CrowdStrike August 2025 Update

We are pleased to present the CrowdStrike update for August 2025.
All of these items have also been posted on our support site, so please check the articles there as well.

Registration is required for our support site.
Please click on "CrowdStrike Falcon 'Support Site Viewing Request'" on the following page to request viewing.
https://www.macnica.co.jp/business/security/manufacturers/crowdstrike/support.html

*You will need your maintenance contract number to apply. It is listed in the notification we sent you with the subject line below.
Subject: [CrowdStrike Notification Delivery Notice]

*We usually receive a response within 1 to 3 business days.

Sensor Release

Falcon Sensor for Windows 7.28.20006 Release Announcement [Released August 6, 2025]

  • Main New Features
    • The machine learning models running in the sensors have been updated to keep up with new threats and evolving malware, and existing models have been retrained with the latest data to improve detection accuracy.
    • Sensors can now silently collect behavioral data that can be used to improve machine learning capabilities that analyze process behaviors and patterns.
    • Detection and protection functions for applications that use PyInstaller have been added, allowing for protection against a wider variety of executable malware.
    • The installation and operation of the sensor no longer requires Windows Power Services, which means that the sensor can be deployed and operated even in environments where the service is stopped.
    • You can now run on-demand or scheduled scans of data on endpoints, using existing and new classification rules to search for user-defined criteria such as credit card numbers, sensitivity labels, or data from specific web apps.
    • The osquery used by Falcon for IT has been updated to version 5.16 and is now FIPS (Federal Information Processing Standards) compliant.
    • The Falcon sensor for Windows now requires a CPU that supports the ARM v8.1 instruction set, which means older ARM64 hardware such as the Snapdragon 835 and Raspberry Pi 4 are no longer supported.
  • Main fixes
    • Overall system responsiveness has been improved, even when low-priority background processes are using many CPU cores. This is especially noticeable in hybrid CPU environments with both performance and efficiency cores. A reboot is required after the upgrade.
    • Fixed a rare performance degradation that occurred in some installers that made use of global assemblies.
    • Fixed an issue where some Real Time Response commands would fail if the LIB environment variable contained an invalid path.
    • Optimizations have been added to pre-fetch data when writing files, improving write performance over SMB.
    • Fixed an issue where the "Browsers without active extension" setting was not properly honoring data upload blocking behavior when Incognito access was enabled in the Falcon browser extension (affecting versions 7.26 and 7.27).
  • For more information, please see our support site article.

Falcon Sensor for Linux 7.28.18108 Release Announcement [Released August 7, 2025]

  • Main New Features
    • The machine learning model running in the sensor has been updated, strengthening its ability to respond to evolving malware. Existing models have also been retrained using the latest data to improve detection accuracy. Furthermore, a disassembler function has been added and the model's hyperparameters have been adjusted, making it particularly effective against ransomware and Golang-based malware.
    • We now provide a single installer for all cloud environments, and the sensor can automatically determine the cloud from the CID (Customer ID). You can also specify the cloud using the new "--cloud" option in the falconctl command.
    • A new "Enhance PHP Visibility" policy setting enables visibility of PHP scripts (under the Enhanced Visibility category). More details about this feature will be published in a separate release note in the future.
    • The Linux sensor running in User Mode can now monitor systemd timer creation and deletion events, and obtains a comprehensive overview of existing timers when the sensor starts, making it easier to manage and monitor systemd timers. The events added are:
      ・SystemdTimerCreated (new creation)
      ・SystemdTimerDeleted (deleted)
      ・SyntheticSystemdTimerCreated (existing timer detected at startup)
    • EKS Auto Mode is now supported in the User Mode Daemonset.
    • Red Hat Universal Base Image (UBI) 9.6-1751366659 Micro has been adopted.
    • Exposure Management's vulnerability detection capabilities have been extended to include detection of vulnerable libraries within running Java processes.
    • The osquery used by Falcon for IT has been updated to version 5.16 and is now FIPS (Federal Information Processing Standards) compliant.
    • We've added support for new kernel versions for various distributions, including Amazon Linux, Oracle Linux, Red Hat, SUSE, and Ubuntu, making the sensor available in even more environments.
  • Main fixes
    • Fixed an issue where OciImageInfo and OciContainerInfo events were not being sent to the CrowdStrike cloud on container instances using ksplice-aware glibc on Oracle Linux 7. This issue affected all previously supported versions.
  • Known Issues
    • For sensors deployed as DaemonSets, if the container engine uses a low-level runtime (specifically runc version 1.2 or higher, or crun version 1.1 or higher), the uninstall and maintenance protection may not prevent the sensor from being stopped. This issue affects all previous sensor versions.
  • For more information, please see our support site article.

Important Announcement

To access ThreatGraph Data, you must update the permissions for your custom user role (by October 27, 2025).

  • Overview
    • CrowdStrike is notifying users that custom user roles that include the "Access ThreatGraph Data" permission will require additional permission configuration by October 27, 2025. This means that users will need to add four new ThreatGraph permissions to continue using Process Views on the Detection Details and CrowdScore Incident pages.
  • Action required
    • Review all custom roles that have the "Access ThreatGraph Data" permission and add the following four permissions to each custom role:
      ・Access ThreatGraph Edge API Data
      ・Access ThreatGraph Edge Type API Data
      ・Access ThreatGraph Ran On API Data
      ・Access ThreatGraph Vertex API Data
    • If you do not add these permissions, users in the corresponding roles will not be able to view Process Views after the implementation date.
    • Please note that the new permissions will be applied automatically to default roles, so no manual action is required.
  • For more information, please see our support site article.

Falcon Exposure Management | Active Discovery Scan Migration [Migration scheduled for October 18, 2025]

  • Overview
    • Starting October 18, 2025, Active Discovery Scan configuration will be migrated to the same format as Network Vulnerability Scans. This will unify the configuration and management screens under "Exposure management > Setup > Network scanning," and the "Active discovery" page will be deprecated.
  • Main changes
    • All existing active discovery rules will be automatically migrated to the new scan templates and scan settings.
    • After the migration, only networks with "Confirmed" network ownership will be eligible for active discovery scanning. "Unknown" networks will not be scanned.
    • Active discovery no longer requires configuration; simply assign a scan to any network whose ownership has been verified.
  • Action required
    • Please verify ownership of any networks with "Unknown" ownership by October 18, 2025. If you leave your networks unverified, you will not be able to perform active discovery scans after the migration.
  • For more information, please see our support site article.

End of Support for Falcon IVAN and Migration to Falcon Cloud Security CLI

  • Overview
    • Falcon Image Vulnerability Analysis (IVAN) will reach end of life on December 4, 2025. If you are using IVAN, we recommend migrating to its successor, Falcon Cloud Security CLI (FCS CLI) version 2.0.2 or later. FCS CLI provides local image scanning capabilities equivalent to or better than IVAN and is available at no additional cost. [Tech Alert...(FCS CLI)]
  • Key Points
    • FCS CLI runs on Linux, macOS, and Windows, and like IVAN, it can scan local images for vulnerabilities.
    • The FCS CLI offers additional features, including a more modern reporting format, enhanced security insights, optional visibility into CrowdStrike Falcon Console, and support for a wider range of container runtimes and base images.
    • Commands and scripts used with IVAN will need to be rewritten for FCS CLI (a command compatibility table is available).
    • The official documentation provides instructions on how to install the FCS CLI and migrate scripts.
  • Action required
    • Please migrate to the FCS CLI by December 4, 2025. Failure to do so may impact image assessment and the protection of your cloud environment.
    • If you use IVAN in scripts or automated processes, please modify the commands and reports to use the FCS CLI.
  • For more information, please see our support site article.

macOS/Linux | Supply Chain Activity Affecting the Node.js Package "NX"

  • Overview
    • On August 27, 2025, a supply chain attack temporarily compromised the popular Node package "NX", and it was discovered that the package contained malicious code. The compromised package was available for approximately five hours and was used to steal and transmit sensitive information, such as passwords, cryptocurrency wallets, and GitHub tokens, from victim devices. The malicious code abused AI tools (Claude, Gemini, and Q) in an attempt to access the local file system. [Tech Alert...package "NX"]
  • Scope of impact
    • All supported macOS and Linux environments
    • CrowdStrike Cloud All Regions
  • Countermeasures and recommended actions
    • Enabling SIEM rules
      Enable the "CrowdStrike - Endpoint - Shell Configuration Files Modified by Node.js" rule to help identify affected devices.
    • Running LogScale Queries
      Run a LogScale query to detect traces of the execution of the "telemetry.js" script.
      ・For LogScale queries, please check our support site.
    • Damage assessment and restoration
      ・For devices that may have been affected, please follow the official advisory (GitHub Advisory) to take action, such as changing passwords and keys, checking for data leaks, and repairing .zshrc and .bashrc files.
  • Additional Information
    • The CrowdStrike OverWatch team is actively hunting for indicators of this attack and contacting potentially affected customers via UI notifications.
  • For more information, please see our support site article.
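To illustrate the two countermeasures above (the SIEM rule for shell configuration files modified by Node.js and the hunt for "telemetry.js" execution), here is an added Python example; it is not CrowdStrike's rule logic or Macnica's code, and the event format, field names and sample events are constructed assumptions rather than real Falcon telemetry.

```python
"""Hypothetical detection logic mirroring the two NX countermeasures.

Constructed sample events (not real sensor telemetry): each NDJSON line has
host, event_type ("FileWritten" or "ProcessRollup"), image (the process
binary) and either file_path or command_line.
"""
import json
import os
from collections import defaultdict

# Shell configuration files the advisory says to repair after compromise.
SHELL_CONFIG_FILES = {".zshrc", ".bashrc"}
# Script name the advisory names as the execution trace to hunt for.
MALICIOUS_SCRIPT_NAME = "telemetry.js"
NODE_IMAGES = {"node", "nodejs"}

# Constructed sample log lines (NDJSON); hosts and paths are made up.
SAMPLE_EVENTS = """\
{"host":"mac-01","event_type":"FileWritten","image":"/usr/local/bin/node","file_path":"/Users/alice/.zshrc"}
{"host":"mac-01","event_type":"ProcessRollup","image":"/usr/local/bin/node","command_line":"node /tmp/telemetry.js"}
{"host":"lin-02","event_type":"FileWritten","image":"/usr/bin/vim","file_path":"/home/bob/.bashrc"}
{"host":"lin-03","event_type":"ProcessRollup","image":"/usr/bin/node","command_line":"node server.js --port 3000"}
{"host":"lin-04","event_type":"FileWritten","image":"/usr/bin/node","file_path":"/home/carol/.bashrc"}
"""


def is_node(image: str) -> bool:
    """True when the executing image is a Node.js binary."""
    return os.path.basename(image) in NODE_IMAGES


def shell_config_modified_by_node(event: dict) -> bool:
    """Analogue of the 'Shell Configuration Files Modified by Node.js' rule."""
    return (event.get("event_type") == "FileWritten"
            and is_node(event.get("image", ""))
            and os.path.basename(event.get("file_path", "")) in SHELL_CONFIG_FILES)


def telemetry_script_executed(event: dict) -> bool:
    """Analogue of a query hunting for execution of telemetry.js."""
    if event.get("event_type") != "ProcessRollup":
        return False
    args = event.get("command_line", "").split()
    return any(os.path.basename(a) == MALICIOUS_SCRIPT_NAME for a in args)


def triage(ndjson: str) -> dict:
    """Return {host: sorted matched rule names} for hosts with at least one hit."""
    hits = defaultdict(set)
    for line in ndjson.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if shell_config_modified_by_node(event):
            hits[event["host"]].add("shell_config_modified_by_node")
        if telemetry_script_executed(event):
            hits[event["host"]].add("telemetry_script_executed")
    return {host: sorted(rules) for host, rules in hits.items()}


if __name__ == "__main__":
    for host, rules in sorted(triage(SAMPLE_EVENTS).items()):
        print(f"{host}: {', '.join(rules)}")
```

Hosts flagged by either function are candidates for the damage assessment and restoration steps above; a legitimate editor writing .bashrc (lin-02) is not flagged.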

Product Update Information

Endpoint Security & Falcon UI

  • New features in Falcon Flight Control for third-party data connections
    • Falcon Flight Control now allows you to centrally manage data ingestion and alert status for third-party data connections. This allows you to configure and manage data volumes and alert notifications for each child CID from the parent CID, improving operational efficiency.
    • https://support.mnc.macnica.co.jp/hc/ja/articles/50137853979033
  • Improved advanced data transformation and variable manipulation in Fusion SOAR
    • In Fusion SOAR, data conversion functions can now be used in a variety of situations, including actions and loops, in addition to conditions. The variable operation screen has also been redesigned to a panel format, making it easier to visualize, copy, and paste variables. Furthermore, the names of workflow items have been improved for easier understanding.
    • https://support.mnc.macnica.co.jp/hc/ja/articles/49298110932633
  • SIEM Connector 2.29.0 Released
    • SIEM Connector 2.29.0 includes support for the new Auto Read Summary Event and updated configuration files to support multiple tactics and techniques in a single detection summary event. If you want to use the new format, you will need to manually update your configuration file.
    • https://support.mnc.macnica.co.jp/hc/ja/articles/49909686367641
  • Linux Prevention Policy | Enhance PHP Visibility Release
    • The Falcon Sensor for Linux now includes an "Enhance PHP Visibility" setting, which provides detailed monitoring of PHP script execution, use of the eval and base64_decode functions, and child process spawning, improving detection of malicious web shell attacks with minimal performance impact.
    • https://support.mnc.macnica.co.jp/hc/ja/articles/49912434467225
  • APEX Cloud-based ML feature release for abnormal process execution on Windows

Mobile

  • There were no major updates.

Next-Gen SIEM & LogScale

  • Automate suspicious activity investigation and response with NG-SIEM cases
    • Next-Gen SIEM cases streamline the investigation of suspicious activity, including the collection and visualization of related events and files and collaboration on them, and include case templates, SLAs, and notification settings. Integration with Falcon Fusion SOAR enables automated response.
    • https://support.mnc.macnica.co.jp/hc/ja/articles/50137853979033
  • Falcon Next-Gen SIEM Recently Released Features, Fixes, and Known Issues [August 2025 Update]
    • Main new features
      - IOC (Indicator of Compromise) information is now displayed for detections generated by third-party integrations and correlation rules.
      - Enhanced visualization and investigation capabilities include mapping to multiple MITRE ATT&CK tactics and techniques, node grouping in Workbench, display of AWS cloud assets, and automated resolution of third-party data.
      - The addition of badge display and risk scores for Falcon Complete detections, as well as the creation of a dedicated dashboard, improves the identification of managed detections and operational efficiency.
      - Operational and analytical functions have been expanded, including a new dashboard and API, parser management functions, and visualization of AI service usage and email security.
      - The range of data conversion functions available in Fusion SOAR has been expanded, and numerous new app integrations have been added.
      - New data connectors and correlation rule templates have also been added.
    • Major fixes
      - In Log management, the correlate() function has been fixed so that link operators that reference modified fields can now correctly correlate events.
    • Deprecated Features
      - In LogScale, free text search after aggregation and some event functions (eventInternals(), eventFieldCount(), eventSize()) will be deprecated and will no longer be available in the affected versions and later.
      - The rdns() function is deprecated; it is recommended to use the reverseDns() function instead.
    • https://support.mnc.macnica.co.jp/hc/ja/articles/50124644121753

Falcon Shield

  • There were no major updates.

Identity Protection (ITD/ITP, FPA)

  • Falcon Identity Protection 5.97.79200 Release [Released August 19, 2025]
    • Main new features
      - A dedicated view has been added that displays important information for each user, and can be filtered and customized.
      - Added support for the new event "EAMBypassEvent" that monitors direct logins to the Entra app.
      - A "User Context Reference Table" has been added, which allows you to use user ID metadata and risk analysis in dashboards, etc.
      - The scope of machine learning-based "Suspicious LDAP Search (ML)" detection has been expanded to detect more suspicious LDAP queries at a lower severity level.
      - GraphQL API now supports searching for users by Active Directory UPN.
    • Major fixes
      - Improved accuracy of analysis of duplicate machines that are not domain-joined.
      - Fixed an issue where the on-premise MFA connector disappeared and the Entra service principal application ID was not displayed.
      - Fixed the "Last edited" time and "Discard all changes" button behavior issues when editing policy rules.
    • https://support.mnc.macnica.co.jp/hc/ja/articles/50320262597529

Cloud Security

  • Assets Explorer page update
    • The new Asset Explorer page provides a centralized view of your cloud assets. Grouping and advanced filtering capabilities allow you to efficiently understand your assets and risks. The details panel provides a consolidated view of related information and threat indicators for easier management.
    • https://support.mnc.macnica.co.jp/hc/ja/articles/49307791258009

Exposure Management & IT Automation

  • Integration and Update of Network Vulnerability Scans and Active Discovery Features
    • Active discovery and network vulnerability scanning management have been integrated, allowing you to configure and check from a single screen. Enhancements such as cross-subnet scanning, common settings, and exclusion management have been made, making operations more efficient and simple.
    • https://support.mnc.macnica.co.jp/hc/ja/articles/49994681054745

Falcon Data Protection

  • Synchronizing Sensitivity Label Detection for Enhanced Data Protection in Collaborative Workflows
    • Falcon Data Protection now enhances data protection for collaborative files by syncing sensitivity labels from Google Workspace and Microsoft 365. This automates the discovery and reporting of labeled data, making information management in Windows environments safer and more efficient.
    • https://support.mnc.macnica.co.jp/hc/ja/articles/50137853979033
  • Falcon Data Protection identifies sensitive data stored locally on the host

Others (Charlotte AI, Falcon Intelligence, Falcon Complete)

  • Counter Adversary Operations Organization Profile experience update
    • Counter Adversary Operations' "Organization Profile" feature has been revamped, and now automatically creates and updates internal profiles based on external scan results, making it easier to manage your organization's domains and IP addresses and automate monitoring rules.
    • https://support.mnc.macnica.co.jp/hc/ja/articles/49927132621465

CrowdStrike Falcon Console Regular Updates

  • CrowdStrike Falcon Console Regular Updates [As of the week of August 11, 2025]
    • Fusion SOAR has changed the term "alert" to "detection," which will be reflected in trigger names, etc. Existing workflows will be automatically updated going forward.
    • The new Webhook Ingest Errors dashboard allows you to monitor and troubleshoot errors and failures across your webhook-powered workflows in real time.
    • Falcon for Mobile has changed the behavior of the "PlayIntegrityPartialSecureDevice" detection in response to the introduction of Google hardware attestation on devices running Android 13 and later. This detection will no longer be generated on affected devices, but individual attestation results will still be logged as events.
    • If you are using only a limited number of subscriptions, such as Falcon Adversary Intelligence, the initial page displayed in CrowdStrike Falcon Console has been changed to the "Counter Adversary Operations Overview" dashboard. If you are using other products, the page for those products will continue to be displayed as usual.
    • https://support.mnc.macnica.co.jp/hc/ja/articles/49923606317721
  • CrowdStrike Falcon Console Regular Updates [As of the week of August 18, 2025]
    • The Host Group Management screen now has a "Host Group ID" column, making it easier to search and filter.
    • Falcon for IT now has a new "Execution Status" column for task execution results, which displays "Failed" if the task fails.
    • Fusion SOAR action and trigger names have been simplified and no longer display internal IDs or categories.
    • On August 20, 2025, there was a one-day delay in reflecting vulnerability intelligence data, but this has now been resolved.
    • In Falcon Data Protection, the event type field "File egress" has been renamed to "File" and "Clipboard egress" has been renamed to "Clipboard" (this does not affect functionality or data collection).
    • https://support.mnc.macnica.co.jp/hc/ja/articles/50137853979033
  • CrowdStrike Falcon Console Regular Updates [As of the week of August 25, 2025]
    • Falcon Query Language (FQL) now includes case-insensitive wildcard search operators (~, ~!) for more flexible searches.
    • Falcon Data Protection's Endpoint Data Discovery feature is now available for US-GOV-1 and US-GOV-2, enabling automated scanning and classification of files on hosts.
    • Identity Protection incidents are now managed and updated as cases on the Next-Gen SIEM "Cases" page.
    • Falcon Forensics has added a new binary file that resolves an issue with the File Operations option.
    • https://support.mnc.macnica.co.jp/hc/ja/articles/50351072618777

Maintenance and fault information

Please check our support site as necessary for maintenance and failure information.

Inquiry/Document request

Macnica Co., Ltd., CrowdStrike team

Weekdays: 9:00-17:00