Within our environment, I put together some extension attributes for monitoring the status of the Falcon Sensor.
Below are the extension attributes I created within Jamf Pro, and the scripts needed for them:
CrowdStrike | Falcon Sensor | Agent ID
#!/bin/bash
echo "<result>$(sudo /Applications/Falcon.app/Contents/Resources/falconctl stats | awk '/agentID:/ {print $2}')</result>"
CrowdStrike | Falcon Sensor | Customer ID
#!/bin/bash
echo "<result>$(sudo /Applications/Falcon.app/Contents/Resources/falconctl stats | awk '/customerID:/ {print $2}')</result>"
CrowdStrike | Falcon Sensor | Installed
#!/bin/bash
# Report whether the Falcon app bundle is present in /Applications.
if [ -d "/Applications/Falcon.app" ]; then
    echo "<result>Installed</result>"
else
    echo "<result>Not Installed</result>"
fi
CrowdStrike | Falcon Sensor | Sensor Operational
#!/bin/bash
echo "<result>$(sudo /Applications/Falcon.app/Contents/Resources/falconctl stats | grep "Sensor operational:" | awk '{print $3}')</result>"
CrowdStrike | Falcon Sensor | Version
#!/bin/bash
# Read the sensor version from the app bundle's Info.plist.
# If the plist is missing, defaults prints an error to stderr and returns nothing.
FalconVersion=$(defaults read /Applications/Falcon.app/Contents/Info.plist CFBundleShortVersionString 2>/dev/null)
if [ -n "$FalconVersion" ]; then
    echo "<result>$FalconVersion</result>"
else
    echo "<result>Not Installed</result>"
fi
The results of these extension attributes can then allow for all kinds of reports to be generated, to ensure all is working as you would want or expect for Falcon Sensor deployments.
I hope these help.
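For reporting, the installed and operational checks above can be folded into one extension attribute that also catches a sensor that is installed but returns no stats or no agent ID. This is an added example, not part of the original post: the function names, the result strings, the `--selftest` switch and the sample output are hypothetical, and it assumes the script runs as root and that `falconctl stats` prints `label: value` lines as the scripts above expect.

```shell
#!/bin/bash
# Added example (not from the original post): one EA summarizing sensor health.
FALCONCTL="/Applications/Falcon.app/Contents/Resources/falconctl"

# Constructed sample of `falconctl stats` output; the layout is an assumption
# based on the fields the scripts above parse, and the values are made up.
SAMPLE_STATS='agentID: 00000000-EXAMPLE-AGENT-ID
customerID: 00000000-EXAMPLE-CUSTOMER-ID
Sensor operational: true'

# stats_field LABEL: read stats text on stdin, print the value after "LABEL:".
stats_field() {
    awk -v label="$1:" '
        index($0, label) {
            value = substr($0, index($0, label) + length(label))
            gsub(/^[ \t]+|[ \t]+$/, "", value)
            print value
            exit
        }'
}

# falcon_health STATS_TEXT: classify the sensor from captured stats output.
falcon_health() {
    stats="$1"
    if [ -z "$stats" ]; then
        echo "Installed - No Stats"    # falconctl ran but returned nothing
        return 0
    fi
    agent_id=$(printf '%s\n' "$stats" | stats_field "agentID")
    operational=$(printf '%s\n' "$stats" | stats_field "Sensor operational")
    if [ -z "$agent_id" ]; then
        echo "Installed - No Agent ID"
    elif [ "$operational" = "true" ]; then
        echo "Operational"
    else
        echo "Not Operational"
    fi
}

if [ "${1:-}" = "--selftest" ]; then
    result=$(falcon_health "$SAMPLE_STATS")    # exercises the parser offline
elif [ -x "$FALCONCTL" ]; then
    result=$(falcon_health "$("$FALCONCTL" stats 2>/dev/null)")
else
    result="Not Installed"
fi
echo "<result>$result</result>"
```

A smart group on any value other than "Operational" then lists every Mac whose sensor needs attention, whatever the reason.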
Thank you! I see the issue with the ones that I have now, appreciate your help!