How to Find and Remove Inactive CrowdStrike Falcon Sensors

If you are using CrowdStrike Falcon for endpoint security, it's a good practice to regularly check for inactive sensors. Paying for inactive sensors on devices that have stopped working or are not connected to your network anymore is an unnecessary waste of your security budget.

In this guide, we'll show you how to check for inactive sensors and remove them.

Finding and Deleting Inactive Sensors

You can find and delete inactive sensors by either using the CrowdStrike Console, the CrowdStrike API, or a security automation platform like Blink.

Using the CrowdStrike Falcon Console:

There are a couple ways to find and delete inactive CrowdStrike sensors using the console. You can either use the Inactive sensors page or the Host Management view.

1.  First, log in to the CrowdStrike Falcon Console.

2.  From the left hand pane, you can select Host setup and management, and then Inactive sensors. On this page, you’ll see a list of all inactive sensors.

You can modify the date range to meet any internal standard of what “inactive” means.

3.  If you want to take action on this list of inactive sensors, you can copy the aid value and paste it into the search bar. This will open these sensors in the Host Management view. Select the checkbox for the sensors you want to delete. A pane on the right-hand side will appear with the option to Delete sensor.

4.  You could also take a different approach and start in the Host Management view, which you can get to using the same left-hand menu. You can then sort or filter by the Last Seen field in the table.

Unfortunately, you can’t set an exclusionary filter to remove all sensors that have been seen in the “Last X days”, which is why the Inactive Sensors report is useful.

By just sorting, you can manually read which sensors have a “Last Seen” date before your standard active/inactive threshold, and remove them by selecting them and clicking Delete sensor like in Step 3.

Using the CrowdStrike Falcon API:

The platform also offers an API which allows administrators to easily programmatically manage their sensors. You can use the endpoint that geographically aligns with your specific CrowdStrike account:

• US-1 “api.crowdstrike.com”
• US-2 “api.us-2.crowdstrike.com”
• US-GOV-1 “api.laggar.gcw.crowdstrike.com”
• EU-1 “api.eu-1.crowdstrike.com”

In the examples we show later, we’ll use “api.us-2.crowdstrike.com”.

CrowdStrike’s API documentation is available after you log in here, and you’ll see information about how to use OAuth2 for authenticating your requests.

Using the CrowdStrike Falcon API, administrators can programmatically manage their sensors. First, you need to make an access token request, including your client ID and client secret. You’ll get an access token in response that will be valid for 30 minutes after that. The API calls you make after that initial call will include that token.

1.  Get All Linux Sensors

With this API, you can query all Linux sensors by making a GET request to this endpoint:

https://api.us-2.crowdstrike.com/devices/queries/devices/v1

This will return a list of all Linux sensors that are currently connected to your network.

When you receive a successful response from the API, you will get the device IDs for the sensors, which you can then use to get more detailed information.

2.  Fetch Sensor Data for Each to See Last Seen Time

To find out which sensors are inactive, you will need "last seen" information about each sensor. You can get this by making a GET request to this endpoint:

https://api.us-2.crowdstrike.com/devices/entities/devices/v2?ids=[device-ID]

This request will return detailed data about the specified sensor, including its last seen time in the resources section:

 "resources": [
    {
      "device_id": "4ae0067ea4984524af0efc0bf94a62f5",
      "cid": "5186434580dr4be010fbcg042a2813b1",
      "agent_load_flags": "0",
      "agent_local_time": "2023-03-04T12:04:04.310Z",
      "agent_version": "6.51.13103.0",
      "config_id_base": "61884763",
      "config_id_build": "12503",
      "config_id_platform": "4",
      "cpu_signature": "3504919291",
      "external_ip": "152.195.62.226",
      "mac_address": "00-9a-77-g2-64-f8",
      "hostname": "Demo-Mac-mini.local",
      "first_seen": "2023-01-05T15:00:58Z",
      "last_seen": "2023-03-01T12:46:56Z",
      "local_ip": "10.3.30.126",
      "major_version": "21",
      "minor_version": "4",
      "os_version": "Monterey (12)",
      "os_build": "21E230",
      "platform_id": "1",
      "platform_name": "Mac",
      "policies": [
        {

The "last_seen" value is what you can use to determine which sensors are no longer active or connected to the network.

3.  Delete Inactive Sensors

Now that you've identified all inactive sensors, you can delete them by making a POST request to this endpoint:

https://api.us-2.crowdstrike.com/devices/entities/devices-actions/v2?action_name=hide_host&[device-ID]

This will delete the sensor with the specified ID and remove it from your network. Once the request is sent, the inactive sensor will no longer be connected to or monitored by CrowdStrike Falcon.

Automatically Check for Inactive Sensors with Blink

While checking for and removing inactive sensors is a best practice, it might not be something you do routinely because it requires context-switching and manual steps.

With this automation in the Blink library, you could get a list of inactive sensors delivered to you automatically and take action via Slack.

When this automation runs, it does the following steps:

1. Checks the Last Seen time of all CrowdStrike sensors.
2. When an inactive sensor is found, it sends a question via Slack about next steps.
3. If the answer is Delete, it will delete the sensor via CrowdStrike. If the answer is No, it will not take further action.

Having an approval step where you have a human in the loop is a useful way to ensure that you have full control over your automated processes, and can navigate uncommon scenarios.

You can either use this pre-built automation directly from our automation library, or customize it to fit your ideal workflow.

Start your free trial of Blink and see how easy automation can be.