Extension Attribute Falcon Host

danseals
New Contributor II

I haven't had to do much with extension attributes yet, looking for an easy way to determine if something is installed and the version number, and if it isn't installed, to also note that.

So the command I run on a local machine is:

sysctl cs.version

That will return the version number of the Falcon Host installed, something like:

cs.version: 2.27.4809.0

If the application isn't installed it returns:

sysctl: unknown oid 'cs.version'

Ultimately I will use a smart group to make sure Falcon Host is installed, and if it is not installed, to flag it for installation. The version number is just nice to know.

Is there an easy way to do this that anyone would know? If it works, I'm happy to submit it to the EA list as well.

1 ACCEPTED SOLUTION

mm2270
Legendary Contributor II

When making an Extension Attribute, the goal in many cases is to either capture the output of a command and echo that information back between <result> tags, or to check the output of the command/s and, depending on the result, set a string or variable that gets echoed between the <result> tags.

So using what you posted, you can grab the version information from the sysctl command, or the output and then check what it returned in the script and set a variable. Example:

#!/bin/sh

## Run the sysctl command to check for Falcon Host, and print column 2 from the result
FHCheck=$(sysctl cs.version 2>&1 | awk '{print $2}')

## If Falcon Host is not installed, column 2 from the sysctl command is "unknown". Check to see if that was our result
if [ "$FHCheck" == "unknown" ]; then
   result="Not Installed"
else
   ## If the output was not "unknown", set the result variable to the command's output
   result="Version $FHCheck Installed"
fi

## This line is what actually gets picked up in the JSS for the Extension Attribute
echo "<result>$result</result>"

Note that I'm printing column 2 from the command's output, which, when installed, looks to be the version information. When it's not installed, its "unknown" which is a bit lucky in this case, since we can check to see if that's the result we got and go from there. It doesn't always turn out to be that simple though.

You can learn a bit about how to create your own Extension Attributes by studying some of the ones that Jamf provides in their JSS EA templates. That's how I learned some methods of making useful EAs. There are also tons of examples and user submitted ones here on JamfNation that you can grab and look at.

EDIT: Also just wanted to mention, I know nothing about Falcon Host or what it is. But, is there an associated application that gets installed into the Applications folder? If so, an EA would not be necessary since you could use the native inventory collection to build your Smart Group. I'm assuming the answer is no or you wouldn't be asking about how to create an EA.
Just keep in mind while EAs are fantastic ways of getting data, each one you make does add a little bit of overhead to your inventory collection, since it needs to run those scripts, collect the results and send them back up to the asset record with everything else that gets collected.

View solution in original post

8 REPLIES 8

mm2270
Legendary Contributor II

When making an Extension Attribute, the goal in many cases is to either capture the output of a command and echo that information back between <result> tags, or to check the output of the command/s and, depending on the result, set a string or variable that gets echoed between the <result> tags.

So using what you posted, you can grab the version information from the sysctl command, or the output and then check what it returned in the script and set a variable. Example:

#!/bin/sh

## Run the sysctl command to check for Falcon Host, and print column 2 from the result
FHCheck=$(sysctl cs.version 2>&1 | awk '{print $2}')

## If Falcon Host is not installed, column 2 from the sysctl command is "unknown". Check to see if that was our result
if [ "$FHCheck" == "unknown" ]; then
   result="Not Installed"
else
   ## If the output was not "unknown", set the result variable to the command's output
   result="Version $FHCheck Installed"
fi

## This line is what actually gets picked up in the JSS for the Extension Attribute
echo "<result>$result</result>"

Note that I'm printing column 2 from the command's output, which, when installed, looks to be the version information. When it's not installed, its "unknown" which is a bit lucky in this case, since we can check to see if that's the result we got and go from there. It doesn't always turn out to be that simple though.

You can learn a bit about how to create your own Extension Attributes by studying some of the ones that Jamf provides in their JSS EA templates. That's how I learned some methods of making useful EAs. There are also tons of examples and user submitted ones here on JamfNation that you can grab and look at.

