|
Category |
Displays a table of DG Medical devices and their device update
status.
Hide Query Show Query #logtype = "ordr" | #msgType="deviceUpdate" | deviceCategory="DG-Medical*" | groupBy(macAddress, function=selectLast(["deviceSubCategory"])) | groupBy(deviceSubCategory, function=count(as="Device Count")) | sort("Device Count") | format("%,.0f", field="Device Count", as="Device Count") | rename(deviceSubCategory,as=Category)
| Table |
|
Agent vs Agentless Devices |
Agentless Devices - Devices without endpoint agents/AV installed,
no users attached on Corporate Network
Hide Query Show Query #logtype = "ordr" | #msgType="deviceUpdate" | "isAgentable" := (iotEndpoint!="IOT_ENDPOINT") | groupBy("isAgentable", function=count(field=macAddress, distinct=true, as=Devices))
| Pie Chart |
|
Manufacturer by Vulnerability Count |
Displays a table of vulnerability counts by manufacturer.
Hide Query Show Query #logtype = "ordr" | #msgType="deviceUpdate" | split("vulnIds") | groupBy(["mfgName"]) | sort("_count") | rename("_count", as="Vulnerability Count") | format("%,.0f", field="Vulnerability Count", as="Vulnerability Count")
| Table |
|
Malicious Internal Communications |
Displays a list of malicious internal communications received on
connected devices including blocked ports, web service attacks,
device signature violations, denial of service, etc.
Hide Query Show Query #logtype = "ordr" | #msgType="deviceSecAlarm" | in(category, values=["BLOCKED_PORT", "WEB_SERVICE_ATTACKS", "DEVICE_SIGNATURE_VIOLATION", "DENIAL_OF_SERVICE", "RECONNAISSANCE", "MALWARE", "IP_SPOOFING", "MAC_SPOOFING", "MALICIOUS_COMMS", "PRINT_NIGHTMARE_ATTACK", "APPLICATION_VIOLATION"]) | groupBy(category, function=count(macAddress, distinct=true, as="Device Count")) | sort("Device Count")
| Bar Chart |
|
Locations |
Displays a chart of DG Medical device locations.
Hide Query Show Query #logtype = "ordr" | #msgType="deviceUpdate" | deviceCategory="DG-Medical*" | groupBy(macAddress, function=selectLast(location)) | top(location)
| Bar Chart |
|
Devices |
Displays the number of devices with update notifications.
Hide Query Show Query #logtype = "ordr" | #msgType="deviceUpdate" | count(macAddress, distinct=true, as=Devices ) | format("%,.0f", field=Devices, as=Devices)
| Single Value |
|
Alarm Category |
Displays a table of device security alarms by category.
Hide Query Show Query #logtype = "ordr" | #msgType="deviceSecAlarm" | groupBy(category, function=count(macAddress, distinct=true, as="Device Count")) | sort(["Device Count"], order=desc) | format("%,.0f", field="Device Count", as="Device Count") | rename(category, as=Category)
| Table |
|
Vlan |
Displays a table of devices requiring updates and their most
recent VLAN connections.
Hide Query Show Query #logtype = "ordr" | #msgType="deviceUpdate" | deviceCategory="DG-Medical*" | groupBy(macAddress, function=selectLast([vlan])) | groupBy(vlan, function=count(as="Device Count")) | format("%,.0f", field="Device Count", as="Device Count") | rename("vlan",as="Vlan")
| Table |
|
Security Insights - Vulnerabilities |
Displays a list of vulnerabilities by device.
Hide Query Show Query #logtype = "ordr" | #msgType="deviceUpdate" | iotEndpoint!="IOT_ENDPOINT" | count(field=macAddress, distinct=true, as=Devices) | format("%,.0f", field=Devices, as=Devices)
| Single Value |
|
Groups |
Displays a table of Ordr groups and associated data (device
category, device count, etc.)
Hide Query Show Query #logtype = "ordr" | #msgType="deviceUpdate" | deviceCategory="DG-Medical*" | groupBy(macAddress, function=selectLast(["deviceCategory"])) | groupBy(deviceCategory, function=count(as="Device Count")) | sort("Device Count") | format("%,.0f", field="Device Count", as="Device Count") | rename(deviceCategory,as=Group)
| Table |
|
Incident Map |
Displays a world map of device security alarm incidents by peer
ID.
Hide Query Show Query #logtype = "ordr" | #msgType="deviceSecAlarm" | peerId != "NA" | worldMap(ip=peerId)
| World Map |
|
Agentable Devices Missing Falcon Sensor |
Displays a list of agentable devices that are missing Falcon
Sensor device updates.
Hide Query Show Query #logtype = "ordr" | #msgType="deviceUpdate" | iotEndpoint!="IOT_ENDPOINT" | count(field=macAddress, distinct=true, as=Devices) | format("%,.0f", field=Devices, as=Devices)
| Single Value |
|
Ordr Advisories |
Displays a pie chart of ordr advisories by type.
Hide Query Show Query #logtype = "ordr" | #msgType="deviceSecAlarm" | in(category, values=["BLUEKEEP_ATTACK", "URGENT_11_ATTACKS", "BLUEKEEP_VULN", "RIPPLE_20_ATTACKS", "RIPPLE_20_VULNS", "CDPWN_VULNS", "LOG4_PROHIBITED_SITES", "LOG4VULN", "LOG4SHELL", "PRINT_NIGHTMARE_VULNS", "NETWORK_ALERTS"]) | groupBy(category, function=count(macAddress, distinct=true, as="Device Count")) | sort("Device Count")
| Pie Chart |
|
Network Connectivity |
Displays network connectivity data by device.
