Display Connected Mac Devices

Display count of connected Mac devices by device ID

This is a query example for the Mac Devices widget in the CrowdStrike Falcon Devices: Overview dashboard of the crowdstrike/falcon-devices package.

Query

Pipeline: Events -> Filter -> Aggregate -> Expression -> Aggregate -> Result Set

* platform_name="Mac"
| count(field=device_id, distinct=True)
| count:= rename(_count)
| sort(count)

Introduction

This widget is used to identify and count unique Mac devices in your environment by filtering device data on the platform_name field.

In this widget, the count() function is used to count unique device IDs where the platform is identified as Mac.

Example incoming data might look like this:

Each event carries the Falcon device record in @rawstring; the fields the query reads (platform_name, device_id) and the remaining columns (agent_*, cid, device_policies.*, policies[0].*, hostname, os_version, ...) are parsed out of it. Event metadata for the sample row:

  @timestamp        2026-01-15T17:47:29
  @timestamp.nanos  0
  @timezone         Z
  #repo             auto-dashboard-queries
  #type             CrowdStrike_Falcon_Devices
  #error            true
  @error            true
  @error_msg        Error parsing timestamp. errormsg="Text '2025-03-13:12:50:16 -0300' could not be parsed at index 10" zone=""
  @event_parsed     false
  @id               1sQGV7fQ8QZ5E5UlagdqsmIs_4_125_1768499249
  @ingesttimestamp  2026-01-15T17:47:29

@rawstring of the sample row:

{
  "device_id": "DEV-7a8b9c0d",
  "cid": "a1b2c3d4e5f6g7h8i9j0",
  "agent_load_flags": "0",
  "agent_local_time": "2025-03-13:15:48:44 +0000",
  "agent_version": "6.42.15610.0",
  "bios_manufacturer": "Abc",
  "bios_version": "1.2.Abc",
  "build_number": "7601",
  "config_id_base": "65994753",
  "config_id_build": "12345",
  "config_id_platform": "0",
  "cpu_signature": "198372",
  "external_ip": "192.168.2.143",
  "mac_address": "00:1A:2B:3C:4D:5E",
  "hostname": "PROD-WEB01",
  "first_seen": "2025-03-13:10:15:22 -0500",
  "last_seen": "2025-03-13:17:30:15 +0200",
  "local_ip": "192.168.0.87",
  "machine_domain": "malicious-domain.com",
  "major_version": "0",
  "minor_version": "0",
  "os_version": "Windows",
  "os_build": "10240",
  "ou": [],
  "platform_id": "0",
  "platform_name": "Windows",
  "policies": [
    {
      "policy_type": "prevention",
      "policy_id": "ef7027127a06486aadc1d5ae5f4ce79d",
      "applied": true,
      "settings_hash": "ad4dc0bf",
      "assigned_date": "2025-03-13:07:45:33 -0800",
      "applied_date": "2025-03-13:20:20:11 +0500",
      "rule_groups": []
    }
  ],
  "reduced_functionality_mode": "no",
  "device_policies": {
    "prevention": {
      "policy_type": "prevention",
      "policy_id": "34c2eda9f67446daa84d28fd239635e8",
      "applied": false,
      "settings_hash": "tagged|1;0",
      "assigned_date": "2025-03-13:23:05:48 +0800",
      "applied_date": "2025-03-13:16:15:29 +0100",
      "rule_groups": []
    },
    "sensor_update": {
      "policy_type": "sensor-update",
      "policy_id": "6g8e3cce20g86hidc1ff29g43fd7c308",
      "applied": true,
      "settings_hash": "b2b79cf7",
      "assigned_date": "2025-03-13:19:30:17 +0400",
      "applied_date": "2025-03-13:11:45:55 -0400",
      "uninstall_protection": "DISABLED"
    },
    "device_control": {
      "policy_type": "device-control",
      "policy_id": "5f7d2bbd19f75ghcb0ee18f32ec6b297",
      "applied": false,
      "assigned_date": "2025-03-14:02:10:23 +1100",
      "applied_date": "2025-03-13:09:25:44 -0600"
    },
    "global_config": {
      "policy_type": "globalconfig",
      "policy_id": "34c2eda9f67446daa84d28fd239635e8",
      "applied": false,
      "settings_hash": "f472bd8e",
      "assigned_date": "2025-03-13:21:40:12 +0600",
      "applied_date": "2025-03-13:15:15:38 +0000"
    },
    "remote_response": {
      "policy_type": "remote-response",
      "policy_id": "6g8e3cce20g86hidc1ff29g43fd7c308",
      "applied": true,
      "settings_hash": "3c5ea1d8",
      "assigned_date": "2025-03-13:18:30:19 +0300",
      "applied_date": "2025-03-13:08:45:27 -0700"
    },
    "firewall": {
      "policy_type": "firewall",
      "policy_id": "bceb71599f5c4b6ea3c62de722a1194b",
      "applied": false,
      "assigned_date": "2025-03-14:00:20:33 +0900",
      "applied_date": "2025-03-13:22:35:41 +0700",
      "rule_set_id": "7234044d31914848a24cf2851078c9bd"
    }
  },
  "groups": [],
  "group_hash": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
  "product_type": "1",
  "product_type_desc": "Workstation",
  "provision_status": "Provisioned",
  "serial_number": "VMware-42 1f 5d 1c 69 cd f9 03-8e 9d b9 6a d9 53 b7 35",
  "service_pack_major": "0",
  "service_pack_minor": "0",
  "pointer_size": "8",
  "site_name": "none",
  "status": "normal",
  "system_manufacturer": "Abc",
  "system_product_name": "Xyz",
  "tags": [],
  "modified_timestamp": "2025-03-13:12:50:16 -0300",
  "slow_changing_modified_timestamp": "2025-03-13:16:15:28 +0100",
  "meta": { "version": "16659" }
}

Step-by-Step

  1. Starting with the source repository events.

  2. Filter stage:

    * platform_name="Mac"

    Filters the events to include only those where platform_name equals Mac.

  3. Aggregate stage:

    | count(field=device_id, distinct=True)

    Counts the number of unique values in the device_id field, and returns the result in a _count field. Setting distinct to true ensures each device is counted only once, regardless of how many times it appears in the data.

  4. Expression stage:

    | count:= rename(_count)

    Renames the output field from the default _count to count for better readability in the results.

  5. Aggregate stage:

    | sort(count)

    Sorts the results based on the count field. When no order is specified, sort() defaults to descending order.

  6. Event Result set.
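To make the four stages concrete outside LogScale, the following Python is an added example (not code from the crowdstrike/falcon-devices package or from this page): it parses device records from their @rawstring JSON, applies the exact-match filter, the distinct count, the rename and the sort, and also shows the two cases the query handles silently, a device reported more than once and a record with no device_id. The event records, device IDs and hostnames are constructed; note that the page's own sample record has platform_name "Windows" and would likewise be dropped by the filter. The last function goes beyond the page's query and produces the same distinct count for every platform_name.

```python
import json

# Constructed sample events (not from the page): one device record per event,
# as a JSON string the way it would sit in @rawstring. Only the fields the
# query touches are present, plus a hostname for readability.
SAMPLE_RAW_EVENTS = [
    '{"device_id": "DEV-MAC-0001", "platform_name": "Mac", "hostname": "mac-01"}',
    '{"device_id": "DEV-MAC-0001", "platform_name": "Mac", "hostname": "mac-01"}',      # same device seen twice
    '{"device_id": "DEV-MAC-0002", "platform_name": "Mac", "hostname": "mac-02"}',
    '{"device_id": "DEV-WIN-0001", "platform_name": "Windows", "hostname": "PROD-WEB01"}',
    '{"device_id": "DEV-LNX-0001", "platform_name": "Linux", "hostname": "lnx-01"}',
    '{"device_id": "DEV-MAC-0003", "platform_name": "mac", "hostname": "mac-03"}',      # lowercase: exact match fails
    '{"platform_name": "Mac", "hostname": "mac-no-id"}',                               # no device_id: not counted
]


def parse_events(raw_events):
    """Parse each @rawstring into a dict of fields; records that are not valid JSON are skipped."""
    events = []
    for raw in raw_events:
        try:
            events.append(json.loads(raw))
        except json.JSONDecodeError:
            continue
    return events


def filter_platform(events, platform="Mac"):
    """Stage 2, platform_name="Mac": keep events whose platform_name equals the literal exactly."""
    return [e for e in events if e.get("platform_name") == platform]


def count_distinct(events, field="device_id"):
    """Stage 3, count(field=device_id, distinct=True): number of distinct values of the field.

    An event that lacks the field contributes nothing, so a record missing
    device_id neither inflates the count nor causes an error."""
    return len({e[field] for e in events if field in e})


def mac_device_count(raw_events):
    """Stages 2-5 end to end: the single result row with the field already renamed,
    i.e. {"count": n} rather than {"_count": n}. Sorting a one-row result is a no-op."""
    events = parse_events(raw_events)
    return {"count": count_distinct(filter_platform(events))}


def distinct_devices_by_platform(raw_events):
    """Beyond the page's query: the same distinct count for every platform, one row per
    platform_name, ordered descending by count as sort(count) orders results
    (ties broken by name only so the output is deterministic)."""
    seen = {}
    for e in parse_events(raw_events):
        platform, device = e.get("platform_name"), e.get("device_id")
        if platform is None or device is None:
            continue
        seen.setdefault(platform, set()).add(device)
    rows = [{"platform_name": p, "count": len(ids)} for p, ids in seen.items()]
    rows.sort(key=lambda r: (-r["count"], r["platform_name"]))
    return rows


if __name__ == "__main__":
    print(mac_device_count(SAMPLE_RAW_EVENTS))  # {'count': 2}
    for row in distinct_devices_by_platform(SAMPLE_RAW_EVENTS):
        print(row)
```

Running it on the constructed events yields count 2: the duplicated DEV-MAC-0001 is counted once, the record without a device_id adds nothing, and the record whose platform_name is "mac" is excluded because the comparison is an exact string match, which is worth remembering when the widget's count looks lower than the fleet inventory suggests.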

Summary and Results

The widget is used to monitor the distribution of Mac devices in the environment and track their presence over time.

This widget is useful to maintain an accurate inventory of Mac devices and identify changes in the Mac device footprint.

Sample output from the incoming example data:

count
10

The output shows the total count of unique Mac devices found in the analyzed data set.