Falcon Sensor Version Drift Monitoring (MacOS)
Compares CrowdStrike Falcon sensor major/minor versions (x.xx) over time for each host. The query detects version changes, classifies them as upgrades or downgrades, and outputs the timestamp of the change along with the previous and current version values.
EDR, monitoring
FDR | intermediate | by ByteRay GmbH (cql-hub.com) | 1 min read
Query
// Table "time": first time each (host, AgentVersion) pair was reported; used to timestamp the change.
// The macOS filter is applied here as well, matching the other two stages.
defineTable(query={"#event_simpleName" = OsVersionInfo AgentVersion=*
| event_platform=Mac
| groupBy([aid,ComputerName,AgentVersion],function=min(@timestamp))
}, include=[aid,ComputerName,AgentVersion,_min], name="time")
// Table "old": the sensor version reported in each host's earliest event
| defineTable(query={"#event_simpleName" = OsVersionInfo AgentVersion=*
| event_platform=Mac
| groupBy([aid,ComputerName],function=[selectFromMin(@timestamp,include=[AgentVersion])])
| rename(field=AgentVersion,as=Old_Version)}, include=[aid,ComputerName,Old_Version], name="old")
// Main query: the sensor version reported in each host's most recent event
| "#event_simpleName" = OsVersionInfo AgentVersion=*
| event_platform=Mac
| groupBy([aid,ComputerName],function=[selectFromMax(@timestamp,include=[AgentVersion])])
| rename(field=AgentVersion,as=Current_Version)
// Join the earliest version by aid, then the first-seen timestamp of the current version
| match(old, field=[aid])
| match(time, field=[aid,Current_Version],column=[aid,AgentVersion])
// Reduce both versions to major.minor (x.xx) for the comparison
| Current_Version=/(?<Short_Current_Version>\d+\.\d+)/
| Old_Version=/(?<Short_Old_Version>\d+\.\d+)/
// Classify: identical full version -> "No change"; otherwise compare x.xx.
// A change that only affects the patch level (same x.xx) falls through to 0.
| if(condition=Current_Version==Old_Version, then="No change", else=if(condition=Short_Current_Version<Short_Old_Version, then="Downgrade", else=if(condition=Short_Current_Version>Short_Old_Version, then="Upgrade", else=0)))
| Status := rename(field="_if")
// Timestamp the change with the first sighting of the current version (_min from "time")
| "Changed at" := if(condition=Current_Version==Old_Version, then="n/a", else=formatTime(format="%Y/%m/%d %H:%M:%S", field=_min, as="Timestamp"))
| "Old Version" := rename("Old_Version")
| "Current Version" := rename("Current_Version")
| table([ComputerName,aid,"Old Version","Current Version",Status,"Changed at"])
Explanation
Imported from cql-hub.com. Add an explanation of the pipes here.
Variables to adjust
Review and adjust the values to match your environment.
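The same per-host logic as the query above, re-implemented in Python over constructed sample events so the classification and the "Changed at" timestamp can be checked outside LogScale. This is an added example, not part of the cql-hub page or ByteRay's query; the event tuples and version strings are constructed, and the x.xx comparison is done numerically to mirror the query.

```python
import re
from datetime import datetime, timezone

# Constructed sample OsVersionInfo-style events (not real telemetry):
# (aid, ComputerName, AgentVersion, @timestamp in epoch milliseconds)
EVENTS = [
    ("aid-001", "mac-alice", "7.15.16602.0", 1704067200000),  # 2024-01-01 UTC
    ("aid-001", "mac-alice", "7.16.18003.0", 1705276800000),  # 2024-01-15: upgrade
    ("aid-001", "mac-alice", "7.16.18003.0", 1705881600000),
    ("aid-002", "mac-bob",   "7.16.18003.0", 1704067200000),
    ("aid-002", "mac-bob",   "7.10.15005.0", 1705276800000),  # downgrade (7.10 < 7.16)
    ("aid-003", "mac-carol", "7.15.16602.0", 1704067200000),
    ("aid-003", "mac-carol", "7.15.16602.0", 1705276800000),  # no change
    ("aid-004", "mac-dave",  "7.15.16602.0", 1704067200000),
    ("aid-004", "mac-dave",  "7.15.16701.0", 1705276800000),  # patch-only: same x.xx
]

SHORT = re.compile(r"\d+\.\d+")  # same capture as the Short_*_Version regexes

def classify(old, current):
    """Mirror the query's nested if(): full strings first, then x.xx as numbers.
    A patch-only change (identical x.xx) falls through to 0, as in the query."""
    if current == old:
        return "No change"
    cur, prev = float(SHORT.search(current).group()), float(SHORT.search(old).group())
    if cur < prev:
        return "Downgrade"
    if cur > prev:
        return "Upgrade"
    return 0

def version_drift(events):
    """Per aid: Old_Version from the earliest event (selectFromMin), Current_Version
    from the latest (selectFromMax), Changed at = first sighting of the current
    version (the 'time' table's _min), formatted like the query's formatTime()."""
    rows = []
    for aid in sorted({e[0] for e in events}):
        host = [e for e in events if e[0] == aid]
        first, last = min(host, key=lambda e: e[3]), max(host, key=lambda e: e[3])
        old, current = first[2], last[2]
        changed = "n/a"
        if current != old:
            first_seen = min(e[3] for e in host if e[2] == current)
            changed = datetime.fromtimestamp(first_seen / 1000, tz=timezone.utc
                                             ).strftime("%Y/%m/%d %H:%M:%S")
        rows.append({"ComputerName": last[1], "aid": aid, "Old Version": old,
                     "Current Version": current, "Status": classify(old, current),
                     "Changed at": changed})
    return rows
```

Running `version_drift(EVENTS)` yields one row per host in the same column layout as the query's table(); the aid-004 row shows the 0 status that a patch-only bump produces.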