u/Only-Objective-6216

How do you report large volume detections to a CISO without making the BPA report a SOC story?

Need some advice from people who create executive-level BPA/security assessment reports.

I’m working on a CrowdStrike BPA report that will be reviewed mainly by the CISO and management team, not by SOC analysts/admins.

The challenge is around presenting unassigned detections.

Current data after review:

Total detections: 281,159

False positives: 261,629 detections caused by one custom IOA rule flagging fsquirt.exe (legitimate Windows process)

Remaining detections after filtering false positives: 19,375

Unassigned detections (last 90 days): 18,425

Severity breakdown:
867 Critical
1,150 High
653 Medium
201 Low
15,554 Informational

The question from leadership is:
“Are these detections real threats/true positives or not?”

The problem is:

I have not individually investigated thousands of detections, so I cannot confidently classify them as true positives or false positives.

At the same time, doing detailed analysis for every alert would make the BPA report extremely large and too technical for executive readers.

So I’m trying to understand the best way to present this in a concise executive format.

Basically, how do you present large volumes of unassigned detections in a BPA report without making it a SOC investigation document or a long technical story that leadership won’t read?

Would appreciate examples or guidance from people who regularly build CISO-facing assessment reports.

reddit.com
u/Only-Objective-6216 — 6 days ago

Hey,

While reviewing a client’s CrowdStrike setup, I found an ML exclusion for:

C:\Program Files\Falcon\CrowdstrikeFalconEDR.exe

From what I understand, this is basically the CrowdStrike sensor itself. I’m not sure why this would be excluded from ML detection.

My questions:

- Is it normal to exclude the EDR’s own executable like this?

- Could this create any detection blind spots?

- Is this considered bad practice, or just a harmless config?

- Have you seen similar exclusions in real environments?

Would appreciate your thoughts.

reddit.com
u/Only-Objective-6216 — 24 days ago

Hi all,

Is there any CQL query to find endpoints that are not on a specific sensor version (for example, our recommended n-1 version is 7.35.20709.0 for Windows)?

We want to identify all devices across Windows, macOS, and Linux that are not running this sensor version, ideally also scoped by host group if possible.

Basically, we need a list of all devices that are not on the approved version.

Thanks in advance!

reddit.com
u/Only-Objective-6216 — 29 days ago

Hey everyone,

Running into something odd with SentinelOne and wanted to sanity check with others.

We’re seeing multiple endpoints where:

* Agent is installed and running

* Status in Agent Management → Endpoints is Active / Protecting

* Devices are checking in without issues

But in Inventory → Assets, some of these same systems are flagged with:

**“Missing Protection: EPP”**

What’s confusing is that the protection clearly looks healthy from the endpoint side, but Inventory is telling a different story.

A few things I’m trying to figure out:

* Is this expected behavior in certain scenarios?

* Could this be related to duplicate asset entries or multiple data sources?

* How are you guys cleaning up or reconciling these mismatches?

* Any best practices to make Inventory reflect actual protection status more accurately?

Curious if anyone else has run into this and how you handled it.

Thanks!

reddit.com
u/Only-Objective-6216 — 1 month ago