CrowdStrike Falcon Sensor Extension Attributes

Alvaro1337
New Contributor III

Hi Jamf Nation Team,

We are currently working to deploy the Falcon Sensor in our system, but we need to monitor the sensor's status. Unfortunately, the Extension Attribute I was using is not gathering the necessary information.

Could you please help me if you have any that I can use:

Sensor Registration: Confirms whether the Falcon Sensor is correctly registered with the CrowdStrike cloud.
Sensor Operational Status: Checks if the Falcon Sensor service is running correctly on the endpoint.
Sensor Cloud Connectivity: Verifies that the sensor can successfully communicate with CrowdStrike’s cloud infrastructure.

Thank you!

Alvaro Ortiz
1 ACCEPTED SOLUTION

SlipStream
Contributor

Within our environment, I put together some extension attributes for monitoring the status of the Falcon Sensor.
Below are the extension attributes I created within Jamf Pro, and the scripts needed for them:

CrowdStrike | Falcon Sensor | Agent ID

#!/bin/bash

echo "<result>$(sudo /Applications/Falcon.app/Contents/Resources/falconctl stats | awk '/agentID:/ {print $2}')</result>"


CrowdStrike | Falcon Sensor | Customer ID

#!/bin/bash

echo "<result>$(sudo /Applications/Falcon.app/Contents/Resources/falconctl stats | awk '/customerID:/ {print $2}')</result>"

 

 

CrowdStrike | Falcon Sensor | Installed

#!/bin/bash

# Report whether the Falcon app bundle is present in /Applications.
if [ -d "/Applications/Falcon.app" ]; then
	echo "<result>Installed</result>"
else
	echo "<result>Not Installed</result>"
fi

 

 

CrowdStrike | Falcon Sensor | Sensor Operational

#!/bin/bash

echo "<result>$(sudo /Applications/Falcon.app/Contents/Resources/falconctl stats | grep "Sensor operational:" | awk '{print $3}')</result>"

 

CrowdStrike | Falcon Sensor | Version

#!/bin/bash

# defaults exits non-zero (and writes "does not exist" to stderr) when the
# plist or key is missing, so test its exit status instead of grepping output.
plist="/Applications/Falcon.app/Contents/Info.plist"

if FalconVersion=$(defaults read "$plist" CFBundleShortVersionString 2>/dev/null) && [ -n "$FalconVersion" ]; then
	echo "<result>$FalconVersion</result>"
else
	echo "<result>Not Installed</result>"
fi

 

The results of these extension attributes can then allow for all kinds of reports to be generated, to ensure all is working as you would want or expect for Falcon Sensor deployments.

I hope these help.

View solution in original post
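
A consolidated variant of the attributes above, as an added example that is not part of SlipStream's post or CrowdStrike's tooling: it runs `falconctl stats` once and maps registration, operational status and cloud connectivity to a single value. The `State:` field, the `true` and `connected` values, and treating a present `agentID` as "registered" are assumptions about the stats output; the sample text is constructed.

```shell
#!/bin/bash
# Added example: one health verdict from a single `falconctl stats` run.
# "agentID:" and "Sensor operational:" come from the scripts above; the
# "State:" field and the values "true"/"connected" are assumptions.
FALCONCTL="/Applications/Falcon.app/Contents/Resources/falconctl"

# Print the value of the first "key: value" line on stdin whose key matches $1.
stat_field() {
	awk -F': *' -v key="$1" '
		{ sub(/^[ \t]+/, "") }
		$1 == key { gsub(/[ \t\r]+$/, "", $2); print $2; exit }'
}

# Map stats text to a verdict. Empty input gets its own state so a failed
# falconctl call never reaches Jamf as a blank value that a report might skip.
falcon_health() {
	local stats="$1" agent oper state
	[ -n "$stats" ] || { echo "No Data"; return; }
	agent=$(printf '%s\n' "$stats" | stat_field "agentID")
	oper=$(printf '%s\n' "$stats" | stat_field "Sensor operational")
	state=$(printf '%s\n' "$stats" | stat_field "State")
	if [ -z "$agent" ]; then echo "Not Registered"
	elif [ "$oper" != "true" ]; then echo "Not Operational"
	elif [ "$state" != "connected" ]; then echo "Cloud Disconnected"
	else echo "Healthy"
	fi
}

# Constructed sample input (not captured from a real sensor).
SAMPLE_STATS='=== Sensor ===
  agentID: 00000000-AAAA-BBBB-CCCC-000000000000
  customerID: 11111111-AAAA-BBBB-CCCC-111111111111
  Sensor operational: true
=== Cloud Info ===
  Host: example.invalid
  State: connected'

# Extension attributes run as root, so no sudo is needed here.
if [ -x "$FALCONCTL" ]; then
	echo "<result>$(falcon_health "$("$FALCONCTL" stats 2>/dev/null)")</result>"
else
	echo "<result>Not Installed</result>"
fi
```

A smart group on any value other than `Healthy` then catches unregistered, stopped and disconnected sensors in one criterion.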

2 REPLIES 2

Thank you! I see the issue with the ones that I have now, appreciate your help!

Alvaro Ortiz