September 2025 CrowdStrike Update
We are pleased to present the CrowdStrike update for September 2025.
All of these issues have been posted on our support site, so please check the articles on the support site as well.
Registration is required for our support site.
Please click on "CrowdStrike Falcon 'Support Site Viewing Request'" on the following page to request viewing.
https://www.macnica.co.jp/business/security/manufacturers/crowdstrike/support.html
*You will need your maintenance contract number to apply, and the maintenance contract number will be listed in the notification we sent you with the subject line below.
Subject: [CrowdStrike Notification Delivery Notice]
*A response is usually provided within 1 to 3 business days.
Sensor Release
Falcon Sensor for Mac 7.29.20103 Release Announcement [Released September 8, 2025]
- Main New Features
- Support for the GA (General Availability) release of macOS Tahoe 26.
- Falcon Data Protection for Mac now offers increased visibility and control over the classification process with content pattern matching based on confidence levels. This allows users to view confidence levels and set minimum default thresholds at the policy level, potentially increasing coverage and reducing false positives. It also now monitors clipboard data exfiltration to the web.
- Falcon Device Control for macOS now provides visibility and control of internal SD card readers and external Thunderbolt mass storage devices (separate release notes will be published when this feature is generally available). Note that beta support was available in version 7.27, but the generally available release requires 7.29 or later.
- The "add" subcommand has been added to the "grouping-tags" command in the falconctl command, allowing you to add new tags to existing tags. Network containment now uses Falcon's proprietary network content filter, and automatic sensor updates are paused during containment. Specific policy settings and MDM templates are recommended to prevent tampering.
- Falcon Firewall advanced protocol rules are now available without enabling the Packet Provider via falconctl. Packet Provider is automatically disabled in versions 7.29 and later.
- The installer and UI are now available in six new languages: Spanish, Italian, German, Portuguese, Korean, and Chinese.
- Main fixes
- Fixed an issue that caused the AverageCpuUsage field in the ResourceUtilization event to record inaccurate values. This issue affected all previous versions.
- Fixed an issue where the installer would proceed with a sensor update before the sensor had finished shutting down, also affecting all previous versions.
- For more information, please see our support site article.
Falcon Sensor for Linux 7.29.18202 Release [Released September 9, 2025]
- Main New Features
- Added user mode support for kernel series 6.15 to 6.16, allowing the Falcon Sensor to be used in user mode even in the latest Linux kernel environments.
- User-mode support has been added to the s390x architecture running Red Hat Enterprise Linux (RHEL) 9 and 10, SUSE Linux Enterprise Server (SLES) 15 SP4 and later, and Ubuntu 22 and 24, enabling deployment in a wider variety of environments.
- The Linux sensor running in user mode now provides enhanced visibility into crontab changes. In addition to cron file creation, rename, deletion and modification events, the new "FileContentsChanged" event allows monitoring file content changes as well.
- User-mode support has been added for SUSE Linux Enterprise Server (SLES) 15 SP7 (x86_64) and Oracle Linux 9/10 UEK 8 (x86_64), with some support backported to older versions.
- Falcon Firewall now supports IPv6 for sensors running in user mode, allowing you to use the firewall in an IPv6 environment.
- Enhanced visibility into Linux scripts to detect scripts containing invalid or non-UTF8 characters. This has been integrated into the "Script-Based Execution Visibility" policy setting and includes a new "ScriptControlDetectInvalidInfo" event.
- Main fixes
- Fixed an issue where the AverageCpuUsage field in the ResourceUtilization event was recording inaccurate values. This issue existed in all previous supported versions.
- Fixed an issue where OciContainerInfo events were not generated for containers created when the sensor was started or restarted in a rundown pod. This issue also affected all previous supported versions.
- Known Issues
- When running in user mode, Linux sensors can generate duplicate TCP entries in the host-based firewall's local log. A fix is currently under consideration for this issue.
- For more information, please see our support site article.
Important Announcement
NPM supply chain attacks
- Overview
- On September 8, 2025, a supply chain attack targeting npm libraries was reported. At least 18 highly popular npm packages (collectively downloaded over 2 billion times per week) were found to have been tampered with to include malicious code.
- Attackers have been specifically targeting cryptocurrency and Web3 applications by injecting client-side JavaScript that runs silently within the web browser.
- For more information, please see our support site article.
Falcon for Mobile Supports iOS 26
- Overview
- CrowdStrike announced that the iOS sensor for Falcon for Mobile (version 2025.07.1 and later) is now compatible with iOS and iPadOS 26. This means that Falcon for Mobile can now be used in the latest iOS/iPadOS environments.
- We are currently aware of a minor issue where links within the CrowdStrike Falcon app may result in the incorrect Settings page being displayed. This issue will be fixed in an upcoming release.
- Action required
- If you are already using Sensor version 2025.07.1 on your iOS/iPadOS device, no additional action is required.
- If you are using a sensor version earlier than 2025.05.1 and want to upgrade to iOS/iPadOS 26, you will need to upgrade your sensor to 2025.07.1.
- For more information, please see our support site article.
Falcon Sensor for Mac now supports macOS Tahoe 26
- Overview
- CrowdStrike has announced that version 7.29 and later of the CrowdStrike Falcon Sensor for Mac will be compatible with Apple's macOS Tahoe 26 general availability release.
- The general availability release of macOS Tahoe 26 is scheduled for Monday, September 15, 2025.
- Action required
- If you are already using Falcon Sensor version 7.29 on your Mac, no additional steps are required.
- If you are using a sensor version earlier than 7.28 and would like to upgrade to macOS Tahoe 26, you must first upgrade your sensor to 7.29.
- For more information, please see our support site article.
About NPM packages on public registries
- Overview
- In September 2025, CrowdStrike discovered multiple malicious NPM packages in the public NPM registry and quickly removed them and rotated their public keys.
- These packages are not used by or impact any Falcon sensors or platforms, and the source of the problem has been identified and isolated, ensuring the safety of our customers.
- Many Falcon customers and developers are not at risk from this issue. Our public repositories are primarily used for internal purposes and limited open source contributions, and we have confirmed that the affected packages are not in use. We are also working with our OEM partners to ensure that they are not affected. We have also investigated all Foundry applications and found that the affected packages are not in use.
- If you are using these packages, we recommend updating to the latest version and checking the related guidance.
- For more information, please see our support site article.
Alert regarding Shai-Hulud supply chain attacks
- Overview
- On September 15, 2025, a popular package in the NPM ecosystem, "@ctrl/tinycolor," was hit by a supply chain attack that spread a new malware called "ShaiHulud." The package is downloaded approximately 2.2 million times per week, and the malware has self-propagating capabilities that allow it to infect other NPM packages.
- The malicious code automatically downloads a tool called TruffleHog to collect and send credentials and cloud secrets on the infected system, and creates a persistent GitHub Actions workflow to ensure continuous access to the CI/CD environment.
- CrowdStrike has added detection rules and indicators of attack (IOAs) to its Falcon platform to address this attack, which will be automatically updated on Windows, Mac, and Linux platforms. CrowdStrike recommends enabling the Script-Based Execution Visibility (all OSes), On Write Script visibility (Windows and Linux), and File system visibility (Linux) settings in the Prevention Policy.
- For more information, please see our support site article.
Falcon Surface | Changes to detection logic for SPF configuration errors (scheduled for September 29, 2025)
- Overview
- In Falcon EASM, the evaluation logic (CS-C24-J277814) for domains without SPF (Sender Policy Framework) records was causing some false positives, so the evaluation logic was changed on September 29, 2025. This has reduced the number of incorrect detections (false positives and false negatives), and a new evaluation (CS-C25-B381583) for non-email uses (parked domains) has also been added.
- For more information, please see our support site article.
Fixed | All Clouds | Image Assessment: NPMPackageFoundInImage false positive detection [September 19, 2025]
- Overview
- Between September 12 and September 16, 2025, CrowdStrike's image assessment feature experienced an issue with the "NPMPackageFoundInImage" detection logic, resulting in all versions of multiple NPM packages (e.g., chalk, debug, ansi-styles) being incorrectly detected as threats. Instead of detecting only malicious versions, all versions were being detected.
- For more information, please see our support site article.
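The difference between name-only and version-exact matching behind this false positive, as an added example (not CrowdStrike's detection logic). It reads the `packages` map of an npm `package-lock.json` (lockfileVersion 2 or 3); the advisory versions, the lockfile and the function names are constructed placeholders, not real indicators.

```python
import json

# Constructed advisory: package name -> set of compromised versions.
# Placeholder versions only; load real ones from an advisory you trust.
ADVISORY = {
    "chalk": {"0.0.0-bad1"},
    "debug": {"0.0.0-bad2"},
    "ansi-styles": {"0.0.0-bad3"},
}

# Constructed lockfile: only the nested copy of debug is a listed version.
SAMPLE_LOCK = json.loads("""
{
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "constructed-app", "version": "1.0.0"},
    "node_modules/chalk": {"version": "1.0.0"},
    "node_modules/ansi-styles": {"version": "2.0.0"},
    "node_modules/@ctrl/tinycolor": {"version": "3.0.0"},
    "node_modules/constructed-lib/node_modules/debug": {"version": "0.0.0-bad2"}
  }
}
""")


def installed_packages(lock):
    """Yield (name, version, lockfile path) for each installed package."""
    for path, meta in lock.get("packages", {}).items():
        if not path:  # the "" key is the root project, not a dependency
            continue
        # Nested and scoped packages: the name follows the last node_modules/.
        name = meta.get("name") or path.rpartition("node_modules/")[2]
        version = meta.get("version")
        if version:
            yield name, version, path


def match_by_name(lock, advisory):
    """Name-only matching: flags every version of a listed package."""
    return sorted(p for p in installed_packages(lock) if p[0] in advisory)


def match_by_version(lock, advisory):
    """Version-exact matching: flags only the versions the advisory lists."""
    return sorted(p for p in installed_packages(lock)
                  if p[1] in advisory.get(p[0], ()))


if __name__ == "__main__":
    print("name-only:    ", match_by_name(SAMPLE_LOCK, ADVISORY))
    print("version-exact:", match_by_version(SAMPLE_LOCK, ADVISORY))
```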
Falcon Data Replicator | All fields in FDR will now be sent as Strings. (This change is scheduled for December 22, 2025.)
- Overview
- For customers using Falcon Data Replicator (FDR), a specification change will be implemented starting December 22, 2025, whereby all field types sent by FDR will be standardized to "String."
- Previously, fields such as "Nonce" and "UTCTimestamp" in platform events were sent as primitive types such as long or int, while the same fields in sensor events were sent as strings.
- This change unifies the field type to String across all event types, eliminating data type mismatches.
- Action required
- If you use FDR, the field type change may affect your existing data processing pipelines. Please adjust your pipelines and data processing logic as needed by December 22, 2025.
- For more information, please see our support site article.
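One way to make a downstream consumer tolerant of both encodings ahead of the cutover, as an added example (not CrowdStrike or Macnica code). It assumes events are consumed as one JSON object per line; the sample events and function names are constructed, and only the field names Nonce, UTCTimestamp and event_simpleName come from this page.

```python
import json
import re

# Fields this pipeline needs as integers. Nonce and UTCTimestamp are the two
# named in the announcement; extend the set to match your own schema.
INT_FIELDS = {"Nonce", "UTCTimestamp"}
_DECIMAL = re.compile(r"-?[0-9]+")


def coerce_int(value):
    """Return value as int whether it arrived as a JSON number or a string."""
    if isinstance(value, bool):  # bool is a subclass of int; reject explicitly
        raise ValueError(f"boolean in integer field: {value!r}")
    if isinstance(value, int):
        return value
    if isinstance(value, str) and _DECIMAL.fullmatch(value.strip()):
        return int(value.strip())
    raise ValueError(f"not an integer: {value!r}")


def normalize_event(event):
    """Coerce INT_FIELDS; also list the fields that still arrived as numbers."""
    if not isinstance(event, dict):
        raise ValueError("event is not a JSON object")
    out, legacy = dict(event), []
    for name in event.keys() & INT_FIELDS:
        out[name] = coerce_int(event[name])
        if not isinstance(event[name], str):
            legacy.append(name)
    return out, sorted(legacy)


def process_lines(lines):
    """Return (normalized events, rejected (line no, reason), legacy count)."""
    good, rejected, legacy_events = [], [], 0
    for lineno, line in enumerate(lines, 1):
        if not line.strip():
            continue
        try:
            event, legacy = normalize_event(json.loads(line))
        except ValueError as exc:  # includes json.JSONDecodeError
            rejected.append((lineno, str(exc)))
            continue
        good.append(event)
        legacy_events += 1 if legacy else 0
    return good, rejected, legacy_events


# Constructed sample input, one event per line (not real FDR output).
SAMPLE_LINES = [
    '{"event_simpleName": "ConstructedPlatformEvent", "Nonce": 1, "UTCTimestamp": 1757318400}',
    '{"event_simpleName": "ConstructedSensorEvent", "Nonce": "1", "UTCTimestamp": "1757318400"}',
    '{"event_simpleName": "ConstructedBadEvent", "Nonce": "1", "UTCTimestamp": "n/a"}',
    "not json at all",
]

if __name__ == "__main__":
    events, bad, legacy = process_lines(SAMPLE_LINES)
    print(len(events), "normalized;", len(bad), "rejected;", legacy, "still numeric")
```

The legacy count falls to zero once every event arrives with string fields, which gives a simple signal that the change has reached your feed.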
CrowdScore Incidents and incidents API discontinuation [Scheduled for discontinuation on March 9, 2026]
- Overview
- CrowdStrike has announced a deprecation date of March 9, 2026 for the CrowdScore Incidents feature, the /incidents API endpoint, and the CrowdScore homepage/dashboard.
- CrowdScore Incidents is a data aggregation and analysis feature on the Falcon Platform. After January 1, 2026, new incidents will no longer be created in CrowdScore Incidents, and the /incidents API will no longer be available on March 9, 2026.
- As a result, any processes or workflows that utilize CrowdScore Incidents, the associated IncidentSummaryEvent (via the Event Streams API), or the /incidents API are being deprecated and will no longer work after the deprecation date.
- Action required
- If you have processes or workflows that utilize the /incidents API, please discontinue these integrations by March 9, 2026. These features will no longer be available after the deprecation date.
- For more information, please see our support site article.
Product Update Information
Endpoint Security & Falcon UI
- The "Third Party" Scheduled Search view is now limited to third-party sources
- LogScale's "Third Party" schedule search has been updated to only include events from third parties.
- This means that any saved queries or lookup files you reference must be moved to a "Third Party" view.
- https://support.mnc.macnica.co.jp/hc/ja/articles/50558585809049
- CrowdStrike Documentation Portal Beta Release
- The new CrowdStrike documentation portal is now in beta, featuring full-text search, filtering, bookmarking, and more.
- The existing documentation and release notes will remain available during the beta.
- https://support.mnc.macnica.co.jp/hc/ja/articles/50727782121113
- Announcing the release of Next-Gen SIEM Cases
- Next-Gen SIEM cases allow you to investigate suspicious activity, manage related event files, and automate response actions.
- Flexible case creation and management with API integration, templates, SLAs, and notification settings.
- https://support.mnc.macnica.co.jp/hc/ja/articles/50970468292121
Mobile
- There were no major updates.
Next-Gen SIEM & LogScale
- Falcon Next-Gen SIEM Recently Released Features, Fixes, and Known Issues [September 2025 Update]
- Main new features
- Automatic correlation of entity information and enrichment of host information have been added, improving the efficiency of threat investigation.
- Enhanced dashboards utilizing user ID metadata and risk analysis, and improved detection accuracy through dynamic risk scores have been implemented.
- The management UI has been enhanced with features such as dashboard labeling, favorite registration, search and sorting.
- Many new SOAR apps, data connectors, and correlation rule templates have been added.
- New operational and management features have also been added, including data access scope functionality, Next-Gen SIEM case functionality, and Flight Control for Data Connectors.
- Major fixes
- Fixed bugs in the UI and search function, such as export failures due to incomplete parameters when saving a dashboard, and improved accuracy in query parameter detection.
- Fixed bugs regarding conditional branching and search intervals in the correlate(), defineTable(), and join() functions.
- Improved table display and row selection behavior for better data consistency.
- Deprecated Features
- Free text search after aggregation functions in LogScale, as well as the use of eventIntents(), eventFieldCount(), and eventSize(), have been deprecated and will no longer be available.
- The rdns() function is deprecated and it is recommended to use the reverseDns() function.
- Some legacy data connectors have been deprecated, and it is recommended to use alternative connectors.
- https://support.mnc.macnica.co.jp/hc/ja/articles/51167106173977
Falcon Shield
- There were no major updates.
Identity Protection (ITD/ITP, FPA)
- Falcon Identity Protection 5.98.79239 Release [Released September 4, 2025]
- Main new features
- A GPO (Group Policy Object) auditing function has been added, allowing you to monitor events such as creation, deletion, and modification (supported in Windows Sensor 7.23 and later).
- You can now access the Access Activity Dashboard directly from a user or service account and view related activity. [Release No...5.98.79239]
- Major fixes
- Fixed an issue where hybrid accounts were not updated due to missing AWS Identity Store information.
- Improved accuracy of group membership calculations (may cause temporary privilege fluctuations in certain cases).
- Several minor fixes have been made, including fixing a typographical error in the Insights Summary report, correcting a bug in the detailed display of duplicate password risk, improving usability of the search field, adding application search to the Threat Hunter Destination filter, correcting a bug in using subnet labels, improving usability of the display panel, and correcting a bug in the display of the domain security overview.
- https://support.mnc.macnica.co.jp/hc/ja/articles/50495232186905
- Falcon Identity Protection 5.98.80891 Release [Released September 29, 2025]
- Main new features
- A Group Policy Object (GPO) auditing function has been added, allowing you to monitor events such as creating, deleting, and modifying GPOs (compatible with Windows Sensor 7.23 and later).
- You can now access the Access Activity Dashboard directly from a user or service account to view related activity.
- Major fixes
- Fixed an issue where hybrid accounts were not updated due to missing AWS Identity Store information.
- Improved accuracy of group membership calculations (may cause temporary privilege fluctuations in certain cases).
- Several minor fixes have been made, including fixing a typographical error in the Insights Summary report, correcting a bug in the detailed display of duplicate password risks, improving the usability of the search field, adding application search to the Threat Hunter Destination filter, correcting a bug in using subnet labels, improving the usability of the display panel, correcting a bug in the display of domain security summaries, and correcting a bug in updating GPO-related risks.
- https://support.mnc.macnica.co.jp/hc/ja/articles/51294276494873
Cloud Security
- There were no major updates.
Exposure Management & IT Automation
- There were no major updates.
Falcon Data Protection
- There were no major updates.
Others (Charlotte AI, Falcon Intelligence, Falcon Complete)
- Falcon Flex Dashboard Simulator Tool Released
- The Falcon Flex Simulator is a new feature that allows you to simulate Flex pool consumption by adding modules during the contract period and view past and future usage trends in graphs.
- Simulation results can also be exported as a report.
- https://support.mnc.macnica.co.jp/hc/ja/articles/50593857280153
- Enhanced Security and Collaboration with Falcon Complete Hub
- Falcon Complete Hub is a new dashboard that centralizes security tasks and actions that require response.
- Prioritize important escalations and recommendations to help your team collaborate and respond more efficiently.
- https://support.mnc.macnica.co.jp/hc/ja/articles/50723780197401
- Threat Intelligence Browser Extension now available to scan web pages for threat intelligence
- The Threat Intelligence Browser Extension now allows you to view threat intelligence information directly in an HTML web page outside of CrowdStrike Falcon Console.
- It highlights indicators, malware, vulnerabilities, and more on the page, and even connects you to CrowdStrike Falcon Console from the details panel.
- https://support.mnc.macnica.co.jp/hc/ja/articles/50737892852121
Regular CrowdStrike Falcon Console Updates
- CrowdStrike Falcon Console Regular Updates [As of the week of September 1, 2025]
- Customizing Falcon Fusion SOAR playbooks now has the same experience as creating new workflows, eliminating the need to manually configure each field. Workflow validation now makes it easier to identify issues.
- The event_simpleName field has been added to the MobileDetectionJsonData event, allowing more detailed information to be recorded when a malicious hash is detected.
- When creating script-based query tasks in Falcon for IT, you can now view the output results as a structured data table, broken down by rows, for easier analysis and sharing.
- https://support.mnc.macnica.co.jp/hc/ja/articles/50555061859097
- CrowdStrike Falcon Console Regular Updates [As of the week of September 8, 2025]
- Charlotte AI's unit of usage is now called "Credits," replacing the previous "Quotas" and "Prompts." There are no changes to usage or the number of credits per month.
- Clicking on a detection in Intelligence Explorer now takes you to the "Monitor and investigate > Detections" page in Next-Gen SIEM, instead of the "Endpoint security > Monitor > Endpoint detections" page.
- https://support.mnc.macnica.co.jp/hc/ja/articles/51028589386265
Maintenance and fault information
Please check our support site as necessary for maintenance and failure information.
- Service/system related alerts
- Maintenance Information
Inquiry/Document request
Contact: CrowdStrike team, Macnica Co., Ltd.
- TEL:045-476-2010
- E-mail:crowdstrike_info@macnica.co.jp
Weekdays: 9:00-17:00