
CVE-2025-1146 - System Scoping using aid_master

The query below will look for Linux systems (Linux, K8, Containers) that need to be updated against CVE-2025-1146. The query is based on the lookup file aid_master_main.csv which is automatically updated every 4 hours, so a sensor upgraded within that window may still be reported as NEEDS PATCH. Only the sensor minor versions explicitly listed in the query carry a fixed-build threshold; any version not listed falls through to OK and should be confirmed against the CrowdStrike advisory.

Detection Query

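/*
  CVE-2025-1146 - System Scoping using aid_master

  Lists Linux sensors (host, Kubernetes and container/Pod) whose Falcon
  sensor build predates the fix for CVE-2025-1146, using the
  aid_master_main.csv lookup, which is refreshed automatically every 4 hours.

  Caveats for anyone acting on the output:
    - A sensor upgraded within the last 4 hours may still show NEEDS PATCH.
    - Only the minor versions listed in the case blocks below get a build
      threshold; an unlisted minor falls through to OK, so confirm those
      against the CrowdStrike advisory.
    - Rows whose AgentVersion does not parse are kept and reported with
      Status "-" rather than silently dropped.
*/

// Read in AID Master file; REMINDER: this file updates every 4 hours, so the
// report can lag a sensor upgrade by up to that long.
| readFile("aid_master_main.csv")

// Narrow search to only include Linux, Container, and K8 systems.
// Container sensors arrive as event_platform=Lin with ProductType=Pod.
| in(field="event_platform", values=[Lin, K8S])

// Parse AgentVersion into major/minor/build components for evaluation.
// strict=false keeps rows whose AgentVersion does not match the
// major.minor.build.x shape instead of filtering them out of the report;
// such rows match no case below and surface with Status "-" (set by the
// default() stage) so they can be checked by hand rather than disappear.
| regex("^(?<majorVersion>[0-9]+)[.](?<minorVersion>[0-9]+)[.](?<buildNumber>[0-9]+)[.]", field=AgentVersion, strict=false)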
 
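// Evaluate Linux Container (Pod) sensors.
// Container sensors report event_platform=Lin with ProductType=Pod, so they
// are classified here first and relabelled "Lin (Pod)". The relabel is also
// what keeps them out of the host-Linux case further down (that case matches
// event_platform=Lin exactly, which "Lin (Pod)" no longer satisfies).
//
// The original query carried this case block twice; the second copy could
// never match because the first had already relabelled the platform, so it
// has been removed rather than maintained in two places.
//
// Each NEEDS PATCH line encodes "first fixed build for that minor". A minor
// with no line here falls through to OK: note 7.7 has a threshold in the
// host-Linux block but none here - confirm against the CrowdStrike advisory
// whether that is intentional before trusting OK for 7.7 container sensors.
| case {
    event_platform=Lin ProductType=Pod majorVersion=6                                 | Status:="NEEDS PATCH" | event_platform:="Lin (Pod)";
    event_platform=Lin ProductType=Pod majorVersion=7 minorVersion<=5                 | Status:="NEEDS PATCH" | event_platform:="Lin (Pod)";
    event_platform=Lin ProductType=Pod majorVersion=7 minorVersion=6  buildNumber<4705| Status:="NEEDS PATCH" | event_platform:="Lin (Pod)";
    event_platform=Lin ProductType=Pod majorVersion=7 minorVersion=10 buildNumber<4907| Status:="NEEDS PATCH" | event_platform:="Lin (Pod)";
    event_platform=Lin ProductType=Pod majorVersion=7 minorVersion=11 buildNumber<5003| Status:="NEEDS PATCH" | event_platform:="Lin (Pod)";
    event_platform=Lin ProductType=Pod majorVersion=7 minorVersion=12 buildNumber<5102| Status:="NEEDS PATCH" | event_platform:="Lin (Pod)";
    event_platform=Lin ProductType=Pod majorVersion=7 minorVersion=13 buildNumber<5202| Status:="NEEDS PATCH" | event_platform:="Lin (Pod)";
    event_platform=Lin ProductType=Pod majorVersion=7 minorVersion=14 buildNumber<5306| Status:="NEEDS PATCH" | event_platform:="Lin (Pod)";
    event_platform=Lin ProductType=Pod majorVersion=7 minorVersion=15 buildNumber<5403| Status:="NEEDS PATCH" | event_platform:="Lin (Pod)";
    event_platform=Lin ProductType=Pod majorVersion=7 minorVersion=16 buildNumber<5503| Status:="NEEDS PATCH" | event_platform:="Lin (Pod)";
    event_platform=Lin ProductType=Pod majorVersion=7 minorVersion=17 buildNumber<5603| Status:="NEEDS PATCH" | event_platform:="Lin (Pod)";
    event_platform=Lin ProductType=Pod majorVersion=7 minorVersion=18 buildNumber<5705| Status:="NEEDS PATCH" | event_platform:="Lin (Pod)";
    event_platform=Lin ProductType=Pod majorVersion=7 minorVersion=19 buildNumber<5807| Status:="NEEDS PATCH" | event_platform:="Lin (Pod)";
    event_platform=Lin ProductType=Pod majorVersion=7 minorVersion=20 buildNumber<5908| Status:="NEEDS PATCH" | event_platform:="Lin (Pod)";
    event_platform=Lin ProductType=Pod                                                | Status:="OK"          | event_platform:="Lin (Pod)";
    *;
}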

// Evaluate Linux (host) sensors.
// Container rows were relabelled "Lin (Pod)" by the case above, so only
// host sensors still carry event_platform=Lin when this block runs.
// Each NEEDS PATCH line encodes "first fixed build for that minor"; the
// final event_platform=Lin line is a catch-all, so ANY minor without an
// explicit line (7.12 has one in the Pod and K8S blocks but none here)
// and every build newer than those listed is reported OK. Confirm unlisted
// minors against the CrowdStrike advisory before treating OK as proven.
// Rows with no parsed majorVersion match nothing but the catch-all only if
// event_platform=Lin; otherwise they reach "*" and keep an empty Status.
| case {  
    event_platform=Lin majorVersion=6                                  | Status:="NEEDS PATCH";  
    event_platform=Lin majorVersion=7 minorVersion<=5                  | Status:="NEEDS PATCH";  
    event_platform=Lin majorVersion=7 minorVersion=6 buildNumber<16113 | Status:="NEEDS PATCH";  
    event_platform=Lin majorVersion=7 minorVersion=7 buildNumber<16209 | Status:="NEEDS PATCH";  
    event_platform=Lin majorVersion=7 minorVersion=10 buildNumber<16321| Status:="NEEDS PATCH";  
    event_platform=Lin majorVersion=7 minorVersion=11 buildNumber<16410| Status:="NEEDS PATCH";  
    event_platform=Lin majorVersion=7 minorVersion=13 buildNumber<16606| Status:="NEEDS PATCH";  
    event_platform=Lin majorVersion=7 minorVersion=14 buildNumber<16705| Status:="NEEDS PATCH";  
    event_platform=Lin majorVersion=7 minorVersion=15 buildNumber<16806| Status:="NEEDS PATCH";  
    event_platform=Lin majorVersion=7 minorVersion=16 buildNumber<16909| Status:="NEEDS PATCH";  
    event_platform=Lin majorVersion=7 minorVersion=17 buildNumber<17014| Status:="NEEDS PATCH";  
    event_platform=Lin majorVersion=7 minorVersion=18 buildNumber<17131| Status:="NEEDS PATCH";  
    event_platform=Lin majorVersion=7 minorVersion=19 buildNumber<17221| Status:="NEEDS PATCH";  
    event_platform=Lin majorVersion=7 minorVersion=20 buildNumber<17308| Status:="NEEDS PATCH";  
    event_platform=Lin                                                 | Status:="OK";  
    *;  
}  
// Evaluate Kubernetes (K8S) sensors.
// Same shape as the Linux block: each NEEDS PATCH line is "first fixed build
// for that minor", and the trailing event_platform=K8S line is a catch-all
// that reports every other K8S sensor as OK. Minors 7.7, 7.15 and 7.19 have
// thresholds in the host-Linux block but no line here, so K8S sensors on
// those minors will be reported OK regardless of build - confirm against the
// CrowdStrike advisory whether that is intentional.
| case {  
    event_platform=K8S majorVersion=6                                 | Status:="NEEDS PATCH";  
    event_platform=K8S majorVersion=7 minorVersion<=5                 | Status:="NEEDS PATCH";  
    event_platform=K8S majorVersion=7 minorVersion=6 buildNumber<603  | Status:="NEEDS PATCH";  
    event_platform=K8S majorVersion=7 minorVersion=10 buildNumber<806 | Status:="NEEDS PATCH";  
    event_platform=K8S majorVersion=7 minorVersion=11 buildNumber<904 | Status:="NEEDS PATCH";  
    event_platform=K8S majorVersion=7 minorVersion=12 buildNumber<1002| Status:="NEEDS PATCH";  
    event_platform=K8S majorVersion=7 minorVersion=13 buildNumber<1102| Status:="NEEDS PATCH";  
    event_platform=K8S majorVersion=7 minorVersion=14 buildNumber<1203| Status:="NEEDS PATCH";  
    event_platform=K8S majorVersion=7 minorVersion=16 buildNumber<1403| Status:="NEEDS PATCH";  
    event_platform=K8S majorVersion=7 minorVersion=17 buildNumber<1503| Status:="NEEDS PATCH";  
    event_platform=K8S majorVersion=7 minorVersion=18 buildNumber<1605| Status:="NEEDS PATCH";  
    event_platform=K8S majorVersion=7 minorVersion=20 buildNumber<1808| Status:="NEEDS PATCH";  
    event_platform=K8S                                                | Status:="OK";  
    *;  
}
 
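// Modify field names for easier reading
| rename([[cid, "Customer ID"],[aid, "Agent ID"], [event_platform, Platform], [aip, "External IP"]])

// Aggregate results into tabular format (one row per distinct sensor record)
| groupBy(["Customer ID", "Agent ID", ComputerName, Platform, Version, AgentVersion, Status, "External IP", LocalAddressIP4, MAC, SystemManufacturer, SystemProductName, FirstSeen, Time], function=[], limit=max)

// Move timestamps from epoch to human readable. This now runs BEFORE the
// placeholder defaults are applied, so formatTime only ever sees the raw
// epoch value (or an empty field) and never the "-" placeholder that the
// original ordering wrote into Time first.
| formatTime(format="%F %T", as="FirstSeen", field=FirstSeen)
| formatTime(format="%F %T", as="LastSeen", field=Time)

// Set default values for easier reading. LastSeen is defaulted here (rather
// than Time) so a record without a timestamp still shows "-" in the output
// column. Status "-" marks a row no case above classified.
| default(value="-", field=[ComputerName, Version, AgentVersion, Status, LocalAddressIP4, MAC, SystemManufacturer, SystemProductName, FirstSeen, LastSeen], replaceEmpty=true)

// Remove the raw epoch field now that LastSeen carries the formatted value
| drop([Time])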

Author

CrowdStrike

Data Sources

Endpoint

Platforms

linux

Tags

Monitoring
cs_module:Insight
Raw Content
# --- Query Metadata ---
# Human-readable name for the query. Will be displayed as the title.
name: CVE-2025-1146 - System Scoping using aid_master

# Description of what the query does and its purpose.
description: |
  The query below will look for Linux systems (Linux, K8, Containers) that need to be updated against CVE-2025-1146.
  The query is based on the lookup file aid_master_main.csv which is automatically updated every 4 hours, so a sensor
  upgraded within that window may still be reported as NEEDS PATCH. Only the sensor minor versions explicitly listed
  in the query carry a fixed-build threshold; any version not listed falls through to OK and should be confirmed
  against the CrowdStrike advisory.

# The author or team that created the query.
author: CrowdStrike

# The required log sources to run this query successfully in Next-Gen SIEM.
# This will be displayed in the UI to inform the user.
log_sources:
  - Endpoint

# The CrowdStrike modules required to run this query.
cs_required_modules:
  - Insight

# Tags for filtering and categorization.
# Include relevant techniques, tactics, or platforms.
tags:
  - Monitoring

# --- Query Content ---
# The actual CrowdStrike Query Language (CQL) code.
# Using the YAML block scalar `|` allows for multi-line strings.
cql: |
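  /*
    CVE-2025-1146 - System Scoping using aid_master

    Lists Linux sensors (host, Kubernetes and container/Pod) whose Falcon
    sensor build predates the fix for CVE-2025-1146, using the
    aid_master_main.csv lookup, which is refreshed automatically every 4 hours.

    Caveats for anyone acting on the output:
      - A sensor upgraded within the last 4 hours may still show NEEDS PATCH.
      - Only the minor versions listed in the case blocks below get a build
        threshold; an unlisted minor falls through to OK, so confirm those
        against the CrowdStrike advisory.
      - Rows whose AgentVersion does not parse are kept and reported with
        Status "-" rather than silently dropped.
  */

  // Read in AID Master file; REMINDER: this file updates every 4 hours, so the
  // report can lag a sensor upgrade by up to that long.
  | readFile("aid_master_main.csv")

  // Narrow search to only include Linux, Container, and K8 systems.
  // Container sensors arrive as event_platform=Lin with ProductType=Pod.
  | in(field="event_platform", values=[Lin, K8S])

  // Parse AgentVersion into major/minor/build components for evaluation.
  // strict=false keeps rows whose AgentVersion does not match the
  // major.minor.build.x shape instead of filtering them out of the report;
  // such rows match no case below and surface with Status "-" (set by the
  // default() stage) so they can be checked by hand rather than disappear.
  | regex("^(?<majorVersion>[0-9]+)[.](?<minorVersion>[0-9]+)[.](?<buildNumber>[0-9]+)[.]", field=AgentVersion, strict=false)

  // Evaluate Linux Container (Pod) sensors.
  // Container sensors report event_platform=Lin with ProductType=Pod, so they
  // are classified here first and relabelled "Lin (Pod)". The relabel is also
  // what keeps them out of the host-Linux case further down (that case matches
  // event_platform=Lin exactly, which "Lin (Pod)" no longer satisfies).
  // The original query carried this block twice; the second copy could never
  // match after the relabel and has been removed.
  // A minor with no line here falls through to OK: 7.7 has a threshold in the
  // host-Linux block but none here - confirm against the CrowdStrike advisory.
  | case {
      event_platform=Lin ProductType=Pod majorVersion=6                                 | Status:="NEEDS PATCH" | event_platform:="Lin (Pod)";
      event_platform=Lin ProductType=Pod majorVersion=7 minorVersion<=5                 | Status:="NEEDS PATCH" | event_platform:="Lin (Pod)";
      event_platform=Lin ProductType=Pod majorVersion=7 minorVersion=6  buildNumber<4705| Status:="NEEDS PATCH" | event_platform:="Lin (Pod)";
      event_platform=Lin ProductType=Pod majorVersion=7 minorVersion=10 buildNumber<4907| Status:="NEEDS PATCH" | event_platform:="Lin (Pod)";
      event_platform=Lin ProductType=Pod majorVersion=7 minorVersion=11 buildNumber<5003| Status:="NEEDS PATCH" | event_platform:="Lin (Pod)";
      event_platform=Lin ProductType=Pod majorVersion=7 minorVersion=12 buildNumber<5102| Status:="NEEDS PATCH" | event_platform:="Lin (Pod)";
      event_platform=Lin ProductType=Pod majorVersion=7 minorVersion=13 buildNumber<5202| Status:="NEEDS PATCH" | event_platform:="Lin (Pod)";
      event_platform=Lin ProductType=Pod majorVersion=7 minorVersion=14 buildNumber<5306| Status:="NEEDS PATCH" | event_platform:="Lin (Pod)";
      event_platform=Lin ProductType=Pod majorVersion=7 minorVersion=15 buildNumber<5403| Status:="NEEDS PATCH" | event_platform:="Lin (Pod)";
      event_platform=Lin ProductType=Pod majorVersion=7 minorVersion=16 buildNumber<5503| Status:="NEEDS PATCH" | event_platform:="Lin (Pod)";
      event_platform=Lin ProductType=Pod majorVersion=7 minorVersion=17 buildNumber<5603| Status:="NEEDS PATCH" | event_platform:="Lin (Pod)";
      event_platform=Lin ProductType=Pod majorVersion=7 minorVersion=18 buildNumber<5705| Status:="NEEDS PATCH" | event_platform:="Lin (Pod)";
      event_platform=Lin ProductType=Pod majorVersion=7 minorVersion=19 buildNumber<5807| Status:="NEEDS PATCH" | event_platform:="Lin (Pod)";
      event_platform=Lin ProductType=Pod majorVersion=7 minorVersion=20 buildNumber<5908| Status:="NEEDS PATCH" | event_platform:="Lin (Pod)";
      event_platform=Lin ProductType=Pod                                                | Status:="OK"          | event_platform:="Lin (Pod)";
      *;
  }

  // Evaluate Linux (host) sensors.
  // Only host sensors still carry event_platform=Lin at this point. The final
  // event_platform=Lin line is a catch-all, so any minor without an explicit
  // line (7.12 has one in the Pod and K8S blocks but none here) and every
  // build newer than those listed is reported OK - confirm unlisted minors
  // against the CrowdStrike advisory.
  | case {
      event_platform=Lin majorVersion=6                                  | Status:="NEEDS PATCH";
      event_platform=Lin majorVersion=7 minorVersion<=5                  | Status:="NEEDS PATCH";
      event_platform=Lin majorVersion=7 minorVersion=6 buildNumber<16113 | Status:="NEEDS PATCH";
      event_platform=Lin majorVersion=7 minorVersion=7 buildNumber<16209 | Status:="NEEDS PATCH";
      event_platform=Lin majorVersion=7 minorVersion=10 buildNumber<16321| Status:="NEEDS PATCH";
      event_platform=Lin majorVersion=7 minorVersion=11 buildNumber<16410| Status:="NEEDS PATCH";
      event_platform=Lin majorVersion=7 minorVersion=13 buildNumber<16606| Status:="NEEDS PATCH";
      event_platform=Lin majorVersion=7 minorVersion=14 buildNumber<16705| Status:="NEEDS PATCH";
      event_platform=Lin majorVersion=7 minorVersion=15 buildNumber<16806| Status:="NEEDS PATCH";
      event_platform=Lin majorVersion=7 minorVersion=16 buildNumber<16909| Status:="NEEDS PATCH";
      event_platform=Lin majorVersion=7 minorVersion=17 buildNumber<17014| Status:="NEEDS PATCH";
      event_platform=Lin majorVersion=7 minorVersion=18 buildNumber<17131| Status:="NEEDS PATCH";
      event_platform=Lin majorVersion=7 minorVersion=19 buildNumber<17221| Status:="NEEDS PATCH";
      event_platform=Lin majorVersion=7 minorVersion=20 buildNumber<17308| Status:="NEEDS PATCH";
      event_platform=Lin                                                 | Status:="OK";
      *;
  }

  // Evaluate Kubernetes (K8S) sensors.
  // Same shape as the Linux block with a trailing catch-all. Minors 7.7, 7.15
  // and 7.19 have thresholds in the host-Linux block but no line here, so
  // K8S sensors on those minors are reported OK regardless of build -
  // confirm against the CrowdStrike advisory whether that is intentional.
  | case {
      event_platform=K8S majorVersion=6                                 | Status:="NEEDS PATCH";
      event_platform=K8S majorVersion=7 minorVersion<=5                 | Status:="NEEDS PATCH";
      event_platform=K8S majorVersion=7 minorVersion=6 buildNumber<603  | Status:="NEEDS PATCH";
      event_platform=K8S majorVersion=7 minorVersion=10 buildNumber<806 | Status:="NEEDS PATCH";
      event_platform=K8S majorVersion=7 minorVersion=11 buildNumber<904 | Status:="NEEDS PATCH";
      event_platform=K8S majorVersion=7 minorVersion=12 buildNumber<1002| Status:="NEEDS PATCH";
      event_platform=K8S majorVersion=7 minorVersion=13 buildNumber<1102| Status:="NEEDS PATCH";
      event_platform=K8S majorVersion=7 minorVersion=14 buildNumber<1203| Status:="NEEDS PATCH";
      event_platform=K8S majorVersion=7 minorVersion=16 buildNumber<1403| Status:="NEEDS PATCH";
      event_platform=K8S majorVersion=7 minorVersion=17 buildNumber<1503| Status:="NEEDS PATCH";
      event_platform=K8S majorVersion=7 minorVersion=18 buildNumber<1605| Status:="NEEDS PATCH";
      event_platform=K8S majorVersion=7 minorVersion=20 buildNumber<1808| Status:="NEEDS PATCH";
      event_platform=K8S                                                | Status:="OK";
      *;
  }

  // Modify field names for easier reading
  | rename([[cid, "Customer ID"],[aid, "Agent ID"], [event_platform, Platform], [aip, "External IP"]])

  // Aggregate results into tabular format (one row per distinct sensor record)
  | groupBy(["Customer ID", "Agent ID", ComputerName, Platform, Version, AgentVersion, Status, "External IP", LocalAddressIP4, MAC, SystemManufacturer, SystemProductName, FirstSeen, Time], function=[], limit=max)

  // Move timestamps from epoch to human readable. This runs BEFORE the
  // placeholder defaults so formatTime only ever sees the raw epoch value
  // (or an empty field), never the "-" placeholder.
  | formatTime(format="%F %T", as="FirstSeen", field=FirstSeen)
  | formatTime(format="%F %T", as="LastSeen", field=Time)

  // Set default values for easier reading. LastSeen is defaulted (rather than
  // Time) so a record without a timestamp still shows "-" in the output.
  // Status "-" marks a row no case above classified.
  | default(value="-", field=[ComputerName, Version, AgentVersion, Status, LocalAddressIP4, MAC, SystemManufacturer, SystemProductName, FirstSeen, LastSeen], replaceEmpty=true)

  // Remove the raw epoch field now that LastSeen carries the formatted value
  | drop([Time])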