Elastic Onprem 8.19.12
We are currently preparing to roll out Elastic Defend on all our systems. Since this makes the Elastic installation on the agent absolutely security critical, we want to be informed about any status change of an agent.
What we are looking for is a way to get a notification when an agent switches into the status “Inactive”, “Orphaned” or “Unenrolled”. The orphaned status can be obtained with DSL, and I think I found a way to put that into a cluster rule.
But I am not able to create a rule that gets the “inactive” or “unenrolled” state of the agent and produces a notification with all the hits. Does anybody have an idea how I could achieve this?
Thank you very much in advance!