CrowdStrike and Extension Attributes

peele87
New Contributor

I am looking at building a script for an Extension Attribute for Falcon | Crowdstrike with the desired result:

Read the CID of an installed Falcon Sensor

Compare the CID to one of two pushed by the JSS

One CID falls in 'Complete' - Managed by Falcon Complete Team

One CID falls in 'Lite' - AV/ED/Reporting/Remediation functions only; which is managed by our team/department.

Upon comparison - output either 'Lite' or 'Complete' to the extension attribute based on the CID detected on the client/endpoint.

I have found many of the other Crowdstrike EAs that folks have put out, but have not run across any that are able to complete a process as I've described above.

Any ideas or food for thought anyone can think of to help me kick it off/get started on it? Possible existing resources I can use to build off of?


sdagley
Esteemed Contributor II

@peele87 Here's an EA to return the customerID from an active CS Falcon install:


#!/bin/sh

# Reports back the customerID: result from the agent_info section of a falconctl stats query

result="Not Installed or Running"

# Only query the sensor if the Falcon app bundle is present
if [ -e /Applications/Falcon.app/Contents/MacOS/Falcon ]; then
	# Count loaded Falcon system extensions; 0 means the sensor is not active
	syextNum=$(systemextensionsctl list | awk '/com.crowdstrike.falcon.Agent/ {print $7,$8}' | wc -l) 
	if [ $syextNum -gt 0 ]; then
		# Pull the customerID value from the agent_info section of falconctl stats
		result=$(/Applications/Falcon.app/Contents/Resources/falconctl stats | awk '/customerID:/ {print $2}')
	fi
fi

echo "<result>$result</result>"


You can extend that to compare the customerID found to the two you're expecting to report either Lite or Complete. Or just use the EA as provided, and create two Smart Groups which use the EA result as a criteria to match either Lite or Complete.
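As an added example (not sdagley's script, and not CrowdStrike's code), here is one way to do the comparison the reply describes. The two CID values are constructed placeholders to be replaced with the CIDs the JSS pushes, and the match is made case-insensitively since a CID is a hex string.

```shell
#!/bin/sh
# Added example, not code from the original thread: extends the EA above so the
# customerID found on the endpoint is reported as "Lite" or "Complete".
# The two CID values are constructed placeholders; put the CIDs the JSS pushes here.
COMPLETE_CID="0123456789abcdef0123456789abcdef"
LITE_CID="fedcba9876543210fedcba9876543210"

# Lower-case a string so the hex CIDs compare regardless of how they were typed.
lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# Map a customerID to a tier label:
#   Complete / Lite            - matches one of the two expected CIDs
#   Unknown CID: <value>       - sensor running under a CID we did not push
#   Not Installed or Running   - empty input (no active sensor found)
classify_cid() {
    cid=$(lower "$1")
    if [ -z "$cid" ]; then
        echo "Not Installed or Running"
    elif [ "$cid" = "$(lower "$COMPLETE_CID")" ]; then
        echo "Complete"
    elif [ "$cid" = "$(lower "$LITE_CID")" ]; then
        echo "Lite"
    else
        echo "Unknown CID: $1"
    fi
}

# Read the customerID from an active sensor using the same checks as the EA above;
# prints nothing when Falcon is absent or its system extension is not loaded.
read_installed_cid() {
    if [ -e /Applications/Falcon.app/Contents/MacOS/Falcon ]; then
        syextNum=$(systemextensionsctl list | awk '/com.crowdstrike.falcon.Agent/' | wc -l | tr -d ' ')
        if [ "${syextNum:-0}" -gt 0 ]; then
            /Applications/Falcon.app/Contents/Resources/falconctl stats | awk '/customerID:/ {print $2}'
        fi
    fi
}

echo "<result>$(classify_cid "$(read_installed_cid)")</result>"
```

The "Unknown CID" branch is worth its own Smart Group: it surfaces endpoints running a sensor enrolled under a CID neither team pushed.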