insightIDR query to find where things don't exist

I’ve stumbled across a partial solution to this while working on something completely different, so will add this update in case it helps anyone else. It still requires an export to Excel but is a load faster than what I have been doing.

Assumptions are made that you have the endpoint agent sending process activity into IDR and that you can identify a process that almost certainly should be running on every device within the period being checked (such as a normal Windows exe).

Create a query that looks for this ‘always on’ process or updateprocessA or updateprocessB etc., group by hostname and then limit by the number of devices expected. For example:

where("process.name" = "commonprocess.exe" or "process.name" = "UpdateA.exe" or "process.name" = "UpdateB.exe" or "process.name" = "UpdateC.exe",loose) groupby("hostname", "process.name") limit(6000)

You can then use the resulting CSV in Excel to pivot the data to find systems that aren’t updating, so are either broken or don’t have the agent.
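The Excel pivot step above, as an added example that is not part of the original post: a script that reads the groupby CSV export, anti-joins the observed (hostname, process) pairs against an expected asset list and the expected process set, and reports which hosts never showed which process plus hosts with no activity at all. The column names, host names and counts are constructed assumptions; check them against your own export.

```python
import csv
import io

# Constructed sample of an InsightIDR groupby CSV export (hostname, process.name, count).
# Column names are assumed; verify them against a real export before use.
SAMPLE_EXPORT = """hostname,process.name,count
host-a,commonprocess.exe,412
host-a,UpdateA.exe,7
host-b,commonprocess.exe,390
host-c,commonprocess.exe,401
host-c,UpdateA.exe,5
"""

EXPECTED_PROCESSES = {"commonprocess.exe", "UpdateA.exe"}
# Constructed asset list; host-d has no process activity at all (agent missing or broken).
EXPECTED_HOSTS = {"host-a", "host-b", "host-c", "host-d"}


def parse_export(csv_text):
    """Return the set of (hostname, process) pairs seen in the export, lower-cased."""
    seen = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        seen.add((row["hostname"].strip().lower(), row["process.name"].strip().lower()))
    return seen


def find_gaps(seen, expected_hosts, expected_processes):
    """Anti-join: for every expected host, list the expected processes never observed."""
    gaps = {}
    for host in sorted(h.lower() for h in expected_hosts):
        missing = sorted(p for p in expected_processes if (host, p.lower()) not in seen)
        if missing:
            gaps[host] = missing
    return gaps


def silent_hosts(seen, expected_hosts):
    """Hosts in the asset list with no process activity at all (likely no agent)."""
    active = {host for host, _ in seen}
    return sorted(h for h in (x.lower() for x in expected_hosts) if h not in active)


if __name__ == "__main__":
    seen = parse_export(SAMPLE_EXPORT)
    for host, missing in find_gaps(seen, EXPECTED_HOSTS, EXPECTED_PROCESSES).items():
        print(f"{host}: missing {', '.join(missing)}")
    print("no activity:", silent_hosts(seen, EXPECTED_HOSTS))
```

Hosts that appear in find_gaps but not in silent_hosts have a working agent and are missing only the update process, which separates "not updating" from "no agent".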