How to Find and Remove Inactive CrowdStrike Falcon Sensors

Cleaning up inactive sensors in CrowdStrike ensures that you aren't paying for resources you are not using. In this guide, we'll show you how to identify and clean up inactive sensors.

Patrick Londa
Author
Mar 19, 2023
 • 
5
 min read
Share this post

If you are using CrowdStrike Falcon for endpoint security, it's a good practice to regularly check for inactive sensors. Paying for inactive sensors on devices that have stopped working or are not connected to your network anymore is an unnecessary waste of your security budget.

In this guide, we'll show you how to check for inactive sensors and remove them.

Finding and Deleting Inactive Sensors

You can find and delete inactive sensors by either using the CrowdStrike Console, the CrowdStrike API, or a security automation platform like Blink.

Using the CrowdStrike Falcon Console:

There are a couple ways to find and delete inactive CrowdStrike sensors using the console. You can either use the Inactive sensors page or the Host Management view.

1.  First, log in to the CrowdStrike Falcon Console.

2.  From the left hand pane, you can select Host setup and management, and then Inactive sensors. On this page, you’ll see a list of all inactive sensors.

Inactive Sensors View in CrowdStrike

You can modify the date range to meet any internal standard of what “inactive” means.

3.  If you want to take action on this list of inactive sensors, you can copy the aid value and paste it into the search bar. This will open these sensors in the Host Management view. Select the checkbox for the sensors you want to delete. A pane on the right-hand side will appear with the option to Delete sensor.

4.  You could also take a different approach and start in the Host Management view, which you can get to using the same left-hand menu. You can then sort or filter by the Last Seen field in the table.

Host Management View in CrowdStrike

Unfortunately, you can’t set an exclusionary filter to remove all sensors that have been seen in the “Last X days”, which is why the Inactive Sensors report is useful.

By just sorting, you can manually read which sensors have a “Last Seen” date before your standard active/inactive threshold, and remove them by selecting them and clicking Delete sensor like in Step 3.

Using the CrowdStrike Falcon API:

The platform also offers an API which allows administrators to easily programmatically manage their sensors. You can use the endpoint that geographically aligns with your specific CrowdStrike account:

  • US-1 “api.crowdstrike.com”
  • US-2 “api.us-2.crowdstrike.com”
  • US-GOV-1 “api.laggar.gcw.crowdstrike.com”
  • EU-1 “api.eu-1.crowdstrike.com”

In the examples we show later, we’ll use “api.us-2.crowdstrike.com”.

CrowdStrike’s API documentation is available after you log in here, and you’ll see information about how to use OAuth2 for authenticating your requests.

Using the CrowdStrike Falcon API, administrators can programmatically manage their sensors. First, you need to make an access token request, including your client ID and client secret. You’ll get an access token in response that will be valid for 30 minutes after that. The API calls you make after that initial call will include that token.

1.  Get All Linux Sensors

With this API, you can query all Linux sensors by making a GET request to this endpoint:

https://api.us-2.crowdstrike.com/devices/queries/devices/v1

This will return a list of all Linux sensors that are currently connected to your network.

When you receive a successful response from the API, you will get the device IDs for the sensors, which you can then use to get more detailed information.

2.  Fetch Sensor Data for Each to See Last Seen Time

To find out which sensors are inactive, you will need "last seen" information about each sensor. You can get this by making a GET request to this endpoint:

https://api.us-2.crowdstrike.com/devices/entities/devices/v2?ids=[device-ID]

This request will return detailed data about the specified sensor, including its last seen time in the resources section:

 "resources": [
    {
      "device_id": "4ae0067ea4984524af0efc0bf94a62f5",
      "cid": "5186434580dr4be010fbcg042a2813b1",
      "agent_load_flags": "0",
      "agent_local_time": "2023-03-04T12:04:04.310Z",
      "agent_version": "6.51.13103.0",
      "config_id_base": "61884763",
      "config_id_build": "12503",
      "config_id_platform": "4",
      "cpu_signature": "3504919291",
      "external_ip": "152.195.62.226",
      "mac_address": "00-9a-77-g2-64-f8",
      "hostname": "Demo-Mac-mini.local",
      "first_seen": "2023-01-05T15:00:58Z",
      "last_seen": "2023-03-01T12:46:56Z",
      "local_ip": "10.3.30.126",
      "major_version": "21",
      "minor_version": "4",
      "os_version": "Monterey (12)",
      "os_build": "21E230",
      "platform_id": "1",
      "platform_name": "Mac",
      "policies": [
        {

The "last_seen" value is what you can use to determine which sensors are no longer active or connected to the network.

3.  Delete Inactive Sensors

Now that you've identified all inactive sensors, you can delete them by making a POST request to this endpoint:

https://api.us-2.crowdstrike.com/devices/entities/devices-actions/v2?action_name=hide_host&[device-ID]

This will delete the sensor with the specified ID and remove it from your network. Once the request is sent, the inactive sensor will no longer be connected to or monitored by CrowdStrike Falcon.

Automatically Detect and Remove Inactive Sensors with Blink Copilot

While checking for and removing inactive sensors is a best practice, it might not be something you do routinely because it requires context-switching and manual steps.

With Blink Copilot, you can generate an automated workflow to detect and remove inactive sensors just by typing a prompt.

 

When this automation runs, it does the following steps:

  1. Checks the Last Seen time of all CrowdStrike sensors.
  2. When a sensor is found to have been inactive for at least 12 hours, it is deleted.
  3. Prints a list of all deleted sensors.

If you want to add an approval step before deletion or change how you are notified, just change the prompt. Automation has never been easier. You can try typing your own prompts here.

For this task, we also have a pre-built automated workflow ready to import from our automation library.

Get started with Blink today to see how easy automation can be.

Automate your security operations everywhere.

Blink is secure, decentralized, and cloud-native. 
Get modern cloud and security operations today.

Get a Demo