Seeking a rule to detect the WindowsLogAgent Disconnected for 2 hours or more and alert once

I could not find any of the below using the

System Event Category = 2 Query.

Filters: Select the attribute that identifies the Windows Agent heartbeat log. In FortiSIEM’s Event Type browser, find the event type for the agent heartbeat. For example, FortiSIEM categorizes agent heartbeat status under audit events – one common event is “PH_AUDIT_AGENT_RUNNING” (description: Windows/Linux Agent is running and sending events) which the agent sends periodically, and a related event “PH_AUDIT_AGENT_NOTRESPONDING” for when it times out​fortinetweb.s3.amazonaws.com. Use the appropriate heartbeat event identifier for your version (e.g. Event Type = PH_AUDIT_AGENT_RUNNING).