Hide Query Show Query #logtype = "ordr" | #msgType="deviceUpdate" | iotEndpoint!="IOT_ENDPOINT" | count(field=macAddress, distinct=true, as=Devices) | format("%,.0f", field=Devices, as=Devices)
| Single Value |
|
Device Status |
Displays a list of devices and their status by IoT endpoint.
Hide Query Show Query #logtype = "ordr" | iotEndpoint="IOT_ENDPOINT" | groupBy(macAddress, function=selectLast(["isAgedOut"])) | groupBy(isAgedOut, function=count(as=Devices))
| Pie Chart |
|
Medical Device Analytics |
Displays a list of analytics for selected medical devices based on
IoT endpoint and device update data.
Hide Query Show Query #logtype = "ordr" | #msgType="deviceUpdate" | iotEndpoint!="IOT_ENDPOINT" | count(field=macAddress, distinct=true, as=Devices) | format("%,.0f", field=Devices, as=Devices)
| Single Value |
|
Subnets |
Displays a table of subnets by device.
Hide Query Show Query #logtype = "ordr" | #msgType="deviceUpdate" | deviceCategory="DG-Medical*" | groupBy(macAddress, function=selectLast([subnet])) | groupBy(subnet, function=count(as="Device Count")) | format("%,.0f", field="Device Count", as="Device Count") | rename("subnet",as="Subnet")
| Table |
|
Suspicious External Communications |
Displays a list of suspicious external communications by MAC
address and their details, including categories such as
ransomware, data exfiltration, command and control communications,
suspicious domain, bad IP address, phishing, spam URLs,
inappropriate content, Tor sites, and mining and malicious URL.
Hide Query Show Query #logtype = "ordr" | #msgType="deviceSecAlarm" | in(category, values=["RANSOMWARE", "DATA_EXFILTRATION", "COMMAND_AND_CONTROL_COMM", "SUSPICIOUS_DOMAIN", "BAD_IP", "PHISHING", "SPAM_URLS", "INAPPROPRIATE_CONTENT", "TOR_SITES", "MINING", "MALICIOUS_URL"]) | groupBy(category, function=count(macAddress, distinct=true, as="Device Count")) | sort("Device Count")
| Bar Chart |
|
Profiles |
Displays a table of Ordr profiles by count in descending order.
Hide Query Show Query #logtype = "ordr" | #msgType="deviceUpdate" | deviceCategory="DG-Medical*" | groupBy(macAddress, function=selectLast([profileGuid])) | groupBy(profileGuid, function=count(as="Device Count")) | sort(["Device Count"], order=desc) | format("%,.0f", field="Device Count", as="Device Count") | rename("profileGuid",as="Profile")
| Table |
|
Vulnerability Severity Level |
Displays a pie chart of vulnerabilities by severity level.
Hide Query Show Query #logtype = "ordr" | #msgType="deviceSecAlarm" | groupBy(severityLevel,function=count(field=macAddress, distinct=true, as=Devices))
| Pie Chart |
|
Risk Level |
Displays a list of devices and their risk level by MAC address.
Hide Query Show Query #logtype = "ordr" | #msgType="deviceUpdate" | groupBy(macAddress, function=selectLast(behaviorState)) | groupBy(behaviorState)
| Pie Chart |
|
Infections & Vulnerabilities |
Displays a chart of infections and vulnerabilities including weak
ciphers, device software vulnerability, password vulnerability,
open ports, etc.
Hide Query Show Query #logtype = "ordr" | #msgType="deviceSecAlarm" | in(category, values=["WEAK_CIPHERS", "DEVICE_SOFTWARE_VULNERABILITY", "PASSWORD_VULNERABILITY", "OPEN_PORTS", "CERTIFICATE_EXPIRY", "OUTDATED_OS", "AV_INACTIVITY", "UNAUTHORIZED_ACCESS", "CARE_CERTIFICATE"]) | groupBy(category, function=count(macAddress, distinct=true, as="Device Count")) | sort("Device Count")
| Bar Chart |
|
Attack Surface |
Displays attack surface data including device update status, IoT
endpoint data, and MAC address.
Hide Query Show Query #logtype = "ordr" | #msgType="deviceUpdate" | iotEndpoint!="IOT_ENDPOINT" | count(field=macAddress, distinct=true, as=Devices) | format("%,.0f", field=Devices, as=Devices)
| Single Value |
|
Security Insights - Incidents |
Displays security incidents and their insights.
Hide Query Show Query #logtype = "ordr" | #msgType="deviceUpdate" | iotEndpoint!="IOT_ENDPOINT" | count(field=macAddress, distinct=true, as=Devices) | format("%,.0f", field=Devices, as=Devices)
| Single Value |
|
OS Type |
Displays a chart of devices and their OS type and limits results
to the first 5 entries.
Hide Query Show Query #logtype = "ordr" | #msgType="deviceUpdate" | groupBy(macAddress, function=selectLast(osType)) | top(osType, limit=5)
| Bar Chart |
|
Alarms by Device Category |
Displays a chart of alarms by device category in ascending order.
Hide Query Show Query #logtype = "ordr" | #msgType="deviceSecAlarm" | severityLevel="*" | join({deviceCategory="*"}, field=macAddress, include=["deviceCategory","osType" ]) | groupBy([deviceCategory, severityLevel]) | sort("severityLevel", order=asc) | rename("_count", as="Count")
| Bar Chart |
