How To Track Various Agent States: Active, Missing, Inactive and Headless

Hi folks,

I wanted to share how our organization uses Axonius to track and graph the various states of an agent, and to identify the best course of remediation for each state.

Note: In order to ensure I am not disclosing specific products used in our environment, I will be speaking in general product terms and including sanitized visualizations when possible.

Summary:

We track four color-coded agent states in pie charts (and the graph below) to show criticality.

  • Active (Green) is used to indicate the agent is running and reporting in as expected.
  • Missing (Red) is used to indicate no presence/protection and a gap in our deployment.
  • Inactive (Orange) is used to indicate the agent is installed, exists in the management console, but is not reporting back. In this state we may or may not be receiving protection from the agent and we certainly are not receiving alerts or events.
  • Headless (Orange) is also used to indicate the agent may be installed but is not reporting back, and the host does not exist in the management console. This state is more severe than Inactive: the host likely never received its initial protection policy, so at best it has the agent's basic out-of-the-box protection, and again we are certainly not receiving alerts or events. Note: One caveat to this state occurs when an agent has been Inactive for longer than our adapter's device import cutoff. We consider agents/hosts stale after 30 days and do not pull those records into Axonius, so an agent can exist in the management UI yet have exceeded 30 days without checking in; in that case the host moves from the Inactive to the Headless state.

Queries:

Active Agent Query

Purpose: Used to show hosts that have been seen by any adapter in the past week. This is the base population that the other queries are evaluated against.

  • Axonius Aggregate – Last Seen – Last Days - 7

Missing Agent Query

Purpose: Used to show hosts that have been active in the past week, but neither exist in the AV management UI nor appear to have the agent installed.

Remediation: Remotely push installer to host.

  • NOT - AV Agent – ID – Exists
  • AND NOT – Axonius Aggregate – Installed Software: Software Name – contains – (Software Name)
  • AND – Axonius Aggregate – Last Seen - Last Days – 7

Inactive Agent Query

Purpose: Used to show hosts whose AV agent has not checked into the AV management server in a week, yet have been seen by other adapters within the week.

Remediation: Restart agent service or host, troubleshoot communication, reinstall agent.

  • AV Agent – ID – Exists
  • AND NOT - AV Agent – Last Contact Time – Last Days – 7
  • AND – Axonius Aggregate – Last Seen – Last Days – 7

Headless Agent Query

Purpose: Used to show hosts that appear to have the agent installed and have been active within the week, yet do not exist in the AV management console.

Remediation: Reregister agent, troubleshoot communication, reinstall agent.

  • NOT – AV Agent – ID – Exists
  • AND – Axonius Aggregate – Installed Software: Software Name – equals – (name)
  • AND – Axonius Aggregate – Last Seen – Last Days – 7
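As an added example that is not part of the original post, the script below models the four saved queries above (plus the Inactive/Headless combination used for graphing) as a classifier over a constructed sample of aggregated device records. It also reproduces the caveat from the Headless definition: a host whose AV last-contact time is older than the adapter's 30-day import cutoff has no AV Agent ID in Axonius at all, so it lands in Headless rather than Inactive. The record layout, the software name "ExampleAV Agent", the sample hosts and the reference date are assumptions for illustration; they are not Axonius field names or API calls.

```python
from datetime import datetime, timedelta, timezone

# Reference "now" and the installed-software name are constructed for this example.
NOW = datetime(2024, 5, 1, tzinfo=timezone.utc)
ACTIVE_WINDOW = timedelta(days=7)    # "Last Days - 7" in the saved queries
ADAPTER_CUTOFF = timedelta(days=30)  # adapter device-import cutoff from the post
AGENT_SOFTWARE = "ExampleAV Agent"   # hypothetical Installed Software name


def agent_record(device, now=NOW):
    """Return the AV adapter record Axonius would actually hold for this device.

    The adapter stops importing records whose last contact is older than the
    cutoff, so such a host has no 'AV Agent - ID' in Axonius even though it is
    still listed in the vendor console.
    """
    av = device.get("av_agent")
    if av is not None and now - av["last_contact"] > ADAPTER_CUTOFF:
        return None
    return av


def classify(device, now=NOW):
    """Map one aggregated device record to active / missing / inactive / headless.

    Returns None for hosts outside the Active base query (not seen in 7 days);
    those do not appear in any slice of the chart.
    """
    if now - device["last_seen"] > ACTIVE_WINDOW:
        return None
    av = agent_record(device, now)
    # Case-insensitive "contains" match on the installed-software list.
    installed = any(AGENT_SOFTWARE.lower() in name.lower()
                    for name in device.get("installed_software", []))
    if av is not None:
        # AV Agent ID exists: healthy unless it has not checked in within the window.
        if now - av["last_contact"] <= ACTIVE_WINDOW:
            return "active"
        return "inactive"
    # No AV Agent ID: the installed-software list decides between the two gaps.
    return "headless" if installed else "missing"


def chart_counts(devices, now=NOW):
    """Slice counts for the intersection pie chart (green / red / orange)."""
    counts = {"active": 0, "missing": 0, "inactive": 0, "headless": 0}
    for d in devices:
        state = classify(d, now)
        if state is not None:
            counts[state] += 1
    # The orange slice is the combined Inactive-or-Headless saved query.
    counts["inactive_or_headless"] = counts["inactive"] + counts["headless"]
    return counts


def days_ago(n):
    return NOW - timedelta(days=n)


# Constructed sample of aggregated device records (not real data).
SAMPLE_DEVICES = [
    {"hostname": "ws-01", "last_seen": days_ago(1),
     "av_agent": {"id": "a1", "last_contact": days_ago(1)},
     "installed_software": ["ExampleAV Agent 7.2", "Browser"]},
    {"hostname": "ws-02", "last_seen": days_ago(2),
     "av_agent": None, "installed_software": ["Browser"]},
    {"hostname": "ws-03", "last_seen": days_ago(1),
     "av_agent": {"id": "a3", "last_contact": days_ago(10)},
     "installed_software": ["ExampleAV Agent 7.2"]},
    {"hostname": "ws-04", "last_seen": days_ago(3),
     "av_agent": None, "installed_software": ["ExampleAV Agent 7.2"]},
    # Caveat from the Headless definition: still in the vendor console, but past
    # the 30-day import cutoff, so Axonius holds no AV Agent ID for it.
    {"hostname": "ws-05", "last_seen": days_ago(1),
     "av_agent": {"id": "a5", "last_contact": days_ago(45)},
     "installed_software": ["ExampleAV Agent 7.2"]},
    # Outside the Active base query entirely.
    {"hostname": "ws-06", "last_seen": days_ago(20),
     "av_agent": {"id": "a6", "last_contact": days_ago(20)},
     "installed_software": ["ExampleAV Agent 7.2"]},
]

if __name__ == "__main__":
    for d in SAMPLE_DEVICES:
        print(d["hostname"], classify(d))
    print(chart_counts(SAMPLE_DEVICES))
```

Running it classifies ws-01 as active, ws-02 as missing, ws-03 as inactive, and both ws-04 and ws-05 as headless; ws-06 is dropped because it falls outside the Active base query. The ws-05 case is the one worth watching in practice: raising the adapter's import cutoff, or lowering it, silently moves hosts between the Inactive and Headless buckets without any change on the endpoint itself.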

Graphing:

At the time of writing, Query Intersection Pie Charts are limited to one base query and two intersecting queries. Therefore we have a fifth query that combines Inactive and Headless for use in graphing, as they are the most similar in state and criticality. The combined results are also easy to decipher: devices captured by the Inactive query still show the corresponding adapter agent icon, while those captured by the Headless query do not.

Inactive or Headless Combined Query

  • Axonius Aggregate - Saved Query - Headless Agent Query
  • OR - Axonius Aggregate - Saved Query - Inactive Agent Query

Query Intersection Pie Chart

  • Module: Devices
  • Base Query: Active Agent Query (colored Green)
  • Intersecting query: Missing Agent Query (colored Red)
  • Intersecting query: Inactive or Headless Combined Query (colored Orange)

Final note:

If you have found this article helpful, please consider paying it forward and sharing tips and tricks of your own. We often compare Axonius to our own personal Marie Kondo, and this platform definitely sparks joy. Cheers!

Comments

  • This is a great post! Thanks for writing this up.
