crowdstrike_cql

Evaluate Operating System Prevalence

This query counts how many Windows endpoints are running each OS version (Windows 10, Windows 11, Windows Server releases and so on) in your CrowdStrike environment. It first collapses OsVersionInfo events to one row per endpoint (aid), keeping the ProductName from that endpoint's most recent event so an upgraded host is counted once under its current OS, and then counts endpoints per ProductName. Only endpoints that emitted an OsVersionInfo event within the search time range are counted, so widen the range if the result should cover the whole fleet.

Detection Query

#event_simpleName=OsVersionInfo event_platform=Win
| groupBy(aid, function=selectLast([ProductName]))
| groupBy([ProductName], function=stats([count(aid, as="endpointCount")]))
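To make the two-stage aggregation concrete, here is a Python re-implementation of the query run over a handful of constructed OsVersionInfo-like events. This is an added example, not CrowdStrike's code or CQL; the events, aid values and product names are made up, and "last" is taken to mean the highest @timestamp (an assumption of this example). It also shows the naive one-stage count that the per-aid step exists to avoid: a host that upgraded from Windows 10 to Windows 11 inside the window would otherwise be counted under both.

```python
"""Python model of the OS-prevalence query: filter, dedupe per aid, count per ProductName.

Added example, not CrowdStrike's code. Field names mirror the query
(#event_simpleName, event_platform, aid, ProductName, @timestamp); the values are constructed.
"""
from collections import Counter

# Constructed sample events (not real telemetry). Endpoint "a1" appears twice:
# it was upgraded from Windows 10 to Windows 11 inside the search window.
SAMPLE_EVENTS = [
    {"#event_simpleName": "OsVersionInfo", "event_platform": "Win", "aid": "a1",
     "@timestamp": 1_700_000_000_000, "ProductName": "Windows 10 Enterprise"},
    {"#event_simpleName": "OsVersionInfo", "event_platform": "Win", "aid": "a2",
     "@timestamp": 1_700_000_100_000, "ProductName": "Windows 10 Enterprise"},
    {"#event_simpleName": "OsVersionInfo", "event_platform": "Win", "aid": "a1",
     "@timestamp": 1_700_000_200_000, "ProductName": "Windows 11 Enterprise"},
    {"#event_simpleName": "OsVersionInfo", "event_platform": "Win", "aid": "a3",
     "@timestamp": 1_700_000_300_000, "ProductName": "Windows Server 2019 Standard"},
    # Excluded by event_platform=Win
    {"#event_simpleName": "OsVersionInfo", "event_platform": "Mac", "aid": "m1",
     "@timestamp": 1_700_000_400_000, "ProductName": "macOS"},
    # Excluded by the #event_simpleName filter (and carries no ProductName)
    {"#event_simpleName": "ProcessRollup2", "event_platform": "Win", "aid": "a4",
     "@timestamp": 1_700_000_500_000},
]


def filter_events(events):
    """First line of the query: #event_simpleName=OsVersionInfo event_platform=Win."""
    return [e for e in events
            if e.get("#event_simpleName") == "OsVersionInfo"
            and e.get("event_platform") == "Win"]


def latest_product_per_aid(events):
    """groupBy(aid, function=selectLast([ProductName])): one row per endpoint,
    keeping the ProductName from its most recent event (ordered by @timestamp here)."""
    latest = {}
    for e in sorted(events, key=lambda ev: ev["@timestamp"]):
        if "ProductName" in e:
            latest[e["aid"]] = e["ProductName"]
    return latest


def endpoint_count_by_product(events):
    """groupBy([ProductName], function=count(aid, as=endpointCount)) on the deduped rows."""
    per_aid = latest_product_per_aid(filter_events(events))
    return dict(Counter(per_aid.values()))


def naive_event_count_by_product(events):
    """What you get if the per-aid stage is skipped: a count of events, not endpoints."""
    return dict(Counter(e["ProductName"] for e in filter_events(events)))


def total_endpoints(events):
    """Sanity check: the endpointCount column must sum to the number of distinct aids."""
    return sum(endpoint_count_by_product(events).values())


if __name__ == "__main__":
    for product, n in sorted(endpoint_count_by_product(SAMPLE_EVENTS).items()):
        print(f"{product:32} endpointCount={n}")
    print("naive event count:", naive_event_count_by_product(SAMPLE_EVENTS))
```

Run as a script it prints one row per ProductName; the deduplicated result reports one Windows 10 endpoint, while the naive count reports two because a1's pre-upgrade event is still in the window.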

Author

CrowdStrike

Data Sources

Endpoint

Platforms

windows

Tags

Monitoring
cs_module:Insight
Raw Content
# --- Query Metadata ---
# Human-readable name for the query. Will be displayed as the title.
name: Evaluate Operating System Prevalence

# MITRE ATT&CK technique IDs
#mitre_ids:

# Description of what the query does and its purpose.
description: This query counts how many Windows endpoints are running each OS version (Windows 10, Windows 11, Windows Server releases and so on) in your CrowdStrike environment. It first collapses OsVersionInfo events to one row per endpoint (aid), keeping the ProductName from that endpoint's most recent event so an upgraded host is counted once under its current OS, and then counts endpoints per ProductName. Only endpoints that emitted an OsVersionInfo event within the search time range are counted, so widen the range if the result should cover the whole fleet.

# The author or team that created the query.
author: CrowdStrike

# The required log sources to run this query successfully in Next-Gen SIEM.
log_sources:
  - Endpoint

# Tags for filtering and categorization.
tags:
  - Monitoring

cs_required_modules:
  - Insight

# --- Query Content ---
# The actual CrowdStrike Query Language (CQL) code.
# Using the YAML block scalar `|` allows for multi-line strings.
cql: |
  #event_simpleName=OsVersionInfo event_platform=Win
  | groupBy(aid, function=selectLast([ProductName]))
  | groupBy([ProductName], function=stats([count(aid, as="endpointCount")]))

# Explanation of the query.
# Using the YAML block scalar `|` allows for multi-line strings.
# Uses markdown for formatting on the webpage.
#explanation: