Hi all,

We're moving to CrowdStrike antivirus; there is only a cloud console, which can be monitored through a web API using OAuth2 authentication with a 30-minute token.

I'm not a "script guy"; I have only used some PRTG scripts downloaded from GitHub or other blogs. I wrote to Paessler support and they helped me with the template and the description below. Can someone help me complete the script? I only need to monitor virus detections. I'm waiting for the query from CrowdStrike support; this is the API specification: https://assets.falcon.laggar.gcw.crowdstrike.com/support/api/swagger-eagle.html#/detects/QueryDetects

Many thanks

SCRIPT:

Param (
    #[Parameter(Mandatory)]
    [string]$url = "https://api.crowdstrike.com",
    [string]$client_id = "",
    [string]$client_secret = ""
)

function Get-AuthenticationToken {
    Param(
        $baseurl = $script:url,
        $client_id = $script:client_id,
        $client_secret = $script:client_secret,
        $method = "POST"
    )
    $headers = @{
        'accept' = 'application/json'
        'content-type' = 'application/x-www-form-urlencoded'
    }
    # Form-encoded body; values containing '&' or '=' would need URL-encoding first
    $payload = "client_id=$client_id&client_secret=$client_secret"
    $url = $baseurl.Trim("/") + "/oauth2/token"
    # Pass the headers with the request and return the token to the caller
    # (the original assigned it to a local variable, so the function returned nothing)
    $token = (Invoke-RestMethod $url -Method $method -Headers $headers -Body $payload).access_token
    return $token
}

try {
    # Get a token (will be executed at each script execution)
    $token = Get-AuthenticationToken

    # Return data in PRTG (example template: replace NAME/VALUE and add one object per channel)
    $data = @"
    {
        "prtg": {
            "result": [
                {
                    "channel": "NAME",
                    "value": VALUE
                },
                ...
            ]
        }
    }
"@
    Write-Output $data

} catch {
    Write-Host "$($_.exception.message) At line : $($_.InvocationInfo.ScriptLineNumber)"
    Exit 1
}

MAIL DESCRIPTION:

The script contains the authentication part; however, it might need to be modified to work properly. The latter generates a new token at each execution, so it might also be necessary to add support for the token (save it and check whether it is still valid before asking for a new one). It also includes the code which returns the data to PRTG for the EXE/Script Advanced sensor. You then need to add the query which gets the information you want to monitor, process the data (convert it to integer or float if needed) and then add it to the JSON response. The channels should then be created automatically in PRTG.


Article Comments

I just discovered that there is a "world" of scripting/PowerShell around CrowdStrike; there are a lot of .ps1 scripts made directly by CrowdStrike, and a PowerShell module.

With three lines of PS script I can authenticate and get the desired information:

Import-Module -Name PSFalcon
Request-FalconToken -cloud eu-1 -ClientId xxxxxxxxxxxxxxxxxxxx -ClientSecret xxxxxxxxxxxxxxxxxxxxxxxx
Get-FalconDetection -Filter "status:'new'"

Now I need to write the result to PRTG and set an error status if the query answers with some rows (devices with virus detections).

Thanks in advance


Jan, 2022

Hello all,

Thanks to the "awesome" support, this is the final EXE/Script:

Param (
    #[Parameter(Mandatory)]
    [string]$url = "https://api.crowdstrike.com",   # not used: PSFalcon selects the endpoint via -Cloud below
    [string]$client_id = "",
    [string]$client_secret = ""
)

try {
    # Handles authentication
    Import-Module -Name PSFalcon
    Request-FalconToken -Cloud eu-1 -ClientId $client_id -ClientSecret $client_secret

    # Get alerts (detection IDs in status 'new')
    $alerts = Get-FalconDetection -Filter "status:'new'"

    # PRTG EXE/Script sensor output is "value:message"
    if ($alerts) {
        # @() makes .Count work for a single result as well as for an array
        Write-Output "$(@($alerts).Count):Virus detected !"
        # Exit code 0 leaves the sensor in OK state; to turn it Down on detections,
        # set an upper error limit on the channel in PRTG (or return exit code 2 here)
        Exit 0
    } else {
        Write-Output "0:Everything is good"
        Exit 0
    }

} catch {
    Write-Output "$($_.exception.message) At line : $($_.InvocationInfo.ScriptLineNumber)"
    Exit 1
}


Feb, 2022
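Putting the two pieces of advice in this thread together (the support mail's suggestion to save the token and check it before requesting a new one and to return JSON for the EXE/Script Advanced sensor, and the wish in the first comment to put the sensor in an error state when detections exist), here is an added example script. It is not the original poster's code, not Paessler support's template and not part of PSFalcon; it calls the REST API directly so the token can be cached between scans. Assumptions: the cache file path, and the QueryDetects endpoint path and response fields (GET /detects/queries/detects/v1, meta.pagination.total), which are taken from the swagger linked in the question and should be checked against it; the PRTG JSON keys (channel, value, unit, LimitMode, LimitMaxError, LimitErrorMsg, error, text) are the documented EXE/Script Advanced format.

```powershell
# Added example (not from the original post, Paessler support or PSFalcon): PRTG EXE/Script Advanced
# sensor that caches the Falcon OAuth2 token between scans and reports new detections as a channel.
# Assumptions: the cache file location, and the QueryDetects endpoint/fields taken from the linked
# swagger (GET /detects/queries/detects/v1, meta.pagination.total). Verify against your cloud.
Param (
    [string]$url = "https://api.crowdstrike.com",   # use your cloud's base URL (eu-1 differs)
    [Parameter(Mandatory)][string]$client_id,
    [Parameter(Mandatory)][string]$client_secret,
    # Assumed cache location; the probe's service account must be able to write here
    [string]$cachePath = (Join-Path $env:ProgramData "PRTG\falcon-token.json")
)

# Return a bearer token, reusing the cached one while it is still valid.
function Get-CachedToken {
    param([string]$BaseUrl, [string]$ClientId, [string]$ClientSecret, [string]$Path)
    $now = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()

    if (Test-Path $Path) {
        $cached = Get-Content $Path -Raw | ConvertFrom-Json
        # Refresh 60 s early so a token never expires in the middle of a scan
        if ($cached.access_token -and [long]$cached.expires_at -gt ($now + 60)) {
            return $cached.access_token
        }
    }

    # A hashtable body is form-encoded by Invoke-RestMethod, so secrets containing '&' or '=' survive
    $resp = Invoke-RestMethod -Uri ($BaseUrl.TrimEnd('/') + '/oauth2/token') -Method Post `
        -Headers @{ accept = 'application/json' } `
        -ContentType 'application/x-www-form-urlencoded' `
        -Body @{ client_id = $ClientId; client_secret = $ClientSecret }

    # expires_in is the lifetime in seconds reported by the token endpoint (about 30 minutes)
    New-Item -ItemType Directory -Path (Split-Path $Path) -Force | Out-Null
    @{ access_token = $resp.access_token; expires_at = $now + [int]$resp.expires_in } |
        ConvertTo-Json | Set-Content -Path $Path -Encoding UTF8
    return $resp.access_token
}

# Count detections in status 'new'. limit=1 keeps the response small; the total is read from
# meta.pagination.total (assumed from the swagger), so no paging through IDs is needed.
function Get-NewDetectionCount {
    param([string]$BaseUrl, [string]$Token)
    $query = '/detects/queries/detects/v1?limit=1&filter=' + [uri]::EscapeDataString("status:'new'")
    $resp = Invoke-RestMethod -Uri ($BaseUrl.TrimEnd('/') + $query) -Method Get `
        -Headers @{ accept = 'application/json'; authorization = "Bearer $Token" }
    return [int]$resp.meta.pagination.total
}

try {
    $token = Get-CachedToken -BaseUrl $url -ClientId $client_id -ClientSecret $client_secret -Path $cachePath
    try {
        $count = Get-NewDetectionCount -BaseUrl $url -Token $token
    } catch {
        # A token revoked server-side is rejected with 401 before its cached expiry: drop the cache, retry once
        if ($_.Exception.Response -and [int]$_.Exception.Response.StatusCode -eq 401) {
            Remove-Item $cachePath -ErrorAction SilentlyContinue
            $token = Get-CachedToken -BaseUrl $url -ClientId $client_id -ClientSecret $client_secret -Path $cachePath
            $count = Get-NewDetectionCount -BaseUrl $url -Token $token
        } else {
            throw
        }
    }

    # PRTG creates the channel from this JSON. LimitMode=1 enables limits and LimitMaxError=0
    # puts the sensor in Down state as soon as the value exceeds 0, i.e. whenever rows are returned.
    $result = @{
        prtg = @{
            result = @(
                @{
                    channel       = 'New detections'
                    value         = $count
                    unit          = 'Count'
                    LimitMode     = 1
                    LimitMaxError = 0
                    LimitErrorMsg = 'Virus detected!'
                }
            )
        }
    }
    Write-Output ($result | ConvertTo-Json -Depth 4)
    exit 0
} catch {
    # Script-level failure: the error element turns the sensor Down with this message
    $err = @{ prtg = @{ error = 1; text = "$($_.Exception.Message) at line $($_.InvocationInfo.ScriptLineNumber)" } }
    Write-Output ($err | ConvertTo-Json -Depth 3)
    exit 2
}
```

The cache file holds a live bearer token, which is a credential: keep it on the probe host in a directory whose ACL is limited to the probe's service account, and pass the client secret through the sensor's parameter field rather than hard-coding it in the script. Because the query uses limit=1 and reads only the total, the script makes one API request per scan regardless of how many detections exist, which also keeps it within the token's 30-minute lifetime even on slow scans.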

Hi,

Thank you very much for sharing it. Glad to hear that it is finally done!

Have a great day.


Feb, 2022