What is this?

This knowledgebase contains questions and answers about PRTG Network Monitor and network monitoring in general. You are invited to get involved by asking and answering questions!

Learn more

PRTG Network Monitor

Intuitive to Use. Easy to manage.
More than 500,000 users rely on Paessler PRTG every day. Find out how you can reduce cost, increase QoS and ease planning, as well.

Free Download

Top Tags


View all Tags

Crowdstrike API query with oauth2 authentication

Votes:

0

Your Vote:

Up

Down

Hi all,

We're moving to Crowdstrike antivirus, there is only cloud console that can be monitored by web API using oauth2 authentication with 30 minutes token.

I'm not a "script guy", I used only some PRTG scripts downloaded by GitHub or other blogs. I've write to Paessler support and they help me with this template and this description: Can someone help me to complete the script? I only need to monitor the virus detection, I'm waiting the query by Crowdstrike support, this is the API specifications: https://assets.falcon.laggar.gcw.crowdstrike.com/support/api/swagger-eagle.html#/detects/QueryDetects

Many thanks

SCRIPT:

Param (
    #[Parameter(Mandatory)]
    [string]$url = "https://api.crowdstrike.com",
    [string]$client_id = "",
    [string]$client_secret = ""
)
 
function Get-AuthenticationToken {
    Param(
        $baseurl = $script:url,
        $client_id = $Script:client_id,
        $client_secret = $Script:client_secret,
        $method = "POST"
    )
    $headers = @{
        'accept' = 'application/json'
        'content-type' = 'application/x-www-form-urlencoded'
    }
    $payload = "client_id=$client_id&client_secret=$client_secret"
    $url = $baseurl.trim("/") + "/oauth2/token"
    $token = (Invoke-RestMethod $url -Method $method -Body $payload).access_token
}

try {
    # Get a token (will be executed at each script execution)
    $token = Get-AuthenticationToken
    
    # Return data in PRTG (example)
    $data = @"
    {
        "prtg": {
            "result": [
                {
                    "channel": "NAME",
                    "value": VALUE,
                },
                ...
            ]
        }
    }
"@
    Write-Output $data
   
} catch {
    write-host "$($_.exception.message) At line : $($_.InvocationInfo.ScriptLineNumber)"
    Exit 1
}

MAIL DESCRIPTION:

The script contains the authentication part however it might need to be modified to work properly. The latter will generate a new token at each execution therefore it might also be necessary to add the support of the token (save it and check if it is still valid before asking for a new one). It also includes the code which returns the data in PRTG for the EXE/Script Advanced sensor indeed. ​ You then need to add the query which will get the information you desire to monitor, process the data (convert them to integer or float if needed) and then add them in the JSON response. The channels should then automatically be created in PRTG.

api exe-script-advanced oauth2

Created on Jan 18, 2022 8:26:24 AM by  Cipo80 (0) 1

Last change on Jan 18, 2022 8:40:07 AM by  Florian Lesage [Paessler Support]



3 Replies

Votes:

0

Your Vote:

Up

Down

I just discovered that there is a "world" of scripting/powershell around Crowdstrike, there are a lot of .ps make directly by Crowdstrike and a ps module.

With three line of PS script I can authenticate and get the desired information:

Import-Module -Name PSFalcon
Request-FalconToken -cloud eu-1 -ClientId xxxxxxxxxxxxxxxxxxxx -ClientSecret xxxxxxxxxxxxxxxxxxxxxxxx
Get-FalconDetection -Filter "status:'new'"

Now I need to write the result on PRTG and set a status error if the query answer with some rows (devices with virus detection).

Thanks in advance

Created on Jan 18, 2022 11:45:15 AM by  Cipo80 (0) 1

Last change on Jan 18, 2022 2:00:06 PM by  Florian Lesage [Paessler Support]



Votes:

0

Your Vote:

Up

Down

Hello all,

thanks to the "awesome" support, this is the final EXE\script:

Param (
    #[Parameter(Mandatory)]
    [string]$url = "https://api.crowdstrike.com",
    [string]$client_id = "",
    [string]$client_secret = ""
)

try {
    # Handles authentication
    Import-Module -Name PSFalcon
    Request-FalconToken -cloud eu-1 -ClientId $client_id -ClientSecret $client_secret
    
    # Get alerts
    $alerts = Get-FalconDetection -Filter "status:'new'"

    if ($alerts){
        Write-Output "$(($alerts | Measure-object -line).Lines):Virus detected !"
        Exit 0
    }else {
        Write-Output "0:Everything is good"
        Exit 0
    }
   
} catch {
    Write-Output "$($_.exception.message) At line : $($_.InvocationInfo.ScriptLineNumber)"
    Exit 1
}

Created on Feb 2, 2022 11:56:33 AM by  Cipo80 (0) 1



Votes:

0

Your Vote:

Up

Down

Hi,

Thank you very much for sharing it. Glad to hear that it is finally done!

Have a great day.

Created on Feb 2, 2022 12:11:34 PM by  Florian Lesage [Paessler Support]



Please log in or register to enter your reply.


Disclaimer: The information in the Paessler Knowledge Base comes without warranty of any kind. Use at your own risk. Before applying any instructions please exercise proper system administrator housekeeping. You must make sure that a proper backup of all your data is available.