Skip to main content Link Menu Expand (external link) Document Search Copy Copied

ResourceName - falconAgent

Table of contents
  1. Resource Data
  2. Example
    1. FPL Code
    2. Table Results

The falconAgent resource loads …

Resource Data

An example of what this resource includes:

"@customer": "ABCCorp",
  "@dayIndex": "20220830-22",
  "@falconAgent": {
    "agent_local_time": "2022-07-18T09:18:01.231Z",
    "agent_version": "6.39.15316.0",
    "bios_manufacturer": "LENOVO",
    "bios_version": "M16KT34A",
    "cid": "82f324e8c65b4d9db07ab868f8c87d43",
    "customer": "ABCCorp",
    "device_id": "761d427544f749b894156956b52d13a3",
    "device_policies": {
      "device_control": {
        "Applied": true,
        "applied_date": "2022-06-30T06:34:29.014648897Z",
        "assigned_date": "2022-06-30T06:33:03.609750237Z",
        "policy_id": "dacd15b0872c456c84850fa2c420a629",
        "policy_type": "device-control"
      },
      "firewall": {
        "Applied": true,
        "applied_date": "2022-06-07T20:11:43.467216363Z",
        "assigned_date": "2022-06-07T20:07:48.585479857Z",
        "policy_id": "bf7ae175d1ad41ff9644d8678370b4ac",
        "policy_type": "firewall"
      },
      "global_config": {
        "Applied": true,
        "applied_date": "2022-07-18T08:22:36.987500391Z",
        "assigned_date": "2022-07-18T08:20:36.651993951Z",
        "policy_id": "c0650febe7384458b3a1f6979027a826",
        "policy_type": "globalconfig"
      },
      "prevention": {
        "Applied": true,
        "applied_date": "2022-05-13T14:14:22.949196259Z",
        "assigned_date": "2022-05-13T14:13:16.877107986Z",
        "policy_id": "450d551912e841938a879c163b6e3090",
        "policy_type": "prevention"
      },
      "remote_response": {
        "Applied": true,
        "applied_date": "2022-06-23T22:52:22.099403682Z",
        "assigned_date": "2022-06-23T22:51:19.395947334Z",
        "policy_id": "37f72b1772b24bedaa0aa88a504042d7",
        "policy_type": "remote-response"
      },
      "sensor_update": {
        "Applied": true,
        "applied_date": "2022-07-18T08:19:40.964334639Z",
        "assigned_date": "2022-07-18T08:15:14.637513251Z",
        "policy_id": "d2887957cc7e4bf7925c0615a46c217a",
        "policy_type": "sensor-update"
      }
    },
    "external_ip": "12.344.45.98",
    "hostname": "AC16",
    "local_ip": "10.20.50.85",
    "mac_address": "ab-bb-91-1c-9e-87",
    "modified_timestamp": "2022-07-18T12:59:45Z",
    "os_version": "Windows 10",
    "platform_name": "Windows",
    "pluginName": "",
    "policies": [
      {
        "Applied": true,
        "applied_date": "2022-05-13T14:14:22.949196259Z",
        "assigned_date": "2022-05-13T14:13:16.877107986Z",
        "policy_id": "450d551912e841234a879c163b6e3090",
        "policy_type": "prevention"
      }
    ],
    "product_type_desc": "Workstation",
    "provision_status": "Provisioned",
    "reduced_functionality_mode": "no",
    "serial_number": "BB0NDLJS",
    "status": "normal",
    "system_manufacturer": "LENOVO",
    "system_product_name": "10NM0011US",
    "translation": {
      "agentID": "761d427a123451156956b52d13a3",
      "asset": "AC16",
      "ip": "",
      "source": "ABCCorp",
      "username": ""
    }
  },
  "@key": "761d427a123451156956b52d13a3",
  "@resource_type": "falconAgent",
  "@source": "falcon",
  "@timestamp": 1661898124193,
  "@type": "resource"

Example

FPL Code

An example for showing the number of provisioned Falcon agents and the number of unique mac address, hostname and serial number:

function totalFalconAgents()
    load resource falconAgent
    let {provision_status} = f("@falconAgent")
    where provision_status == "Provisioned"
    aggregate totalDeviceCount=count()
end

function loadUniqueFalconByMAC()
  load resource falconAgent
  let {hostname, device_id, mac_address, serial_number, agent_version, modified_timestamp, provision_status} = f("@falconAgent")
  where provision_status == "Provisioned"
  aggregate modified_timestamp=max(modified_timestamp) by mac_address
  aggregate totalCount=count()
end

function loadUniqueFalconByHostname()
  load resource falconAgent
  let {hostname, device_id, mac_address, serial_number, agent_version, modified_timestamp, provision_status} = f("@falconAgent")
  where provision_status == "Provisioned"
  aggregate agent_version=max(agent_version) by hostname
  aggregate totalCount=count()
end

function loadUniqueFalconBySerial()
  load resource falconAgent
  let {hostname, device_id, mac_address, serial_number, agent_version, modified_timestamp, provision_status} = f("@falconAgent")
  where provision_status == "Provisioned"
  aggregate modified_timestamp=max(modified_timestamp) by serial_number
  aggregate totalCount=count()
end

stream totalFalconAgents = totalFalconAgents()
stream loadUniqueFalconByMAC = loadUniqueFalconByMAC()
stream loadUniqueFalconByHostname = loadUniqueFalconByHostname()
stream loadUniqueFalconBySerial = loadUniqueFalconBySerial()

Table Results

Results of the above FPL code:

Page last updated: 2022 Oct 27