Moved provisionally to SIEM for faster handling.
I think your only option is to set the time threshold and create alarms off the triggered inactivity flags.
Yes, I'd be interested in hearing what others are doing for this. Currently the only thing we do is run a PowerShell script that cycles through all of the systems that haven't checked in, checks if they are pingable, and if so, attempts to restart the agent.
Thanks for the replies; it gives me something to go off.
I think we will run a combination of both. We already have the query to tell us what agents have not responded within the last hour, so we can use that for the PS script. I will have a chat with the team in charge of managing the agents to see if they can set the time threshold so we can have some visibility in the SIEM.
Another option would be to use a Dynamic Watchlist to query ePO for the Last Communication date older than a specified date/time...
The following query will return a list of endpoints:
USE ePO_EPO531; SELECT NodeName FROM EPOLeafNode WHERE LastUpdate < DATEADD(HOUR,-4,GETDATE())
In the example above, replace ePO_EPO531 with your ePO database name and HOUR,-4 with your expected age of returned systems (DAY,-1 would return a list of endpoints that have not checked in within the last day, etc.).
Configure a watchlist in SIEM to use the SQL query against the ePO database and populate a list of HOSTNAME values.
That has been perfect. We were able to run the query and retrieve a list of instances that have not responded within a given timeframe.
McDuff, thanks for the idea of a PS script also; this will give me some more stuff to play around with!!
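The ping-then-restart pass described earlier in the thread, fed by the host list the EPOLeafNode query returns, could look like the following. This is an added example, not a script posted by anyone in the thread. It assumes the query output was saved one NodeName per line to a hypothetical stale-hosts.txt, that WinRM remoting is enabled on the endpoints, and that the agent's Windows service is named masvc (adjust for your agent version).

```powershell
# Added example: triage endpoints whose agent has stopped checking in to ePO.
# Assumptions (not from the thread): the file names below, WinRM being enabled,
# and 'masvc' as the agent service name.
param(
    [string]$HostList    = '.\stale-hosts.txt',   # one NodeName per line, from the SQL query
    [string]$ServiceName = 'masvc',               # assumed agent service name
    [string]$ReportPath  = '.\agent-triage.csv'
)

$names = Get-Content -Path $HostList | Where-Object { $_.Trim() }

$results = foreach ($name in $names) {
    $name = $name.Trim()
    $row  = [ordered]@{ Host = $name; Pingable = $false; Action = 'none'; Detail = '' }

    if (-not (Test-Connection -ComputerName $name -Count 1 -Quiet)) {
        # Offline or ICMP filtered: nothing to restart, leave for follow-up.
        $row.Detail = 'no ping reply'
    }
    else {
        $row.Pingable = $true
        try {
            # Restart the agent remotely and read back the resulting service state.
            $status = Invoke-Command -ComputerName $name -ErrorAction Stop -ScriptBlock {
                param($svc)
                Restart-Service -Name $svc -Force -ErrorAction Stop
                (Get-Service -Name $svc).Status.ToString()
            } -ArgumentList $ServiceName
            $row.Action = 'restarted'
            $row.Detail = "service status: $status"
        }
        catch {
            # Host is up but the agent could not be restarted.
            $row.Action = 'restart failed'
            $row.Detail = $_.Exception.Message
        }
    }
    [pscustomobject]$row
}

# Keep a per-host record and print a summary by outcome.
$results | Export-Csv -Path $ReportPath -NoTypeInformation
$results | Group-Object Action | Select-Object Name, Count
```

Rows marked "restart failed" are hosts that answer on the network while their agent stays silent, which makes them the ones to review first.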