empayre/fleet
14
0
Fork 0
mirror of https://github.com/empayre/fleet.git synced 2024-11-06 08:55:24 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Add 'Get Crowdstrike Falcon network content filter status' to query library (#9931)

Browse Source
This commit is contained in:
Zach Wasserman 2023-02-17 22:16:28 -06:00 committed by GitHub
parent 13e821d059
commit 7fa739889d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 11 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
docs/01-Using-Fleet/standard-query-library/standard-query-library.yml
View File

@ -1034,3 +1034,14 @@ spec:
purpose: inventory
tags: inventory
contributors: zwass
---
apiVersion: v1
kind: query
spec:
name: Get Crowdstrike Falcon network content filter status
platform: darwin
description: Get the status of the Crowdstrike Falcon network content filter (as in "System Settings" > "Network > "Filters").
query: /* Load up the plist */ WITH extensions_plist AS (SELECT *, rowid FROM plist WHERE path = '/Library/Preferences/com.apple.networkextension.plist') /* Find the first "Enabled" key after the key indicating the crowdstrike app */ SELECT value AS enabled FROM extensions_plist WHERE subkey = 'Enabled' AND rowid > (SELECT rowid FROM extensions_plist WHERE value = 'com.crowdstrike.falcon.App') LIMIT 1;
purpose: Informational
tags: crowdstrike, plist, network, content filter
contributors: zwass