Display Devices With Uninstall Protection Disabled

Display devices with disabled uninstall protection

This is a query example for the Devices with Uninstall Protection Disabled widget in the CrowdStrike Falcon Devices: Overview dashboard of the crowdstrike/falcon-devices package.

Query

[Flowchart: Events -> Filter -> Aggregate -> Result Set]

* device_policies.sensor_update.uninstall_protection=DISABLED
| count(field=device_id, distinct=True, as="Device Count")

Introduction

This widget is used to identify and count devices that have their uninstall protection disabled, which may present a security risk.

In this widget, the count() function is used to count unique device IDs where the uninstall protection setting is disabled.

Example incoming data might look like this:

  @timestamp           device_id     hostname     platform_name  agent_version  device_policies.sensor_update.uninstall_protection
  2026-01-15T17:47:29  DEV-7a8b9c0d  PROD-WEB01   Windows        6.42.15610.0   DISABLED
  2026-01-15T17:47:30  DEV-e1f2a3b4  PROD-APP02   Mac            6.43.15620.0   ENABLED
  2026-01-15T17:47:30  DEV-c5d6e7f8  PROD-DB01    Linux          6.44.15630.0   DISABLED
  2026-01-15T17:47:31  DEV-9a0b1c2d  PROD-FILE01  Windows        6.45.15640.0   ENABLED
  2026-01-15T17:47:31  DEV-3e4f5a6b  PROD-SQL01   Mac            6.43.15620.0   DISABLED

Only the fields relevant to the query are shown. Each event also carries the full device record as JSON in @rawstring, from which the remaining device_policies.*, policies[0].*, bios_*, os_*, network and serial fields are flattened. Every event in this sample is also tagged @error=true with an @error_msg such as Error parsing timestamp. errormsg="Text '2025-03-13:12:50:16 -0300' could not be parsed at index 10" zone="", because the record's modified_timestamp uses a date:time layout the timestamp parser does not accept; the parse error does not affect the fields this widget queries.

Step-by-Step

  1. Starting with the source repository events.

  2. Filter:

     * device_policies.sensor_update.uninstall_protection=DISABLED

     Filters events to include only those where device_policies.sensor_update.uninstall_protection equals DISABLED.

  3. Aggregate:

     | count(field=device_id, distinct=True, as="Device Count")

     Counts the number of unique values in the device_id field and returns the result in a field named Device Count. Setting distinct to true ensures each device is counted only once, even when the same device appears in several inventory events.

  4. Event Result set.
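The same filter-then-count logic carried out in Python, as an added example that is not part of the LogScale package or of this page. The events are constructed to mirror the sample data above and additionally include a duplicate poll of one host and a record with no uninstall_protection field, to show why distinct=True matters and how an absent field behaves.

```python
import json

# Constructed sample events modelled on the page's example data (these are
# not the page's own records). Each event carries the device record as a
# JSON string in @rawstring; the Falcon Devices package flattens it into
# dotted fields such as device_policies.sensor_update.uninstall_protection.
def _event(ts, device_id, hostname, protection):
    record = {"device_id": device_id, "hostname": hostname,
              "device_policies": {"sensor_update": {"policy_type": "sensor-update"}}}
    if protection is not None:
        record["device_policies"]["sensor_update"]["uninstall_protection"] = protection
    return {"@timestamp": ts, "@rawstring": json.dumps(record)}

SAMPLE_EVENTS = [
    _event("2026-01-15T17:47:29", "DEV-7a8b9c0d", "PROD-WEB01", "DISABLED"),
    _event("2026-01-15T17:47:30", "DEV-e1f2a3b4", "PROD-APP02", "ENABLED"),
    _event("2026-01-15T17:47:30", "DEV-c5d6e7f8", "PROD-DB01", "DISABLED"),
    _event("2026-01-15T17:47:31", "DEV-9a0b1c2d", "PROD-FILE01", "ENABLED"),
    _event("2026-01-15T17:47:31", "DEV-3e4f5a6b", "PROD-SQL01", "DISABLED"),
    # A later inventory poll of a host already seen: without distinct=True
    # this duplicate would be counted a second time.
    _event("2026-01-15T18:47:29", "DEV-7a8b9c0d", "PROD-WEB01", "DISABLED"),
    # Constructed edge case: a record with no uninstall_protection field at
    # all. It matches neither DISABLED nor ENABLED and is left out of the count.
    _event("2026-01-15T18:47:30", "DEV-00000000", "PROD-NEW01", None),
]

UNINSTALL_FIELD = "device_policies.sensor_update.uninstall_protection"

def get_field(record, dotted):
    """Resolve a dotted LogScale-style field name against the nested record."""
    cur = record
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def filter_disabled(events):
    """Step 2 of the query: keep only events whose uninstall protection
    field equals DISABLED (an exact match, as in the LogScale filter)."""
    records = (json.loads(e["@rawstring"]) for e in events)
    return [r for r in records if get_field(r, UNINSTALL_FIELD) == "DISABLED"]

def count_devices(records, distinct=True):
    """Step 3: count(field=device_id, distinct=True, as="Device Count").
    Records without a device_id are skipped, as count(field=...) counts
    only events that carry the named field."""
    ids = [r["device_id"] for r in records if "device_id" in r]
    return {"Device Count": len(set(ids)) if distinct else len(ids)}

def run_widget_query(events, distinct=True):
    """Whole widget query: filter, then aggregate."""
    return count_devices(filter_disabled(events), distinct=distinct)

def affected_hosts(events):
    """Drill-down a responder would want next: the hosts behind the count."""
    hosts = {}
    for r in filter_disabled(events):
        hosts.setdefault(r["device_id"], r.get("hostname"))
    return dict(sorted(hosts.items()))

if __name__ == "__main__":
    print(run_widget_query(SAMPLE_EVENTS))                  # {'Device Count': 3}
    print(run_widget_query(SAMPLE_EVENTS, distinct=False))  # {'Device Count': 4}
    print(affected_hosts(SAMPLE_EVENTS))
```

The non-distinct count of 4 against the distinct count of 3 is exactly the double-counting the widget's distinct=True parameter prevents when a device reports more than once in the search window.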

Summary and Results

The widget is used to monitor devices that have their uninstall protection disabled, which could represent a security vulnerability.

This widget is useful to identify devices that need their security settings reviewed and potentially adjusted.

Sample output from the incoming example data:

Device Count
17

The output shows the total count of unique devices that have uninstall protection disabled.