Q: 6
[Dashboards and Reporting]
Which action is being taken with the query below?
dataset = xdr_data
| fields agent_hostname, _time, _product
| comp latest(_time) as latest_time by agent_hostname, _product
| join type=inner (dataset = endpoints | fields endpoint_name, endpoint_status, endpoint_type) as lookup lookup.endpoint_name = agent_hostname
| filter endpoint_status = ENUM.CONNECTED
| fields agent_hostname, endpoint_status, latest_time, _product
Options
Discussion
A tbh. The trap here is C but it's not filtering by firewall type, so pretty sure it's just latest activity overall.
Not B, A. Saw a similar query in practice dumps, looks like it's just tracking recent activity per endpoint.