Display Mobile Devices

Display mobile devices and their total count

This is a query example for the Mobile widget in the CrowdStrike Falcon Devices: Overview dashboard of the crowdstrike/falcon-devices package.

Query

Query flow: Events -> Filter -> Aggregate -> Expression -> Result Set
* "product_type_desc" = Mobile
| count(field=device_id, distinct=True)
| "Number of Devices" := rename(_count)

Introduction

This widget is used to identify and count mobile devices in your environment by analyzing the product type description field.

In this widget, the count() function is used to count unique device IDs where the product type is Mobile.

Example incoming data might look like this:

@timestamp | device_id | hostname | platform_name | product_type | product_type_desc
2026-01-15T17:47:29 | DEV-7a8b9c0d | PROD-WEB01 | Windows | 1 | Workstation
2026-01-15T17:47:30 | DEV-e1f2a3b4 | PROD-APP02 | Mac | 2 | Domain Controller
2026-01-15T17:47:30 | DEV-c5d6e7f8 | PROD-DB01 | Linux | 3 | Server
2026-01-15T17:47:31 | DEV-9a0b1c2d | PROD-FILE01 | Windows | 1 | Workstation
2026-01-15T17:47:31 | DEV-3e4f5a6b | PROD-SQL01 | Mac | 2 | Server

Each event carries many more fields (agent, BIOS, policy and network details); only the columns relevant to this query are shown.

Step-by-Step

  1. Starting with the source repository events.

  2. Filter:

    * "product_type_desc" = Mobile

    Filters events to include only those where product_type_desc equals Mobile.

  3. Aggregate:

    | count(field=device_id, distinct=True)

    Counts the number of unique values in the device_id field, and returns the results in a _count field. The distinct parameter set to true ensures each device is counted only once.

  4. Expression:

    | "Number of Devices" := rename(_count)

    Renames the output field from the default _count to Number of Devices for better readability in the results.

  5. Event Result set.

Summary and Results

The widget is used to monitor the number of mobile devices in the environment.

This widget is useful to maintain an accurate inventory of mobile devices and track their presence over time.

Sample output from the incoming example data:

Number of Devices
0

The output shows zero mobile devices were found in the analyzed data set.
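
The zero above can be checked by looking at which product types the events actually carry. The following Python sketch is an added example, not part of the package or of LogScale itself: it emulates the three query stages over constructed events and adds a per-type breakdown. It assumes an exact string match on product_type_desc and that events without a device_id are not counted. The DEV-MOB-* identifiers are made up.

```python
import json
from collections import defaultdict

# Constructed raw events. These five reuse the device_id / product_type_desc
# pairs from the page's example data (all other fields dropped).
PAGE_SAMPLE = [
    '{"device_id": "DEV-7a8b9c0d", "product_type_desc": "Workstation"}',
    '{"device_id": "DEV-e1f2a3b4", "product_type_desc": "Domain Controller"}',
    '{"device_id": "DEV-c5d6e7f8", "product_type_desc": "Server"}',
    '{"device_id": "DEV-9a0b1c2d", "product_type_desc": "Workstation"}',
    '{"device_id": "DEV-3e4f5a6b", "product_type_desc": "Server"}',
]

# Constructed Mobile events (hypothetical IDs): one device reports twice,
# and one event has no device_id at all.
CONSTRUCTED_MOBILE = [
    '{"device_id": "DEV-MOB-0001", "product_type_desc": "Mobile"}',
    '{"device_id": "DEV-MOB-0001", "product_type_desc": "Mobile"}',
    '{"device_id": "DEV-MOB-0002", "product_type_desc": "Mobile"}',
    '{"product_type_desc": "Mobile"}',
]


def parse(raw_events):
    """Decode each raw JSON event into a dict."""
    return [json.loads(raw) for raw in raw_events]


def mobile_widget(events, wanted="Mobile"):
    """Emulate: filter -> count(field=device_id, distinct=True) -> rename."""
    # Stage 1: keep events whose product_type_desc matches exactly (assumption).
    filtered = [e for e in events if e.get("product_type_desc") == wanted]
    # Stage 2: distinct device_id values; events lacking the field are
    # skipped (assumption of this emulation).
    distinct_ids = {e["device_id"] for e in filtered if "device_id" in e}
    # Stage 3: present the count under the widget's column name.
    return {"Number of Devices": len(distinct_ids)}


def devices_per_type(events):
    """Distinct devices per product_type_desc, to explain a zero result."""
    seen = defaultdict(set)
    for e in events:
        if "device_id" in e:
            seen[e.get("product_type_desc", "<missing>")].add(e["device_id"])
    return {ptype: len(ids) for ptype, ids in sorted(seen.items())}


if __name__ == "__main__":
    sample = parse(PAGE_SAMPLE)
    print(mobile_widget(sample))      # widget result for the page-like sample
    print(devices_per_type(sample))   # which product types are present instead
    print(mobile_widget(parse(PAGE_SAMPLE + CONSTRUCTED_MOBILE)))
```

The breakdown separates "no mobile devices enrolled" from "the filter value does not match what the events contain", which the single-number widget cannot show.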