Is there a practical way of exporting/query-ing for information regarding Endpoints with missing seats?
For example if an organization runs out of seats and the administrator would like to know which Endpoints operate at reduced functionality, what's a keyword to search for to produce a list?
Obviously purchasing adequate licenses ends up as a top priority, but for the sake of information gathering this knowledge may be good to have.
As far as I'm aware only the Threat Emulation blade produces periodic "enabled/disabled due to (in)valid license" messages and I've been able to produce such a list through a log query "blade:"threat emulation" disabled" and a bit of regex on the exported CSV.
But what's the plan when this blade isn't involved; for example with a local TE appliance or if the blade isn't installed on the Endpoint?
In general, what's the logic when assigning seats; is it first come first serve when it comes to "last contact with MGMT" or does it go by "Last deployment" statistics?