A Go program that cleans up your estate of CrowdStrike cloud and endpoint sensors.
The program follows following logic for determining if a sensor is faulty and shrouds your dashboard:
- Any CrowdStrike sensor that was only momentarily online (max. 5 minutes), did not have the chance to donwload any policies and did not report a Hostname.
- Any CrowdStrike endpoint sensor that does not have an
email/tag. (e.g. to use with security-slacker) - Any CrowdStrike sensor that is in RFM mode and was last seen over 24 hours ago.
- Any CrowdStrike cloud sensor that has not been seen for 24 hours. (VMs were most likely destroyed)
- Any hidden CrowdStrike sensor that was still recently seen, e.g. was most likely hidden by accident.
First, ensure you get CrowdStrike API cred
6B8C
entials that can do Hosts:read and Hosts:write.
Then create the following YAML configuration file:
log:
level: INFO
slack:
webhook: "https://hooks.slack.com/services/XXX"
crowdstrike:
region: eu-1
client_id: "XXXX"
client_secret: "XXXX"
You can use following arguments:
./cscleanup -config=config.ymlAnd if you don't want to hide any sensor nor send to Slack:
./cscleanup -config=config.yml -preview