How To Find Endpoint Agents Not Functioning Correctly

Much like the Finding Endpoints Missing Agents use case, where customers look for assets with no agent at all, customers use Axonius to understand agent health: to find devices that have the right agent installed but where it isn't working as expected. Here, we'll look at why it's necessary to find devices with agents that aren't working, the security and operational implications, and how a cybersecurity asset management platform like Axonius can solve the issue.

When organizations roll out an endpoint agent to all devices (or a subset of devices), they should feel a sense of accomplishment. After a process of evaluation, testing, and finally deployment, pushing out an agent to endpoints is a feat. However, aside from knowing the agent exists, how can you know the agent is active and working as it should?

Challenges in Understanding Which Endpoint Agents Aren't Working Correctly

Logging into the admin console of any agent-based solution will give you a list of devices on which the agent is installed, along with a "last seen" date telling you when the agent last reported back to the management server. What the console can't tell you is why a device went quiet: whether the agent was turned off, was uninstalled by the user, or is simply not functioning correctly, or whether the device has just been powered off. Telling those cases apart requires a second source that knows whether the device is still alive.

Security Implications for Devices with Agents Not Functioning Correctly

Organizations purchase and deploy agents to make sure their devices are protected, and some use solutions like Axonius to determine which of their devices are missing an endpoint agent entirely. But stopping at knowing which devices have an agent installed fails to account for the case where the agent is present but not working: the device shows up as covered in the agent inventory while in practice it is sending no telemetry and enforcing no policy.

Data Sources Needed to Find Devices With Agents Not Functioning Correctly

The following data sources are needed to find devices with endpoint agents not functioning correctly:

  • Endpoint Agents — By connecting to the agent’s admin console, you can see all devices that have the agent installed, along with a “last seen” date/time. These could be:
    • AV Agents
    • EPP/EDR Agents
    • Systems Management and Configuration Agents
  • IAM Solutions — Services like Active Directory or Azure AD that authenticate and authorize users and devices.

Finding Devices Seen by AD More Recently Than the Agent Console

First, let's look at devices that have a Carbon Black Cb Response agent installed but whose agent has not checked in to the admin console for 30 days, even though Active Directory has seen the device within the last 7 days. (Note: Carbon Black is just one of several popular EPP/EDR providers we support and is used for the following examples.) Here's that query:

( == ({"$exists":true,"$ne":""})) and not adapters_data.carbonblack_response_adapter.last_seen >= date("NOW - 30d") and adapters_data.active_directory_adapter.last_seen >= date("NOW - 7d")

This query can also be built in the Axonius Query Wizard.

It identifies any asset that has Carbon Black adapter data (i.e. the agent is installed), whose Carbon Black "last seen" is not within the last 30 days (which also covers agents that never reported a last-seen time at all), and whose Active Directory "last seen" is within the last 7 days. The AD condition is what separates a broken agent from a device that is simply switched off: the device is still authenticating to the domain, so its agent should be reporting too.
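The same correlation can be done outside Axonius against exports from the two consoles. The following is an added example, not Axonius code or the product's query language: it joins a constructed EDR console export with a constructed AD computer export on hostname and applies the same two windows as the query above (agent silent for 30 days, AD logon within 7 days). The column names, sample rows and the fixed "now" are assumptions for illustration; real exports will differ.

```python
"""Correlate EDR agent check-ins with AD logons to find stale agents on live hosts.

Added example, not Axonius code. Applies the logic of the AQL query above to two
constructed CSV exports. Column names and sample rows are assumptions.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed EDR console export (hostnames often come back as FQDNs).
EDR_CSV = """hostname,last_seen
WS-ALICE.corp.example,2024-05-28T09:12:00Z
ws-bob.corp.example,2024-04-02T17:45:00Z
WS-CAROL,
SRV-DB01.corp.example,2024-05-29T22:00:00Z
"""

# Constructed AD computer export (short names, lastLogonTimestamp as ISO 8601).
AD_CSV = """name,lastLogonTimestamp
WS-ALICE,2024-05-29T08:00:00Z
WS-BOB,2024-05-29T07:30:00Z
WS-CAROL,2024-05-28T12:00:00Z
WS-DAVE,2024-05-29T06:00:00Z
SRV-DB01,2024-05-01T00:00:00Z
"""

# Fixed "now" so the example is reproducible; use datetime.now(timezone.utc) in practice.
NOW = datetime(2024, 5, 30, tzinfo=timezone.utc)


def normalize_host(name: str) -> str:
    """Join key: strip the DNS suffix and case so FQDN and NetBIOS forms match."""
    return name.strip().split(".")[0].upper()


def parse_ts(value: str):
    """Return an aware datetime, or None when the export carries no timestamp."""
    value = value.strip()
    if not value:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def load_last_seen(csv_text: str, host_col: str, ts_col: str) -> dict:
    """Map normalized hostname -> last-seen datetime (or None)."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {normalize_host(row[host_col]): parse_ts(row[ts_col]) for row in reader}


def stale_agents(edr: dict, ad: dict, now=NOW, agent_window_days=30, ad_window_days=7) -> list:
    """Hosts seen by AD within ad_window_days whose EDR agent has not checked in
    within agent_window_days. A missing EDR timestamp counts as "not seen", the
    same way `not last_seen >= date(...)` behaves in the query above. Hosts with
    no EDR record at all are the separate "missing agent" finding and are skipped."""
    agent_cutoff = now - timedelta(days=agent_window_days)
    ad_cutoff = now - timedelta(days=ad_window_days)
    findings = []
    for host, edr_seen in edr.items():
        ad_seen = ad.get(host)
        if ad_seen is None or ad_seen < ad_cutoff:
            continue  # not recently active in AD; may simply be powered off
        if edr_seen is not None and edr_seen >= agent_cutoff:
            continue  # agent is reporting normally
        findings.append(host)
    return sorted(findings)


if __name__ == "__main__":
    edr = load_last_seen(EDR_CSV, "hostname", "last_seen")
    ad = load_last_seen(AD_CSV, "name", "lastLogonTimestamp")
    for host in stale_agents(edr, ad):
        print(f"{host}: active in AD within 7 days, EDR agent silent for 30+ days")
```

In the sample data WS-BOB (agent last seen in April) and WS-CAROL (agent never reported a timestamp) are flagged; WS-DAVE has no EDR record at all and belongs to the missing-agent query rather than this one, and SRV-DB01 is skipped because its agent is reporting normally even though AD has not seen it recently.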

Taking Action on Devices With an Endpoint Agent Not Working Properly

The Axonius Security Policy Enforcement Center allows customers to define what automated action to take once a device has been found with a non-functioning endpoint agent.

Highlighted actions include:

  • Run Command — Run a shell command on Windows/Linux or initiate a WMI or SSH scan
  • Execute Endpoint Security Agent Action — Isolate or unisolate the machine using a different endpoint agent (if installed)
  • Block Device at Firewall — Block the unprotected device at the firewall level
  • Notify — Let someone know about the device via email, Slack, Syslog, or CSV
  • Create an Incident — Create an incident using a ticketing system like ServiceNow, Jira, or Zendesk

Learn More About Finding Endpoint Agents Not Functioning Correctly

With that said, we've created a video that outlines finding endpoint agents not functioning correctly.

And as always, if you’d like to see a custom demo to better understand how Axonius can help your organization solve the asset management challenge, request a demo here.
