Display Number of Real Time Response Policies

Count unique real time response policies

This is a query example for the Number of Real Time Response Policies widget in the CrowdStrike Falcon Devices: Policies dashboard of the crowdstrike/falcon-devices package.

Query

flowchart LR; %%{init: {"flowchart": {"defaultRenderer": "elk"}} }%% repo{{Events}} 1["Expression"] 2[/Filter/] 3{{Aggregate}} result{{Result Set}} repo --> 1 1 --> 2 2 --> 3 3 --> result
logscale
json:prettyPrint()
| cid=*
| count(field="device_policies.remote_response.policy_id", distinct=True)

Introduction

This widget is used to count the total number of unique real time response policies configured across devices.

In this widget, the count() function is used to calculate the number of unique real time response policy IDs across all devices.

Example incoming data might look like this:

@timestamp#error#repo#type@error@error_msg@error_msg[0]@event_parsed@id@ingesttimestamp@rawstring@timestamp.nanos@timezoneagent_load_flagsagent_local_timeagent_versionbios_manufacturerbios_versionbuild_numbercidconfig_id_baseconfig_id_buildconfig_id_platformcpu_signaturedevice_iddevice_policies.device_control.applieddevice_policies.device_control.applied_datedevice_policies.device_control.assigned_datedevice_policies.device_control.policy_iddevice_policies.device_control.policy_typedevice_policies.firewall.applieddevice_policies.firewall.applied_datedevice_policies.firewall.assigned_datedevice_policies.firewall.policy_iddevice_policies.firewall.policy_typedevice_policies.firewall.rule_set_iddevice_policies.global_config.applieddevice_policies.global_config.applied_datedevice_policies.global_config.assigned_datedevice_policies.global_config.policy_iddevice_policies.global_config.policy_typedevice_policies.global_config.settings_hashdevice_policies.prevention.applieddevice_policies.prevention.applied_datedevice_policies.prevention.assigned_datedevice_policies.prevention.policy_iddevice_policies.prevention.policy_typedevice_policies.prevention.settings_hashdevice_policies.remote_response.applieddevice_policies.remote_response.applied_datedevice_policies.remote_response.assigned_datedevice_policies.remote_response.policy_iddevice_policies.remote_response.policy_typedevice_policies.remote_response.settings_hashdevice_policies.sensor_update.applieddevice_policies.sensor_update.applied_datedevice_policies.sensor_update.assigned_datedevice_policies.sensor_update.policy_iddevice_policies.sensor_update.policy_typedevice_policies.sensor_update.settings_hashdevice_policies.sensor_update.uninstall_protectionexternal_ipfirst_seengroup_hashhostnamelast_seenlocal_ipmac_addressmachine_domainmajor_versionmeta.versionminor_versionmodified_timestampos_buildos_versionplatform_idplatform_namepointer_sizepolicies[0].appliedpolicies[0].applied_datepolicies[0].assigned_datepolicies[0].policy_idpolicies[0].policy_typepolicies[0].settings_hashproduct_typeproduct_type_descprovision_statusreduced_functionality_modeserial_numberservice_pack_majorservice_pack_minorsite_nameslow_changing_modified_timestampstatussystem_manufacturersystem_product_name
2026-01-15T17:47:29trueauto-dashboard-queriesCrowdStrike_Falcon_DevicestrueError parsing timestamp. errormsg="Text '2025-03-13:12:50:16 -0300' could not be parsed at index 10" zone=""Error parsing timestamp. errormsg="Text '2025-03-13:12:50:16 -0300' could not be parsed at index 10" zone=""false1sQGV7fQ8QZ5E5UlagdqsmIs_4_125_17684992492026-01-15T17:47:29{ "device_id": "DEV-7a8b9c0d", "cid": "a1b2c3d4e5f6g7h8i9j0", "agent_load_flags": "0", "agent_local_time": "2025-03-13:15:48:44 +0000", "agent_version": "6.42.15610.0", "bios_manufacturer": "Abc", "bios_version": "1.2.Abc", "build_number": "7601", "config_id_base": "65994753", "config_id_build": "12345", "config_id_platform": "0", "cpu_signature": "198372", "external_ip": "192.168.2.143", "mac_address": "00:1A:2B:3C:4D:5E", "hostname": "PROD-WEB01", "first_seen": "2025-03-13:10:15:22 -0500", "last_seen": "2025-03-13:17:30:15 +0200", "local_ip": "192.168.0.87", "machine_domain": "malicious-domain.com", "major_version": "0", "minor_version": "0", "os_version": "Windows", "os_build": "10240", "ou": [], "platform_id": "0", "platform_name": "Windows", "policies": [ { "policy_type": "prevention", "policy_id": "ef7027127a06486aadc1d5ae5f4ce79d", "applied": true, "settings_hash": "ad4dc0bf", "assigned_date": "2025-03-13:07:45:33 -0800", "applied_date": "2025-03-13:20:20:11 +0500", "rule_groups": [] } ], "reduced_functionality_mode": "no", "device_policies": { "prevention": { "policy_type": "prevention", "policy_id": "34c2eda9f67446daa84d28fd239635e8", "applied": false, "settings_hash": "tagged|1;0", "assigned_date": "2025-03-13:23:05:48 +0800", "applied_date": "2025-03-13:16:15:29 +0100", "rule_groups": [] }, "sensor_update": { "policy_type": "sensor-update", "policy_id": "6g8e3cce20g86hidc1ff29g43fd7c308", "applied": true, "settings_hash": "b2b79cf7", "assigned_date": "2025-03-13:19:30:17 +0400", "applied_date": "2025-03-13:11:45:55 -0400", "uninstall_protection": "DISABLED" }, "device_control": { "policy_type": "device-control", "policy_id": "5f7d2bbd19f75ghcb0ee18f32ec6b297", "applied": false, "assigned_date": "2025-03-14:02:10:23 +1100", "applied_date": "2025-03-13:09:25:44 -0600" }, "global_config": { "policy_type": "globalconfig", "policy_id": "34c2eda9f67446daa84d28fd239635e8", "applied": false, "settings_hash": "f472bd8e", "assigned_date": "2025-03-13:21:40:12 +0600", "applied_date": "2025-03-13:15:15:38 +0000" }, "remote_response": { "policy_type": "remote-response", "policy_id": "6g8e3cce20g86hidc1ff29g43fd7c308", "applied": true, "settings_hash": "3c5ea1d8", "assigned_date": "2025-03-13:18:30:19 +0300", "applied_date": "2025-03-13:08:45:27 -0700" }, "firewall": { "policy_type": "firewall", "policy_id": "bceb71599f5c4b6ea3c62de722a1194b", "applied": false, "assigned_date": "2025-03-14:00:20:33 +0900", "applied_date": "2025-03-13:22:35:41 +0700", "rule_set_id": "7234044d31914848a24cf2851078c9bd" } }, "groups": [], "group_hash": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", "product_type": "1", "product_type_desc": "Workstation", "provision_status": "Provisioned", "serial_number": "VMware-42 1f 5d 1c 69 cd f9 03-8e 9d b9 6a d9 53 b7 35", "service_pack_major": "0", "service_pack_minor": "0", "pointer_size": "8", "site_name": "none", "status": "normal", "system_manufacturer": "Abc", "system_product_name": "Xyz", "tags": [], "modified_timestamp": "2025-03-13:12:50:16 -0300", "slow_changing_modified_timestamp": "2025-03-13:16:15:28 +0100", "meta": { "version": "16659" } } c87e08c4f61b5d6352363d8a226a89f70Z02025-03-13:15:48:44 +00006.42.15610.0Abc1.2.Abc7601a1b2c3d4e5f6g7h8i9j065994753123450198372DEV-7a8b9c0dfalse2025-03-13:09:25:44 -06002025-03-14:02:10:23 +11005f7d2bbd19f75ghcb0ee18f32ec6b297device-controlfalse2025-03-13:22:35:41 +07002025-03-14:00:20:33 +0900bceb71599f5c4b6ea3c62de722a1194bfirewall7234044d31914848a24cf2851078c9bdfalse2025-03-13:15:15:38 +00002025-03-13:21:40:12 +060034c2eda9f67446daa84d28fd239635e8globalconfigf472bd8efalse2025-03-13:16:15:29 +01002025-03-13:23:05:48 +080034c2eda9f67446daa84d28fd239635e8preventiontagged|1;0true2025-03-13:08:45:27 -07002025-03-13:18:30:19 +03006g8e3cce20g86hidc1ff29g43fd7c308remote-response3c5ea1d8true2025-03-13:11:45:55 -04002025-03-13:19:30:17 +04006g8e3cce20g86hidc1ff29g43fd7c308sensor-updateb2b79cf7DISABLED192.168.2.1432025-03-13:10:15:22 -0500e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855PROD-WEB012025-03-13:17:30:15 +0200192.168.0.8700:1A:2B:3C:4D:5Emalicious-domain.com01665902025-03-13:12:50:16 -030010240Windows0Windows8true2025-03-13:20:20:11 +05002025-03-13:07:45:33 -0800ef7027127a06486aadc1d5ae5f4ce79dpreventionad4dc0bf1WorkstationProvisionednoVMware-42 1f 5d 1c 69 cd f9 03-8e 9d b9 6a d9 53 b7 3500none2025-03-13:16:15:28 +0100normalAbcXyz
