ARO: Hosts Observed Without Field Effect Agent Installed

ARO Introduction

This is a very common alert whose primary aim is to tell you which endpoints do not have the Field Effect agent installed.


The Field Effect appliance continually scans your network and log files and checks the hosts it sees against the list of endpoints on which you have installed the agent. When a new host is seen that is not on that list, it appears in this alert.


We recommend that you install the Field Effect agent on each reported host as soon as possible so that it can be protected, and that you factor the agent install into the setup of new hosts.


This analytic was developed to highlight systems on your network running without a Field Effect agent installed, to help close the gap on systems that may have been missed during the initial deployment.


The systems listed in the "Hosts" column are pulled from logs collected from the systems listed in the "Log Source" column of the table. When a successful login takes place, a check is made to see whether the hostname that made the login has a corresponding agent. If it does not, the host is reported in this ARO.


All hosts under "Log Source" have an endpoint agent installed. Given the way these logs are constructed, we do not always know what type of device is authenticating to the systems under "Log Source"; it could, for example, be a printer or an IoT device.


Our recommendation for this alert is to review the list provided, install the agent where possible, and then notify Field Effect MDR by requesting help on the ARO. We can then work out where the agent cannot be installed and exclude those hosts from future reporting.


ARO FAQs

What would be considered the Log source column?

It is the endpoint on which the Windows event log that revealed the presence of the host was recorded.


Example: Host123 RDPs into Host456. There would be a Windows event log for the authentication event showing Host123, and the ARO would list Host456 as the Log source.


Is there a time threshold for PCs connected to a network without an agent, and will it show up on the ARO?

The analytic is specifically looking at hosts observed in authentication logs, so as an example, a host temporarily connecting to guest WiFi without authenticating to any local resources would not show up in the report. We do, however, have a lot of options for excluding hosts or domains - client feedback is the best way to get that information to us.
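The check described above (successful logon seen on an agent-bearing log source, calling hostname compared against the agent inventory, exclusions honoured, failed logons and unauthenticated hosts ignored), written out as an added illustration. This is not Field Effect's own code; the logon records, inventory and hostnames are constructed sample data.

```python
"""Illustrative re-implementation of the 'hosts without agent' check.
Not Field Effect's code: the records and inventory below are constructed."""
from collections import defaultdict

# Constructed sample: already-parsed Windows logon events. 'computer' is the
# host that wrote the event (the "Log Source"); 'workstation' is the host that
# made the logon. 4624 = successful logon, 4625 = failed logon.
SAMPLE_LOGONS = [
    {"event_id": 4624, "computer": "Host456", "workstation": "Host123", "logon_type": 10},
    {"event_id": 4624, "computer": "Host456", "workstation": "PRINTER-01", "logon_type": 3},
    {"event_id": 4624, "computer": "FS01", "workstation": "Host123", "logon_type": 3},
    {"event_id": 4624, "computer": "FS01", "workstation": "FS01", "logon_type": 2},
    {"event_id": 4625, "computer": "FS01", "workstation": "GUEST-LAPTOP", "logon_type": 3},
]

# Constructed inventory: hosts that have the endpoint agent installed.
AGENT_INVENTORY = {"Host456", "FS01"}


def hosts_without_agent(logons, inventory, exclusions=()):
    """Return {observed_host: [log sources]} for every host seen making a
    successful logon that has no agent and is not on the exclusion list.
    Hostnames are compared and reported in lower case."""
    inv = {h.lower() for h in inventory}
    excl = {h.lower() for h in exclusions}
    seen = defaultdict(set)
    for rec in logons:
        if rec.get("event_id") != 4624:        # only successful logons count
            continue
        host = (rec.get("workstation") or "").strip().lower()
        source = rec.get("computer", "").lower()
        if not host or host == "-":             # no calling hostname recorded
            continue
        if host in inv or host in excl:         # agent present, or excluded
            continue
        seen[host].add(source)
    return {h: sorted(s) for h, s in sorted(seen.items())}


if __name__ == "__main__":
    for host, sources in hosts_without_agent(SAMPLE_LOGONS, AGENT_INVENTORY).items():
        print(f"{host}: seen on {', '.join(sources)}")
```

Passing a device such as the printer via `exclusions` is the equivalent of the exclusion Field Effect MDR applies once you confirm the agent cannot be installed there.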
