
Search for oldest devices

A query to get the age of devices that have the Falcon sensor installed, derived from the first and last SensorHeartbeat event seen for each device.

Tags: EDR monitoring, FDR. Level: intermediate. By ByteRay (cql-hub.com). 1 min read.

Query

#event_simpleName = SensorHeartbeat
| in(field=event_platform, values=[?Platform])
| ComputerName like ?ComputerName
| aid = ?aid
| groupBy([aid, ComputerName], function=session([max(@timestamp),min(@timestamp)]))
| "Last seen" := formatTime("%d-%b-%Y %H:%M:%S", field=_max)
| "First seen" := formatTime("%d-%b-%Y %H:%M:%S", field=_min)
| "Age in h" := _duration/3600000
| age := formatDuration(_duration, precision=2)
| "Age in h" := format(format="%.2f", field=["Age in h"])
| sort(field=_duration)
| drop([@timestamp,_duration,_max,_min])

Explanation

Imported from cql-hub.com. Pipe by pipe:

#event_simpleName = SensorHeartbeat selects only the sensor heartbeat events (event_simpleName is a tag field, hence the # prefix). The next three pipes are the optional filters driven by the dashboard parameters: in(field=event_platform, values=[?Platform]) restricts the platform, ComputerName like ?ComputerName matches the hostname pattern, and aid = ?aid narrows to a single agent ID.

groupBy([aid, ComputerName], function=session([max(@timestamp),min(@timestamp)])) groups the heartbeats per device and runs session() inside each group. session() emits _duration (milliseconds between the first and last heartbeat of the session), and the nested max() and min() emit _max and _min, the last and first heartbeat timestamps.

"Last seen" and "First seen" format _max and _min as readable dates. "Age in h" divides _duration (milliseconds) by 3,600,000 to get hours and then rounds it to two decimals with format(); age is the same duration rendered by formatDuration(). sort(field=_duration) orders descending by default, so the longest-running sensors come first, and drop() removes the helper fields.

One caveat to check: session() closes a session whenever two consecutive events are further apart than its maxpause (15 minutes by default). A device that has been offline for longer than that yields one row per session rather than a single lifetime row, so its "Age in h" is the length of the latest contiguous run of heartbeats, not the time since the sensor was installed. Raise maxpause, or replace session() with plain max()/min() over the group, if you want the full span.
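To see how the aggregation behaves, here is an added Python re-implementation of the query's grouping and formatting pipes run over constructed heartbeat events; it is not code from the original page or from cql-hub. It assumes a session maxpause of 15 minutes (the LogScale default) and @timestamp in milliseconds since the epoch.

```python
from datetime import datetime, timezone

MAX_PAUSE_MS = 15 * 60 * 1000  # assumption: LogScale session() default maxpause of 15m

def ts(iso: str) -> int:
    """ISO-8601 UTC string -> milliseconds since epoch, like @timestamp."""
    return int(datetime.fromisoformat(iso).replace(tzinfo=timezone.utc).timestamp() * 1000)

def heartbeats(aid, name, start_iso, count, every_min):
    """Constructed SensorHeartbeat events for one host: `count` beats, `every_min` apart."""
    t0 = ts(start_iso)
    return [{"aid": aid, "ComputerName": name, "@timestamp": t0 + i * every_min * 60_000}
            for i in range(count)]

# Constructed sample: HOST-A beats every 5 min but has a 2-hour gap; HOST-B beats every 10 min for 2 days.
EVENTS = (heartbeats("aid-1", "HOST-A", "2024-01-01T00:00:00", 3, 5)
          + heartbeats("aid-1", "HOST-A", "2024-01-01T02:10:00", 7, 5)
          + heartbeats("aid-2", "HOST-B", "2024-01-01T00:00:00", 289, 10))

def sessions(events, max_pause_ms=MAX_PAUSE_MS):
    """Mimic groupBy([aid, ComputerName], function=session([max(@timestamp), min(@timestamp)])):
    one row per session with _min, _max and _duration (ms), as session() emits them."""
    by_key = {}
    for e in sorted(events, key=lambda e: e["@timestamp"]):
        by_key.setdefault((e["aid"], e["ComputerName"]), []).append(e["@timestamp"])
    rows = []
    for (aid, name), stamps in by_key.items():
        start = prev = stamps[0]
        for t in stamps[1:]:
            if t - prev > max_pause_ms:  # a gap longer than maxpause closes the session
                rows.append({"aid": aid, "ComputerName": name, "_min": start, "_max": prev, "_duration": prev - start})
                start = t
            prev = t
        rows.append({"aid": aid, "ComputerName": name, "_min": start, "_max": prev, "_duration": prev - start})
    return rows

def fmt(ms: int) -> str:
    """formatTime("%d-%b-%Y %H:%M:%S") equivalent."""
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).strftime("%d-%b-%Y %H:%M:%S")

def device_age(events):
    """Remaining pipes: formatted first/last seen, age in hours, sort by _duration (desc), drop helpers."""
    out = []
    for r in sorted(sessions(events), key=lambda r: r["_duration"], reverse=True):
        out.append({"aid": r["aid"], "ComputerName": r["ComputerName"],
                    "Last seen": fmt(r["_max"]), "First seen": fmt(r["_min"]),
                    "Age in h": "%.2f" % (r["_duration"] / 3600000)})
    return out
```

Running device_age(EVENTS) shows HOST-B with a single 48.00 h row, while HOST-A's two-hour offline gap splits it into two rows (0.50 h and 0.17 h) instead of one lifetime row.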

Variables to adjust

Review and adjust the values to match your environment. The query takes three dashboard parameters: ?Platform (the list of event_platform values to include), ?ComputerName (the hostname pattern matched by the like filter) and ?aid (a specific agent ID). Leave a filter pipe out, or widen its value, when you want the whole fleet rather than a subset.