Display Windows Devices

Display count of Windows devices

This is a query example for the Windows Devices widget in the CrowdStrike Falcon Devices: Overview dashboard of the crowdstrike/falcon-devices package.

Query

logscale
* platform_name="Windows"
| count(field=device_id, distinct=True)
| count:= rename(_count)
| sort(count)

Introduction

This widget is used to identify and count Windows devices in your environment by filtering on the platform_name field.

In this widget, the count() function is used to count unique device IDs where the platform is Windows.

Example incoming data might look like this:

Each event's @rawstring is the full JSON device record; only the fields used by this query, plus a few identifying fields, are shown here:

@timestamp           device_id     hostname     platform_name  os_version           product_type_desc  status
2026-01-15T17:47:29  DEV-7a8b9c0d  PROD-WEB01   Windows        Windows              Workstation        normal
2026-01-15T17:47:30  DEV-e1f2a3b4  PROD-APP02   Mac            Windows 10           Domain Controller  containment_pending
2026-01-15T17:47:30  DEV-c5d6e7f8  PROD-DB01    Linux          Windows 11           Server             contained
2026-01-15T17:47:31  DEV-9a0b1c2d  PROD-FILE01  Windows        Windows Server 2019  Workstation        lift_containment_pending
2026-01-15T17:47:31  DEV-3e4f5a6b  PROD-SQL01   Mac            Windows Server 2022  Server             normal

Step-by-Step

  1. Starting with the source repository events.

  2. logscale
    * platform_name="Windows"

    Filters events to those whose platform_name field equals Windows. The comparison is an exact, case-sensitive match.

  3. logscale
    | count(field=device_id, distinct=True)

    Counts the number of unique values in the device_id field, and returns the results in a _count field. The distinct parameter set to true ensures each device is counted only once.

  4. logscale
    | count:= rename(_count)

    Renames the output field from the default _count to count for better readability in the results.

  5. logscale
    | sort(count)

    Sorts the results based on the count field. When no order is specified, sort() defaults to descending. Because count() without a groupBy() produces a single row, the sort does not change this widget's output.

  6. Event Result set.
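To make the four stages concrete, here is an added example (not part of the crowdstrike/falcon-devices package) that reproduces the query in Python over a constructed subset of the page's sample records, including a duplicate snapshot of one host. It goes beyond the widget with a per-platform variant and a check for records whose os_version says Windows but whose platform_name does not, which the widget's filter excludes.

```python
import json
from collections import defaultdict

# Constructed sample events in the shape of the records shown on this page:
# each event's @rawstring is the JSON device record emitted by the Falcon API.
# Only the fields this example needs are included; values are made up.
RAW_EVENTS = [
    json.dumps({"device_id": "DEV-7a8b9c0d", "hostname": "PROD-WEB01",
                "platform_name": "Windows", "os_version": "Windows"}),
    json.dumps({"device_id": "DEV-e1f2a3b4", "hostname": "PROD-APP02",
                "platform_name": "Mac", "os_version": "Windows 10"}),
    json.dumps({"device_id": "DEV-c5d6e7f8", "hostname": "PROD-DB01",
                "platform_name": "Linux", "os_version": "Windows 11"}),
    json.dumps({"device_id": "DEV-9a0b1c2d", "hostname": "PROD-FILE01",
                "platform_name": "Windows", "os_version": "Windows Server 2019"}),
    json.dumps({"device_id": "DEV-3e4f5a6b", "hostname": "PROD-SQL01",
                "platform_name": "Mac", "os_version": "Windows Server 2022"}),
    # A second inventory snapshot of PROD-WEB01: distinct=true must not count it twice.
    json.dumps({"device_id": "DEV-7a8b9c0d", "hostname": "PROD-WEB01",
                "platform_name": "Windows", "os_version": "Windows"}),
]


def parse_events(raw_events):
    """Parse each @rawstring into a dict of fields (the 'Events' stage)."""
    return [json.loads(raw) for raw in raw_events]


def filter_field(events, field, value):
    """Stage 1, platform_name="Windows": keep events whose field equals value.
    LogScale's field=value comparison is exact and case-sensitive, so this is too."""
    return [e for e in events if e.get(field) == value]


def count_distinct(events, field):
    """Stage 2, count(field=device_id, distinct=true): number of unique values of
    the field, returned as a single row under the default name _count.
    Events that lack the field are ignored, as count(field=...) ignores them."""
    distinct = {e[field] for e in events if field in e}
    return [{"_count": len(distinct)}]


def rename_field(rows, old, new):
    """Stage 3, count := rename(_count)."""
    return [{(new if k == old else k): v for k, v in row.items()} for row in rows]


def sort_rows(rows, field, descending=True):
    """Stage 4, sort(count): sort() defaults to descending order."""
    return sorted(rows, key=lambda r: r.get(field, 0), reverse=descending)


def windows_device_count(raw_events):
    """The widget query end to end, returning [{"count": n}]."""
    events = parse_events(raw_events)
    rows = count_distinct(filter_field(events, "platform_name", "Windows"), "device_id")
    return sort_rows(rename_field(rows, "_count", "count"), "count")


def platform_breakdown(raw_events):
    """Variant with a groupBy(platform_name): distinct devices per platform.
    With several rows, sort(count) now has something to order."""
    per_platform = defaultdict(set)
    for e in parse_events(raw_events):
        if "platform_name" in e and "device_id" in e:
            per_platform[e["platform_name"]].add(e["device_id"])
    rows = [{"platform_name": p, "count": len(ids)} for p, ids in per_platform.items()]
    return sort_rows(rows, "count")


def platform_mismatches(raw_events):
    """Inventory hygiene check: devices whose os_version reports Windows but whose
    platform_name is something else. The widget filters on platform_name only,
    so these devices are silently left out of its count."""
    seen = {}
    for e in parse_events(raw_events):
        if e.get("os_version", "").startswith("Windows") and e.get("platform_name") != "Windows":
            seen[e["device_id"]] = {k: e.get(k) for k in
                                    ("device_id", "hostname", "platform_name", "os_version")}
    return [seen[d] for d in sorted(seen)]


if __name__ == "__main__":
    print(windows_device_count(RAW_EVENTS))  # [{'count': 2}]
    print(platform_breakdown(RAW_EVENTS))
    for m in platform_mismatches(RAW_EVENTS):
        print("excluded from widget:", m)
```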

Summary and Results

The widget is used to monitor the number of Windows devices in the environment.

This widget is useful for maintaining an accurate inventory of Windows devices and tracking changes in the Windows device population.

Sample output from the incoming example data:

count
10

The output shows the total count of unique Windows devices found in the analyzed data set.