
Update Cleanup

The saved search Crowdstrike Devices Lookup - Cleanup runs hourly, at 29 minutes past the hour, to remove old or stale device records from the KV store. By default it removes any device that has not reported in for more than 2 days.

Note

Even though a device may be removed, it will be re-added by the saved search Crowdstrike Devices Lookup - Gen if it begins to send data again.

Update Search Macro

To change the retention period from the default of 2 days, update the search macro that defines it.

  1. Navigate to Settings > Advanced Search > Search Macros.
  2. Set the "App" to SA-CrowdstrikeDevices.
  3. Set the "Owner" to Any.
  4. Click on sa_crowdstrike_retention to modify the definition.
  5. Set the definition to a valid relative time modifier.

Important

Make sure to keep the quotes around the definition, e.g.

"-7d@d"

This example keeps devices that have reported within the last 7 days, with the cutoff snapped to the start of that day.
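As an added illustration (not part of the app's own searches or code), the Python below models how a retention macro like the one above is applied. It checks that the macro definition kept its quotes, evaluates the relative time modifier left to right (offset then snap for `-7d@d`, snap then offset for `@d-2h`, which is how Splunk reads these strings), and filters constructed device records that are older than the resulting cutoff. The assumption is that the cleanup search compares each device's last-seen time against `relative_time(now(), <macro>)`; the record field names, sample records and clock are made up, timestamps are naive UTC, and only the s/m/h/d/w units are handled (Splunk also accepts months, quarters and years).

```python
import re
from datetime import datetime, timedelta

# Units this parser understands: a subset of Splunk's (month/quarter/year omitted).
_UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
# A modifier is a sequence of signed offsets (-7d) and snap-to tokens (@d).
_TOKEN_RE = re.compile(r"([+-]\d+)([smhdw])|@([smhdw])")


def unquote_macro_definition(definition: str) -> str:
    """Return the modifier inside a macro definition such as '"-7d@d"'.

    The page stresses keeping the quotes around the definition; rather than
    silently accepting an unquoted value, this check rejects it.
    """
    definition = definition.strip()
    if len(definition) < 2 or definition[0] != '"' or definition[-1] != '"':
        raise ValueError(f"macro definition must be quoted: {definition!r}")
    return definition[1:-1]


def _snap(t: datetime, unit: str) -> datetime:
    """Round t down to the start of the given unit (@w snaps to Sunday, as in Splunk)."""
    if unit == "s":
        return t.replace(microsecond=0)
    if unit == "m":
        return t.replace(second=0, microsecond=0)
    if unit == "h":
        return t.replace(minute=0, second=0, microsecond=0)
    if unit == "d":
        return t.replace(hour=0, minute=0, second=0, microsecond=0)
    if unit == "w":
        midnight = _snap(t, "d")
        return midnight - timedelta(days=(midnight.weekday() + 1) % 7)
    raise ValueError(f"unsupported snap unit: {unit!r}")


def relative_time(now: datetime, modifier: str) -> datetime:
    """Evaluate a Splunk-style relative time modifier against `now`, token by token."""
    if modifier == "now":
        return now
    t, pos = now, 0
    for m in _TOKEN_RE.finditer(modifier):
        if m.start() != pos:  # unparsed characters between tokens
            raise ValueError(f"invalid time modifier: {modifier!r}")
        pos = m.end()
        if m.group(3):  # snap-to token such as @d
            t = _snap(t, m.group(3))
        else:  # signed offset such as -7d
            t = t + timedelta(seconds=int(m.group(1)) * _UNIT_SECONDS[m.group(2)])
    if pos == 0 or pos != len(modifier):
        raise ValueError(f"invalid time modifier: {modifier!r}")
    return t


def stale_devices(devices, macro_definition: str, now: datetime):
    """Return the ids of devices whose last_seen is older than the retention cutoff."""
    cutoff = relative_time(now, unquote_macro_definition(macro_definition))
    return [d["device_id"] for d in devices if d["last_seen"] < cutoff]


# Constructed sample: a cleanup run at 29 minutes past the hour, plus three device
# records in the shape of a last-seen lookup (field names are assumptions).
NOW = datetime(2023, 2, 18, 10, 29)
SAMPLE_DEVICES = [
    {"device_id": "host-a", "last_seen": datetime(2023, 2, 18, 9, 0)},    # seen today
    {"device_id": "host-b", "last_seen": datetime(2023, 2, 16, 11, 0)},   # 47.5 hours ago
    {"device_id": "host-c", "last_seen": datetime(2023, 2, 15, 23, 30)},  # well over 2 days ago
]

if __name__ == "__main__":
    for definition in ('"-2d"', '"-2d@d"', '"-7d@d"'):
        print(definition, "->", stale_devices(SAMPLE_DEVICES, definition, NOW))
```

Note that `-2d` and `-2d@d` give different cutoffs (10:29 two days ago versus midnight two days ago), so a device that last reported just after midnight two days ago survives one setting and not the other; pick the form that matches the retention you actually want.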

Update Search Schedule

It may also be necessary to change how often the cleanup search runs (default: hourly).

To update the default schedule perform the following steps:

  1. Navigate to Settings > Searches, reports, and alerts.
  2. Set the "App" dropdown to SA-CrowdstrikeDevices.
  3. Set the "Owner" dropdown to All.
  4. Click "Edit" under Actions for the search Crowdstrike Devices Lookup - Cleanup.
  5. Click "Edit Schedule" and update the schedule as necessary.

Last update: February 18, 2023