Finding Endpoints Missing Agents
- Updated on 20 Dec 2022
Finding Devices Missing Endpoint Agents
A common use case for Axonius customers is finding devices that are missing specific security agents or other endpoint agents. Here, we will look at why it’s important to find devices missing endpoint agents, the security and operational implications, and how a cybersecurity asset management platform can solve the issue.
Watch the “Finding Endpoints Missing Agents” video, or read below.
Challenges in Knowing Which Assets Are Missing Endpoint Agents
To understand which devices have a specific endpoint agent installed, simply accessing the admin console of the agent will produce a list of covered devices. However, the problem is the inverse: knowing which devices should have the agent, but don’t.
Part of the challenge is due to device discovery: How does an EPP/EDR solution identify a new device that exists and should be protected? The other issue is based on the context of the security policy. For example, if my security policy requires one endpoint agent for PCs and another for Macs, what mechanism is in place to find the device, understand its context, and then ensure the right agent is installed to meet the policy?
Data Sources Required to Find Assets Missing Endpoint Agents
The following data sources are needed to find devices missing endpoint agents:
Endpoint Agents — By connecting to the agent’s admin console, you can see all devices that have the agent installed. Depending on the missing agent in question, this could be:
- AV
- EPP/EDR
- Systems Management Agents
Directory Services / Endpoint Management Solutions — Services like Active Directory or Azure AD that authenticate and authorize users and devices
Finding Devices With No Endpoint Agent Installed
Let’s first look at the most basic query around finding devices missing an endpoint agent.
This query can be represented in the Axonius Query Wizard, or as an AQL (Axonius Query Language) expression:
not specific_data.data.adapter_properties == "Agent"
This simple query matches any identified asset that has no agent of any kind installed and is known only through network data sources.
You’ll notice that the result set includes Linux, Windows, Macs, and more, which makes these results less actionable than if we segmented the devices by type to determine which endpoint solution should be present on each.
Finding Windows Devices Without an EPP/EDR Solution
Next, let’s add another level of detail. Our policy states that every Windows device must have the Carbon Black endpoint agent installed. (Note: Carbon Black is just one of several popular endpoint agents we support and is used for the following examples.) We can modify our query to identify any devices that do not have the Carbon Black endpoint agent installed.
This query can be represented in the Axonius Query Wizard, or as an AQL (Axonius Query Language) expression:
(specific_data.data.os.type == "Windows") and not ((adapters_data.carbonblack_defense_adapter.id == ({"$exists":true,"$ne":""})))
The returned results are all Windows devices that are missing the Carbon Black agent. Now you can quickly identify devices that do not adhere to your security policy.
Finding Windows Devices Missing Carbon Black and Running Google Chrome
We can specify the agent required and add any additional criteria. For example, let's take a look at Windows devices that do not have Carbon Black installed and have Google Chrome installed.
This query can be represented in the Axonius Query Wizard, or as an AQL (Axonius Query Language) expression:
(specific_data.data.os.type == "Windows") and not ((adapters_data.carbonblack_defense_adapter.id == ({"$exists":true,"$ne":""}))) and (specific_data.data.installed_software.name == regex("chrome", "i"))
The results display devices with a Windows operating system, missing the Carbon Black agent, with Google Chrome installed.
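To make the logic of the three AQL expressions above concrete, here is an added Python example (not Axonius code) that evaluates the same three checks over a constructed, in-memory inventory. The record shape and the field names `adapter_properties`, `os_type`, `carbonblack_defense_id` and `installed_software` are assumptions modelled on the AQL fields; `missing_agent` generalises the two Windows/Carbon Black queries to any OS type, agent id field and software pattern.

```python
import re

# Constructed sample inventory (hostnames and values are made up), shaped after the
# fields the AQL expressions reference: specific_data.data.adapter_properties,
# specific_data.data.os.type, adapters_data.carbonblack_defense_adapter.id and
# specific_data.data.installed_software.name.
DEVICES = [
    {"hostname": "win-fin-01", "os_type": "Windows", "adapter_properties": ["Agent", "Manager"],
     "carbonblack_defense_id": "cb-1001", "installed_software": ["Google Chrome", "7-Zip"]},
    {"hostname": "win-hr-07", "os_type": "Windows", "adapter_properties": ["Manager"],
     "carbonblack_defense_id": "", "installed_software": ["Google Chrome"]},
    {"hostname": "win-lab-03", "os_type": "Windows", "adapter_properties": ["Network"],
     "carbonblack_defense_id": None, "installed_software": ["Mozilla Firefox"]},
    {"hostname": "mac-eng-12", "os_type": "macOS", "adapter_properties": ["Agent"],
     "carbonblack_defense_id": None, "installed_software": ["Google Chrome"]},
    {"hostname": "switch-2f", "os_type": "", "adapter_properties": ["Network"],
     "carbonblack_defense_id": None, "installed_software": []},
]


def agent_id_present(value):
    """Mirror of the AQL clause id == {"$exists": true, "$ne": ""}: the adapter
    must have populated the id field with a non-empty value."""
    return value is not None and value != ""


def no_agent_at_all(devices):
    """not specific_data.data.adapter_properties == "Agent": assets no agent reports."""
    return [d["hostname"] for d in devices if "Agent" not in d["adapter_properties"]]


def missing_agent(devices, os_type, agent_id_field, software_regex=None):
    """Devices of one OS type whose expected agent adapter has no id, optionally
    narrowed to those with software matching a case-insensitive regex, like
    regex("chrome", "i") in AQL."""
    pattern = re.compile(software_regex, re.IGNORECASE) if software_regex else None
    hits = []
    for d in devices:
        if d["os_type"] != os_type or agent_id_present(d[agent_id_field]):
            continue  # wrong OS, or the agent is present: policy is satisfied
        if pattern and not any(pattern.search(s) for s in d["installed_software"]):
            continue  # software filter requested but nothing matched
        hits.append(d["hostname"])
    return hits


if __name__ == "__main__":
    print("No agent at all:", no_agent_at_all(DEVICES))
    print("Windows missing Carbon Black:", missing_agent(DEVICES, "Windows", "carbonblack_defense_id"))
    print("...and running Chrome:", missing_agent(DEVICES, "Windows", "carbonblack_defense_id", "chrome"))
```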
Taking Action on Devices Missing Endpoint Agents
Once the devices missing an endpoint agent are identified, customers can use the Axonius Security Policy Enforcement Center to determine which automated action to take.
Highlighted Actions Include:
- Notify - Let someone know about the device via email, Slack, Syslog, or CSV
- Create Incident - Create an incident using a ticketing system like ServiceNow, Jira, or Zendesk
- Execute Endpoint Security Agent Action - Isolate or Unisolate a machine using a different endpoint agent (if installed)
- Deploy Files and Run Commands - Run a shell command on Windows/Linux or initiate a WMI or SSH Scan.
For more details, see Action Library.