Finding Endpoint Agents Not Functioning Correctly

Watch the “Finding Endpoint Agents Not Functioning Correctly” video, or read below.

Finding Endpoint Agents Not Functioning Correctly

Much like the Finding Endpoints Missing Agents Use Case where customers are looking to find assets with a missing agent, customers use Axonius to understand agent health to find devices that have the right agent installed but aren’t working as expected. Here, we’ll look at why it’s necessary to find devices with agents that aren’t working, the security and operational implications, and how a cybersecurity asset management platform like Axonius can solve the issue.

Challenges in Understanding Which Endpoint Agents Aren't Working Correctly

Logging into the admin console of any agent-based solution will give you a list of devices on which the agent is installed. Additionally, you’ll be able to find a “last seen” date, letting you know when the agent has sent data back to the mothership. You won’t, however, be able to see whether the agent has been turned off, was uninstalled by the user, or is simply not functioning correctly.

Data Sources Needed to Find Endpoint Agents Not Functioning Correctly

The following data sources are needed to find devices with endpoint agents not functioning correctly:

• Endpoint Agents — By connecting to the agent’s admin console, you can see all devices that have the agent installed, along with a “last seen” date/time. These could be:
  • AV
  • EPP/EDR
  • Systems Management and Configuration Agents
• Directory Services / Endpoint Management Solutions — Services like Active Directory or Azure AD that authenticate and authorize users and devices.

Finding Devices Seen by AD More Recently than the Agent Console

First, let’s look at devices that have a VMware Carbon Black EDR (Carbon Black CB Response) agent installed, with their “last seen” date on the admin console older than the “last seen” date in AD. (Note: Carbon Black is just one of several popular EPP/EDR providers we support and is used for the following examples.)


This query can also represented in the Axonius Query Wizard as:

This query can also be represented as an AQL (Axonius Query Language) expression:

(adapters_data.carbonblack_response_adapter.id == ({"$exists":true,"$ne":""})) and not adapters_data.carbonblack_response_adapter.last_seen >= date("NOW - 30d") and adapters_data.active_directory_adapter.last_seen >= date("NOW - 7d")

This query identifies any asset that has been seen by Carbon Black, but has not been seen by Carbon Black in 30 days, and has been seen by AD within the last 7 days.

Taking Action on Devices With an Endpoint Agent Not Working Properly

The Axonius Security Policy Enforcement Center allows customers to determine what automated action to take once a device has been found with a non-functioning endpoint agent.

Highlighted Actions Include:

• Notify - Let someone know about the device via email, Slack, Syslog, or CSV
• Create Incident - Create an incident using a ticketing system like ServiceNow, Jira, or Zendesk
• Execute Endpoint Security Agent Action - Isolate or Unisolate a machine using a different endpoint agent (if installed)
• Deploy Files and Run Commands - Run a shell command on Windows/Linux or initiate a WMI or SSH Scan

For more details, see Action Library.