
Preventing RFM in CrowdStrike: A Guide with Tanium Integration


Understanding RFM in CrowdStrike

The issue of RFM (Rapid Failure Mode) in CrowdStrike can be quite vexing for many users. You might have an exceptional tool for defense, but if your administrators apply kernel patches faster than the sensor gains support for them, the effectiveness of the product diminishes significantly. This creates a perplexing dilemma: the security mantra is often "PATCH, PATCH, PATCH," yet in this instance you may want to exercise caution.

It's a challenge that the CrowdStrike team is diligently addressing. I genuinely appreciate the platform, so this is not a critique, just an observation. In the meantime, what options do you have? You could wait it out or manually verify patch compatibility, but that can be cumbersome. Running N-2 on patching is a possibility, yet it risks leaving you behind. For my needs, a degree of automation is preferable.

Note: This is a preliminary draft of the script, and while I typically create more structured functions, this iteration is more of a quick initial assembly. It's specifically aimed at Linux environments.

The Purpose of the Script

The script I am sharing utilizes PowerShell to interact with both the CrowdStrike and Tanium APIs. Its primary function is to monitor which patches are being applied and whether they are supported by CrowdStrike, allowing you to inform your administrators accordingly.

How It Operates

First, the script queries a report from Tanium that tracks kernel updates scheduled for installation on Linux hosts. Once the report is retrieved, it filters the data and checks the kernel versions against the CrowdStrike API to determine what is supported. It flags any unsupported versions, indicating potential RFM risks.

Next, it provides updates on what is now supported, using a text file to maintain a record. This allows you to keep track of supported kernels, enabling you to lift any blocks and proceed with patching. At the conclusion of each run, the script automatically rotates the Tanium API key for security.

The Automation Process

The automation begins with the report generated in Tanium. To retrieve the kernels intended for installation, navigate to Data > Reports and create a report that captures relevant details, particularly the Computer Name and Applicable Patches Files, which encompass the kernel updates.

After setting up the report, note the ID from the URL (e.g., /ui/reporting/reports/report?id=[Your ID]) and input it into the script as follows:

    #-- Tanium
    $tantoken = Get-Content ""
    $tanreportID = "[ Place it here ]"
    $tantokenloc = ""

Tanium API Credentials

To run this script, you'll need valid API credentials from your Tanium instance. Ensure that you create these credentials securely and limit the IP ranges as needed:

    #-- Tanium
    $tantoken = Get-Content "[ Place it here ]"
    $tanreportID = ""
    $tantokenloc = ""

The script rotates the credentials at the end of each run, so if you wish to use this feature, set $tantokenloc to the path where the new token should be written. Otherwise, you can remove that part.

CrowdStrike API Integration

On the CrowdStrike side, you only need to adjust the API credentials. After setting them up, insert them here:

    # -- Falcon API --
    $clientid = ""
    $csecret = ""

Tracking Unsupported Kernels

While the method I’ve implemented may not be the most advanced, it is functional. You will need to update the path to keep a record of unsupported kernels and confirm their status on subsequent runs:

    # location output
    $kernellist = "C:\PreventRFM\Unsupported.txt"
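The following is an added example, not the author's script, showing the core of the "How It Operates" logic with the variables introduced above: pending kernels are compared against the Falcon supported-kernel list, unsupported ones are flagged as RFM risks, and the tracking file is used to report kernels that have since become supported. It assumes the Falcon OAuth2 token endpoint, the /policy/combined/sensor-update-kernels/v1 endpoint paged with limit/offset and returning a 'release' field, and uses constructed sample rows in place of the Tanium report; Tanium key rotation is not covered.

```powershell
# Added example (not the author's script): compares pending kernels against the
# Falcon supported-kernel list and maintains the unsupported-kernel tracking file.
# Assumptions: OAuth2 at /oauth2/token; /policy/combined/sensor-update-kernels/v1
# paged with limit/offset, each resource carrying the kernel string in 'release'.
# The $pending rows are constructed sample data standing in for the Tanium report.
$clientid   = $env:FALCON_CLIENT_ID
$csecret    = $env:FALCON_CLIENT_SECRET
$falconBase = "https://api.crowdstrike.com"        # adjust to your Falcon cloud
$kernellist = "C:\PreventRFM\Unsupported.txt"

$pending = @(                                        # constructed sample rows
    [pscustomobject]@{ Computer = "web01"; Kernel = "5.14.0-427.13.1.el9_4.x86_64" },
    [pscustomobject]@{ Computer = "db02";  Kernel = "6.8.0-31-generic" }
)

function Get-FalconToken {
    $body = @{ client_id = $clientid; client_secret = $csecret }
    (Invoke-RestMethod -Method Post -Uri "$falconBase/oauth2/token" -Body $body).access_token
}

function Get-SupportedKernels([string]$token) {
    # Page through the whole list; an FQL filter could narrow it to one vendor.
    $hdr = @{ Authorization = "Bearer $token" }
    $set = [System.Collections.Generic.HashSet[string]]::new()
    $offset = 0; $limit = 500
    do {
        $uri  = "$falconBase/policy/combined/sensor-update-kernels/v1?limit=$limit&offset=$offset"
        $resp = Invoke-RestMethod -Uri $uri -Headers $hdr
        foreach ($k in $resp.resources) { [void]$set.Add($k.release) }
        $offset += $limit
    } while ($offset -lt $resp.meta.pagination.total)
    return $set
}

$supported = Get-SupportedKernels (Get-FalconToken)
$previous  = if (Test-Path $kernellist) { @(Get-Content $kernellist) } else { @() }

# Kernels recorded as unsupported on an earlier run that Falcon now supports.
foreach ($k in $previous) {
    if ($supported.Contains($k)) { Write-Host "NOW SUPPORTED: $k - block can be lifted" }
}

# Pending kernels Falcon does not list: flag the RFM risk and keep tracking them.
$unsupported = foreach ($row in $pending) {
    if (-not $supported.Contains($row.Kernel)) {
        Write-Warning "RFM RISK: $($row.Computer) will install $($row.Kernel), not in Falcon support list"
        $row.Kernel
    }
}
Set-Content -Path $kernellist -Value @($unsupported | Sort-Object -Unique)
```

Run it on a schedule after the Tanium report is refreshed; the warnings are what you pass to the administrators, and the "NOW SUPPORTED" lines tell you which entries on the Tanium block list can be released.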

Next Steps

With the pending kernels identified, the next step is to manage them. Although I am working on automating this process, currently, it must be done manually. In Tanium, you can manage a block list under Modules > Patch > Block List to prevent problematic kernels from updating and triggering RFM in CrowdStrike.

Future Improvements

I made this script public to assist others and to motivate myself to enhance it further. I hope that in the future, the PATCH API for Tanium will be expanded to allow for automated management of the Block List. For now, this script can bring you closer to preventing RFM without having to sift through extensive support documentation.
