Add files via upload

stefansec · web-flow · commit 4b51186beba0 · 2026-01-17T15:38:25.000+01:00
diff --git a/queries/falcon_sensor_version_drift_monitoring__linux_.yml b/queries/falcon_sensor_version_drift_monitoring__linux_.yml
@@ -0,0 +1,52 @@
+# --- Query Metadata ---
+# Human-readable name for the query. Will be displayed as the title.
+name: Falcon Sensor Version Drift Monitoring (Linux)
+
+# Description of what the query does and its purpose.
+# Using the YAML block scalar `|` allows for multi-line strings.
+description: |
+  Compares CrowdStrike Falcon sensor major/minor versions (x.xx) over time for each host. The query detects version changes, classifies them as upgrades or downgrades, and outputs the timestamp of the change along with the previous and current version values.
+
+# The author or team that created the query.
+author: ByteRay GmbH
+
+# The required log sources to run this query successfully in Next-Gen SIEM.
+# This will be displayed in the UI to inform the user.
+log_sources:
+  - Endpoint
+
+# The CrowdStrike modules required to run this query.
+cs_required_modules:
+  - Insight
+
+# Tags for filtering and categorization.
+# Include relevant techniques, tactics, or platforms.
+tags:
+  - Monitoring
+
+# --- Query Content ---
+# The actual CrowdStrike Query Language (CQL) code.
+# Using the YAML block scalar `|` allows for multi-line strings.
+cql: |
+  defineTable(query={"#event_simpleName" = OsVersionInfo AgentVersion=*
+  | groupBy([aid,ComputerName,AgentVersion],function=min("@timestamp"))
+  }, include=[aid,ComputerName,AgentVersion,_min], name="time")
+  | defineTable(query={"#event_simpleName" = OsVersionInfo AgentVersion=*
+  | event_platform=Lin
+  | groupBy([aid,ComputerName],function=[selectFromMin(@timestamp,include=AgentVersion)])
+  | rename(field=AgentVersion,as=Old_Version)}, include=[aid,ComputerName,Old_Version], name="old")
+  | "#event_simpleName" = OsVersionInfo AgentVersion=*
+  | event_platform=Lin
+  | groupBy([aid,ComputerName],function=[selectFromMax(@timestamp,include=[AgentVersion])])
+  | rename(field=AgentVersion,as=Current_Version)
+  | match(old, field=[aid])
+  | match(time, field=[aid,Current_Version],column=[aid,AgentVersion])
+  | Current_Version=/(?<Short_Current_Version>\d+\.\d+)/
+  | Old_Version=/(?<Short_Old_Version>\d+\.\d+)/
+  | if(condition=Current_Version==Old_Version, then="No change", else=if(condition= Short_Current_Version<Short_Old_Version, then="Downgrade", else=if(condition= Short_Current_Version>Short_Old_Version, then="Upgrade", else=0)))
+  | Status := rename(field="_if")
+  | "Changed at" := if(condition=Current_Version==Old_Version, then="n/a", else=formatTime(format="%Y/%m/%d %H:%M:%S", field=_min, as="Zeitpunkt"))
+  | "Old Version" := rename("Old_Version")
+  | "Current Version" := rename("Current_Version")
+  | table([ComputerName,aid, "Old Version","Current Version",Status,"Changed at"])
+
diff --git a/queries/falcon_sensor_version_drift_monitoring__macos_.yml b/queries/falcon_sensor_version_drift_monitoring__macos_.yml
@@ -0,0 +1,52 @@
+# --- Query Metadata ---
+# Human-readable name for the query. Will be displayed as the title.
+name: Falcon Sensor Version Drift Monitoring (MacOS)
+
+# Description of what the query does and its purpose.
+# Using the YAML block scalar `|` allows for multi-line strings.
+description: |
+  Compares CrowdStrike Falcon sensor major/minor versions (x.xx) over time for each host. The query detects version changes, classifies them as upgrades or downgrades, and outputs the timestamp of the change along with the previous and current version values.
+
+# The author or team that created the query.
+author: ByteRay GmbH
+
+# The required log sources to run this query successfully in Next-Gen SIEM.
+# This will be displayed in the UI to inform the user.
+log_sources:
+  - Endpoint
+
+# The CrowdStrike modules required to run this query.
+cs_required_modules:
+  - Insight
+
+# Tags for filtering and categorization.
+# Include relevant techniques, tactics, or platforms.
+tags:
+  - Monitoring
+
+# --- Query Content ---
+# The actual CrowdStrike Query Language (CQL) code.
+# Using the YAML block scalar `|` allows for multi-line strings.
+cql: |
+  defineTable(query={"#event_simpleName" = OsVersionInfo AgentVersion=*
+  | groupBy([aid,ComputerName,AgentVersion],function=min("@timestamp"))
+  }, include=[aid,ComputerName,AgentVersion,_min], name="time")
+  | defineTable(query={"#event_simpleName" = OsVersionInfo AgentVersion=*
+  | event_platform=Mac
+  | groupBy([aid,ComputerName],function=[selectFromMin(@timestamp,include=AgentVersion)])
+  | rename(field=AgentVersion,as=Old_Version)}, include=[aid,ComputerName,Old_Version], name="old")
+  | "#event_simpleName" = OsVersionInfo AgentVersion=*
+  | event_platform=Mac
+  | groupBy([aid,ComputerName],function=[selectFromMax(@timestamp,include=[AgentVersion])])
+  | rename(field=AgentVersion,as=Current_Version)
+  | match(old, field=[aid])
+  | match(time, field=[aid,Current_Version],column=[aid,AgentVersion])
+  | Current_Version=/(?<Short_Current_Version>\d+\.\d+)/
+  | Old_Version=/(?<Short_Old_Version>\d+\.\d+)/
+  | if(condition=Current_Version==Old_Version, then="No change", else=if(condition= Short_Current_Version<Short_Old_Version, then="Downgrade", else=if(condition= Short_Current_Version>Short_Old_Version, then="Upgrade", else=0)))
+  | Status := rename(field="_if")
+  | "Changed at" := if(condition=Current_Version==Old_Version, then="n/a", else=formatTime(format="%Y/%m/%d %H:%M:%S", field=_min, as="Zeitpunkt"))
+  | "Old Version" := rename("Old_Version")
+  | "Current Version" := rename("Current_Version")
+  | table([ComputerName,aid, "Old Version","Current Version",Status,"Changed at"])
+
