Skip to main content

I am looking at building a script for an Extension Attribute for Falcon | Crowdstrike with the desired result:

Read the CID of an installed Falcon Sensor Compare the CID to one of two Pushed by the JSS

One CID falls in 'Complete' - Managed by Falcon Complete Team

One CID falls in 'Lite' - AV/ED/Reporting/Remediation functions only; which is managed by our team/department.

Upon comparison - output either 'Lite' or 'Complete' to the extension attribute based on the CID detected on the client/endpoint.

I have found many of the other Crowdstrike EA's that folks have put out; but have not run across any that are able to complete a process as I've described above.

Any ideas or food for thought anyone can think of to help me kick it off/get started on it? Possible existing resources I can use to build off of?

@peele87 Here's an EA to return the customerID from an active CS Falcon install:

 

#!/bin/sh

# Reports back the customerID: result from the agent_info section of a falconctl stats query

result="Not Installed or Running"

if [ -e /Applications/Falcon.app/Contents/MacOS/Falcon ]; then
syextNum=$(systemextensionsctl list | awk '/com.crowdstrike.falcon.Agent/ {print $7,$8}' | wc -l)
if [ $syextNum -gt 0 ]; then
result=$(/Applications/Falcon.app/Contents/Resources/falconctl stats | awk '/customerID:/ {print $2}')
fi
fi

echo "<result>$result</result>"

 

You can extend that to compare the customerID found to the two you're expecting in to report either Lite or Complete. Or just use the EA as provided, and create two Smart Groups which use the EA result as a criteria to match either Lite or Complete. 

Reply


Terms & ConditionsCookie settings