CrowdStrike / falcon-scripts

Scripts to streamline the deployment and use of the CrowdStrike Falcon sensor
The Unlicense
145 stars 85 forks

[Windows/Powershell]: unable to install sensor #261

Closed hazcod closed 7 months ago

hazcod commented 7 months ago

Hi there,

Trying to install a falcon sensor on a Windows Server EC2 instance on AWS. We're using the current version of the PowerShell script.

The token created has read perms for hosts and host update policy. The script returns: "Unable to fetch policy details from the CrowdStrike Falcon API." Can you please advise?

Scopes: [screenshot]

Log:

 C:\Windows\Temp\falcon_windows_install.ps1 -FalconClientId <clientid> -FalconClientSecret <secret> -FalconCid <cid> -Verbose -Tags "os/windows"
...
DEBUG:     ! SET $message = 'Unable to fetch policy details from the CrowdStrike F…'.
DEBUG:  289+                  >>>> throw $message

DEBUG:  293+              >>>> Write-VerboseLog -VerboseInput $_.Exception -PreMessage 'Get-ResourceContent - CAUGHT EXCEPTION - $_.Exception:'

DEBUG:  147+     function Write-VerboseLog ([psobject] $VerboseInput, [string] $PreMessage)  >>>> {

DEBUG:     ! CALL function 'Write-VerboseLog'  (defined in file 'C:\Windows\Temp\falcon_windows_install.ps1')
DEBUG:  150+         if ( >>>> $VerboseInput -is [string]) {

DEBUG:  154+              >>>> $message = $VerboseInput | ConvertTo-Json -Depth 10

DEBUG:     ! SET $message = '{
  "ErrorRecord": {
    "Exception": {
      "Mes…'.
DEBUG:  158+         if ( >>>> $PreMessage) {

DEBUG:  159+              >>>> $message = "$PreMessage`r`n$message"

DEBUG:     ! SET $message = 'Get-ResourceContent - CAUGHT EXCEPTION - $_.Exception…'.
DEBUG:  163+          >>>> Write-Verbose $message

VERBOSE: Get-ResourceContent - CAUGHT EXCEPTION - $_.Exception:
{
  "ErrorRecord": {
    "Exception": {
      "Message": "Unable to fetch policy details from the CrowdStrike Falcon API.",
      "TargetSite": null,
      "Data": {},
      "InnerException": null,
      "HelpLink": null,
      "Source": null,
      "HResult": -2146233087,
      "StackTrace": null
    },
    "TargetObject": null,
    "CategoryInfo": {
      "Category": 0,
      "Activity": "",
      "Reason": "ParentContainsErrorRecordException",
      "TargetName": "",
      "TargetType": ""
    },
    "FullyQualifiedErrorId": "RuntimeException",
    "ErrorDetails": null,
    "InvocationInfo": null,
    "ScriptStackTrace": null,
    "PipelineIterationInfo": []
  },
  "WasThrownFromThrowStatement": true,
  "TargetSite": null,
  "Message": "Unable to fetch policy details from the CrowdStrike Falcon API.",
  "Data": {},
  "InnerException": null,
  "HelpLink": null,
  "Source": null,
  "HResult": -2146233087,
  "StackTrace": null
}
DEBUG:  166+          >>>> Write-FalconLog -Source 'VERBOSE' -Message $message -stdout $false

DEBUG:  133+     function Write-FalconLog ([string] $Source, [string] $Message, [bool] $stdout = $true)  >>>> {

DEBUG:     ! CALL function 'Write-FalconLog'  (defined in file 'C:\Windows\Temp\falcon_windows_install.ps1')
DEBUG:  134+          >>>> $Content = @(Get-Date -Format 'yyyy-MM-dd hh:MM:ss')

DEBUG:  134+         $Content = @( >>>> Get-Date -Format 'yyyy-MM-dd hh:MM:ss')

DEBUG:     ! SET $Content = '2024-02-14 11:02:05'.
DEBUG:  135+         if ( >>>> $Source -notmatch '^(StartProcess|Delete(Installer|Script))$' -and

DEBUG:  140+          >>>> "$(@($Content + $Source) -join ' '): $Message" | Out-File -FilePath $LogPath -Append -Encoding utf8

DEBUG:  140+         "$( >>>> @($Content + $Source) -join ' '): $Message" | Out-File -FilePath $LogPath -Append -Encoding utf8

DEBUG:  142+         if ( >>>> $stdout) {

DEBUG:  145+      >>>> }

DEBUG:  167+      >>>> }

DEBUG:  294+              >>>> $response = $_.Exception.Response

DEBUG:     ! SET $response = ''.
DEBUG:  296+             if ( >>>> !$response) {

DEBUG:  297+                  >>>> $message = "Unhandled error occurred. Error: $($_.Exception.Message)"

DEBUG:  297+                 $message = "Unhandled error occurred. Error: $( >>>> $_.Exception.Message)"

DEBUG:     ! SET $message = 'Unhandled error occurred. Error: Unable to fetch poli…'.
DEBUG:  298+                  >>>> throw $message

Exception: C:\Windows\Temp\falcon_windows_install.ps1:298
Line |
 298 |                  throw $message
     |                  ~~~~~~~~~~~~~~
     | Unhandled error occurred. Error: Unable to fetch policy details from the CrowdStrike Falcon API.
carlosmmatos commented 7 months ago

By default, when you don't pass in a sensor update policy itself, it will use the platform_default value which should exist. Can you verify the following exists in your env:

[screenshot]

hazcod commented 7 months ago

Hi @carlosmmatos , it does exist, however it is inherited from a FlightControl instance. [screenshot]

carlosmmatos commented 7 months ago

Let me do some testing with that.. usually with flight control there is an associated member_cid that gets passed for the oauth2 authentication, but I haven't tested this in flight control so not sure yet.
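A standalone check for the two points raised above (does the platform_default sensor update policy resolve for this CID, and does passing member_cid for a Flight Control child change the answer). This is an added diagnostic, not code from falcon-scripts; it assumes the public Falcon OAuth2 token endpoint, the combined sensor-update policy endpoint with the same FQL filter the installer uses, and the US-1 API host as the default for -BaseUrl.

```powershell
# Added diagnostic, not part of falcon-scripts. Assumed endpoints: POST /oauth2/token
# and GET /policy/combined/sensor-update/v2; adjust -BaseUrl for your cloud region.
param(
    [Parameter(Mandatory)] [string] $ClientId,
    [Parameter(Mandatory)] [string] $ClientSecret,
    [string] $MemberCid,                               # child CID when the key lives in a Flight Control parent
    [string] $BaseUrl      = 'https://api.crowdstrike.com',
    [string] $PolicyName   = 'platform_default',
    [string] $PlatformName = 'Windows'
)

# 1. OAuth2 client-credentials token. With Flight Control, member_cid scopes the token to the child CID.
$body = @{ client_id = $ClientId; client_secret = $ClientSecret }
if ($MemberCid) { $body['member_cid'] = $MemberCid }
try {
    $token = Invoke-RestMethod -Method Post -Uri "$BaseUrl/oauth2/token" -Body $body `
        -ContentType 'application/x-www-form-urlencoded'
} catch {
    throw "OAuth2 token request failed: $($_.Exception.Message)"
}
$headers = @{ Authorization = "Bearer $($token.access_token)"; Accept = 'application/json' }

# 2. The same lookup the installer performs: combined sensor-update policies filtered by platform and name.
$filter = [uri]::EscapeDataString("platform_name:'$PlatformName'+name.raw:'$PolicyName'")
$uri    = "$BaseUrl/policy/combined/sensor-update/v2?filter=$filter"
try {
    $result = Invoke-RestMethod -Method Get -Uri $uri -Headers $headers
} catch {
    # A 403 here means the key lacks the sensor update policy read scope for the CID the token is bound to.
    throw "Policy query failed ($($_.Exception.Response.StatusCode)): $($_.Exception.Message)"
}

# 3. Report what the installer would see. Field names (name, enabled, platform_name, settings.build)
#    are the documented policy resource fields and are an assumption of this diagnostic.
if (-not $result.resources -or $result.resources.Count -eq 0) {
    Write-Warning "No '$PolicyName' sensor update policy visible for $PlatformName in this CID."
    $result.errors | ForEach-Object { Write-Warning "API error: $($_.message)" }
} else {
    foreach ($p in $result.resources) {
        [pscustomobject]@{
            Name     = $p.name
            Enabled  = $p.enabled
            Platform = $p.platform_name
            Build    = $p.settings.build
        }
    }
}
```

Run it once without -MemberCid and once with the child CID; if only the second call returns the policy, the installer's token is being issued against the parent rather than the member CID.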

hazcod commented 7 months ago

FYI @carlosmmatos it suddenly started working after 1 day. 🤷🏼

carlosmmatos commented 7 months ago

Ok great because I could not figure out what was going on! Thanks for updating us!