I am working on a script that will produce an alert message using Swift Dialog if CrowdStrike has logged any malicious behaviors. This is meant for my support team, who may be helping one of our users find out if CrowdStrike may be responsible for an issue they are having. I created a Self Service policy that runs the script. I was given this command by our CrowdStrike rep:
log show --predicate 'process == "Falcon Notifications"' --last 1h
I used this command to create a variable:
detection=$(log show --predicate 'process == "Falcon Notifications"' --last 1h | grep "malicious behavior detected")
If I simulate an incident of malicious behavior, the phrase that follows grep will appear in the log. Therefore, when I echo "$detection" it will output a result that contains that phrase. If the log doesn't have that phrase, the output of $detection will be nothing.
Later in the script, I have a conditional statement:
if [ "$detection" ]; then
    # Non-empty match: grep found the phrase in the last hour of log output
    echo "Malicious behavior detected"
    # Display alert
    somethingBad
else
    # Empty variable: nothing matched
    echo "No malicious behavior detected"
    # Display alert
    allGood
fi
The "somethingBad" is the function that generates the alert in Swift Dialog saying that malicious behavior was detected. The "allGood" is a function that generates an alert saying that malicious behavior was not detected. If I simulate a detection event and then run the entire script through CodeRunner, the result will be a Swift Dialog window informing me that malicious behavior was detected. If I run it without first simulating a detection event, the result is the alert that malicious behavior was not detected. When I add this script to a policy in Jamf Pro, I see an error in the policy log stating:
Script result: /Library/Application Support/JAMF/tmp/CrowdStrike Detection Alert:detection:12: too many arguments
Because of the error, the script will always generate an alert saying that no malicious behavior was found. "$detection" will always result in an output of nothing.
I have seen this error before, and it usually means that my variable contains whitespace somewhere. I don't think that's what is happening in this case. I have checked, double-checked, triple-checked, and quadruple-checked the command in the variable. There is no whitespace. What else could be causing this error? I'm happy to post the entire script if needed. The logic part of the script is actually the shortest part. It's just a conditional statement that checks if the log has the phrase "malicious behavior detected" and then runs the appropriate function for the output of "$detection". More lines of code are devoted to creating the Swift Dialog alerts than anything else. Those work perfectly. I took on this task to make the job of my support team easier, but also to get better at working with Swift Dialog.
What could be causing the "too many arguments" error? I would appreciate some help figuring this out.
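The following is an added example, not code from the post above. It reproduces the post's log check against constructed sample text so it runs on any machine, and it shows the one way the [ command itself reports "too many arguments": a variable holding several words that is expanded unquoted, so [ receives each word as a separate argument. The sample log lines, the PHRASE variable and the function names filter_detection, alert_for and unquoted_status are assumptions made for the example; on a real Mac the input would come from the log show command quoted in the post. The names somethingBad and allGood are only echoed here so the branch taken is visible.

```shell
#!/bin/sh
# Added example; not the original poster's script. Constructed log text stands
# in for:  log show --predicate 'process == "Falcon Notifications"' --last 1h
# which only exists on a Mac with the Falcon sensor installed.

PHRASE="malicious behavior detected"

# Constructed stand-ins for `log show` output (field layout simplified).
LOG_CLEAN='2024-05-01 09:00:01.000 Falcon Notifications: sensor heartbeat
2024-05-01 09:00:07.000 Falcon Notifications: policy updated'
LOG_BAD="$LOG_CLEAN
2024-05-01 09:01:12.000 Falcon Notifications: malicious behavior detected, see Falcon console"

# Same filter as the post, reading the log text from $1 instead of `log show`.
# `|| true` keeps a no-match (grep exit status 1) from aborting a script that
# runs under `set -e`.
filter_detection() {
    printf '%s\n' "$1" | grep "$PHRASE" || true
}

# The post's decision with the variable quoted: the whole match is one
# argument to [, so -n sees a single non-empty string however many words
# (or lines) it holds. Prints the name of the alert function to call.
alert_for() {
    detection=$(filter_detection "$1")
    if [ -n "$detection" ]; then
        echo somethingBad
    else
        echo allGood
    fi
}

# The failure mode: the same test with $detection unquoted. The shell splits
# the matched line into words, [ receives several arguments, writes a syntax
# error to stderr (bash: "[: too many arguments"; wording varies by shell)
# and exits 2, which is neither true nor false, so the else branch runs.
# Prints the exit status of [ so the behaviour can be checked.
unquoted_status() {
    detection=$(filter_detection "$1")
    if [ $detection ] 2>/dev/null; then
        echo 0
    else
        echo $?
    fi
}

# Stand-alone run: branch taken for each sample, then the status of the
# unquoted test on the sample that contains a detection.
alert_for "$LOG_CLEAN"
alert_for "$LOG_BAD"
unquoted_status "$LOG_BAD"
```

Two things worth checking in a script that shows this symptom: the exact line Jamf reports (here line 12 of the uploaded file, which may not be the same line as in the local copy), and whether that line's test expands the variable unquoted, since a quoted "$detection" cannot produce this error no matter how many words or lines the grep returns.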
