Can someone help with a simple query? im trying to...
# fleetl
Layne
03/13/2024, 7:36 PMCan someone help with a simple query? im trying to find both mac and windows endpoints that don't have our EDR platform installed "cortex"
f
FG
03/13/2024, 7:39 PMi can try.
FG
03/13/2024, 7:40 PMi don't have that app but i have done something similar to this for detecting a different edr solution on both platforms
l
Layne
03/13/2024, 7:41 PMthat would be wonderful! thank you FG
f
FG
03/13/2024, 8:03 PMcan you send what you currently have?
FG
03/13/2024, 8:30 PMin case anyone else was interested, this was handled in DM.
----------
is it enough to say that it is running based on whether or not a process is simply running?
for example, this is how i checked if crowdstrike was running on a macos box, and then in another system we have internally that consumes query results, i was able to make a decision whether or not the query returns RUNNING or not
Copy code
SELECT count(*) AS count,
path,
CASE WHEN path LIKE '/Library/SystemExtensions/%/com.crowdstrike.falcon.Agent.systemextension/Contents/MacOS/com.crowdstrike.falcon.Agent'
THEN 'RUNNING'
ELSE 'ERROR'
END
status,
'macOSCrowdStrikeCheckProcess' AS query_type
FROM processes
WHERE path LIKE '/Library/SystemExtensions/%/com.crowdstrike.falcon.Agent.systemextension/Contents/MacOS/com.crowdstrike.falcon.Agent'; Copy code
SELECT services.*,
'WindowsCrowdStrikeCheckProcess' AS query_type
FROM services
WHERE name LIKE 'CSFalconService';d
Dherder
03/14/2024, 4:28 PM@FG awesome query! If you don't mind, I've added your queries to https://github.com/dherder/EDR-health/blob/main/queries.yml. @Layne if you are open to it, feel free to commit your cortex queries to the project!
f
FG
03/14/2024, 4:43 PMcool no problem and thanks.
FG
03/14/2024, 4:44 PMI may have some other stuff, i'll DM you if it fits the use case.
l
Layne
03/14/2024, 5:46 PM@FG big props to you! Thanks for all the help, truly learned a lot ❤️