thetanz / csfalcon
crowdstrike tips & tricks
Home Page: https://csfalcon.thetadev.services
Troubleshooting
Windows:
Get AID from PowerShell (the AG registry value is a byte array; this renders it as lowercase hex without dashes):
powershell.exe -command "[System.BitConverter]::ToString( ((Get-ItemProperty 'HKLM:\SYSTEM\CrowdStrike\{9b03c1d9-3138-44ed-9fae-d9f4c034b88d}\{16e0423f-7058-48c9-a204-725362b67639}\Default' -Name AG).AG)).ToLower() -replace '-',''"
Verify that the Sensor is Running
sc.exe query csagent
Ensure we are able to resolve the DNS addresses the sensors require to communicate
Test-NetConnection -ComputerName ts01-b.cloudsink.net -DiagnoseRouting
Test-NetConnection -ComputerName lfodown01-b.cloudsink.net -DiagnoseRouting
Ensure the traffic is allowed outbound and we don't get headers from a firewall/proxy
curl -v https://ts01-b.cloudsink.net
When running the curl command above, we would expect to see the following in the output:
HTTP/1.1 200 OK
Content-Length: 509
Content-Type: text/plain; charset=utf-8
Date: Mon, 24 Jun 2019 06:26:39 GMT

Hi tester
"/" Method: GET
Protocol: HTTP/1.1
Host: ts01-b.cloudsink.net
Check for active connections to Falcon Cloud
netstat -f
The following output is displayed if the sensor can connect to the CrowdStrike cloud:
Active Connections
  Proto  Local Address       Foreign Address                                           State
  TCP    192.0.2.130:49790   ec2-54-219-145-181.us-west-1.compute.amazonaws.com:https  ESTABLISHED
In this example, ec2-54-219-145-181 indicates a connection to a specific IP address in the CrowdStrike cloud, 54.219.145.181.
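The Windows checks above (AID, csagent service, DNS and TCP/443 reachability, established sensor connections) combined into one pass/fail report. This is an added example, not code from the csfalcon repo; the sensor process name CSFalconService and the 32-hex-character AID length are assumptions.

```powershell
# Added example: one-shot Falcon sensor health check for Windows (PowerShell 5.1+, run elevated).
# Assumptions: sensor process is CSFalconService; AID is 16 bytes (32 hex chars).
$ErrorActionPreference = 'Stop'
$results = [ordered]@{}

# 1. Agent ID: same registry value as the one-liner above, rendered as lowercase hex without dashes.
$regPath = 'HKLM:\SYSTEM\CrowdStrike\{9b03c1d9-3138-44ed-9fae-d9f4c034b88d}\{16e0423f-7058-48c9-a204-725362b67639}\Default'
try {
    $ag  = (Get-ItemProperty -Path $regPath -Name AG).AG
    $aid = ([System.BitConverter]::ToString($ag)).ToLower() -replace '-', ''
    $results['AID'] = if ($aid.Length -eq 32) { "OK ($aid)" } else { "FAIL (unexpected length $($aid.Length))" }
} catch {
    $results['AID'] = "FAIL ($($_.Exception.Message))"
}

# 2. Service state: PowerShell equivalent of 'sc.exe query csagent'.
$svc = Get-Service -Name csagent -ErrorAction SilentlyContinue
$results['csagent service'] = if ($svc -and $svc.Status -eq 'Running') { 'OK (Running)' }
                              elseif ($svc) { "FAIL ($($svc.Status))" }
                              else { 'FAIL (service not installed)' }

# 3. DNS resolution and TCP/443 reachability for the two cloud hosts named above.
foreach ($cloudHost in 'ts01-b.cloudsink.net', 'lfodown01-b.cloudsink.net') {
    $dns = Resolve-DnsName -Name $cloudHost -Type A -ErrorAction SilentlyContinue | Where-Object IPAddress
    if (-not $dns) { $results["DNS $cloudHost"] = 'FAIL (no A record)'; continue }
    $results["DNS $cloudHost"] = "OK ($(($dns | Select-Object -First 1).IPAddress))"
    $tcp = Test-NetConnection -ComputerName $cloudHost -Port 443 -WarningAction SilentlyContinue
    $results["TCP 443 $cloudHost"] = if ($tcp.TcpTestSucceeded) { 'OK' } else { 'FAIL (no TCP connect; check firewall/proxy)' }
}

# 4. Established outbound :443 connections owned by the sensor process (replaces eyeballing 'netstat -f').
$proc = Get-Process -Name CSFalconService -ErrorAction SilentlyContinue
if ($proc) {
    $conns = Get-NetTCPConnection -State Established -OwningProcess $proc.Id -ErrorAction SilentlyContinue |
             Where-Object { $_.RemotePort -eq 443 }
    $results['Sensor cloud connection'] = if ($conns) { "OK ($(@($conns)[0].RemoteAddress):443)" }
                                          else { 'FAIL (no established :443 connection)' }
} else {
    $results['Sensor cloud connection'] = 'FAIL (CSFalconService process not found)'
}

# Print one aligned line per check.
$results.GetEnumerator() | ForEach-Object { '{0,-32} {1}' -f $_.Key, $_.Value }
```

Any FAIL line maps directly to the manual check of the same name above, so the script is a triage order rather than a replacement for the individual commands.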
macOS:
Verify that the Sensor is Running
sysctl cs
The output shows a list of details about the sensor, including its agent ID (AID), version, customer ID, and more.
Verify that Sensor Components Were Installed
Run the following to see a list of the kernel extensions installed with the CrowdStrike sensor:
kextstat | grep crowd
The output shows two kernel extensions, com.crowdstrike.platform and com.crowdstrike.sensor:
189  1 0xffffff7f8345b000 0x5000  0x5000  com.crowdstrike.platform (1.1) 450E6B1A-46C4-3B88-BEC4-147139B71E2C <7 5 4 3 2 1>
190  0 0xffffff7f8351e000 0xef000 0xef000 com.crowdstrike.sensor (53.03) F356DB5C-4044-3DD9-810E-0620678E4A20 <189 43 7 5 4 3 2 1>
Verify that the Sensor is Connected to the Cloud
sudo /Library/CS/falconctl stats
In the output, look for the Cloud Info section:
Cloud Info
    IP: ts01-b.cloudsink.net
    Port: 443
    State: connected
Cloud Activity
    Attempts: 1
    Connects: 1
Logs
The Falcon sensor disables logging by default. When enabled, logs are stored at /var/log/system.log and contain the string CrowdStrike. Logs are kept according to the host's log rotation settings.
Enable Logging
sysctl cs.feature=3
Disable Logging
sysctl cs.feature=0
Expected Output
A normal startup log includes messages similar to these:
The sensor is starting.
The sensor is locating and initializing the config.
The sensor is checking communications (whether to use proxy or not and on which host/port).
The sensor is connecting and setting up SSL.
The sensor connected and is sending its first message to CrowdStrike cloud.
The sensor received a response from cloud.
All startup tasks are complete.
Linux:
Verify that the Sensor is Running
ps -e | grep -e falcon-sensor
Check kernel modules to verify the Falcon sensor's kernel modules are running
lsmod | grep falcon
Check the Falcon sensor's configurable options
sudo /opt/CrowdStrike/falconctl -g
Optional parameters:
--aid: the sensor's agent ID
--cid: your Customer ID
--apd: the sensor's proxy status (enabled or disabled)
--aph: the sensor's proxy host
--app: the sensor's proxy port
Verify the Sensor Files on Disk
sudo ls -al /opt/CrowdStrike /opt/CrowdStrike/falcon-sensor
This should be a symlink to either:
the original sensor installation at /opt/CrowdStrike/falcon-sensor
a sensor update package with a release build number, such as /opt/CrowdStrike/falcon-sensor3000
Verify that the Sensor is Connected to the Cloud
sudo netstat -tapn | grep falcon
If the Falcon sensor is communicating with the cloud, you'll see something similar to:
tcp 0 0 192.0.2.176:35382 ec2-54-148-96-12:443 ESTABLISHED 3228/falcon-sensor
Logs
grep falcon /var/log/messages | tail -n 100