION", "DENIAL_OF_SERVICE", "RECONNAISSANCE", "MALWARE", "IP_SPOOFING", "MAC_SPOOFING", "MALICIOUS_COMMS", "PRINT_NIGHTMARE_ATTACK", "APPLICATION_VIOLATION"]) | groupBy(category, function=count(macAddress, distinct=true, as="Device Count")) | sort("Device Count")

Widget: Locations
Visualization: Bar Chart
Query: #logtype = "ordr" | #msgType="deviceUpdate" | deviceCategory="DG-Medical*" | groupBy(macAddress, function=selectLast(location)) | top(location)

Widget: Devices
Visualization: Single Value
Query: #logtype = "ordr" | #msgType="deviceUpdate" | count(macAddress, distinct=true, as=Devices) | format("%,.0f", field=Devices, as=Devices)

Widget: Alarm Category
Visualization: Table
Query: #logtype = "ordr" | #msgType="deviceSecAlarm" | groupBy(category, function=count(macAddress, distinct=true, as="Device Count")) | sort(["Device Count"], order=desc) | format("%,.0f", field="Device Count", as="Device Count") | rename(category, as=Category)

Widget: Vlan
Visualization: Table
Query: #logtype = "ordr" | #msgType="deviceUpdate" | deviceCategory="DG-Medical*" | groupBy(macAddress, function=selectLast([vlan])) | groupBy(vlan, function=count(as="Device Count")) | format("%,.0f", field="Device Count", as="Device Count") | rename("vlan", as="Vlan")

Widget: Security Insights - Vulnerabilities
Visualization: Single Value
Query: #logtype = "ordr" | #msgType="deviceUpdate" | iotEndpoint!="IOT_ENDPOINT" | count(field=macAddress, distinct=true, as=Devices) | format("%,.0f", field=Devices, as=Devices)

Widget: Groups
Visualization: Table
Query: #logtype = "ordr" | #msgType="deviceUpdate" | deviceCategory="DG-Medical*" | groupBy(macAddress, function=selectLast(["deviceCategory"])) | groupBy(deviceCategory, function=count(as="Device Count")) | sort("Device Count") | format("%,.0f", field="Device Count", as="Device Count") | rename(deviceCategory, as=Group)

Widget: Incident Map
Visualization: World Map
Query: #logtype = "ordr" | #msgType="deviceSecAlarm" | peerId != "NA" | worldMap(ip=peerId)

Widget: Agentable Devices Missing Falcon Sensor
Visualization: Single Value
Query: #logtype = "ordr" | #msgType="deviceUpdate" | iotEndpoint!="IOT_ENDPOINT" | count(field=macAddress, distinct=true, as=Devices) | format("%,.0f", field=Devices, as=Devices)

Widget: Ordr Advisories
Visualization: Pie Chart
Query: #logtype = "ordr" | #msgType="deviceSecAlarm" | in(category, values=["BLUEKEEP_ATTACK", "URGENT_11_ATTACKS", "BLUEKEEP_VULN", "RIPPLE_20_ATTACKS", "RIPPLE_20_VULNS", "CDPWN_VULNS", "LOG4_PROHIBITED_SITES", "LOG4VULN", "LOG4SHELL", "PRINT_NIGHTMARE_VULNS", "NETWORK_ALERTS"]) | groupBy(category, function=count(macAddress, distinct=true, as="Device Count")) | sort("Device Count")

Widget: Network Connectivity
Visualization: Single Value
Query: #logtype = "ordr" | #msgType="deviceUpdate" | iotEndpoint!="IOT_ENDPOINT" | count(field=macAddress, distinct=true, as=Devices) | format("%,.0f", field=Devices, as=Devices)

Widget: Device Status
Visualization: Pie Chart
Query: #logtype = "ordr" | iotEndpoint="IOT_ENDPOINT" | groupBy(macAddress, function=selectLast(["isAgedOut"])) | groupBy(isAgedOut, function=count(as=Devices))

