fleetdm / fleet

Open-source platform for IT, security, and infrastructure teams. (Linux, macOS, Chrome, Windows, cloud, data center)
https://fleetdm.com

Add `falcon_info` table #2633

Open mikermcneil opened 2 years ago

mikermcneil commented 2 years ago

Goal

User story
As a security engineer,
I want to run queries against a new falcon_info table
so that I can see which hosts have CrowdStrike Falcon installed/operational.

Context

We chose the falcon_info name to be consistent w/ existing CrowdStrike Falcon tables: falconctl_options and falcon_kernel_check


Changes

Product

Engineering

ℹ️  Please read this issue carefully and understand it. Pay special attention to UI wireframes, especially "dev notes".

QA

Risk assessment

Manual testing steps

  1. Step 1
  2. Step 2
  3. Step 3

Testing notes

Confirmation

  1. [ ] Engineer (@____): Added comment to user story confirming successful completion of QA.
  2. [ ] QA (@____): Added comment to user story confirming successful completion of QA.
noahtalerman commented 2 years ago

Customer that requested has the crowdstrike extension deployed with osquery.

nonpunctual commented 4 months ago

One way to do this would be to expose the Falcon binary "stats" data as an osquery table which someone has already done:

https://github.com/bdemetris/osquery-crowdstrike-ext

@getvictor @sharon-fdm can we validate this extension (I know we probably don't have a Crowdstrike install anywhere, but can the extension code be validated is what I mean) & can this extension be added to the Fleet data table / orbit tables extensions / schema? Thanks!

sharon-fdm commented 4 months ago

@xpkoala, IIRC you may have/had a Crowdstrike agent installed somewhere. Would you be able to install this ext and see if it works?

getvictor commented 4 months ago

FYI. That extension does not have a license, which means all rights are reserved by default. We would need to contact the author to add a license or write our own table.

nonpunctual commented 4 months ago

Thanks @getvictor I put in an issue on his repo asking him to add some sort of license (I suggested MIT...)

sharon-fdm commented 4 months ago

@nonpunctual just following up on this so it doesn't fall between the cracks. This task is not on our radar for this sprint. If it's needed, please make sure it goes through product.

nonpunctual commented 4 months ago

@getvictor @sharon-fdm Update: in contact with the developer.

sharon-fdm commented 4 months ago

@nonpunctual SGTM. if we want this as a feature, we could use this table or, if need be, develop one. cc: @noahtalerman

nonpunctual commented 4 months ago

I was able to contact the developer & he seems receptive to adding a license in his repo.


nonpunctual commented 4 months ago

@getvictor @sharon-fdm https://github.com/bdemetris/osquery-crowdstrike-ext is now updated with MIT license. Thanks!

sharon-fdm commented 4 months ago

@noahtalerman @nonpunctual we could estimate this in our next est session if you need it for featurefest

nonpunctual commented 4 months ago

@noahtalerman @sharon-fdm I feel like it's a pretty easy win so I vote yes, but, I always vote yes on my own issues. :) customer-honoria is currently piloting new queries for Falcon. Thanks.

PS. I have not reviewed this code or tested it so that would also need to be part of the estimate - ie, try this extension which might add difficulty to the effort because testing requires a CrowdStrike install.

noahtalerman commented 4 months ago

@sharon-fdm I think let's stick to the current process. New requests are sent to feature fest => prioritized => drafted => then estimated.

That way the team stays focused on the stories we prioritized.

That said, it would be helpful to get a rough estimate. What's the t-shirt size? small, medium, large, x-large.

noahtalerman commented 4 months ago

@nonpunctual FYI we have a couple CrowdStrike tables today:

I agree adding more would be a good quick win.

nonpunctual commented 4 months ago

@noahtalerman yes, but, the original request was for the falcon CLI stats option. It has more data & it has data about the server side & host side. I don't think anything we currently get has all the data that stats has, but, I would have to get access to a falcon install to test that. I am assuming that from memory of using it in the past.

noahtalerman commented 4 months ago

Soon we'll be dogfooding CrowdStrike!

cc @roperzh

noahtalerman commented 4 months ago

Sharon: Level of effort is a medium (1-3 days for 1 engineer)

Noah: Thanks! Good to know. As for when we work on this, I think let’s stick to the prioritization process: feature fest => drafting => estimation.

noahtalerman commented 3 months ago

I don't think anything we currently get has all the data that stats has, but, I would have to get access to a falcon install to test that.

Hey @nonpunctual, have you had a chance to verify that adding this table would expose more info than we already get w/ the existing CrowdStrike Falcon tables? Those are falconctl_options and falcon_kernel_check

Looking at the columns here, it looks like maybe there's some info that we don't get. That said, I think let's verify that before we invest time in building/maintaining a new table.

nonpunctual commented 3 months ago

@noahtalerman I spoke with @PezHub about access to the CrowdStrike install. I am not sure how to get it. I don't see it in dogfood but maybe I am doing it wrong...

PezHub commented 3 months ago

@nonpunctual it got removed from dogfood as part of the gitops workflow since I had uploaded it via the UI but I'll send you the google shared drive and 1password info in slack

noahtalerman commented 3 months ago

@PezHub could we add it to dogfood via GitOps? https://github.com/fleetdm/fleet/tree/main/it-and-security

nonpunctual commented 3 months ago

@noahtalerman here is the output of falconctl stats

=== CloudInfo ===

Cloud Info
    Host: blah.net
    Port: 443
    State: connected

=== Communications ===

Message Store
    Capacity: 380
    Size: 0

Cloud Activity
    Attempts: 1
    Connects: 1
    Failures: 0
    Timeouts: 0
    Malformed Messages: 0
    Errors: 0
    Established At: Jun 14, 2024 at 6:01:56 PM
    Last Established At: 

Event Sums                                                 1m       5m       1h       4h       8h       12h      1d       
    Sent                                                   127      771      771      771      771      771      771      
    Received                                               14       38       38       38       38       38       38       
    Ignored                                                0        0        0        0        0        0        0        
    Resent                                                 0        0        0        0        0        0        0        
    Resend Limit                                           0        0        0        0        0        0        0        
    Overflow                                               0        0        0        0        0        0        0        

Acknowledgement Sums                                       1m       5m       1h       4h       8h       12h      1d       
    Sent                                                   14       38       38       38       38       38       38       
    Received                                               143      771      771      771      771      771      771      
    Ignored                                                0        0        0        0        0        0        0        
    Resent                                                 0        0        0        0        0        0        0        
    Resend Limit                                           0        0        0        0        0        0        0        
    Overflow                                               0        0        0        0        0        0        0        

Events Sent                                                1m       5m       1h       4h       8h       12h      1d       
    AdditionalHostInfoMacV3                                0        1        1        1        1        1        1    
    AgentConnectMacV6                                      0        1        1        1        1        1        1    
    AgentOnlineMacV13                                      0        1        1        1        1        1        1    
    BillingInfoMacV2                                       0        1        1        1        1        1        1    
    ChannelVersionRequiredMacV2                            0        90       90       90       90       90       90   
    CloudRequestReceivedMacV1                              0        1        1        1        1        1        1    
    ConfigStateUpdateMacV3                                 33       40       40       40       40       40       40   
    ConfigurationLoadedMacV1                               0        1        1        1        1        1        1    
    CurrentSystemTagsMacV1                                 0        10       10       10       10       10       10   
    DnsRequestMacV4                                        10       10       10       10       10       10       10   
    ErrorEventMacV2                                        0        1        1        1        1        1        1    
    FileVaultStatusMacV1                                   0        1        1        1        1        1        1    
    FirewallEnabledMacV1                                   0        1        1        1        1        1        1    
    FsVolumeMountedMacV5                                   0        11       11       11       11       11       11   
    HostInfoMacV5                                          0        1        1        1        1        1        1    
    LFODownloadConfirmationMacV1                           14       37       37       37       37       37       37   
    LocalIpAddressIP4MacV4                                 0        4        4        4        4        4        4    
    LocalIpAddressIP6MacV4                                 0        13       13       13       13       13       13   
    NeighborListIP4MacV1                                   0        2        2        2        2        2        2    
    NetworkConnectIP4MacV13                                20       26       26       26       26       26       26   
    NetworkConnectIP6MacV13                                0        1        1        1        1        1        1    
    OsVersionInfoMacV4                                     0        2        2        2        2        2        2    
    RawBindIP4MacV11                                       50       58       58       58       58       58       58   
    RawBindIP6MacV11                                       0        1        1        1        1        1        1    
    SensorHeartbeatMacV4                                   0        1        1        1        1        1        1    
    SyntheticProcessRollup2MacV5                           0        452      452      452      452      452      452  
    SystemCapacityMacV2                                    0        1        1        1        1        1        1    
    UserIdentityMacV5                                      0        1        1        1        1        1        1    
    UserLogonMacV1                                         0        1        1        1        1        1        1    

Events Received                                            1m       5m       1h       4h       8h       12h      1d       
    LFODownloadMacV1                                       14       37       37       37       37       37       37   
    SetSystemTagsMacV1                                     0        1        1        1        1        1        1    

=== EndpointSecurity ===

auth: 4
authDMC: 0
authExecCount: 0
authLookupCount: 0
authLookupMisses: 0
exec: 4
execDMC: 0
notify: 4
notifyDMC: 0
setflags: 0
signal: 0
tampering: 99
tamperingDMC: 0
timeouts: 0

=== StaticAnalysis ===

avg: 0
max: 0
ready: 1
requests: 0
successes: 0

=== agent_info ===

version: 7.15.18402.0
agentID: blah
customerID: blah

Sensor operational: true

=== corrmgr ===

current: 979
destroyed: 23
instantiated: 1002
max: 982

=== device_control ===

enabled: 0
fs_auth: 0
rule_count: 0
subscribe_on_storage_connection_enabled: 0

=== dynamic_settings ===

channel: {
    "asep_plist_detection_template" = 0;
    "basic_process_custom_template" = 0;
    "basic_process_multimatch_template" = 0;
    "basic_process_v2_multimatch_template" = 2;
    "basic_process_v3" = 0;
    classification = 1;
    "cust_prevent_md5" = 0;
    "cust_prevent_sha" = 0;
    "device_control" = 0;
    "dns_request_template" = 0;
    "dropper_template" = 0;
    "dyn_patterns" = 2;
    "file_path_exc" = 0;
    "file_renamed_template" = 2;
    "file_written_custom_template" = 0;
    "file_written_template" = 2;
    "firmware_analysis_policy" = 1;
    "global_prevent_md5" = 0;
    "global_prevent_sha" = 1;
    hbfw = 0;
    "ioa_exclusions" = 0;
    "ioc_management_md5" = 0;
    "ioc_management_sha" = 0;
    "ip_allowlist" = 0;
    "lfo_up_exc" = 0;
    "ml_exclusions" = 0;
    "network_connection_custom_template" = 0;
    "package_manager" = 0;
    "parent_comp_template" = 1;
    "pr2_template" = 3;
    "process_based_exc" = 0;
    "process_comp_template" = 0;
    "script_control_template" = 3;
    "session_comp_template" = 0;
    "str_allowlist" = 2;
}
installGuard: Disabled
systemtags: (
    312,
    ...redacted
)

=== file_metadata ===

active: 0
enabled: 0
filesIterated: 0
iterationStatus: 0
iterationTimeMs: 0
metadataExtractionRequests: 0
metadataExtractionTimeAvg: 0
metadataRequests: 0

=== hashactor ===

current: 0
failed: 0
hits: 114
max: 0
misses: 338

=== hbfw ===

data: 0
lid: 00000000-0000-0000-0000-000000000000
log: 0
packet: 0
rule_count: 0
rwl: 0
wildcards: 0

=== kill_process ===

failure_count: 0
success_count: 0

=== packagemanager ===

downloads: 0
packages: 1
requests: 0

=== queue ===

max_queue_depth: 6
number_of_queues: 5
number_of_workers: 10
queue_depth: 0
total_dequeued: 1040
total_queued: 1040

=== smcache ===

invalidate_hits: 20
invalidate_misses: 5978
read_hits: 1466
read_misses: 32
write_hits: 1
write_misses: 31
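The stats output above, parsed into the single row a falcon_info table could return, as an added example in Go (not the linked extension's code or Fleet's): the section headers and key labels come from the output, while the column names, the trimmed constructed sample, and the rule for skipping the nested channel/systemtags blocks are this example's assumptions.

```go
package main

import "strings"

// Constructed sample of `falconctl stats` output (not real sensor data),
// trimmed to the sections the row below needs.
const sampleStats = `=== CloudInfo ===
Cloud Info
    Host: blah.net
    State: connected
=== agent_info ===
version: 7.15.18402.0
Sensor operational: true
=== dynamic_settings ===
channel: {
    "dns_request_template" = 0;
}
installGuard: Disabled
`

// parseFalconStats flattens "key: value" lines into "section.key" entries;
// table rows (no colon) and the nested channel/systemtags blocks are skipped.
func parseFalconStats(out string) map[string]string {
	kv, section := map[string]string{}, ""
	for _, raw := range strings.Split(out, "\n") {
		line := strings.TrimSpace(raw)
		if strings.HasPrefix(line, "=== ") && strings.HasSuffix(line, " ===") {
			section = strings.TrimSuffix(strings.TrimPrefix(line, "=== "), " ===")
			continue
		}
		k, v, ok := strings.Cut(line, ":")
		v = strings.TrimSpace(v)
		if !ok || v == "" || v == "{" || v == "(" {
			continue // subheading, table row, or start of a nested block
		}
		kv[section+"."+strings.TrimSpace(k)] = v
	}
	return kv
}

// falconInfoRow is the single row a hypothetical falcon_info table would
// return; the column names are an assumption for this example.
func falconInfoRow(out string) map[string]string {
	kv := parseFalconStats(out)
	return map[string]string{
		"version":            kv["agent_info.version"],
		"sensor_operational": kv["agent_info.Sensor operational"],
		"cloud_state":        kv["CloudInfo.State"],
	}
}
```

The "Event Sums" and "Events Sent" tables are deliberately left out of the row; per-interval counters change on every query and belong in a separate table if they are wanted at all.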

PezHub commented 3 months ago

@PezHub could we add it to dogfood via GitOps? https://github.com/fleetdm/fleet/tree/main/it-and-security

sure but we'll need to upload the required config profiles (i need the UUIDs) for the pre-install conditions since we currently can't edit installer pkgs after upload. Happy to work with @nonpunctual once those are ready

noahtalerman commented 3 months ago

Hey @nonpunctual heads up, this didn't make it to estimation in the current design sprint (ends today).

Bringing it back to feature fest so we can discuss prioritization.