queries.yml

---
apiVersion: v1
kind: query
spec:
  automations_enabled: false
  description: ""
  discard_data: false
  interval: 3600
  logging: snapshot
  min_osquery_version: ""
  name: Crowdstrike Falcon - Health Check - Cloud Connected?
  observer_can_run: false
  platform: ""
  query: SELECT lp.address, lp.pid, lp.port, lp.protocol, p.name, p.path, p.cmdline
    FROM listening_ports lp JOIN processes p ON lp.pid = p.pid WHERE p.name LIKE "falcon-sensor";
  team: EDR health check
---
apiVersion: v1
kind: query
spec:
  automations_enabled: false
  description: Check running processes to verify the Falcon sensor is running (linux)
  discard_data: false
  interval: 3600
  logging: snapshot
  min_osquery_version: ""
  name: Crowdstrike Falcon - Health Check - Kernel Module (linux)?
  observer_can_run: false
  platform: "linux"
  query: SELECT * FROM kernel_modules WHERE name LIKE "%falcon%";
  team: EDR health check
---
apiVersion: v1
kind: query
spec:
  automations_enabled: false
  description: Check running processes to verify the Falcon sensor is running
  discard_data: false
  interval: 3600
  logging: snapshot
  min_osquery_version: ""
  name: Crowdstrike Falcon - Health Check - Running Process?
  observer_can_run: false
  platform: ""
  query: SELECT * FROM processes WHERE name like "falcon-sensor";
  team: EDR health check
---
apiVersion: v1
kind: query
spec:
  automations_enabled: false
  description: Check running processes to verify the Falcon sensor is running
  discard_data: false
  interval: 3600
  logging: snapshot
  min_osquery_version: ""
  name: Crowdstrike Falcon - Health Check - Running Process by path (macOS)?
  observer_can_run: false
  platform: "darwin"
  query: SELECT count(*) AS count, path, CASE WHEN path LIKE '/Library/SystemExtensions/%/com.crowdstrike.falcon.Agent.systemextension/Contents/MacOS/com.crowdstrike.falcon.Agent' THEN 'RUNNING' ELSE 'ERROR' END status, 'macOSCrowdStrikeCheckProcess' AS query_type FROM processes WHERE path LIKE '/Library/SystemExtensions/%/com.crowdstrike.falcon.Agent.systemextension/Contents/MacOS/com.crowdstrike.falcon.Agent';
  team: EDR health check
---
apiVersion: v1
kind: query
spec:
  automations_enabled: false
  description: Check running processes to verify the Falcon sensor is running (Windows)
  discard_data: false
  interval: 3600
  logging: snapshot
  min_osquery_version: ""
  name: Crowdstrike Falcon - Health Check - Running Process (Windows)?
  observer_can_run: false
  platform: "windows"
  query: SELECT services.*, 'WindowsCrowdStrikeCheckProcess' AS query_type FROM services WHERE name LIKE 'CSFalconService';
  team: EDR health check