Falcon Sensor Support Status
This query lists all active Falcon sensors, including their release date and support end date.
EDR, monitoring
FDR, intermediate, by CrowdStrike (cql-hub.com)
Query
#repo=sensor_metadata #data_source_name=aidmaster #data_source_group=aidmaster-api
| groupBy([aid], function=([selectFromMax(field="@timestamp", include=[ComputerName, Time, Version, ConfigIDBuild, AgentVersion])]))
| match(file="falcon/helper/sensors_support_info.csv", field=ConfigIDBuild, column=BUILD, ignoreCase=true, strict=true)
| parseTimestamp("M/d/yy",field=SUPPORT_ENDS, as=SUPPORT_ENDS_EPOCH, timezone="UTC")
| case{
test(now()>SUPPORT_ENDS_EPOCH) | SUPPORTED:="NO";
* | SUPPORTED:="YES";
}
| groupBy([PLATFORM, VERSION_FAMILY, SUPPORTED], function=([count(aid, as=Count), collect([RELEASE_DATE, SUPPORT_ENDS])]))
Explanation
Imported from cql-hub.com. Add an explanation of the pipes here.
Variables to adjust
Review and adjust the values for your environment.
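A per-host variant of the query above, added here as an example (it is not from cql-hub.com or CrowdStrike). It goes beyond the original by listing the individual hosts that need a sensor update and by keeping hosts whose build is missing from the lookup file, which `strict=true` drops silently. The 30-day window and the `UNKNOWN` and `EXPIRING` labels are assumptions to adjust.

```logscale
// Added example: per-host view of unsupported, expiring and unknown sensor builds.
#repo=sensor_metadata #data_source_name=aidmaster #data_source_group=aidmaster-api
// Keep only the most recent record for each sensor (aid).
| groupBy([aid], function=([selectFromMax(field="@timestamp", include=[ComputerName, Time, Version, ConfigIDBuild, AgentVersion])]))
// strict=false lets hosts through even when their build has no row in the lookup file.
| match(file="falcon/helper/sensors_support_info.csv", field=ConfigIDBuild, column=BUILD, ignoreCase=true, strict=false)
| case {
    // No lookup row: support status cannot be determined for this build.
    SUPPORT_ENDS!=* | SUPPORTED := "UNKNOWN";
    * | parseTimestamp("M/d/yy", field=SUPPORT_ENDS, as=SUPPORT_ENDS_EPOCH, timezone="UTC")
      | DaysLeft := (SUPPORT_ENDS_EPOCH - now()) / 86400000;
  }
| case {
    SUPPORTED="UNKNOWN";
    test(DaysLeft < 0)  | SUPPORTED := "NO";
    // 30 days is an assumed warning window; align it with your patch cycle.
    test(DaysLeft < 30) | SUPPORTED := "EXPIRING";
    * | SUPPORTED := "YES";
  }
// Show only the hosts that need attention, soonest end of support first.
| SUPPORTED != "YES"
| table([ComputerName, aid, AgentVersion, PLATFORM, VERSION_FAMILY, SUPPORT_ENDS, DaysLeft, SUPPORTED], sortby=DaysLeft, order=asc)
```

Hosts reported as `UNKNOWN` usually point to a lookup file that has not yet been updated for a new build, so check the file before treating them as unsupported.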