From e7291062ecc2a32ac1436fae0133d771adeb6fa7 Mon Sep 17 00:00:00 2001
From: Steven Palmesano <3100993+spalmesano0@users.noreply.github.com>
Date: Tue, 9 Dec 2025 14:16:35 -0600
Subject: [PATCH] Add CrowdStrike Falcon System Extension policy (#36994)
---
 .../standard-query-library.yml | 20 ++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)
diff --git a/docs/01-Using-Fleet/standard-query-library/standard-query-library.yml b/docs/01-Using-Fleet/standard-query-library/standard-query-library.yml
index dfa8705551..c69af8428d 100644
--- a/docs/01-Using-Fleet/standard-query-library/standard-query-library.yml
+++ b/docs/01-Using-Fleet/standard-query-library/standard-query-library.yml
@@ -2143,4 +2143,22 @@ spec:
 1
-
+---
+apiVersion: v1
+kind: policy
+spec:
+ name: CrowdStrike Falcon System Extension enabled and activated (macOS)
+ query: |
+ SELECT 1
+ WHERE (EXISTS (SELECT 1 FROM system_extensions WHERE identifier = 'com.crowdstrike.falcon.Agent'))
+ AND EXISTS (SELECT 1 FROM system_extensions WHERE state = 'activated_enabled');
+ bash: systemextensionsctl list | grep 'falcon' | grep 'activated enabled'
+ description: Checks to make sure that the CrowdStrike System Extension is enabled and activated on macOS devices.
+ resolution: "To activate the CrowdStrike Falcon System Extension, on the failing device, run the following command in the Terminal app: sudo /Applications/Falcon.app/Contents/Resources/falconctl load"
+ tags: compliance, hardening, critical
+ platform: darwin
+ contributors: spalmesano0
+ script: |
+ #!/bin/sh
+
+ /Applications/Falcon.app/Contents/Resources/falconctl load
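Review bot: The two EXISTS predicates in the new policy's query are evaluated independently, so the second one is satisfied when any row of system_extensions has state 'activated_enabled', not necessarily the Falcon row; a host where the Falcon extension is installed but still waiting for approval would pass as long as some other extension is active. Both conditions belong on the same row: `SELECT 1 FROM system_extensions` / `WHERE identifier = 'com.crowdstrike.falcon.Agent' AND state = 'activated_enabled';`. The `bash:` equivalent already applies both greps to the same output line, so this also makes the two checks agree. Separately, the remediation `script:` invokes falconctl unconditionally; prefixing it with `[ -x /Applications/Falcon.app/Contents/Resources/falconctl ] || exit 1` would report a clear failure on hosts where Falcon is not installed instead of a shell "not found" error, since the policy cannot distinguish "not installed" from "not activated".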