← Back to Explore
crowdstrike_cql
Get Host Zero Trust Assessment Scores
This query outputs a table with hosts including their zero trust scores
Detection Query
event_type=ZeroTrustHostAssessment
| groupBy([aid], function=([selectFromMax(field="@timestamp", include=[scores.os, scores.sensor, scores.overall])]))
| join(query={#data_source_name=aidmaster }, field=[aid], include=[ComputerName, event_platform])
Author
CrowdStrike
Data Sources
Endpoint
Platforms
windowslinux
Tags
Monitoringcs_module:Insight
Raw Content
# --- Query Metadata ---
# Human-readable name for the query. Will be displayed as the title.
name: Get Host Zero Trust Assessment Scores
# Description of what the query does and its purpose.
description: This query outputs a table with hosts including their zero trust scores
# The author or team that created the query.
author: CrowdStrike
# The required log sources to run this query successfully in Next-Gen SIEM.
# This will be displayed in the UI to inform the user.
log_sources:
- Endpoint
# The CrowdStrike modules required to run this query.
cs_required_modules:
- Insight
# Tags for filtering and categorization.
# Include relevant techniques, tactics, or platforms.
tags:
- Monitoring
# --- Query Content ---
# The actual CrowdStrike Query Language (CQL) code.
# Using the YAML block scalar `|` allows for multi-line strings.
cql: |
event_type=ZeroTrustHostAssessment
| groupBy([aid], function=([selectFromMax(field="@timestamp", include=[scores.os, scores.sensor, scores.overall])]))
| join(query={#data_source_name=aidmaster }, field=[aid], include=[ComputerName, event_platform])