Hello,
Got tasked with finding all hosts that didn't have the CrowdStrike agent installed and running into problems with my searches.
I've used the following "CSFalconservice.exe | stats count by host" & "index=*sourcetype="crowdstrike:events:sensor" | stats count by host" but it's not giving me the information for each individual host.
V/r
Ghost
I do have access to it; it's under index=falcon with a sourcetype="crowdstrike:events:sensor or crowdstrike*". Just trying to find a foolproof way to view 100% of the hosts that have the agent installed with each of the hosts' source IP. If I could get a true and false statement saying no CrowdStrike agent is installed on the list that would be great. But sadly I'm not that versed at Splunkfu.
Hi @Ghost
It's generally not advisable to run index=* if you can avoid it - do you know where your CrowdStrike data is being ingested, and are you able to confirm that you have access to it?