Structura.io
Endpoint Hygiene · Scheduled trigger · 6 actions

CrowdStrike Stale Sensor Cleanup

Find and remove CrowdStrike Falcon sensors inactive for over 12 hours, with Slack approval.

Integrates with
CrowdStrike Falcon, Slack

Overview

Over time, CrowdStrike deployments accumulate stale sensors: decommissioned devices, reimaged machines, long-offline laptops. These inflate license counts and clutter the console. This playbook finds sensors that haven't checked in for 12 hours, requests human approval via Slack, and cleans them up on confirmation.

Who this is for: SOC managers and IT asset owners who maintain CrowdStrike Falcon deployments

Why automate this

Stale sensor buildup is a silent cost and operational problem. Licenses get consumed for devices that don't exist, alerts get skewed by the noise, and the console becomes harder to navigate. This playbook turns cleanup into a scheduled, approval-gated automation instead of a manual chore.

How it works

  1. Scheduled trigger (weekly or daily)

  2. Query CrowdStrike Falcon for all sensors with last-seen > 12 hours

  3. Filter out known long-lived offline devices via an allow-list

  4. Post a Slack message listing candidate sensors with an approve button

  5. Wait for analyst approval via Slack interactive message

  6. On approval, call the Falcon API to delete the stale sensors
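
The selection and approval-gating logic of steps 2 to 6, as an added example that is not Structura's or CrowdStrike's code and makes no Falcon or Slack API calls. The record fields (device_id, hostname, last_seen), the sample inventory, and the idea of binding the approval to a digest of the listed IDs are assumptions made for illustration.

```python
import hashlib
from datetime import datetime, timedelta, timezone

STALE_AFTER = timedelta(hours=12)  # threshold stated by the playbook

def parse_ts(value):
    """Parse an ISO-8601 timestamp; None if missing, malformed or naive."""
    try:
        ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
        return ts if ts.tzinfo else None
    except (AttributeError, ValueError):
        return None

def select_candidates(devices, allow_list, now):
    """Steps 2-3: sensors last seen > 12 h ago, minus allow-listed hosts."""
    candidates, skipped = [], []
    for d in devices:
        seen = parse_ts(d.get("last_seen"))
        if seen is None:
            skipped.append(d["device_id"])  # unknown age: never a candidate
        elif now - seen > STALE_AFTER and d["hostname"] not in allow_list:
            candidates.append(d)
    return candidates, skipped

def approval_token(candidates):
    """Step 4: digest of the exact ID set shown to the approver (assumption)."""
    ids = sorted(d["device_id"] for d in candidates)
    return hashlib.sha256("\n".join(ids).encode()).hexdigest()

def ids_to_delete(candidates, approved_token):
    """Steps 5-6: release IDs only if the approval matches this exact list."""
    if approved_token != approval_token(candidates):
        return []  # list changed since approval, or no approval: delete nothing
    return sorted(d["device_id"] for d in candidates)

# Constructed sample inventory (not real hosts or sensor IDs)
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
DEVICES = [
    {"device_id": "aaa111", "hostname": "lt-old-01", "last_seen": "2024-04-20T08:00:00Z"},
    {"device_id": "bbb222", "hostname": "srv-web-01", "last_seen": "2024-05-01T11:30:00Z"},
    {"device_id": "ccc333", "hostname": "lab-cold-spare", "last_seen": "2024-03-01T00:00:00Z"},
    {"device_id": "ddd444", "hostname": "lt-new-07", "last_seen": None},
    {"device_id": "eee555", "hostname": "lt-edge-02", "last_seen": "2024-05-01T00:00:00Z"},
]
ALLOW_LIST = {"lab-cold-spare"}  # known long-lived offline devices

if __name__ == "__main__":
    cands, skipped = select_candidates(DEVICES, ALLOW_LIST, NOW)
    print([d["hostname"] for d in cands], "skipped:", skipped)
```

Records with no usable last-seen value are reported separately rather than treated as stale, and a sensor seen exactly 12 hours ago is not yet a candidate.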

Impact

  • Reduces CrowdStrike license costs by reclaiming stale seats

  • Keeps the Falcon console clean and searchable

  • Human-in-the-loop approval prevents accidental mass-delete

  • Scheduled cadence ensures cleanup never gets forgotten
