Open mikermcneil opened 2 years ago
Customer that requested has the crowdstrike extension deployed with osquery.
One way to do this would be to expose the Falcon binary "stats" data as an osquery table which someone has already done:
https://github.com/bdemetris/osquery-crowdstrike-ext
@getvictor @sharon-fdm can we validate this extension (I know we probably don't have a Crowdstrike install anywhere but can the extension code be validated is what I mean) & can this extension be added to the Fleet data table / orbit tables extensions / schema? Thanks!
@xpkoala, IIRC you may have/had a Crowdstrike agent installed somewhere. Would you be able to install this ext and see if it works?
FYI. That extension does not have a license, which means all rights are reserved by default. We would need to contact the author to add a license or write our own table.
Thanks @getvictor I put in an issue on his repo asking him to add some sort of license (I suggested MIT...)
@nonpunctual just following up on this so it doesn't fall between the cracks. This task is not on our radar for this sprint. If it's needed, please make sure it goes through product.
@getvictor @sharon-fdm Update: in contact with the developer.
@nonpunctual SGTM. If we want this as a feature, we could use this table or, if need be, develop one. cc: @noahtalerman
I was able to contact the developer & he seems receptive to adding a license in his repo.
@getvictor @sharon-fdm https://github.com/bdemetris/osquery-crowdstrike-ext is now updated with MIT license. Thanks!
@noahtalerman @nonpunctual we could estimate this in our next est session if you need it for featurefest
@noahtalerman @sharon-fdm I feel like it's a pretty easy win so I vote yes, but, I always vote yes on my own issues. :) customer-honoria is currently piloting new queries for Falcon. Thanks.
PS. I have not reviewed this code or tested it so that would also need to be part of the estimate - i.e., try this extension, which might add difficulty to the effort because testing requires a CrowdStrike install.
@sharon-fdm I think let's stick to the current process. New requests are sent to feature fest => prioritized => drafted => then estimated.
That way the team stays focused on the stories we prioritized.
That said, it would be helpful to get a rough estimate. What's the t-shirt size? small, medium, large, x-large.
@nonpunctual FYI we have a couple of CrowdStrike tables today:
I agree adding more would be a good quick win.
@noahtalerman yes, but, the original request was for the falcon CLI stats option. It has more data & it has data about the server side & host side. I don't think anything we currently get has all the data that stats has, but, I would have to get access to a falcon install to test that. I am assuming that from memory of using it in the past.
Soon we'll be dogfooding CrowdStrike!
cc @roperzh
Sharon: Level of effort is a medium (1-3 days for 1 engineer)
Noah: Thanks! Good to know. As for when we work on this, I think let’s stick to the prioritization process: feature fest => drafting => estimation.
I don't think anything we currently get has all the data that stats has, but, I would have to get access to a falcon install to test that.
Hey @nonpunctual, have you had a chance to verify that adding this table would expose more info than we already get w/ the existing CrowdStrike Falcon tables? Those are falconctl_options and falcon_kernel_check
Looking at the columns here, it looks like maybe there's some info that we don't get. That said, I think let's verify that before we invest time in building/maintaining a new table.
@noahtalerman I spoke with @PezHub about access to the CrowdStrike install. I am not sure how to get it. I don't see it in dogfood but maybe I am doing it wrong...
@nonpunctual it got removed from dogfood as part of the gitops workflow since I had uploaded it via the UI but I'll send you the google shared drive and 1password info in slack
@PezHub could we add it to dogfood via GitOps? https://github.com/fleetdm/fleet/tree/main/it-and-security
@noahtalerman here is the output of falconctl stats
=== CloudInfo ===
Cloud Info
Host: blah.net
Port: 443
State: connected
=== Communications ===
Message Store
Capacity: 380
Size: 0
Cloud Activity
Attempts: 1
Connects: 1
Failures: 0
Timeouts: 0
Malformed Messages: 0
Errors: 0
Established At: Jun 14, 2024 at 6:01:56 PM
Last Established At:
Event Sums 1m 5m 1h 4h 8h 12h 1d
Sent 127 771 771 771 771 771 771
Received 14 38 38 38 38 38 38
Ignored 0 0 0 0 0 0 0
Resent 0 0 0 0 0 0 0
Resend Limit 0 0 0 0 0 0 0
Overflow 0 0 0 0 0 0 0
Acknowledgement Sums 1m 5m 1h 4h 8h 12h 1d
Sent 14 38 38 38 38 38 38
Received 143 771 771 771 771 771 771
Ignored 0 0 0 0 0 0 0
Resent 0 0 0 0 0 0 0
Resend Limit 0 0 0 0 0 0 0
Overflow 0 0 0 0 0 0 0
Events Sent 1m 5m 1h 4h 8h 12h 1d
AdditionalHostInfoMacV3 0 1 1 1 1 1 1
AgentConnectMacV6 0 1 1 1 1 1 1
AgentOnlineMacV13 0 1 1 1 1 1 1
BillingInfoMacV2 0 1 1 1 1 1 1
ChannelVersionRequiredMacV2 0 90 90 90 90 90 90
CloudRequestReceivedMacV1 0 1 1 1 1 1 1
ConfigStateUpdateMacV3 33 40 40 40 40 40 40
ConfigurationLoadedMacV1 0 1 1 1 1 1 1
CurrentSystemTagsMacV1 0 10 10 10 10 10 10
DnsRequestMacV4 10 10 10 10 10 10 10
ErrorEventMacV2 0 1 1 1 1 1 1
FileVaultStatusMacV1 0 1 1 1 1 1 1
FirewallEnabledMacV1 0 1 1 1 1 1 1
FsVolumeMountedMacV5 0 11 11 11 11 11 11
HostInfoMacV5 0 1 1 1 1 1 1
LFODownloadConfirmationMacV1 14 37 37 37 37 37 37
LocalIpAddressIP4MacV4 0 4 4 4 4 4 4
LocalIpAddressIP6MacV4 0 13 13 13 13 13 13
NeighborListIP4MacV1 0 2 2 2 2 2 2
NetworkConnectIP4MacV13 20 26 26 26 26 26 26
NetworkConnectIP6MacV13 0 1 1 1 1 1 1
OsVersionInfoMacV4 0 2 2 2 2 2 2
RawBindIP4MacV11 50 58 58 58 58 58 58
RawBindIP6MacV11 0 1 1 1 1 1 1
SensorHeartbeatMacV4 0 1 1 1 1 1 1
SyntheticProcessRollup2MacV5 0 452 452 452 452 452 452
SystemCapacityMacV2 0 1 1 1 1 1 1
UserIdentityMacV5 0 1 1 1 1 1 1
UserLogonMacV1 0 1 1 1 1 1 1
Events Received 1m 5m 1h 4h 8h 12h 1d
LFODownloadMacV1 14 37 37 37 37 37 37
SetSystemTagsMacV1 0 1 1 1 1 1 1
=== EndpointSecurity ===
auth: 4
authDMC: 0
authExecCount: 0
authLookupCount: 0
authLookupMisses: 0
exec: 4
execDMC: 0
notify: 4
notifyDMC: 0
setflags: 0
signal: 0
tampering: 99
tamperingDMC: 0
timeouts: 0
=== StaticAnalysis ===
avg: 0
max: 0
ready: 1
requests: 0
successes: 0
=== agent_info ===
version: 7.15.18402.0
agentID: blah
customerID: blah
Sensor operational: true
=== corrmgr ===
current: 979
destroyed: 23
instantiated: 1002
max: 982
=== device_control ===
enabled: 0
fs_auth: 0
rule_count: 0
subscribe_on_storage_connection_enabled: 0
=== dynamic_settings ===
channel: {
"asep_plist_detection_template" = 0;
"basic_process_custom_template" = 0;
"basic_process_multimatch_template" = 0;
"basic_process_v2_multimatch_template" = 2;
"basic_process_v3" = 0;
classification = 1;
"cust_prevent_md5" = 0;
"cust_prevent_sha" = 0;
"device_control" = 0;
"dns_request_template" = 0;
"dropper_template" = 0;
"dyn_patterns" = 2;
"file_path_exc" = 0;
"file_renamed_template" = 2;
"file_written_custom_template" = 0;
"file_written_template" = 2;
"firmware_analysis_policy" = 1;
"global_prevent_md5" = 0;
"global_prevent_sha" = 1;
hbfw = 0;
"ioa_exclusions" = 0;
"ioc_management_md5" = 0;
"ioc_management_sha" = 0;
"ip_allowlist" = 0;
"lfo_up_exc" = 0;
"ml_exclusions" = 0;
"network_connection_custom_template" = 0;
"package_manager" = 0;
"parent_comp_template" = 1;
"pr2_template" = 3;
"process_based_exc" = 0;
"process_comp_template" = 0;
"script_control_template" = 3;
"session_comp_template" = 0;
"str_allowlist" = 2;
}
installGuard: Disabled
systemtags: (
312,
...redacted
)
=== file_metadata ===
active: 0
enabled: 0
filesIterated: 0
iterationStatus: 0
iterationTimeMs: 0
metadataExtractionRequests: 0
metadataExtractionTimeAvg: 0
metadataRequests: 0
=== hashactor ===
current: 0
failed: 0
hits: 114
max: 0
misses: 338
=== hbfw ===
data: 0
lid: 00000000-0000-0000-0000-000000000000
log: 0
packet: 0
rule_count: 0
rwl: 0
wildcards: 0
=== kill_process ===
failure_count: 0
success_count: 0
=== packagemanager ===
downloads: 0
packages: 1
requests: 0
=== queue ===
max_queue_depth: 6
number_of_queues: 5
number_of_workers: 10
queue_depth: 0
total_dequeued: 1040
total_queued: 1040
=== smcache ===
invalidate_hits: 20
invalidate_misses: 5978
read_hits: 1466
read_misses: 32
write_hits: 1
write_misses: 31
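As an added example (not code from this issue, from Fleet, or from the bdemetris extension), here is a Go sketch of how the pasted `falconctl stats` output could be flattened into (section, key, value) rows for a falcon_info table. The StatsRow type, the ParseFalconStats function and the trimmed sample text are all assumptions of this example, not anything the project ships.

```go
package main

import (
	"fmt"
	"strings"
)

// StatsRow is one row of a hypothetical falcon_info table: (section, key, value) flattened from `falconctl stats`.
type StatsRow struct{ Section, Key, Value string }
// Constructed sample, trimmed from the falconctl stats output pasted above.
const sampleStats = `=== CloudInfo ===
Host: blah.net
=== Communications ===
Event Sums 1m 5m 1h 4h 8h 12h 1d
Sent 127 771 771 771 771 771 771
Resend Limit 0 0 0 0 0 0 0
=== agent_info ===
Sensor operational: true
`
// ParseFalconStats turns "key: value" lines into rows and, under a table header ("Event Sums 1m 5m ... 1d"),
// emits one row per column keyed "<table>.<row>.<column>". Other lines (sub-headings, braces) are skipped.
func ParseFalconStats(text string) []StatsRow {
	var rows []StatsRow
	var cols []string // columns of the table currently being read, if any
	section, table := "", ""
	for _, line := range strings.Split(text, "\n") {
		f := strings.Fields(line)
		switch {
		case strings.HasPrefix(line, "=== ") && strings.HasSuffix(line, " ==="):
			section, cols = strings.Trim(line, "= "), nil
		case strings.Contains(line, ":"):
			k, v, _ := strings.Cut(line, ":")
			rows = append(rows, StatsRow{section, strings.TrimSpace(k), strings.TrimSpace(v)})
			cols = nil
		case len(f) > 7 && f[len(f)-7] == "1m": // header: table name precedes the 7 intervals
			table, cols = strings.Join(f[:len(f)-7], " "), f[len(f)-7:]
		case cols != nil && len(f) > len(cols): // data row: "<name...> v1 ... v7"
			name := strings.Join(f[:len(f)-len(cols)], " ")
			for i, c := range cols {
				rows = append(rows, StatsRow{section, table + "." + name + "." + c, f[len(f)-len(cols)+i]})
			}
		}
	}
	return rows
}
func main() {
	for _, r := range ParseFalconStats(sampleStats) {
		fmt.Printf("%-16s %-26s %s\n", r.Section, r.Key, r.Value)
	}
}
```

Real output has sections whose values span multiple lines (the dynamic_settings channel block, systemtags); those lines are skipped by this sketch, so a production table would need an extra case for them.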
@PezHub could we add it to dogfood via GitOps? https://github.com/fleetdm/fleet/tree/main/it-and-security
Sure, but we'll need to upload the required config profiles (I need the UUIDs) for the pre-install conditions since we currently can't edit installer pkgs after upload. Happy to work with @nonpunctual once those are ready
Hey @nonpunctual heads up, this didn't make it to estimation in the current design sprint (ends today).
Bringing it back to feature fest so we can discuss prioritization.
Goal
falcon_info table

Context
We chose the falcon_info name to be consistent w/ existing CrowdStrike Falcon tables: falconctl_options and falcon_kernel_check

Changes
Product
- falcon_info table
- falcon_info table using the community (MIT licensed) table here. Add attribution to the community member in the table docs.
- falcon_info table to fleetdm.com/tables
Engineering

QA
Risk assessment
Manual testing steps
Testing notes
Confirmation