crowdstrike / cloud-azure
Discover for Cloud and Containers Azure
The instructions for setting up the Azure Virtual Machine Application to deploy the CS Sensor on Linux [link] mention:
Make sure to keep some iteration of mv CrowdStrike-Falcon-Linux-Installer falcon-linux-install.sh in --install-command. Otherwise, the application will fail to install.
In this case, the --package-file-name parameter is not included in the example, and the file is downloaded as falcon-linux-install.sh.
The current code example causes the installation to fail and therefore should be updated by either removing
mv CrowdStrike-Falcon-Linux-Installer falcon-linux-install.sh &&
from the install-command, or adding --package-file-name CrowdStrike-Falcon-Linux-Installer
to the gallery-app version creation command.
Using the current code example, installation fails:
Error output in /var/lib/waagent/Microsoft.CPlat.Core.VMApplicationManagerLinux/CrowdStrike-Falcon-Linux-Installer/{version}:
$ cat ./stderr
mv: cannot stat 'CrowdStrike-Falcon-Linux-Installer': No such file or directory
After removing it from the install-command, the output to stdout is:
$ cat ./stdout
Check if Falcon Sensor is running ...[ Not present ]
Falcon Sensor Install ... [ Ok ]
Falcon Sensor Register ... [ Ok ]
Falcon Sensor Restart ... [ Ok ]
Falcon Sensor installed successfully.
I'm having trouble with the uninstall command of the Azure VM application removing CrowdStrike against a Windows Server 2019 VM. The install works as expected. The following can be seen in VmAppExt_*.log:
Info 2023/03/01 19:20:49 Calling command 'powershell.exe -Command .\falcon_windows_install.ps1 -Uninstall 1' for application CrowdStrike-Falcon-Windows-Installer, version 1.0.4
Info 2023/03/01 19:20:50 command: powershell.exe -Command .\falcon_windows_install.ps1 -Uninstall 1
Info 2023/03/01 19:20:50 stdout:
Info 2023/03/01 19:20:50 stderr:
.\falcon_windows_install.ps1 : The term '.\falcon_windows_install.ps1' is not recognized as the name of a cmdlet,
function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the
path is correct and try again.
At line:1 char:1
+ CategoryInfo : ObjectNotFound: (.\falcon_windows_install.ps1:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException
After the uninstall operation is initiated from the console, log above can be seen. Additionally, the following folder is removed: C:\Packages\Plugins\Microsoft.CPlat.Core.VMApplicationManagerWindows\1.0.9\Downloads\CrowdStrike-Falcon-Windows-Installer
It almost seems like the script is being removed as part of the Azure uninstall job before the script is called, so CrowdStrike fails to be removed because the script can't be found.
When the script is copied to the VM and run interactively in an elevated PowerShell session, CrowdStrike is uninstalled as expected.
vm-extensions bootstrap script does not work and points to a deprecated script in the Cloud-AWS repository
I'm needing the falcon sensor installation to run every time a new virtual machine is spun up within Azure. I need this to be done with automation and not manually. How do I do this?
In the VM run command examples, update to include docs around:
master branch is no longer the standard in git repos. We should be consistent and rename to main.
Hello,
I have attempted to deploy your PowerShell script in my Terraform VM extension module. I examined the PowerShell script and could not find any reference to passing installation tokens.
Is this possible?
It appears that the linux bash scripts have this option but not powershell?
maybe I am missing something?
The arm template commandtoexecute should be moved to protectedSettings since it has the clientid and clientsecret. If it isn't in protectedSettings, it is logged in cleartext on the vm the CSE runs on.
https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/custom-script-windows#extension-schema
The same thing applies to your CLI example. https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/custom-script-linux#azure-cli has a protectedSettings example.
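The point raised in this issue, that anything placed under the extension's `settings` block ends up in cleartext on the VM while `protectedSettings` is encrypted, is easy to check mechanically before a template is deployed. The following is an added example, not code from the crowdstrike/cloud-azure repository: a small lint over a parsed ARM template that flags CustomScript extensions whose plaintext `settings` carry a `commandToExecute` containing credential-looking tokens. The two sample templates are constructed for the example; the `falcon_windows_install.ps1` parameter names, the raw.githubusercontent.com script paths and the `vm1` resource name are assumptions.

```python
"""Lint ARM templates for CustomScript extensions that put secrets in the
plaintext `settings` block instead of `protectedSettings`.

Added example; not code from the crowdstrike/cloud-azure project. The
resource shape follows the CustomScript extension schema from the Microsoft
docs linked in the issue: publisher Microsoft.Compute / type
CustomScriptExtension on Windows, publisher Microsoft.Azure.Extensions /
type CustomScript on Linux. Script paths and parameter names in the sample
templates are assumptions made for this example."""
import re

# Extension (publisher, type) pairs whose commandToExecute we inspect.
SCRIPT_EXTENSION_TYPES = {
    ("Microsoft.Compute", "CustomScriptExtension"),   # Windows
    ("Microsoft.Azure.Extensions", "CustomScript"),   # Linux
}

# Tokens that indicate a credential is being passed on the command line.
SECRET_PATTERN = re.compile(
    r"(client[_-]?secret|client[_-]?id|provisioning[_-]?token)",
    re.IGNORECASE,
)


def find_exposed_secrets(template: dict) -> list:
    """Return (resourceName, key) pairs for every CustomScript extension whose
    plaintext `settings` block holds a commandToExecute (or inline script)
    that looks like it carries credentials. Values under `settings` are
    written unencrypted to the extension's logs and status files on the VM;
    only `protectedSettings` is encrypted, so that is where they belong."""
    findings = []
    for res in template.get("resources", []):
        if res.get("type") != "Microsoft.Compute/virtualMachines/extensions":
            continue
        props = res.get("properties", {})
        if (props.get("publisher"), props.get("type")) not in SCRIPT_EXTENSION_TYPES:
            continue
        plain = props.get("settings", {})
        for key in ("commandToExecute", "script"):
            value = plain.get(key)
            if isinstance(value, str) and SECRET_PATTERN.search(value):
                findings.append((res.get("name"), key))
    return findings


# Constructed sample: the weak form, secrets on the command line under `settings`.
WEAK_TEMPLATE = {
    "resources": [{
        "type": "Microsoft.Compute/virtualMachines/extensions",
        "name": "vm1/CustomScriptExtension",              # assumed resource name
        "properties": {
            "publisher": "Microsoft.Compute",
            "type": "CustomScriptExtension",
            "typeHandlerVersion": "1.10",
            "settings": {
                "fileUris": ["https://raw.githubusercontent.com/crowdstrike/falcon-scripts/main/powershell/install/falcon_windows_install.ps1"],
                # Assumed parameter names; the secret is logged in cleartext here.
                "commandToExecute": "powershell -ExecutionPolicy Unrestricted -File falcon_windows_install.ps1 -FalconClientId <CLIENT_ID> -FalconClientSecret <CLIENT_SECRET>",
            },
        },
    }]
}

# Constructed sample: the corrected form, command (and its secrets) under `protectedSettings`.
FIXED_TEMPLATE = {
    "resources": [{
        "type": "Microsoft.Compute/virtualMachines/extensions",
        "name": "vm1/CustomScript",                       # assumed resource name
        "properties": {
            "publisher": "Microsoft.Azure.Extensions",
            "type": "CustomScript",
            "typeHandlerVersion": "2.1",
            "settings": {
                "fileUris": ["https://raw.githubusercontent.com/crowdstrike/falcon-scripts/main/bash/install/falcon-linux-install.sh"],
            },
            "protectedSettings": {
                "commandToExecute": "export FALCON_CLIENT_ID=<CLIENT_ID> && export FALCON_CLIENT_SECRET=<CLIENT_SECRET> && /bin/bash falcon-linux-install.sh",
            },
        },
    }]
}


if __name__ == "__main__":
    for label, tpl in (("weak", WEAK_TEMPLATE), ("fixed", FIXED_TEMPLATE)):
        print(label, find_exposed_secrets(tpl))
```

The lint only looks at the plaintext block; a template that keeps `fileUris` under `settings` and moves `commandToExecute` to `protectedSettings`, as the Microsoft docs show, produces no findings. The same check can be pointed at `az vm extension set` arguments by parsing the `--settings` JSON rather than the template.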
Based on internal requests, consider adding examples for using Azure DSC to deploy our sensor
Description of your question
This surfaced when we noticed that a certain individual had not returned his/her work laptop to the company after leaving.
As he/she was using an old account, logging in to Windows would still work because the machine was at home and had not contacted the corporate network.
We would like to leverage the API connection between CrowdStrike and Azure Sentinel to put an analytic rule in place so that, when an account is disabled (seen in Azure Sentinel through the Audit Logs) but the machine remains online within CrowdStrike, it is flagged in Azure Sentinel and an Alert/Incident is created.
The analytic rule currently stands at below without using any connection to the CrowdStrike Services
let watchlist = _GetWatchlist("keyStakeholders");
AuditLogs
| where OperationName == "Disable account"
| extend accountDisabled = tostring(TargetResources[0].userPrincipalName)
| where (accountDisabled has_any(watchlist))
We currently already have an API connection that provides other information from CrowdStrike to Sentinel.
Environment (please complete the following information):
CrowdStrike
Azure Sentinel
Can you please add a working example of using Terraform to deploy the Falcon sensor on Windows VMs in Azure?
.\falcon_windows_install.ps1 -Uninstall $true
This parameter does not exist in the script
When I run the following command I am getting an error:
az vm extension set \
  --resource-group PALANI_DEV2_RG \
  --vm-name testvm2 \
  --name customScript \
  --publisher Microsoft.Azure.Extensions \
  --protected-settings '{"fileUris": ["https://raw.githubusercontent.com/crowdstrike/falcon-scripts/main/bash/install/falcon-linux-install.sh"],"commandToExecute": "export FALCON_CLIENT_ID=123 && export FALCON_CLIENT_SECRET=abc && /bin/bash falcon-linux-install.sh"}'
Output:
(VMExtensionProvisioningError) VM has reported a failure when processing extension 'customScript'. Error message: "Enable failed: failed to execute command: command terminated with exit status=100
[stdout]
Falcon Sensor Install ...
[stderr]
E: Invalid archive member header
E: Could not read meta data from /tmp/tmp.DC8beNp6oV/falcon-sensor.deb
E: The package lists or status file could not be parsed or opened.
"
More information on troubleshooting is available at https://aka.ms/vmextensionlinuxtroubleshoot
Code: VMExtensionProvisioningError
Message: VM has reported a failure when processing extension 'customScript'. Error message: "Enable failed: failed to execute command: command terminated with exit status=100
[stdout]
Falcon Sensor Install ...
[stderr]
E: Invalid archive member header
E: Could not read meta data from /tmp/tmp.DC8beNp6oV/falcon-sensor.deb
E: The package lists or status file could not be parsed or opened.
"
More information on troubleshooting is available at https://aka.ms/vmextensionlinuxtroubleshoot