How to Identify Hosts Possibly Impacted by Windows Crashes
Published Date: July 19, 2024
Objective
- Identify Microsoft Windows hosts potentially impacted by crashes.
- Scope impact related to Tech Alert | Windows crashes related to Falcon Sensor | 2024-07-19.
Applies To
- Supported versions of the Falcon sensor for Windows.
- Supported versions of Microsoft Windows.
- May be related to Tech Alert | Windows crashes related to Falcon Sensor | 2024-07-19.
Procedure
Step 1: Determine Impacted Channel File
Run the following query in Advanced Event Search with the search window set to seven days:
#event_simpleName=ConfigStateUpdate event_platform=Win
| regex("\|1123(?<CFVersion>.*?)\|" field=ConfigStateData strict=false) | parseInt(CFVersion radix=16)
| groupBy([cid] function=([max(CFVersion as=GoodChannel)]))
| ImpactedChannel:=GoodChannel-1
| join(query={#data_source_name=cid_name | groupBy([cid] function=selectLast(name) limit=max)} field=[cid] include=name mode=left)
Note the value in the column ImpactedChannel. This number varies slightly between Falcon tenants but is typically around 30.
Step 2: Execute Query
Run the following query with the search window set to seven days to identify:
- Systems online between 04:00 – 06:00 UTC on July 19, 2024.
- Systems processing an update for Channel File 291 in this window.
- Systems that last reported loading the impacted channel file.
- Systems not seen in the past hour.
You can set this query as a Scheduled Search (US-1 | US-2 | EU-1 | US-GOV-1) to run hourly or at another interval of your choice.
IMPORTANT: Edit the in(field="CFVersion" values=[?Channel]) line of the query with the value derived from Step 1. For example, if the value is 31, the line will read:
[...] | in(field="CFVersion" values=[031]) [...]
Here’s the full query:
// Get ConfigStateUpdate and SensorHeartbeat events
#event_simpleName=/^(ConfigStateUpdate|SensorHeartbeat)$/ event_platform=Win
| cid=?cid
// Narrow search to Channel File 291 and extract version number; accept all SensorHeartbeat events
| case{
#event_simpleName=ConfigStateUpdate | regex("\|1123(?<CFVersion>.*?)\|" field=ConfigStateData strict=false) | parseInt(CFVersion radix=16);
#event_simpleName=SensorHeartbeat | rename([[@timestamp LastSeen]]);
}
// Make sure both ConfigState update and SensorHeartbeat have happened
| selfJoinFilter(field=[cid aid ComputerName] where=[{ConfigStateUpdate} {SensorHeartbeat}])
// Aggregate results
| groupBy([cid] function=[groupby(aid function=([
{selectFromMax(field="@timestamp" include=[CFVersion])}
{selectFromMax(field="@timestamp" include=[@timestamp]) | rename(field="@timestamp" as="LastSeen")}
]) limit=max)
max(CFVersion as=MaxCFVersion)
] limit=max)
// Perform check on selfJoinFilter
| CFVersion=* LastSeen=*
// Calculate time between last seen and now
| LastSeenDelta:=now()-LastSeen
// Only show the impacted channel
| in(field="CFVersion" values=[?Channel])
// Calculate duration between last seen and now
| LastSeenDelta:=formatDuration("LastSeenDelta" precision=2)
// Enrich aggregation with aid_master details
| aid=~match(file="aid_master_main.csv" column=[aid] strict=false)
| aid=~match(file="aid_master_details.csv" column=[aid] include=[FalconGroupingTags SensorGroupingTags] strict=false)
// Convert FirstSeen time to human-readable format
| FirstSeen:=formatTime(format="%F %T" field="FirstSeen")
// Move ProductType to human-readable format and add formatting
| $falcon/helper:enrich(field=ProductType)
| drop([Time])
| default(value="-" field=[MachineDomain OU SiteName FalconGroupingTags SensorGroupingTags] replaceEmpty=true)
// Create conditions to check for impact
| case{
CFVersion=0 | Status:="VERIFY" | Details:="Endpoint channel file version 0.";
test(CFVersion==(MaxCFVersion-1)) | Status:="CHECK" | Details:="Endpoint has impacted channel file";
test(CFVersion==MaxCFVersion) | Status:="OK" | Details:="Endpoint has latest channel file and is operational.";
test(CFVersion<(MaxCFVersion-1)) | Status:="OK" | Details:="Endpoint has earlier channel file and is operational.";
* | Status:="UNKNOWN" | Details:="Cannot determine status.";
}
// Convert LastSeen time to human-readable format
| LastSeen:=formatTime(format="%F %T" field="LastSeen")
// Filter on status.
| Status=?Status
| wildcard(field=ComputerName pattern=?ComputerName ignoreCase=true)
// Create one final groupBy for easier export to CSV
| groupby([cid aid ComputerName Status FirstSeen LastSeen CFVersion MaxCFVersion LastSeenDelta Details AgentVersion aip event_platform FalconGroupingTags LocalAddressIP4 MAC MachineDomain OU ProductType SensorGroupingTags SiteName SystemManufacturer SystemProductName Version] limit=max function=[])
The output shows systems that last reported an impacted version of Channel File 291 and have not been seen in the past hour. That threshold comes from the following optional line; it compares the raw millisecond value of LastSeenDelta, so it belongs after the LastSeenDelta calculation and before formatDuration rewrites the field as text. Adjust the number as needed:
// Optional threshold; 3600000 is one hour
| LastSeenDelta>3600000
This query highlights systems that may need evaluation to confirm they aren’t affected. For more details, refer to Tech Alert | Windows crashes related to Falcon Sensor | 2024-07-19.
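The two queries above express the Step 1 and Step 2 logic in CrowdStrike Query Language, which only runs inside Advanced Event Search. The Python below is an added example, not part of this article and not CrowdStrike code: it replays the same logic (regex extraction and base-16 parse, GoodChannel minus one, latest-per-host CFVersion and heartbeat, the case{} status branches, the impacted-version filter and the LastSeenDelta threshold) over a handful of constructed events so the classification can be checked offline. The ConfigStateData strings, host names, aids and timestamps are all constructed, and the ConfigStateData layout is only an approximation chosen to satisfy the article's regex; the real payload format is not shown on this page.

```python
import re
from datetime import datetime, timezone

# Regex taken from the article's queries: the Channel File 291 version is the hex
# text between the literal "|1123" and the next "|" in ConfigStateData.
CF_RE = re.compile(r"\|1123(?P<CFVersion>.*?)\|")
ONE_HOUR_MS = 3600000  # the article's default LastSeenDelta threshold


def parse_cf_version(config_state_data):
    """Mirror regex(...) | parseInt(CFVersion radix=16); None when absent or invalid."""
    m = CF_RE.search(config_state_data)
    if not m:
        return None
    try:
        return int(m.group("CFVersion"), 16)
    except ValueError:
        return None


def good_channel_by_cid(events):
    """Step 1: per cid, the highest version any host reported (GoodChannel / MaxCFVersion)."""
    good = {}
    for e in events:
        if e["event_simpleName"] != "ConfigStateUpdate":
            continue
        v = parse_cf_version(e["ConfigStateData"])
        if v is not None:
            good[e["cid"]] = max(good.get(e["cid"], v), v)
    return good


def impacted_channel_by_cid(events):
    """Step 1: ImpactedChannel := GoodChannel - 1."""
    return {cid: v - 1 for cid, v in good_channel_by_cid(events).items()}


def status_for(cf_version, max_cf):
    """The case{} block of the Step 2 query, branch order preserved."""
    if cf_version == 0:
        return "VERIFY", "Endpoint channel file version 0."
    if cf_version == max_cf - 1:
        return "CHECK", "Endpoint has impacted channel file"
    if cf_version == max_cf:
        return "OK", "Endpoint has latest channel file and is operational."
    if cf_version < max_cf - 1:
        return "OK", "Endpoint has earlier channel file and is operational."
    return "UNKNOWN", "Cannot determine status."


def classify_hosts(events, now):
    """Step 2: latest CFVersion and latest heartbeat per aid, then one status row per host."""
    latest_cfg, latest_hb, meta = {}, {}, {}
    for e in events:
        aid = e["aid"]
        meta[aid] = (e["cid"], e["ComputerName"])
        if e["event_simpleName"] == "ConfigStateUpdate":
            v = parse_cf_version(e["ConfigStateData"])
            if v is not None and (aid not in latest_cfg or e["timestamp"] > latest_cfg[aid][0]):
                latest_cfg[aid] = (e["timestamp"], v)  # selectFromMax(@timestamp) include CFVersion
        elif e["event_simpleName"] == "SensorHeartbeat":
            if aid not in latest_hb or e["timestamp"] > latest_hb[aid]:
                latest_hb[aid] = e["timestamp"]  # LastSeen
    max_cf = good_channel_by_cid(events)  # max(CFVersion as=MaxCFVersion) per cid
    rows = []
    for aid in sorted(latest_cfg):
        if aid not in latest_hb:  # selfJoinFilter: both event types must exist for the host
            continue
        cid, name = meta[aid]
        v = latest_cfg[aid][1]
        status, details = status_for(v, max_cf[cid])
        delta_ms = int((now - latest_hb[aid]).total_seconds() * 1000)  # LastSeenDelta := now()-LastSeen
        rows.append({"cid": cid, "aid": aid, "ComputerName": name, "CFVersion": v,
                     "MaxCFVersion": max_cf[cid], "Status": status, "Details": details,
                     "LastSeenDeltaMs": delta_ms})
    return rows


def hosts_to_check(rows, impacted_version, threshold_ms=ONE_HOUR_MS):
    """in(field="CFVersion" values=[<impacted>]) plus the optional LastSeenDelta threshold."""
    return [r for r in rows
            if r["CFVersion"] == impacted_version and r["LastSeenDeltaMs"] > threshold_ms]


def _ev(kind, aid, name, data, h, m):
    """Build one constructed event on 2024-07-19 at hh:mm UTC (single tenant "cid1")."""
    return {"event_simpleName": kind, "cid": "cid1", "aid": aid, "ComputerName": name,
            "ConfigStateData": data, "timestamp": datetime(2024, 7, 19, h, m, tzinfo=timezone.utc)}


NOW = datetime(2024, 7, 19, 7, 0, tzinfo=timezone.utc)  # constructed "now" for the sample run

# Constructed sample events; the ConfigStateData layout only approximates something the regex accepts.
SAMPLE_EVENTS = [
    _ev("ConfigStateUpdate", "aaa", "WS-A", "|112200000a|11231f|11240003|", 6, 30),  # 0x1f = 31, newest file
    _ev("SensorHeartbeat", "aaa", "WS-A", "", 6, 55),
    _ev("ConfigStateUpdate", "bbb", "WS-B", "|112200000a|11231e|11240003|", 4, 5),   # 0x1e = 30, impacted
    _ev("SensorHeartbeat", "bbb", "WS-B", "", 4, 10),                                 # silent since 04:10
    _ev("ConfigStateUpdate", "ccc", "WS-C", "|11231e|", 4, 7),                        # impacted, still reporting
    _ev("SensorHeartbeat", "ccc", "WS-C", "", 6, 45),
    _ev("ConfigStateUpdate", "ddd", "WS-D", "|112300|", 3, 0),                        # version 0 -> VERIFY
    _ev("SensorHeartbeat", "ddd", "WS-D", "", 3, 1),
    _ev("ConfigStateUpdate", "eee", "WS-E", "|11231e|", 4, 4),                        # no heartbeat -> dropped
]
```

Running hosts_to_check(classify_hosts(SAMPLE_EVENTS, NOW), impacted_channel_by_cid(SAMPLE_EVENTS)["cid1"]) returns only WS-B: WS-C carries the same impacted version but has a heartbeat inside the hour, WS-D is surfaced as VERIFY rather than CHECK because its version parses to 0, and WS-E never appears because the self-join requires both a ConfigStateUpdate and a SensorHeartbeat. Lowering threshold_ms pulls WS-C into the list, which is the same effect as editing the LastSeenDelta line in the query.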