r/crowdstrike

CQL query to find endpoints not on recommended sensor version (Windows, macOS, Linux)

Hi all,

Is there any CQL query to find endpoints that are not on a specific sensor version (for example, our recommended n-1 version is 7.35.20709.0 for Windows)?

We want to identify all devices across Windows, macOS, and Linux that are not running this sensor version, ideally also scoped by host group if possible.

Basically, we need a list of all devices that are not on the approved version.

Thanks in advance!

reddit.com
u/Only-Objective-6216 — 18 hours ago
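An added example, not from the original post and not CrowdStrike's own query: one way to express this in CQL is to read the sensor inventory lookup and compare each host's version against a per-platform approved value. It assumes the aid_master_main.csv lookup file exists in the repository with the columns aid, ComputerName, event_platform and AgentVersion, and that event_platform carries the values Win, Mac and Lin; verify all of these against your own tenant's file before relying on the output. The Windows version is the one from the post; the macOS and Linux values are placeholders to replace.

```cql
// Added example (not from the original post). Assumed lookup file and columns:
// aid_master_main.csv with aid, ComputerName, event_platform, AgentVersion.
readFile(file="aid_master_main.csv")
// Per-platform approved sensor version. Windows value is from the post;
// the macOS and Linux values are placeholders you must fill in.
| case {
    event_platform="Win" | ApprovedVersion:="7.35.20709.0";
    event_platform="Mac" | ApprovedVersion:="<approved-macos-version>";
    event_platform="Lin" | ApprovedVersion:="<approved-linux-version>";
    * | ApprovedVersion:="unknown";
  }
// Field-to-field comparison needs test(); a bare != would compare to a literal string.
| test(AgentVersion != ApprovedVersion)
| table([aid, ComputerName, event_platform, AgentVersion, ApprovedVersion], limit=max)
```

Hosts whose platform is not matched by the case block are kept with ApprovedVersion set to "unknown" so they surface in the results instead of silently disappearing; host group membership is not in this lookup, so scoping by host group would need a join against whatever file or event carries group assignments in your environment.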

Force Password Reset Hybrid Environment Fusion SOAR Entra ID

Hi everyone,

I’m trying to figure out how you’re handling password resets for users in a hybrid environment using Fusion SOAR. I’ve set up the Microsoft Entra ID SOAR actions, but I noticed the “force password reset” action only works for cloud-only users.

We do have the Identity Protection module, so I’m wondering if that could be used for this instead.

u/albertenc13 — 12 hours ago

Falcon NG-SIEM - Stacked Bar chart

I am trying to create a stacked bar chart with bars representing day of the month and the stacks to represent values of a specific field.

I've gotten as far as this query

| time:dayOfMonth(@timestamp, as=DayOfMonth)
| groupBy([DayOfMonth], function=count(), limit=10)

This will show me the event count on a daily basis on a bar chart.

How do I convert this into stacked bars with values of a specific field, grouped daily?

u/dial647 — 1 day ago
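An added example, not from the original post: a stacked bar chart needs the count broken down by two keys, the day and the field whose values form the stacks, so the groupBy takes both. The query below extends the one in the post; event_platform is a placeholder for whichever field you want the stacks to represent, and the count alias and sort are additions so the x-axis comes out in calendar order.

```cql
// Added example (not from the original post). event_platform stands in for
// the field whose values should become the stacked segments.
| time:dayOfMonth(@timestamp, as=DayOfMonth)
| groupBy([DayOfMonth, event_platform], function=count(as=Count), limit=max)
// Sort numerically so day 10 does not land before day 2.
| sort(DayOfMonth, order=asc, type=number, limit=max)
```

Render it with the Bar Chart widget, with DayOfMonth on the x-axis, Count as the value, and the second groupBy field selected as the series; the widget's stacking setting then draws one segment per series value inside each day's bar. Note that limit=10 in the original query would truncate a month to ten day/value pairs once the second key is added, which is why it is raised to max here.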

Feature Spotlight: Retrospective Detections

[Image: Retrospective Detection Prevention Policy Configuration]

Happy Wednesday. Here's a cool new feature I recommend enabling...

Retrospective detections is a cloud-based feature that automatically scans the previous 48 hours of host telemetry in your environment for behaviors that CrowdStrike has newly identified as malicious, generating a detection for the new threat if historically present.

Retrospective detections supports Windows, Mac, and Linux hosts, and can be enabled through the "Retrospective detections" policy setting under Endpoint Security > Configure > Prevention Policies (seen above).

Supported TTPs include command and scripting interpreters, Office file macros, PowerShell, post-exploitation payloads, SHA-256 hashes, etc.

Retrospective detection findings can be viewed under Endpoint Security > Monitor > Endpoint detections.

Fun fact: when you upload an IOC via IOC management, these already generate retrospective detections. This gives you the option to allow CrowdStrike to do the same on your behalf.

For more details and the complete release notes, click here.

u/Andrew-CS — 1 day ago

Surface Diagnostics Update Causing High Priority Malicious Alert - False Positive(?)

I have a client with a fleet of MS Surfaces. I've received two of these today, it's quarantining what seems to be a touchscreen calibration utility.

I really hope it's not some supply chain attack.

Anyone else?

  • Machine Learning via Sensor-based ML
  • Severity High
  • C:\WINDOWS\system32\svchost.exe -k wsappx -p -s AppXSvc
  • \Device\HarddiskVolume3\Program Files\WindowsApps\Microsoft.SurfaceDiagnostics_2.242.139.0_x64__8wekyb3d8bbwe\Diagnostics.App.Wpf.DesktopBridge\Scripts\GetTDMCalibrationData\arch_x64\GetTDMCalibrationData_x64.exe
  • Writes: \Device\HarddiskVolume3\Users\xxxxxxx\AppData\Local\Microsoft\WindowsApps\SDT.exe
  • \Device\HarddiskVolume3\Users\xxxxxxx\AppData\Local\Microsoft\WindowsApps\Microsoft.SurfaceDiagnostics_8wekyb3d8bbwe\SDT.exe
u/chewy-chewbacca — 1 day ago

Domain Takedown Management in Falcon (CrowdStrike + CSC)

CrowdStrike and CSC are collaborating on a Falcon capability focused on domain and brand-based threats.

It combines CrowdStrike’s threat intelligence with CSC’s domain security and brand protection expertise to identify, block, and take down malicious domains and brand impersonation activity.

Learn more: https://marketplace.crowdstrike.com/listings/csc-global-enforcement-and-takedowns/

Solution brief: https://marketplace.crowdstrike.com/content/dam/crowdstrike/marketplace/en-us/documents/CrowdStrike%20CSC%20Joint%20Solution%20Brief%20Final%20121225.pdf

u/VincentADAngelo — 1 day ago

// SITUATIONAL AWARENESS // Critical LogScale SaaS and LogScale On-Prem Directory Traversal Vulnerability (CVE-2026-40050)

What Happened?

On April 7, 2026, during continuous and ongoing product testing, CrowdStrike’s Internal Red Team discovered a directory traversal vulnerability impacting LogScale SaaS and LogScale self-hosted instances. The vulnerability was introduced in LogScale version 1.224 on January 19, 2026, and LogScale Self-Hosted version 1.228.1 LTS, which was released on March 11, 2026.

Customers that only leverage Next-Gen SIEM (NG SIEM) are not impacted. Only LogScale SaaS customers (CrowdStrike mitigated) and LogScale self-hosted customers (customer action required) running impacted versions are in scope. More details below.

Once the vulnerability was discovered, CrowdStrike deployed a mitigation for all LogScale SaaS customers on April 7, 2026. As CrowdStrike has all logs associated with LogScale SaaS, we can confirm that this technique was never attempted or leveraged against LogScale SaaS. 

LogScale self-hosted customers will need to update LogScale to a patched build.

CVE Details

The vulnerability has been designated CVE-2026-40050 and carries a Critical CVSS v3.1 score of 9.8.

Impacted Versions

  • LogScale Self-Hosted: GA versions 1.224.0 through 1.234.0 (inclusive)
  • LogScale Self-Hosted LTS: Version 1.228.0, 1.228.1

Required Actions

  • NG SIEM Customers: No Action Required; Not Impacted
  • LogScale SaaS Customers: No Action Required; CrowdStrike Mitigated
  • LogScale On-Prem Customers: Update to LogScale version 1.235.1 GA or later, 1.234.1 GA or later, 1.233.1 GA or later, or 1.228.2 LTS or later; Customer Action Required

On-Prem LogScale customers can apply a temporary technical mitigation in their proxy layer; however, updating LogScale is strongly recommended. CrowdStrike cannot see, validate, or verify the configuration of on-prem instances of LogScale.

Additional Details

If you have additional questions, please contact CrowdStrike Support.

u/Andrew-CS — 2 days ago