
Newly Installed Sensors

This query loads host inventory data from aid_master_main.csv, keeps only the sensors first seen within the search time range, enriches them with details from aid_master_details.csv, and outputs a cleaned, formatted table of host information.

Tags: EDR monitoring, FDR, intermediate. By CrowdStrike (cql-hub.com). 1 min read

Query

readfile("aid_master_main.csv")
| test(FirstSeen > start())
| cid=?cid
| ProductType match {
    1 => ProductType := "Workstation";
    2 => ProductType := "Domain controller";
    3 => ProductType := "Server";
    * => *;
}
| LastSeen := rename(Time)
| match(file="aid_master_details.csv", field=aid, include=[HostHiddenStatus], strict=false)
| $falcon/investigate:hideHiddenHosts()
| default(field=[ComputerName], value="--", replaceEmpty=true)
| LastSeen_UTC_readable := formatTime("%FT%T%z", field=LastSeen)
| FirstSeen_UTC_readable := formatTime("%FT%T%z", field=FirstSeen)
| table([ComputerName, MAC, LocalAddressIP4, AgentVersion, FirstSeen, FirstSeen_UTC_readable, LastSeen, LastSeen_UTC_readable, ProductType, Version, Timezone, MachineDomain, SiteName, OU, aid], sortby=ComputerName, order=asc, limit=20000)
| default(field=[LocalAddressIP4, MAC, OU, MachineDomain, SiteName, ProductType, Version, FirstSeen, LastSeen, AgentVersion], value="--", replaceEmpty=true)

Explanation

Imported from cql-hub.com.

readfile("aid_master_main.csv") loads the sensor inventory file as events. test(FirstSeen > start()) keeps only sensors whose FirstSeen is later than the start of the search window; this is what makes the result a list of newly installed sensors, so the selected time range decides what counts as new. cid=?cid restricts the result to the customer ID passed in the ?cid parameter.

The match block maps the numeric ProductType codes 1, 2 and 3 to readable labels and passes any other value through unchanged. LastSeen := rename(Time) renames the Time column to LastSeen.

match(file="aid_master_details.csv", field=aid, include=[HostHiddenStatus], strict=false) joins the details lookup on aid to pull in HostHiddenStatus; strict=false keeps hosts that have no row in the details file rather than dropping them. $falcon/investigate:hideHiddenHosts() then removes hosts marked as hidden.

formatTime("%FT%T%z", ...) adds ISO 8601 renderings of FirstSeen and LastSeen next to the raw timestamps, table() selects the columns and sorts them by ComputerName ascending (up to 20000 rows), and the two default() calls replace missing or empty fields with "--" so that blank cells are visible in the output.

Variables to adjust

Review and adjust the values for your environment: the ?cid parameter, the two lookup file names (aid_master_main.csv and aid_master_details.csv), the saved query $falcon/investigate:hideHiddenHosts(), and the limit=20000 row cap in table().
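As an added example that is not part of the hub query: the same inputs summarised per product type and agent version instead of listed per host, so that a batch of new installs running an unexpected agent build stands out. It assumes the same ?cid parameter and the same two lookup files; the NewSensors and EarliestFirstSeen names are introduced here.

```cql
readfile("aid_master_main.csv")
| test(FirstSeen > start())   // only sensors first seen inside the search window
| cid=?cid
| ProductType match {
    1 => ProductType := "Workstation";
    2 => ProductType := "Domain controller";
    3 => ProductType := "Server";
    * => *;
}
| match(file="aid_master_details.csv", field=aid, include=[HostHiddenStatus], strict=false)
| $falcon/investigate:hideHiddenHosts()
| default(field=[ProductType, AgentVersion], value="--", replaceEmpty=true)
// one row per product type and agent version, with the install count and the earliest install time
| groupBy([ProductType, AgentVersion], function=[count(as=NewSensors), min(FirstSeen, as=EarliestFirstSeen)])
| EarliestFirstSeen := formatTime("%FT%T%z", field=EarliestFirstSeen)
| sort(NewSensors, order=desc)
```

Rows with a high NewSensors count on an agent version you did not roll out deserve a closer look in the per-host table above.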