This query gets device metadata, such as the last contact time, Carbon Black Cloud sensor version and state, and OS version, for the endpoints in your environment that have triggered the most high-severity alerts (severity 8 or higher).

Required Product: Any

Required Data: Alerts (App Input or Data Forwarder), VMware CBC Device Info (App Custom Command)

eventtype="vmware_cbc_alerts" severity >= 8
| stats dc(id) as alert_count by device_id, org_key
| sort -alert_count
| head 10
| cbcdvcinfo
| table org_key, device_id, name, alert_count, sensor_version, last_contact_time, os_version, sensor_states
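The following Python is an added illustration, not code from the Carbon Black Cloud Splunk app, of what the search above computes: it reproduces the distinct-count ranking over a constructed set of alert events (including a duplicated alert id, which `dc(id)` must count once) and then attaches constructed device metadata in place of the `cbcdvcinfo` command, leaving fields empty for a device the lookup does not know.

```python
from collections import defaultdict

# Constructed sample alert events, shaped like the fields the search uses.
# Alert A1 appears twice for device 1001 (e.g. ingested by both the App Input
# and the Data Forwarder); dc(id) must count it once, not twice.
ALERTS = [
    {"id": "A1", "device_id": "1001", "org_key": "ORG1", "severity": 9},
    {"id": "A1", "device_id": "1001", "org_key": "ORG1", "severity": 9},
    {"id": "A2", "device_id": "1001", "org_key": "ORG1", "severity": 8},
    {"id": "A3", "device_id": "1002", "org_key": "ORG1", "severity": 10},
    {"id": "A4", "device_id": "1002", "org_key": "ORG1", "severity": 10},
    {"id": "A5", "device_id": "1002", "org_key": "ORG1", "severity": 8},
    {"id": "A6", "device_id": "1003", "org_key": "ORG1", "severity": 5},
    {"id": "A7", "device_id": "1004", "org_key": "ORG2", "severity": 8},
]

# Constructed stand-in for the metadata cbcdvcinfo would fetch; device 1004 is
# deliberately absent to show how an unknown device is handled.
DEVICE_INFO = {
    ("ORG1", "1001"): {"name": "WS-ALICE", "sensor_version": "3.9.1",
                       "last_contact_time": "2024-01-02T10:00:00Z",
                       "os_version": "Windows 10", "sensor_states": "ACTIVE"},
    ("ORG1", "1002"): {"name": "WS-BOB", "sensor_version": "3.8.0",
                       "last_contact_time": "2024-01-02T09:30:00Z",
                       "os_version": "Windows 11", "sensor_states": "ACTIVE"},
}

FIELDS = ("name", "sensor_version", "last_contact_time", "os_version", "sensor_states")


def top_risky_devices(alerts, min_severity=8, limit=10):
    """severity >= N | stats dc(id) as alert_count by device_id, org_key
    | sort -alert_count | head limit (ties broken by org_key, device_id)."""
    ids_per_device = defaultdict(set)
    for a in alerts:
        if a["severity"] >= min_severity:
            ids_per_device[(a["org_key"], a["device_id"])].add(a["id"])
    rows = [{"org_key": o, "device_id": d, "alert_count": len(s)}
            for (o, d), s in ids_per_device.items()]
    rows.sort(key=lambda r: (-r["alert_count"], r["org_key"], r["device_id"]))
    return rows[:limit]


def enrich(rows, device_info):
    """Stand-in for cbcdvcinfo: attach metadata keyed by (org_key, device_id);
    devices missing from the lookup keep empty metadata fields."""
    out = []
    for r in rows:
        info = device_info.get((r["org_key"], r["device_id"]), {})
        out.append({**r, **{f: info.get(f, "") for f in FIELDS}})
    return out
```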

Endpoint info for risky endpoints