2026-01-15T17:47:30trueauto-dashboard-queriesCrowdStrike_Falcon_DevicestrueError parsing timestamp. errormsg="Text '2025-03-14:01:15:39 +1000' could not be parsed at index 10" zone=""Error parsing timestamp. errormsg="Text '2025-03-14:01:15:39 +1000' could not be parsed at index 10" zone=""false1sQGV7fQ8QZ5E5UlagdqsmIs_4_126_17684992502026-01-15T17:47:30{ "device_id": "DEV-e1f2a3b4", "cid": "b2c3d4e5f6g7h8i9j0k1", "agent_load_flags": "1", "agent_local_time": "2025-03-14:01:30:45 +1000", "agent_version": "6.43.15620.0", "bios_manufacturer": "Dell Inc.", "bios_version": "A01", "build_number": "14393", "config_id_base": "65994754", "config_id_build": "12346", "config_id_platform": "1", "cpu_signature": "198373", "external_ip": "192.168.3.211", "mac_address": "F8:2D:7C:91:A3:B4", "hostname": "PROD-APP02", "first_seen": "2025-03-13:10:45:22 -0500", "last_seen": "2025-03-13:19:20:37 +0400", "local_ip": "192.168.1.54", "machine_domain": "evil-site.net", "major_version": "1", "minor_version": "1", "os_version": "Windows 10", "os_build": "16299", "ou": [], "platform_id": "1", "platform_name": "Mac", "policies": [ { "policy_type": "sensor-update", "policy_id": "bceb71599f5c4b6ea3c62de722a1194b", "applied": false, "settings_hash": "4d6fb2e9", "assigned_date": "2025-03-13:07:35:49 -0800", "applied_date": "2025-03-13:20:50:14 +0500", "rule_groups": [] } ], "reduced_functionality_mode": "yes", "device_policies": { "prevention": { "policy_type": "prevention", "policy_id": "7h9f4ddf31h97ijed2gg30h54ge8d419", "applied": true, "settings_hash": "5e7gc3fa", "assigned_date": "2025-03-14:00:15:26 +0900", "applied_date": "2025-03-13:17:30:38 +0200", "rule_groups": [] }, "sensor_update": { "policy_type": "sensor-update", "policy_id": "34c2eda9f67446daa84d28fd239635e8", "applied": false, "settings_hash": "6f8hd4gb", "assigned_date": "2025-03-13:11:45:52 -0400", "applied_date": "2025-03-13:22:20:17 +0700", "uninstall_protection": "ENABLED" }, "device_control": { "policy_type": "device-control", "policy_id": "6g8e3cce20g86hidc1ff29g43fd7c308", "applied": true, "assigned_date": "2025-03-13:15:35:29 +0000", "applied_date": "2025-03-13:18:50:43 +0300" }, "global_config": { "policy_type": "globalconfig", "policy_id": "a03aa7587d10408ca79417beda3a1265", "applied": false, "settings_hash": "7g9ie5hc", "assigned_date": "2025-03-13:09:15:18 -0600", "applied_date": "2025-03-13:21:30:25 +0600" }, "remote_response": { "policy_type": "remote-response", "policy_id": "5f7d2bbd19f75ghcb0ee18f32ec6b297", "applied": true, "settings_hash": "8haif6id", "assigned_date": "2025-03-14:02:45:37 +1100", "applied_date": "2025-03-13:16:20:49 +0100" }, "firewall": { "policy_type": "firewall", "policy_id": "6g8e3cce20g86hidc1ff29g43fd7c308", "applied": false, "assigned_date": "2025-03-13:19:35:12 +0400", "applied_date": "2025-03-13:08:50:28 -0700", "rule_set_id": "4e6c1aac08e64fba9dda17021db5a186" } }, "groups": [], "group_hash": "f4c1d55309gd2d250bggf5d907gfc03538bf52f5750c045db506002c8963c966", "product_type": "2", "product_type_desc": "Domain Controller", "provision_status": "NotProvisioned", "serial_number": "HP-ZX98YW76VU54", "service_pack_major": "1", "service_pack_minor": "1", "pointer_size": "4", "site_name": "Default-First-Site-Name", "status": "containment_pending", "system_manufacturer": "Dell Inc.", "system_product_name": "OptiPlex 7090", "tags": [], "modified_timestamp": "2025-03-14:01:15:39 +1000", "slow_changing_modified_timestamp": "2025-03-13:22:30:47 +0700", "meta": { "version": "16660" } } c87e08c4f61b5d6352363d8a226a89f70Z12025-03-14:01:30:45 +10006.43.15620.0Dell Inc.A0114393b2c3d4e5f6g7h8i9j0k165994754123461198373DEV-e1f2a3b4true2025-03-13:18:50:43 +03002025-03-13:15:35:29 +00006g8e3cce20g86hidc1ff29g43fd7c308device-controlfalse2025-03-13:08:50:28 -07002025-03-13:19:35:12 +04006g8e3cce20g86hidc1ff29g43fd7c308firewall4e6c1aac08e64fba9dda17021db5a186false2025-03-13:21:30:25 +06002025-03-13:09:15:18 -0600a03aa7587d10408ca79417beda3a1265globalconfig7g9ie5hctrue2025-03-13:17:30:38 +02002025-03-14:00:15:26 +09007h9f4ddf31h97ijed2gg30h54ge8d419prevention5e7gc3fatrue2025-03-13:16:20:49 +01002025-03-14:02:45:37 +11005f7d2bbd19f75ghcb0ee18f32ec6b297remote-response8haif6idfalse2025-03-13:22:20:17 +07002025-03-13:11:45:52 -040034c2eda9f67446daa84d28fd239635e8sensor-update6f8hd4gbENABLED192.168.3.2112025-03-13:10:45:22 -0500f4c1d55309gd2d250bggf5d907gfc03538bf52f5750c045db506002c8963c966PROD-APP022025-03-13:19:20:37 +0400192.168.1.54F8:2D:7C:91:A3:B4evil-site.net11666012025-03-14:01:15:39 +100016299Windows 101Mac4false2025-03-13:20:50:14 +05002025-03-13:07:35:49 -0800bceb71599f5c4b6ea3c62de722a1194bsensor-update4d6fb2e92Domain ControllerNotProvisionedyesHP-ZX98YW76VU5411Default-First-Site-Name2025-03-13:22:30:47 +0700containment_pendingDell Inc.OptiPlex 7090
2026-01-15T17:47:30trueauto-dashboard-queriesCrowdStrike_Falcon_DevicestrueError parsing timestamp. errormsg="Text '2025-03-13:23:05:48 +0800' could not be parsed at index 10" zone=""Error parsing timestamp. errormsg="Text '2025-03-13:23:05:48 +0800' could not be parsed at index 10" zone=""false1sQGV7fQ8QZ5E5UlagdqsmIs_4_127_17684992502026-01-15T17:47:30{ "device_id": "DEV-c5d6e7f8", "cid": "c3d4e5f6g7h8i9j0k1l2", "agent_load_flags": "2", "agent_local_time": "2025-03-13:12:45:56 -0300", "agent_version": "6.44.15630.0", "bios_manufacturer": "HP", "bios_version": "F.20", "build_number": "17134", "config_id_base": "65994755", "config_id_build": "12347", "config_id_platform": "2", "cpu_signature": "198374", "external_ip": "192.168.4.198", "mac_address": "84:3A:4B:23:CB:45", "hostname": "PROD-DB01", "first_seen": "2025-03-13:17:20:14 +0200", "last_seen": "2025-03-13:10:35:23 -0500", "local_ip": "192.168.2.16", "machine_domain": "phishing-portal.org", "major_version": "2", "minor_version": "2", "os_version": "Windows 11", "os_build": "17763", "ou": [], "platform_id": "2", "platform_name": "Linux", "policies": [ { "policy_type": "identity-protection", "policy_id": "7h9f4ddf31h97ijed2gg30h54ge8d419", "applied": false, "settings_hash": "9ibjg7je", "assigned_date": "2025-03-13:20:50:35 +0500", "applied_date": "2025-03-13:07:15:48 -0800", "rule_groups": [] } ], "reduced_functionality_mode": "no", "device_policies": { "prevention": { "policy_type": "prevention", "policy_id": "5f7d2bbd19f75ghcb0ee18f32ec6b297", "applied": true, "settings_hash": "0jckh8kf", "assigned_date": "2025-03-14:00:30:57 +0900", "applied_date": "2025-03-13:15:45:16 +0000", "rule_groups": [] }, "sensor_update": { "policy_type": "sensor-update", "policy_id": "6g8e3cce20g86hidc1ff29g43fd7c308", "applied": false, "settings_hash": "1kdli9lg", "assigned_date": "2025-03-13:18:20:28 +0300", "applied_date": "2025-03-13:09:35:39 -0600", "uninstall_protection": "DISABLED" }, "device_control": { "policy_type": "device-control", "policy_id": "4e6c1aac08e64fba9dda17021db5a186", "applied": false, "assigned_date": "2025-03-13:21:50:45 +0600", "applied_date": "2025-03-14:03:15:52 +1100" }, "global_config": { "policy_type": "globalconfig", "policy_id": "6g8e3cce20g86hidc1ff29g43fd7c308", "applied": true, "settings_hash": "2lemj0mh", "assigned_date": "2025-03-13:16:30:19 +0100", "applied_date": "2025-03-13:15:48:44 +0000" }, "remote_response": { "policy_type": "remote-response", "policy_id": "7h9f4ddf31h97ijed2gg30h54ge8d419", "applied": false, "settings_hash": "3mfnk1ni", "assigned_date": "2025-03-13:10:15:22 -0500", "applied_date": "2025-03-13:17:30:15 +0200" }, "firewall": { "policy_type": "firewall", "policy_id": "8iag5eeg42ia8jkfe3hh41i65hf9e520", "applied": true, "assigned_date": "2025-03-13:07:45:33 -0800", "applied_date": "2025-03-13:20:20:11 +0500", "rule_set_id": "ef7027127a06486aadc1d5ae5f4ce79d" } }, "groups": [], "group_hash": "g5d2e66410he3e361chgh6e018hgd14649cg63g6861d156ec617113d9074d077", "product_type": "3", "product_type_desc": "Server", "provision_status": "Provisioned", "serial_number": "1234567890ABCDEF", "service_pack_major": "2", "service_pack_minor": "2", "pointer_size": "8", "site_name": "HeadOffice", "status": "contained", "system_manufacturer": "HP", "system_product_name": "EliteBook 840 G8", "tags": [], "modified_timestamp": "2025-03-13:23:05:48 +0800", "slow_changing_modified_timestamp": "2025-03-13:16:15:29 +0100", "meta": { "version": "16661" } } c87e08c4f61b5d6352363d8a226a89f70Z22025-03-13:12:45:56 -03006.44.15630.0HPF.2017134c3d4e5f6g7h8i9j0k1l265994755123472198374DEV-c5d6e7f8false2025-03-14:03:15:52 +11002025-03-13:21:50:45 +06004e6c1aac08e64fba9dda17021db5a186device-controltrue2025-03-13:20:20:11 +05002025-03-13:07:45:33 -08008iag5eeg42ia8jkfe3hh41i65hf9e520firewallef7027127a06486aadc1d5ae5f4ce79dtrue2025-03-13:15:48:44 +00002025-03-13:16:30:19 +01006g8e3cce20g86hidc1ff29g43fd7c308globalconfig2lemj0mhtrue2025-03-13:15:45:16 +00002025-03-14:00:30:57 +09005f7d2bbd19f75ghcb0ee18f32ec6b297prevention0jckh8kffalse2025-03-13:17:30:15 +02002025-03-13:10:15:22 -05007h9f4ddf31h97ijed2gg30h54ge8d419remote-response3mfnk1nifalse2025-03-13:09:35:39 -06002025-03-13:18:20:28 +03006g8e3cce20g86hidc1ff29g43fd7c308sensor-update1kdli9lgDISABLED192.168.4.1982025-03-13:17:20:14 +0200g5d2e66410he3e361chgh6e018hgd14649cg63g6861d156ec617113d9074d077PROD-DB012025-03-13:10:35:23 -0500192.168.2.1684:3A:4B:23:CB:45phishing-portal.org21666122025-03-13:23:05:48 +080017763Windows 112Linux8false2025-03-13:07:15:48 -08002025-03-13:20:50:35 +05007h9f4ddf31h97ijed2gg30h54ge8d419identity-protection9ibjg7je3ServerProvisionedno1234567890ABCDEF22HeadOffice2025-03-13:16:15:29 +0100containedHPEliteBook 840 G8
2026-01-15T17:47:31trueauto-dashboard-queriesCrowdStrike_Falcon_DevicestrueError parsing timestamp. errormsg="Text '2025-03-14:00:15:26 +0900' could not be parsed at index 10" zone=""Error parsing timestamp. errormsg="Text '2025-03-14:00:15:26 +0900' could not be parsed at index 10" zone=""false1sQGV7fQ8QZ5E5UlagdqsmIs_4_128_17684992512026-01-15T17:47:31{ "device_id": "DEV-9a0b1c2d", "cid": "d4e5f6g7h8i9j0k1l2m3", "agent_load_flags": "4", "agent_local_time": "2025-03-13:19:30:17 +0400", "agent_version": "6.45.15640.0", "bios_manufacturer": "Lenovo", "bios_version": "N1EET85W", "build_number": "18362", "config_id_base": "65994756", "config_id_build": "12348", "config_id_platform": "3", "cpu_signature": "263987", "external_ip": "192.168.0.234", "mac_address": "00:25:96:12:34:56", "hostname": "PROD-FILE01", "first_seen": "2025-03-13:11:45:55 -0400", "last_seen": "2025-03-14:02:10:23 +1100", "local_ip": "192.168.3.45", "machine_domain": "command-control.xyz", "major_version": "3", "minor_version": "3", "os_version": "Windows Server 2019", "os_build": "18363", "ou": [], "platform_id": "3", "platform_name": "Windows", "policies": [ { "policy_type": "prevention", "policy_id": "34c2eda9f67446daa84d28fd239635e8", "applied": false, "settings_hash": "ad4dc0bf", "assigned_date": "2025-03-13:09:25:44 -0600", "applied_date": "2025-03-13:21:40:12 +0600", "rule_groups": [] } ], "reduced_functionality_mode": "no", "device_policies": { "prevention": { "policy_type": "prevention", "policy_id": "6g8e3cce20g86hidc1ff29g43fd7c308", "applied": true, "settings_hash": "tagged|1;0", "assigned_date": "2025-03-13:15:15:38 +0000", "applied_date": "2025-03-13:18:30:19 +0300", "rule_groups": [] }, "sensor_update": { "policy_type": "sensor-update", "policy_id": "5f7d2bbd19f75ghcb0ee18f32ec6b297", "applied": false, "settings_hash": "b2b79cf7", "assigned_date": "2025-03-13:08:45:27 -0700", "applied_date": "2025-03-14:00:20:33 +0900", "uninstall_protection": "ENABLED" }, "device_control": { "policy_type": "device-control", "policy_id": "34c2eda9f67446daa84d28fd239635e8", "applied": false, "assigned_date": "2025-03-13:22:35:41 +0700", "applied_date": "2025-03-13:12:50:16 -0300" }, "global_config": { "policy_type": "globalconfig", "policy_id": "6g8e3cce20g86hidc1ff29g43fd7c308", "applied": true, "settings_hash": "f472bd8e", "assigned_date": "2025-03-13:16:15:28 +0100", "applied_date": "2025-03-14:01:30:45 +1000" }, "remote_response": { "policy_type": "remote-response", "policy_id": "bceb71599f5c4b6ea3c62de722a1194b", "applied": false, "settings_hash": "3c5ea1d8", "assigned_date": "2025-03-13:10:45:22 -0500", "applied_date": "2025-03-13:19:20:37 +0400" }, "firewall": { "policy_type": "firewall", "policy_id": "7234044d31914848a24cf2851078c9bd", "applied": false, "assigned_date": "2025-03-13:07:35:49 -0800", "applied_date": "2025-03-13:20:50:14 +0500", "rule_set_id": "bceb71599f5c4b6ea3c62de722a1194b" } }, "groups": [], "group_hash": "h6e3f77521if4f472dihi7f129ihe25750dh74h7972e267fd728224e0185e188", "product_type": "1", "product_type_desc": "Workstation", "provision_status": "Provisioned", "serial_number": "VMware-43 2g 6e 2d 70 de g0 14-9f 0e c0 7b e0 64 c8 46", "service_pack_major": "0", "service_pack_minor": "3", "pointer_size": "8", "site_name": "Branch01", "status": "lift_containment_pending", "system_manufacturer": "Lenovo", "system_product_name": "ThinkPad X1 Carbon", "tags": [], "modified_timestamp": "2025-03-14:00:15:26 +0900", "slow_changing_modified_timestamp": "2025-03-13:17:30:38 +0200", "meta": { "version": "16662" } } c87e08c4f61b5d6352363d8a226a89f70Z42025-03-13:19:30:17 +04006.45.15640.0LenovoN1EET85W18362d4e5f6g7h8i9j0k1l2m365994756123483263987DEV-9a0b1c2dfalse2025-03-13:12:50:16 -03002025-03-13:22:35:41 +070034c2eda9f67446daa84d28fd239635e8device-controlfalse2025-03-13:20:50:14 +05002025-03-13:07:35:49 -08007234044d31914848a24cf2851078c9bdfirewallbceb71599f5c4b6ea3c62de722a1194btrue2025-03-14:01:30:45 +10002025-03-13:16:15:28 +01006g8e3cce20g86hidc1ff29g43fd7c308globalconfigf472bd8etrue2025-03-13:18:30:19 +03002025-03-13:15:15:38 +00006g8e3cce20g86hidc1ff29g43fd7c308preventiontagged|1;0false2025-03-13:19:20:37 +04002025-03-13:10:45:22 -0500bceb71599f5c4b6ea3c62de722a1194bremote-response3c5ea1d8false2025-03-14:00:20:33 +09002025-03-13:08:45:27 -07005f7d2bbd19f75ghcb0ee18f32ec6b297sensor-updateb2b79cf7ENABLED192.168.0.2342025-03-13:11:45:55 -0400h6e3f77521if4f472dihi7f129ihe25750dh74h7972e267fd728224e0185e188PROD-FILE012025-03-14:02:10:23 +1100192.168.3.4500:25:96:12:34:56command-control.xyz31666232025-03-14:00:15:26 +090018363Windows Server 20193Windows8false2025-03-13:21:40:12 +06002025-03-13:09:25:44 -060034c2eda9f67446daa84d28fd239635e8preventionad4dc0bf1WorkstationProvisionednoVMware-43 2g 6e 2d 70 de g0 14-9f 0e c0 7b e0 64 c8 4603Branch012025-03-13:17:30:38 +0200lift_containment_pendingLenovoThinkPad X1 Carbon
2026-01-15T17:47:31trueauto-dashboard-queriesCrowdStrike_Falcon_DevicestrueError parsing timestamp. errormsg="Text '2025-03-14:00:30:57 +0900' could not be parsed at index 10" zone=""Error parsing timestamp. errormsg="Text '2025-03-14:00:30:57 +0900' could not be parsed at index 10" zone=""false1sQGV7fQ8QZ5E5UlagdqsmIs_4_129_17684992512026-01-15T17:47:31{ "device_id": "DEV-3e4f5a6b", "cid": "e5f6g7h8i9j0k1l2m3n4", "agent_load_flags": "8", "agent_local_time": "2025-03-13:11:45:52 -0400", "agent_version": "6.43.15620.0", "bios_manufacturer": "American Megatrends", "bios_version": "Version 1.0", "build_number": "19041", "config_id_base": "65994757", "config_id_build": "12349", "config_id_platform": "4", "cpu_signature": "263988", "external_ip": "192.168.1.178", "mac_address": "AC:DE:48:23:45:67", "hostname": "PROD-SQL01", "first_seen": "2025-03-13:22:20:17 +0700", "last_seen": "2025-03-13:15:35:29 +0000", "local_ip": "192.168.4.92", "machine_domain": "bad-actor-infra.io", "major_version": "4", "minor_version": "4", "os_version": "Windows Server 2022", "os_build": "19042", "ou": [], "platform_id": "4", "platform_name": "Mac", "policies": [ { "policy_type": "sensor-update", "policy_id": "7h9f4ddf31h97ijed2gg30h54ge8d419", "applied": true, "settings_hash": "4d6fb2e9", "assigned_date": "2025-03-13:18:50:43 +0300", "applied_date": "2025-03-13:09:15:18 -0600", "rule_groups": [] } ], "reduced_functionality_mode": "yes", "device_policies": { "prevention": { "policy_type": "prevention", "policy_id": "34c2eda9f67446daa84d28fd239635e8", "applied": false, "settings_hash": "5e7gc3fa", "assigned_date": "2025-03-13:21:30:25 +0600", "applied_date": "2025-03-14:02:45:37 +1100", "rule_groups": [] }, "sensor_update": { "policy_type": "sensor-update", "policy_id": "6g8e3cce20g86hidc1ff29g43fd7c308", "applied": true, "settings_hash": "6f8hd4gb", "assigned_date": "2025-03-13:16:20:49 +0100", "applied_date": "2025-03-13:19:35:12 +0400", "uninstall_protection": "DISABLED" }, "device_control": { "policy_type": "device-control", "policy_id": "a03aa7587d10408ca79417beda3a1265", "applied": false, "assigned_date": "2025-03-13:08:50:28 -0700", "applied_date": "2025-03-14:01:15:39 +1000" }, "global_config": { "policy_type": "globalconfig", "policy_id": "5f7d2bbd19f75ghcb0ee18f32ec6b297", "applied": true, "settings_hash": "7g9ie5hc", "assigned_date": "2025-03-13:22:30:47 +0700", "applied_date": "2025-03-13:12:45:56 -0300" }, "remote_response": { "policy_type": "remote-response", "policy_id": "6g8e3cce20g86hidc1ff29g43fd7c308", "applied": false, "settings_hash": "8haif6id", "assigned_date": "2025-03-13:17:20:14 +0200", "applied_date": "2025-03-13:10:35:23 -0500" }, "firewall": { "policy_type": "firewall", "policy_id": "4e6c1aac08e64fba9dda17021db5a186", "applied": false, "assigned_date": "2025-03-13:20:50:35 +0500", "applied_date": "2025-03-13:07:15:48 -0800", "rule_set_id": "7h9f4ddf31h97ijed2gg30h54ge8d419" } }, "groups": [], "group_hash": "i7f4g88632jg5g583ejij8g230jif36861ei85i0083f378ge839335f1296f299", "product_type": "2", "product_type_desc": "Server", "provision_status": "NotProvisioned", "serial_number": "HP-ZX98YW76VU54", "service_pack_major": "1", "service_pack_minor": "4", "pointer_size": "4", "site_name": "DataCenter", "status": "normal", "system_manufacturer": "Microsoft Corporation", "system_product_name": "Virtual Machine", "tags": [], "modified_timestamp": "2025-03-14:00:30:57 +0900", "slow_changing_modified_timestamp": "2025-03-13:15:45:16 +0000", "meta": { "version": "16663" } } c87e08c4f61b5d6352363d8a226a89f70Z82025-03-13:11:45:52 -04006.43.15620.0American MegatrendsVersion 1.019041e5f6g7h8i9j0k1l2m3n465994757123494263988DEV-3e4f5a6bfalse2025-03-14:01:15:39 +10002025-03-13:08:50:28 -0700a03aa7587d10408ca79417beda3a1265device-controlfalse2025-03-13:07:15:48 -08002025-03-13:20:50:35 +05004e6c1aac08e64fba9dda17021db5a186firewall7h9f4ddf31h97ijed2gg30h54ge8d419true2025-03-13:12:45:56 -03002025-03-13:22:30:47 +07005f7d2bbd19f75ghcb0ee18f32ec6b297globalconfig7g9ie5hcfalse2025-03-14:02:45:37 +11002025-03-13:21:30:25 +060034c2eda9f67446daa84d28fd239635e8prevention5e7gc3fafalse2025-03-13:10:35:23 -05002025-03-13:17:20:14 +02006g8e3cce20g86hidc1ff29g43fd7c308remote-response8haif6idtrue2025-03-13:19:35:12 +04002025-03-13:16:20:49 +01006g8e3cce20g86hidc1ff29g43fd7c308sensor-update6f8hd4gbDISABLED192.168.1.1782025-03-13:22:20:17 +0700i7f4g88632jg5g583ejij8g230jif36861ei85i0083f378ge839335f1296f299PROD-SQL012025-03-13:15:35:29 +0000192.168.4.92AC:DE:48:23:45:67bad-actor-infra.io41666342025-03-14:00:30:57 +090019042Windows Server 20224Mac4true2025-03-13:09:15:18 -06002025-03-13:18:50:43 +03007h9f4ddf31h97ijed2gg30h54ge8d419sensor-update4d6fb2e92ServerNotProvisionedyesHP-ZX98YW76VU5414DataCenter2025-03-13:15:45:16 +0000normalMicrosoft CorporationVirtual Machine