Widget: Medical Device Analytics
Visualization: Single Value
Query: #logtype = "ordr" | #msgType="deviceUpdate" | iotEndpoint!="IOT_ENDPOINT" | count(field=macAddress, distinct=true, as=Devices) | format("%,.0f", field=Devices, as=Devices)

Widget: Subnets
Visualization: Table
Query: #logtype = "ordr" | #msgType="deviceUpdate" | deviceCategory="DG-Medical*" | groupBy(macAddress, function=selectLast([subnet])) | groupBy(subnet, function=count(as="Device Count")) | format("%,.0f", field="Device Count", as="Device Count") | rename("subnet", as="Subnet")

Widget: Suspicious External Communications
Visualization: Bar Chart
Query: #logtype = "ordr" | #msgType="deviceSecAlarm" | in(category, values=["RANSOMWARE", "DATA_EXFILTRATION", "COMMAND_AND_CONTROL_COMM", "SUSPICIOUS_DOMAIN", "BAD_IP", "PHISHING", "SPAM_URLS", "INAPPROPRIATE_CONTENT", "TOR_SITES", "MINING", "MALICIOUS_URL"]) | groupBy(category, function=count(macAddress, distinct=true, as="Device Count")) | sort("Device Count")

Widget: Profiles
Visualization: Table
Query: #logtype = "ordr" | #msgType="deviceUpdate" | deviceCategory="DG-Medical*" | groupBy(macAddress, function=selectLast([profileGuid])) | groupBy(profileGuid, function=count(as="Device Count")) | sort(["Device Count"], order=desc) | format("%,.0f", field="Device Count", as="Device Count") | rename("profileGuid", as="Profile")

Widget: Vulnerability Severity Level
Visualization: Pie Chart
Query: #logtype = "ordr" | #msgType="deviceSecAlarm" | groupBy(severityLevel, function=count(field=macAddress, distinct=true, as=Devices))

Widget: Risk Level
Visualization: Pie Chart
Query: #logtype = "ordr" | #msgType="deviceUpdate" | groupBy(macAddress, function=selectLast(behaviorState)) | groupBy(behaviorState)

Widget: Infections & Vulnerabilities
Visualization: Bar Chart
Query: #logtype = "ordr" | #msgType="deviceSecAlarm" | in(category, values=["WEAK_CIPHERS", "DEVICE_SOFTWARE_VULNERABILITY", "PASSWORD_VULNERABILITY", "OPEN_PORTS", "CERTIFICATE_EXPIRY", "OUTDATED_OS", "AV_INACTIVITY", "UNAUTHORIZED_ACCESS", "CARE_CERTIFICATE"]) | groupBy(category, function=count(macAddress, distinct=true, as="Device Count")) | sort("Device Count")

Widget: Attack Surface
Visualization: Single Value
Query: #logtype = "ordr" | #msgType="deviceUpdate" | iotEndpoint!="IOT_ENDPOINT" | count(field=macAddress, distinct=true, as=Devices) | format("%,.0f", field=Devices, as=Devices)

Widget: Security Insights - Incidents
Visualization: Single Value
Query: #logtype = "ordr" | #msgType="deviceUpdate" | iotEndpoint!="IOT_ENDPOINT" | count(field=macAddress, distinct=true, as=Devices) | format("%,.0f", field=Devices, as=Devices)

Widget: OS Type
Visualization: Bar Chart
Query: #logtype = "ordr" | #msgType="deviceUpdate" | groupBy(macAddress, function=selectLast(osType)) | top(osType, limit=5)

Widget: Alarms by Device Category
Visualization: Bar Chart
Query: #logtype = "ordr" | #msgType="deviceSecAlarm" | severityLevel="*" | join({deviceCategory="*"}, field=macAddress, include=["deviceCategory", "osType"]) | groupBy([deviceCategory, severityLevel]) | sort("severityLevel", order=asc) | rename("_count", as="Count")