crowdstrike_cql
Falcon Sensor Version Drift Monitoring (Linux)
Compares CrowdStrike Falcon sensor major/minor versions (x.xx) over time for each host. The query detects version changes, classifies them as upgrades or downgrades, and outputs the timestamp of the change along with the previous and current version values.
Detection Query
defineTable(query={"#event_simpleName" = OsVersionInfo AgentVersion=*
| groupBy([aid,ComputerName,AgentVersion],function=min("@timestamp"))
}, include=[aid,ComputerName,AgentVersion,_min], name="time")
| defineTable(query={"#event_simpleName" = OsVersionInfo AgentVersion=*
| event_platform=Lin
| groupBy([aid,ComputerName],function=[selectFromMin(@timestamp,include=AgentVersion)])
| rename(field=AgentVersion,as=Old_Version)}, include=[aid,ComputerName,Old_Version], name="old")
| "#event_simpleName" = OsVersionInfo AgentVersion=*
| event_platform=Lin
| groupBy([aid,ComputerName],function=[selectFromMax(@timestamp,include=[AgentVersion])])
| rename(field=AgentVersion,as=Current_Version)
| match(old, field=[aid])
| match(time, field=[aid,Current_Version],column=[aid,AgentVersion])
| Current_Version=/(?<Short_Current_Version>\d+\.\d+)/
| Old_Version=/(?<Short_Old_Version>\d+\.\d+)/
| if(condition=Current_Version==Old_Version, then="No change", else=if(condition= Short_Current_Version<Short_Old_Version, then="Downgrade", else=if(condition= Short_Current_Version>Short_Old_Version, then="Upgrade", else=0)))
| Status := rename(field="_if")
| "Changed at" := if(condition=Current_Version==Old_Version, then="n/a", else=formatTime(format="%Y/%m/%d %H:%M:%S", field=_min, as="Timestamp"))
| "Old Version" := rename("Old_Version")
| "Current Version" := rename("Current_Version")
| table([ComputerName,aid, "Old Version","Current Version",Status,"Changed at"])
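The following is an added offline model of the query's logic in Python (not the page's CQL and not ByteRay's code), run over constructed OsVersionInfo-style events so the old/current/"time" table joins can be checked without a Falcon tenant; it goes beyond the query by comparing major.minor as integers, and labels a same-x.xx build change ("Build change") where the query's innermost else returns 0.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample OsVersionInfo events: (@timestamp as epoch seconds, aid, ComputerName, AgentVersion).
# Assumed version strings for illustration only, not real telemetry.
EVENTS = [
    (1699920000, "aid-1", "web01", "7.16.17016"),
    (1700006400, "aid-1", "web01", "7.18.17105"),    # first sighting of the current version
    (1700092800, "aid-1", "web01", "7.18.17105"),
    (1699920000, "aid-2", "db01", "7.19.17201"),
    (1700006400, "aid-2", "db01", "7.16.17016"),     # rolled back to an older x.xx
    (1699920000, "aid-3", "app01", "7.18.17105"),
    (1700006400, "aid-3", "app01", "7.18.17106"),    # same x.xx, different build
    (1699920000, "aid-4", "cache01", "7.18.17105"),  # only one version ever seen
]

SHORT = re.compile(r"(\d+)\.(\d+)")  # same x.xx extraction as the query's regex


def short_version(version):
    """Major/minor as an int tuple so that 7.9 < 7.16 holds (the query compares the x.xx text)."""
    m = SHORT.match(version)
    return (int(m.group(1)), int(m.group(2))) if m else None


def changed_at(epoch):
    """Mirror formatTime(format="%Y/%m/%d %H:%M:%S") in UTC."""
    return datetime.fromtimestamp(epoch, timezone.utc).strftime("%Y/%m/%d %H:%M:%S")


def version_drift(events):
    """One row per aid, mirroring the query's old / current / time tables and final if() chain."""
    by_host = defaultdict(list)
    for ts, aid, host, ver in events:
        by_host[(aid, host)].append((ts, ver))
    rows = {}
    for (aid, host), recs in by_host.items():
        recs.sort()
        old = recs[0][1]   # selectFromMin(@timestamp, include=AgentVersion)
        cur = recs[-1][1]  # selectFromMax(@timestamp, include=AgentVersion)
        if cur == old:
            status, when = "No change", "n/a"
        else:
            sc, so = short_version(cur), short_version(old)
            status = "Downgrade" if sc < so else "Upgrade" if sc > so else "Build change"
            # "time" table joined on (aid, Current_Version): min(@timestamp) of the current version
            when = changed_at(min(ts for ts, v in recs if v == cur))
        rows[aid] = {"ComputerName": host, "Old Version": old, "Current Version": cur,
                     "Status": status, "Changed at": when}
    return rows
```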
Author
ByteRay GmbH
Data Sources
Endpoint
Platforms
linux
Tags
Monitoring
cs_module:Insight
Raw Content
# --- Query Metadata ---
# Human-readable name for the query. Will be displayed as the title.
name: Falcon Sensor Version Drift Monitoring (Linux)
# Description of what the query does and its purpose.
# Using the YAML block scalar `|` allows for multi-line strings.
description: |
  Compares CrowdStrike Falcon sensor major/minor versions (x.xx) over time for each host. The query detects version changes, classifies them as upgrades or downgrades, and outputs the timestamp of the change along with the previous and current version values.
# The author or team that created the query.
author: ByteRay GmbH
# The required log sources to run this query successfully in Next-Gen SIEM.
# This will be displayed in the UI to inform the user.
log_sources:
- Endpoint
# The CrowdStrike modules required to run this query.
cs_required_modules:
- Insight
# Tags for filtering and categorization.
# Include relevant techniques, tactics, or platforms.
tags:
- Monitoring
# --- Query Content ---
# The actual CrowdStrike Query Language (CQL) code.
# Using the YAML block scalar `|` allows for multi-line strings.
cql: |
  defineTable(query={"#event_simpleName" = OsVersionInfo AgentVersion=*
  | groupBy([aid,ComputerName,AgentVersion],function=min("@timestamp"))
  }, include=[aid,ComputerName,AgentVersion,_min], name="time")
  | defineTable(query={"#event_simpleName" = OsVersionInfo AgentVersion=*
  | event_platform=Lin
  | groupBy([aid,ComputerName],function=[selectFromMin(@timestamp,include=AgentVersion)])
  | rename(field=AgentVersion,as=Old_Version)}, include=[aid,ComputerName,Old_Version], name="old")
  | "#event_simpleName" = OsVersionInfo AgentVersion=*
  | event_platform=Lin
  | groupBy([aid,ComputerName],function=[selectFromMax(@timestamp,include=[AgentVersion])])
  | rename(field=AgentVersion,as=Current_Version)
  | match(old, field=[aid])
  | match(time, field=[aid,Current_Version],column=[aid,AgentVersion])
  | Current_Version=/(?<Short_Current_Version>\d+\.\d+)/
  | Old_Version=/(?<Short_Old_Version>\d+\.\d+)/
  | if(condition=Current_Version==Old_Version, then="No change", else=if(condition= Short_Current_Version<Short_Old_Version, then="Downgrade", else=if(condition= Short_Current_Version>Short_Old_Version, then="Upgrade", else=0)))
  | Status := rename(field="_if")
  | "Changed at" := if(condition=Current_Version==Old_Version, then="n/a", else=formatTime(format="%Y/%m/%d %H:%M:%S", field=_min, as="Timestamp"))
  | "Old Version" := rename("Old_Version")
  | "Current Version" := rename("Current_Version")
  | table([ComputerName,aid, "Old Version","Current Version",Status,"Changed at"])