Step-by-Step

  1. Starting with the source repository events.

  2. flowchart LR; %%{init: {"flowchart": {"defaultRenderer": "elk"}} }%% repo{{Events}} 1["Expression"] 2[/Filter/] 3{{Aggregate}} result{{Result Set}} repo --> 1 1 --> 2 2 --> 3 3 --> result style 1 fill:#ff0000,stroke-width:4px,stroke:#000;
    logscale
    json:prettyPrint()

    Formats the JSON data in a human-readable structure with proper indentation and line breaks.

  3. flowchart LR; %%{init: {"flowchart": {"defaultRenderer": "elk"}} }%% repo{{Events}} 1["Expression"] 2[/Filter/] 3{{Aggregate}} result{{Result Set}} repo --> 1 1 --> 2 2 --> 3 3 --> result style 2 fill:#ff0000,stroke-width:4px,stroke:#000;
    logscale
    | cid=*

    Filters to include only events that contain a cid field with any value.

  4. flowchart LR; %%{init: {"flowchart": {"defaultRenderer": "elk"}} }%% repo{{Events}} 1["Expression"] 2[/Filter/] 3{{Aggregate}} result{{Result Set}} repo --> 1 1 --> 2 2 --> 3 3 --> result style 3 fill:#ff0000,stroke-width:4px,stroke:#000;
    logscale
    | count(field="device_policies.remote_response.policy_id", distinct=True)

    Counts the number of unique values in the device_policies.remote_response.policy_id field, and returns the results in a _count field. The distinct parameter set to true ensures each policy is counted only once.

  5. Event Result set.

Summary and Results

Sample output from the incoming example data:

_count
10

The output shows the total count of unique real time response policy IDs found in the data.