crowdstrike_cql

New installed Sensors

This query lists sensors that first reported in during the selected search window. It reads host inventory from the aid_master_main.csv lookup file, keeps only hosts whose FirstSeen falls after the start of the search window and that belong to the selected CID, maps the numeric ProductType codes to names, renames Time to LastSeen, enriches each host with its HostHiddenStatus from aid_master_details.csv (a non-strict match, so hosts without a details row are kept), applies the hideHiddenHosts saved query to exclude hidden hosts, and outputs a formatted table of host details with human-readable UTC timestamps and "--" in place of empty fields.

Detection Query

readfile("aid_master_main.csv")
| test(FirstSeen > start())
| cid=?cid
| ProductType match {
    1 => ProductType := "Workstation";
    2 => ProductType := "Domain controller";
    3 => ProductType := "Server";
    * => *;
}
| LastSeen := rename(Time)
| match(file="aid_master_details.csv", field=aid, include=[HostHiddenStatus], strict=false)
| $falcon/investigate:hideHiddenHosts()
| default(field=[ComputerName], value="--", replaceEmpty=true)
| LastSeen_UTC_readable := formatTime("%FT%T%z", field=LastSeen)
| FirstSeen_UTC_readable := formatTime("%FT%T%z", field=FirstSeen)
| table([ComputerName, MAC, LocalAddressIP4, AgentVersion, FirstSeen, FirstSeen_UTC_readable, LastSeen, LastSeen_UTC_readable, ProductType, Version, Timezone, MachineDomain, SiteName, OU, aid], sortby=ComputerName, order=asc, limit=20000)
| default(field=[LocalAddressIP4, MAC, OU, MachineDomain, SiteName, ProductType, Version, FirstSeen, LastSeen, AgentVersion], value="--", replaceEmpty=true)
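The stage-by-stage semantics of the query above, as an added Python model that is not part of the CrowdStrike query or of this page: it reproduces the search-window filter, the CID filter, the ProductType mapping with its `* => *` passthrough, the Time to LastSeen rename, the non-strict (left-join) enrichment from the details lookup, hidden-host exclusion, the `--` defaults and the UTC formatting over constructed sample rows, so the expected output can be reasoned about before the query is scheduled. The CSV rows, the `START` value standing in for `start()`, and the assumption that `$falcon/investigate:hideHiddenHosts()` drops rows whose HostHiddenStatus is `hidden` are all assumptions made here; the `visible`/`hidden` values are constructed, not taken from a real export.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample of aid_master_main.csv (not a real Falcon export).
# Time and FirstSeen are epoch milliseconds, as in the real lookup file.
AID_MASTER_MAIN = """\
aid,cid,ComputerName,ProductType,Time,FirstSeen,MAC,LocalAddressIP4,AgentVersion,Version,Timezone,MachineDomain,SiteName,OU
aid-0001,cid-a,WS-101,1,1717286400000,1717200000000,00-11-22-33-44-55,10.0.0.11,7.14.18000.0,Windows 11,UTC,corp.example,HQ,Workstations
aid-0002,cid-a,DC-01,2,1717286400000,1609459200000,00-11-22-33-44-66,10.0.0.5,7.14.18000.0,Windows Server 2022,UTC,corp.example,HQ,Domain Controllers
aid-0003,cid-a,,3,1717286400000,1717250000000,00-11-22-33-44-77,10.0.0.40,7.14.18000.0,Windows Server 2019,UTC,corp.example,HQ,Servers
aid-0004,cid-b,SRV-22,3,1717286400000,1717260000000,00-11-22-33-44-88,10.1.0.22,7.14.18000.0,Windows Server 2022,UTC,other.example,DR,Servers
aid-0005,cid-a,SRV-23,3,1717286400000,1717210000000,00-11-22-33-44-99,10.0.0.23,7.14.18000.0,Windows Server 2022,UTC,corp.example,HQ,Servers
aid-0006,cid-a,LNX-07,9,1717286400000,1717220000000,00-11-22-33-44-aa,,7.14.18000.0,Ubuntu 22.04,UTC,,,
"""

# Constructed sample of aid_master_details.csv. aid-0003 and aid-0006 have no
# row here on purpose, to show what strict=false does.
AID_MASTER_DETAILS = """\
aid,HostHiddenStatus
aid-0001,visible
aid-0005,hidden
"""

PRODUCT_TYPES = {"1": "Workstation", "2": "Domain controller", "3": "Server"}
TABLE_COLUMNS = ["ComputerName", "MAC", "LocalAddressIP4", "AgentVersion", "FirstSeen",
                 "FirstSeen_UTC_readable", "LastSeen", "LastSeen_UTC_readable", "ProductType",
                 "Version", "Timezone", "MachineDomain", "SiteName", "OU", "aid"]
DASH_FIELDS = ["LocalAddressIP4", "MAC", "OU", "MachineDomain", "SiteName", "ProductType",
               "Version", "FirstSeen", "LastSeen", "AgentVersion"]


def load_csv(text):
    return list(csv.DictReader(io.StringIO(text)))


def format_utc(epoch_ms):
    """formatTime("%FT%T%z") on an epoch-millisecond field; %F/%T spelled out for portability."""
    if not str(epoch_ms).isdigit():
        return ""
    return datetime.fromtimestamp(int(epoch_ms) / 1000, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%S%z")


def new_sensors(main_rows, details_rows, cid, start_ms):
    # match(file="aid_master_details.csv", field=aid, include=[HostHiddenStatus], strict=false):
    # a left join on aid; hosts with no details row keep going without the field.
    hidden_status = {r["aid"]: r["HostHiddenStatus"] for r in details_rows}
    results = []
    for row in main_rows:
        # test(FirstSeen > start()): a missing or non-numeric FirstSeen fails the test.
        if not row["FirstSeen"].isdigit() or int(row["FirstSeen"]) <= start_ms:
            continue
        if row["cid"] != cid:  # cid=?cid
            continue
        rec = dict(row)
        # ProductType match {...; * => *}: unknown codes pass through unchanged.
        rec["ProductType"] = PRODUCT_TYPES.get(rec["ProductType"], rec["ProductType"])
        rec["LastSeen"] = rec.pop("Time", "")  # LastSeen := rename(Time)
        rec["HostHiddenStatus"] = hidden_status.get(rec["aid"], "")
        # Assumed behaviour of $falcon/investigate:hideHiddenHosts(): drop hidden hosts.
        if rec["HostHiddenStatus"] == "hidden":
            continue
        if rec["ComputerName"] == "":  # default(field=[ComputerName], value="--", replaceEmpty=true)
            rec["ComputerName"] = "--"
        rec["LastSeen_UTC_readable"] = format_utc(rec["LastSeen"])
        rec["FirstSeen_UTC_readable"] = format_utc(rec["FirstSeen"])
        out = {col: rec.get(col, "") for col in TABLE_COLUMNS}  # table([...])
        for col in DASH_FIELDS:  # trailing default(...) over the table columns
            if out[col] == "":
                out[col] = "--"
        results.append(out)
    results.sort(key=lambda r: r["ComputerName"])  # sortby=ComputerName, order=asc (plain string sort)
    return results[:20000]  # limit=20000


def run():
    START = 1717113600000  # 2024-05-31T00:00:00Z, stands in for start() of the search window
    return new_sensors(load_csv(AID_MASTER_MAIN), load_csv(AID_MASTER_DETAILS), cid="cid-a", start_ms=START)


if __name__ == "__main__":
    for r in run():
        print(r["ComputerName"], r["aid"], r["ProductType"], r["FirstSeen_UTC_readable"], r["LastSeen_UTC_readable"])
```

Running it yields three hosts: aid-0002 is excluded because its FirstSeen predates the window, aid-0004 because it belongs to another CID, and aid-0005 because it is hidden; aid-0003 appears with ComputerName "--", and aid-0006 keeps its unmapped ProductType code 9 and gets "--" for its empty network and directory fields.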

Author

CrowdStrike

Data Sources

Endpoint

Platforms

Windows, Linux

Tags

Monitoring, cs_module:Insight

Raw Content
# --- Query Metadata ---
# Human-readable name for the query. Will be displayed as the title.
name: New installed Sensors

# MITRE ATT&CK technique IDs
# mitre_ids:

# Description of what the query does and its purpose.
description: |
  This query lists sensors that first reported in during the selected search window. It reads host inventory from the aid_master_main.csv lookup file, keeps only hosts whose FirstSeen falls after the start of the search window and that belong to the selected CID, maps the numeric ProductType codes to names, renames Time to LastSeen, enriches each host with its HostHiddenStatus from aid_master_details.csv (a non-strict match, so hosts without a details row are kept), applies the hideHiddenHosts saved query to exclude hidden hosts, and outputs a formatted table of host details with human-readable UTC timestamps and "--" in place of empty fields.

# The author or team that created the query.
author: CrowdStrike

# The required log sources to run this query successfully in Next-Gen SIEM.
# This will be displayed in the UI to inform the user.
log_sources:
  - Endpoint

# Tags for filtering and categorization.
# Include relevant techniques, tactics, or platforms.
tags:
  - Monitoring

cs_required_modules: 
  - Insight

# --- Query Content ---
# The actual CrowdStrike Query Language (CQL) code.
# Using the YAML block scalar `|` allows for multi-line strings.
cql: |
  readfile("aid_master_main.csv")
  | test(FirstSeen > start())
  | cid=?cid
  | ProductType match {
      1 => ProductType := "Workstation";
      2 => ProductType := "Domain controller";
      3 => ProductType := "Server";
      * => *;
  }
  | LastSeen := rename(Time)
  | match(file="aid_master_details.csv", field=aid, include=[HostHiddenStatus], strict=false)
  | $falcon/investigate:hideHiddenHosts()
  | default(field=[ComputerName], value="--", replaceEmpty=true)
  | LastSeen_UTC_readable := formatTime("%FT%T%z", field=LastSeen)
  | FirstSeen_UTC_readable := formatTime("%FT%T%z", field=FirstSeen)
  | table([ComputerName, MAC, LocalAddressIP4, AgentVersion, FirstSeen, FirstSeen_UTC_readable, LastSeen, LastSeen_UTC_readable, ProductType, Version, Timezone, MachineDomain, SiteName, OU, aid], sortby=ComputerName, order=asc, limit=20000)
  | default(field=[LocalAddressIP4, MAC, OU, MachineDomain, SiteName, ProductType, Version, FirstSeen, LastSeen, AgentVersion], value="--", replaceEmpty=true)

# Explanation of the query.
# Using the YAML block scalar `|` allows for multi-line strings.
# Uses markdown for formatting on the webpage.
#explanation: