CAASM Use Case #2 – Find Devices With Broken Agents

Hey there, cybersecurity warriors! How goes the good fight?

Welcome to the second instalment in our series on Cybersecurity Observability use cases. Today, we’re diving into a sneaky little problem that can leave your defenses wide open: broken endpoint agents.

You know the drill: you’ve got your security policy in place, agents deployed across your network, and everything seems hunky-dory. But then your CSO drops this bomb:

"How do we know our endpoint agents are actually working? I mean, they're installed, but are they really doing their job?" (Chief Security Officer)

Ouch. Talk about a reality check. 🥹

But fear not! This is where CAASM (Cyber Asset Attack Surface Management) and cybersecurity observability come to the rescue.

Gain Complete Visibility of Your Cybersecurity Assets with the SJULTRA CAASM free trial.

The Silent Threat: Broken Agents

Picture this: You’ve got an endpoint agent installed on every device in your network. Your dashboard shows green across the board. Life is good, right? Wrong.

Here’s the kicker – just because an agent is installed doesn’t mean it’s working. It could be:

  • Turned off by a crafty user
  • Uninstalled without your knowledge
  • Installed but malfunctioning due to a technical hiccup

And the worst part? Your agent’s admin console might not even know it’s not working! Talk about a false sense of security.

Whose job is it to check whether agents are working, and to fix them when they are not?

Enter SJULTRA's Cybersecurity Observability Service

This is where things get exciting. At SJULTRA, CAASM is the engine behind our CAASM Services, and it lets us pull off some serious cybersecurity magic.

CAASM is like the Sherlock Holmes of your IT environment. It gathers clues from multiple data sources, cross-references them, and uncovers the mystery of your missing or malfunctioning agents.

Book your free CAASM trial now

Get visibility on all 14 cybersecurity observability use cases in less than 30 days with SJULTRA.

Let's get querying

Once we have CAASM set up (remember, SJULTRA offers a free 30-day trial), we can begin identifying those elusive malfunctioning agents.
Want to locate all devices where the Carbon Black agent is installed but hasn’t been active for 30 days, even though Active Directory has detected the device within the last week? Here’s how we accomplish that.

Show me all devices that have been seen by Carbon Black, but not in the last 30 days, and have been seen by AD in the last 7 days.

(Screenshot: the CAASM query wizard for use case 2, finding broken agents)

3. In CAASM Query Language (SQL):

    (adapters_data.carbonblack_response_adapter.id == ({"$exists":true,"$ne":""})) and not adapters_data.carbonblack_response_adapter.last_seen >= date("NOW - 30d") and adapters_data.active_directory_adapter.last_seen >= date("NOW - 7d")

I know, I know, it looks like a cat walked across the keyboard. But trust me, this little line of code is cybersecurity gold. 
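To show what that query actually does, here is an added example (not code from the original post or from SJULTRA) that applies the same three conditions to a constructed, correlated device inventory. Field names, hostnames and timestamps are assumptions; the point is the middle clause: because it is a negation, a device whose Carbon Black last_seen is missing entirely also matches, which is exactly the silent, installed-but-broken agent you want to catch.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample inventory (assumption, not real data): one record per
# device, with the fields each adapter contributed after correlation.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
ASSETS = [
    {"hostname": "ws-01",  # healthy: agent checked in recently
     "carbonblack": {"id": "cb-1", "last_seen": NOW - timedelta(days=2)},
     "active_directory": {"last_seen": NOW - timedelta(days=1)}},
    {"hostname": "ws-02",  # broken: AD sees it, agent silent for 45 days
     "carbonblack": {"id": "cb-2", "last_seen": NOW - timedelta(days=45)},
     "active_directory": {"last_seen": NOW - timedelta(days=3)}},
    {"hostname": "ws-03",  # broken: agent registered but never checked in
     "carbonblack": {"id": "cb-3", "last_seen": None},
     "active_directory": {"last_seen": NOW - timedelta(days=6)}},
    {"hostname": "ws-04",  # probably decommissioned: AD has not seen it either
     "carbonblack": {"id": "cb-4", "last_seen": NOW - timedelta(days=45)},
     "active_directory": {"last_seen": NOW - timedelta(days=20)}},
    {"hostname": "ws-05",  # no agent record at all (a different use case)
     "carbonblack": {"id": ""},
     "active_directory": {"last_seen": NOW - timedelta(days=1)}},
]

def has_cb_record(asset):
    """Mirror of id == {"$exists": true, "$ne": ""}: present and non-empty."""
    return bool((asset.get("carbonblack") or {}).get("id"))

def seen_within(adapter, days, now=NOW):
    """True only if last_seen exists and is >= now - days; a missing
    last_seen is False, so 'not seen_within(...)' catches silent agents."""
    ts = (adapter or {}).get("last_seen")
    return ts is not None and ts >= now - timedelta(days=days)

def find_broken_agents(assets, now=NOW, agent_stale_days=30, ad_fresh_days=7):
    """CB record present AND NOT seen by CB in 30d AND seen by AD in 7d."""
    return sorted(
        a["hostname"] for a in assets
        if has_cb_record(a)
        and not seen_within(a.get("carbonblack"), agent_stale_days, now)
        and seen_within(a.get("active_directory"), ad_fresh_days, now)
    )

if __name__ == "__main__":
    print(find_broken_agents(ASSETS))  # ['ws-02', 'ws-03']
```

Note that ws-04 is excluded on purpose: an agent that is silent on a device AD has also stopped seeing is a stale-asset question, not a broken-agent one.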

Result:

Ok, we found devices with no agents: now what?

Great, so now we’ve got this list of non-compliant devices. What do we do with it?  

This is where the “enforcement” part of our cybersecurity observability comes in. We’ve got four tricks up our sleeves: 

  1. Send out notifications (because who doesn’t love another email, right?)
  2. Create incident tickets in your favorite ITSM tool (Jira, ServiceNow, you name it)
  3. Tell another agent to isolate or un-isolate a device (for those “uh-oh” moments)
  4. Deploy and run files, or even initiate a device scan (if the stars align and the device is reachable)

Summary

And there you have it, folks! That’s how we turn the invisible threat of broken agents into a manageable, observable process. It’s not always pretty, but it gets the job done.

Remember, this is just 2 out of 14 standard use cases we help our customers with as part of our CAASM Concierge service. And guess what? You can get it for free!

Cybersecurity is a never-ending game of hide and seek. But with the right tools and a bit of observability magic, we can shine a light on those hidden threats.

Stay vigilant, keep querying, and may your agents always be functioning!

Get your free 30-day CAASM trial now!

CAASM documentation and Videos

Read the CAASM documentation on Finding Endpoint Agents Not Functioning Correctly.