EDIT: Also just wanted to mention, I know nothing about Falcon Host or what it is. But, is there an associated application that gets installed into the Applications folder? If so, an EA would not be necessary since you could use the native inventory collection to build your Smart Group. I'm assuming the answer is no or you wouldn't be asking about how to create an EA.
Just keep in mind while EAs are fantastic ways of getting data, each one you make does add a little bit of overhead to your inventory collection, since it needs to run those scripts, collect the results and send them back up to the asset record with everything else that gets collected.

View solution in original post

danseals
New Contributor II

Thanks so much Mike, this worked perfectly!

You are correct that Falcon Host , which is a next generation endpoint protection platform, doesn't install an application in the applications folder. That would have made this a LOT easier.

I really want to thank you for taking the time to explain the process as well as providing the code, it's amazingly helpful to both see the code as well as an explanation of what is happening. I truly appreciate it!!

macbentosh
New Contributor III
#!/bin/bash

crowdstrikeVersion=`sysctl cs | grep "version" | awk '{print $2}'` 

if [ "$crowdstrikeVersion" != " " ]; then
    echo "<result>$crowdstrikeVersion</result>"
else
    echo "<result>Not Installed</result>"
fi

That's what I do.

TechM
New Contributor III

Thank you @macbentosh ! This worked for the version we are deploying. It seems there are differences in how this is pulled from version 36 vs version 34. Now I need to figure out how to get the CS UUID.

macbentosh
New Contributor III

Would that be the sensorID or the CustomerID?

Same thing just change the first line

sysctl cs | grep "cs.customerid" | awk '{print $2}'

You can sub this from whatever comes out of sysctl cs

tlarkin
Honored Contributor

FYI couple of tips

sysctl -n will return just the value, no need to grep or awk. Also, in the new release all of this is moving to falconctl which now has plist type output, here is a python 3 script I wrote playing around with the new binary output

#!/opt/snowflake/bin/python3
​
import subprocess
import plistlib
​
cmd = ['/Library/CS/falconctl', 'stats', '-p']
proc = subprocess.Popen(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
out, err = proc.communicate()
data = plistlib.loads(out)
​
agentid = data['agent_info']['agentID'].replace('-','').lower()
version = data['agent_info']['version']
​
print(f'Agent ID: {agentid}')
print(f'CS Version: {version}')

mani2care
Contributor

is there any extension attribue for this to support big sure, Catalina, Mojave, highsierra

dennisnardi
New Contributor III

I believe these two EA's I use will work for any version of CrowdStrike, as they've changed where the binary/falconctl can be called from a few times.

This checks for version:

#!/bin/sh
# Conditional check based on version
if [ -e /Library/CS/falconctl ]; then
    falconHostVersion=$(sysctl cs.version 2>/dev/null | awk '{print $2}')
    if [ -z "$falconHostVersion" ]
    then
        falconHostVersion=$(/Library/CS/falconctl stats 2>/dev/null | grep version | awk '{print $2}')
    fi
elif [ -e /Applications/Falcon.app/Contents/Resources/falconctl ]; then

    falconHostVersion=$(/Applications/Falcon.app/Contents/Resources/falconctl stats 2>/dev/null | grep version | awk '{print $2}')
else
  falconHostVersion="Not Installed"
fi
echo "<result>$falconHostVersion</result>"

This checks for connection state:

#!/bin/sh
# Conditional check based on connection state
if [ -e /Library/CS/falconctl ]; then
    falconHostState=$(/Library/CS/falconctl stats | grep -i "State: " | awk '{print $2}')
    if [ -z "$falconHostState" ]
    then
        falconHostState=$(/Library/CS/falconctl stats 2>/dev/null | grep -i "State: " | awk '{print $2}')
    fi
elif [ -e /Applications/Falcon.app/Contents/Resources/falconctl ]; then

    falconHostState=$(/Applications/Falcon.app/Contents/Resources/falconctl stats 2>/dev/null | grep -i "State: " | awk '{print $2}')
else
  falconHostState="Not Connected"
fi
echo "<result>$falconHostState</result>"

I tested and these worked on the Big Sur beta, but I think right now (CS 6.12) the stats command is buggy. I'm having issues using it, although my client is confirmed to be working in the console; others in the macadmins Slack have reported the same. I'm guessing a future CS release will be more Big Sur friendly.