Display Device Count by Agent Version

Display distribution of devices across agent versions

This is a query example for the Device Count by Agent Version widget in the CrowdStrike Falcon Devices: Overview dashboard of the crowdstrike/falcon-devices package.

Query

Query flow: Events → Aggregate → Expression → Result Set
logscale
* | groupBy("agent_version", function=count(field=device_id, distinct=True))
| "Number of Devices" := rename(_count)

Introduction

This widget is used to analyze the distribution of devices across different agent versions by counting unique devices per version.

In this widget, the groupBy() function is used with count() to group and count unique device IDs by their agent version.

Example incoming data might look like this:


Step-by-Step

  1. Starting with the source repository events.

  2. Aggregate:
    logscale
    * | groupBy("agent_version", function=count(field=device_id, distinct=True))

    Groups events by agent_version and counts the unique values of the device_id field for each version. Setting the distinct parameter to True ensures that each device is counted only once per version.

  3. Expression:
    logscale
    | "Number of Devices" := rename(_count)

    Renames the output field from the default _count to Number of Devices for better readability in the results.

  4. Event Result set.

Summary and Results

The widget is used to monitor the distribution of agent versions across the device fleet.

This widget is useful to track agent version adoption and identify devices that may need updates.

Sample output from the incoming example data:

| Number of Devices | agent_version |
|---|---|
| 3 | 6.42.15610.0 |
| 16 | 6.43.15620.0 |
| 14 | 6.44.15630.0 |
| 9 | 6.45.15640.0 |
| 12 | 6.46.15650.0 |

The output shows the count of unique devices for each agent version present in the environment.
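
An added example, not part of the original page or of the crowdstrike/falcon-devices package: a Python emulation of the widget's aggregation over constructed events. It shows what distinct=True changes, and that a device upgraded inside the search window is counted under both its old and new version. The event tuples, device IDs, function names and the minimum version used below are assumptions made for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample events (not the page's data): (timestamp, device_id, agent_version).
# DEV-0001 reports three times on one version; DEV-0002 is upgraded from
# 6.42 to 6.43 inside the search window; DEV-0003 stays on 6.42.
EVENTS = [
    ("2025-03-13T10:00:00Z", "DEV-0001", "6.43.15620.0"),
    ("2025-03-13T11:00:00Z", "DEV-0001", "6.43.15620.0"),
    ("2025-03-13T12:00:00Z", "DEV-0001", "6.43.15620.0"),
    ("2025-03-13T10:00:00Z", "DEV-0002", "6.42.15610.0"),
    ("2025-03-13T13:00:00Z", "DEV-0002", "6.43.15620.0"),
    ("2025-03-13T11:00:00Z", "DEV-0003", "6.42.15610.0"),
    ("2025-03-13T12:00:00Z", "DEV-0003", "6.42.15610.0"),
    ("2025-03-13T11:00:00Z", "DEV-0004", "6.45.15640.0"),
]


def version_key(version):
    """Turn '6.42.15610.0' into (6, 42, 15610, 0) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def raw_count(events):
    """Events per version: what a plain count() without distinct would return."""
    return dict(Counter(version for _, _, version in events))


def distinct_count(events):
    """Unique device_id values per version: the widget's groupBy + distinct count."""
    seen = defaultdict(set)
    for _, device_id, version in events:
        seen[version].add(device_id)
    return {version: len(ids) for version, ids in seen.items()}


def latest_version_per_device(events):
    """Keep only the most recent version reported by each device."""
    latest = {}
    for _, device_id, version in sorted(events):  # sorted by timestamp first
        latest[device_id] = version
    return latest


def latest_version_count(events):
    """Devices per version after reducing each device to its latest report."""
    return dict(Counter(latest_version_per_device(events).values()))


def devices_below(events, minimum):
    """Devices whose latest reported version is older than `minimum`."""
    floor = version_key(minimum)
    return sorted(
        device_id
        for device_id, version in latest_version_per_device(events).items()
        if version_key(version) < floor
    )


if __name__ == "__main__":
    print("events per version:        ", raw_count(EVENTS))
    print("distinct devices/version:  ", distinct_count(EVENTS))
    print("latest version per device: ", latest_version_count(EVENTS))
    print("below 6.43.15620.0:        ", devices_below(EVENTS, "6.43.15620.0"))
```

In this sample the distinct counts sum to five although only four devices exist, because DEV-0002 appears under two versions; when reading the widget as an update backlog, keep the search window short or reduce each device to its latest report first.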