Preventing RFM in CrowdStrike: A Guide with Tanium Integration
Understanding RFM in CrowdStrike
The issue of RFM (Rapid Failure Mode) in CrowdStrike can be quite vexing for many users. You might have an exceptional tool for defense, but if your administrators roll out kernel patches faster than the sensor supports them, the effectiveness of the product diminishes significantly. This creates a perplexing dilemma: the security mantra is usually "PATCH, PATCH, PATCH," but in this instance you might want to exercise caution.
It's a challenge that the CrowdStrike team is diligently addressing. I genuinely appreciate the platform, so this is not a critique, just an observation. In the meantime, what options do you have? You could wait it out or manually verify patch compatibility, but that can be cumbersome. Running N-2 on patching is a possibility, yet it risks leaving you behind. For my needs, a degree of automation is preferable.
Note: This is a preliminary draft of the script, and while I typically create more structured functions, this iteration is more of a quick initial assembly. It's specifically aimed at Linux environments.
The Purpose of the Script
The script I am sharing utilizes PowerShell to interact with both the CrowdStrike and Tanium APIs. Its primary function is to monitor which patches are being applied and whether they are supported by CrowdStrike, allowing you to inform your administrators accordingly.
How It Operates
First, the script queries a report from Tanium that tracks kernel updates scheduled for installation on Linux hosts. Once the report is retrieved, it filters the data and checks the kernel versions against the CrowdStrike API to determine what is supported. It flags any unsupported versions, indicating potential RFM risks.
Next, it reports which previously flagged kernels have since become supported, using a text file to carry the record from one run to the next. This lets you keep track of supported kernels, lift any blocks you placed, and proceed with patching. At the conclusion of each run, the script automatically rotates the Tanium API key for security.
The Automation Process
The automation begins with the report generated in Tanium. To retrieve the kernels intended for installation, navigate to Data > Reports and create a report that captures relevant details, particularly the Computer Name and Applicable Patches Files, which encompass the kernel updates.
After setting up the report, note the ID from the URL (e.g., /ui/reporting/reports/report?id=[Your ID]) and input it into the script as follows:
#-- Tanium
$tantoken = Get-Content ""
$tanreportID = "[ Place it here ] "
$tantokenloc = ""
Tanium API Credentials
To run this script, you'll need valid API credentials from your Tanium instance. Ensure that you create these credentials securely and limit the IP ranges as needed:
#-- Tanium
$tantoken = Get-Content " [ Place it here ] "
$tanreportID = ""
$tantokenloc = ""
The script rotates the credentials on each run, so if you want that feature, remember to set $tantokenloc so the rotated token has somewhere to be written. Otherwise, you can remove it.
CrowdStrike API Integration
On the CrowdStrike side, you only need to adjust the API credentials. After setting them up, insert them here:
# -- Falcon API --
$clientid = ""
$csecret = ""
Tracking Unsupported Kernels
While the method I’ve implemented may not be the most advanced, it is functional. You will need to set the path of the text file that records unsupported kernels so their status can be re-checked on subsequent runs:
# location output
$kernellist = "C:\PreventRFM\Unsupported.txt"
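To make the compare-and-track step described under "How It Operates" and here concrete, the following is an added example written for this page; it is not the author's script. Everything it works on is constructed so it runs offline: the report rows stand in for what the Tanium report returns (the two column names are the ones the report is built from, the RPM-style package file names and the newline separation between several pending files are assumptions), and the supported-kernel list is a plain array of release strings standing in for what the real script pulls from the Falcon API. The file path plays the role of $kernellist.

```powershell
# Added example, not the author's script. Report rows and the supported-kernel
# list are constructed here; the real script fills them from the Tanium report
# and the Falcon API.

# Constructed sample of retrieved report rows. Package naming is assumed (RPM
# style), with several pending files separated by newlines.
$reportRows = @(
    [pscustomobject]@{
        'Computer Name'            = 'web01'
        'Applicable Patches Files' = "kernel-5.14.0-362.24.1.el9_3.x86_64.rpm`nkernel-core-5.14.0-362.24.1.el9_3.x86_64.rpm"
    },
    [pscustomobject]@{
        'Computer Name'            = 'db02'
        'Applicable Patches Files' = 'kernel-5.14.0-427.13.1.el9_4.x86_64.rpm'
    },
    [pscustomobject]@{
        'Computer Name'            = 'app03'
        'Applicable Patches Files' = 'kernel-5.14.0-427.13.1.el9_4.x86_64.rpm'
    }
)

# Constructed stand-in for the sensor's supported kernel releases.
$supportedKernels = @('5.14.0-362.24.1.el9_3.x86_64')

# Same role as $kernellist above; a temp path so the example runs anywhere.
$kernelList = Join-Path ([System.IO.Path]::GetTempPath()) 'PreventRFM-Unsupported.txt'

function Get-KernelRelease {
    param([string]$PackageFile)
    # kernel-5.14.0-362.24.1.el9_3.x86_64.rpm -> 5.14.0-362.24.1.el9_3.x86_64
    if ($PackageFile -match '^kernel(?:-core)?-(?<release>\d[^\s]+)\.rpm$') {
        return $Matches['release']
    }
    return $null   # not a kernel package, or a naming scheme this pattern does not cover
}

function Test-KernelSupport {
    param(
        [object[]]$Rows,
        [string[]]$Supported,
        [string]$ListPath
    )

    # Releases recorded as unsupported on the previous run (none on the first run).
    $previous = @()
    if (Test-Path $ListPath) {
        $previous = @(Get-Content $ListPath | Where-Object { $_.Trim() })
    }

    # release -> hosts that are about to install it
    $unsupported = @{}
    foreach ($row in $Rows) {
        $files = $row.'Applicable Patches Files' -split '\r?\n' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
        foreach ($file in $files) {
            $release = Get-KernelRelease $file
            if (-not $release -or $Supported -contains $release) { continue }
            if (-not $unsupported.ContainsKey($release)) { $unsupported[$release] = @() }
            if ($unsupported[$release] -notcontains $row.'Computer Name') {
                $unsupported[$release] += $row.'Computer Name'
            }
        }
    }

    # Flagged last run, supported now: the corresponding Tanium block can be lifted.
    $nowSupported = @($previous | Where-Object { $Supported -contains $_ })

    foreach ($release in $unsupported.Keys) {
        Write-Warning ("RFM risk: kernel {0} pending on {1} is not yet supported by the sensor" -f $release, ($unsupported[$release] -join ', '))
    }
    foreach ($release in $nowSupported) {
        Write-Host "Now supported, block can be lifted: $release"
    }

    # Persist the current unsupported set for the next run (WriteAllLines copes with an empty set).
    [System.IO.File]::WriteAllLines($ListPath, [string[]]@($unsupported.Keys | Sort-Object))

    [pscustomobject]@{ Unsupported = $unsupported; NowSupported = $nowSupported }
}

Test-KernelSupport -Rows $reportRows -Supported $supportedKernels -ListPath $kernelList
```

On the first run this warns that 5.14.0-427.13.1.el9_4.x86_64 is pending on db02 and app03 and writes that release to the file; web01's kernel is already supported and is not recorded. If a later run finds that release in the supported list, it is printed as safe to unblock and dropped from the file. The comparison is on the bare release string, which is enough when the release encodes the distro (el9_3 here); a production check should also match the distro and architecture the sensor reports support for, and packages in other naming schemes (Debian linux-image files, for instance) need their own pattern in Get-KernelRelease.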
Next Steps
With the pending kernels identified, the next step is to manage them. Although I am working on automating this process, currently, it must be done manually. In Tanium, you can manage a block list under Modules > Patch > Block List to prevent problematic kernels from updating and triggering RFM in CrowdStrike.
Future Improvements
I made this script public to assist others and to motivate myself to enhance it further. I hope that in the future, the PATCH API for Tanium will be expanded to allow for automated management of the Block List. For now, this script can bring you closer to preventing RFM without having to sift through extensive support documentation.