Hi, is there a way I can use the falconpy module to find host uptime please? Thanks - Siva
Replies: 3 comments
Hi @Siva700 - Thank you for the question!! There isn't a field returned in any of the APIs that directly speaks to this value. (You could perform some calculations with `last_seen` and `first_seen`, but this wouldn't always be accurate.) Instead, we can use the RealTimeResponse and RealTimeResponseAdmin service collections to request this data from the hosts themselves. To demonstrate this, I've coded up a simple example for you. A couple of notes:
Depending on the number of hosts in your environment, thi…
Example source

```python
"""Retrieve uptime using Real Time Response."""
from argparse import ArgumentParser, RawTextHelpFormatter
from time import sleep
from falconpy import Hosts, RealTimeResponse, RealTimeResponseAdmin

parser = ArgumentParser(description=__doc__, formatter_class=RawTextHelpFormatter)
parser.add_argument("-n", "--hostname", help="Hostname to target. Will handle multiple matches.", required=False)
req = parser.add_argument_group("required arguments")
req.add_argument("-k", "--falcon_client_id", help="CrowdStrike Falcon API client ID", required=True)
req.add_argument("-s", "--falcon_client_secret", help="CrowdStrike Falcon API client Secret", required=True)
cmd_line = parser.parse_args()

# Scripts pushed to the host with `runscript -Raw`, one per platform family.
UPTIME_BASH = """
#!/bin/bash
uptime
"""
UPTIME_WIN = """
wmic path Win32_OperatingSystem get LastBootUpTime
"""

# Authenticate once and share the token across the three service collections.
hosts = Hosts(client_id=cmd_line.falcon_client_id, client_secret=cmd_line.falcon_client_secret)
rtr = RealTimeResponse(auth_object=hosts)
rtr_admin = RealTimeResponseAdmin(auth_object=hosts)

# Optional FQL filter so a single hostname (or wildcard match) can be targeted.
host_filter = None
if cmd_line.hostname:
    host_filter = f"hostname:*'*{cmd_line.hostname}*'"
hosts_to_check = hosts.query_devices_by_filter_scroll(filter=host_filter)
if hosts_to_check["status_code"] != 200:
    raise SystemExit("Unable to retrieve host list. Check credentials.")
if not hosts_to_check["body"]["resources"]:
    raise SystemExit("Unable to retrieve host detail. Check hostname.")
hosts_detail = hosts.get_device_details(ids=hosts_to_check["body"]["resources"])
if hosts_detail["status_code"] != 200:
    raise SystemExit("Unable to retrieve host detail. Check permissions / hostname.")

results = {}
for host in hosts_detail["body"]["resources"]:
    hostname = host.get("hostname")
    device_id = host.get("device_id")
    platform = host.get("platform_name", "")
    # Only online hosts are targeted; queue_offline=False avoids leaving queued commands behind.
    session_init = rtr.init_session(device_id=device_id, queue_offline=False)
    if session_init["status_code"] != 201:
        # RTR session connection failure.
        print(f"Unable to open RTR session with {device_id}")
        continue
    session_id = session_init["body"]["resources"][0]["session_id"]
    # Craft a command string based upon the platform we are targeting.
    if platform.lower() in ["mac", "linux"]:
        command_string = f"runscript -Raw=```{UPTIME_BASH}```"
    else:
        command_string = f"runscript -Raw=```{UPTIME_WIN}```"
    check_result = rtr_admin.execute_admin_command(device_id=device_id,
                                                   session_id=session_id,
                                                   base_command="runscript",
                                                   command_string=command_string
                                                   )
    if check_result["status_code"] != 201:
        # RTR command execution failure.
        print(f"Unable to execute RTR command on {device_id}")
    else:
        request_id = check_result["body"]["resources"][0]["cloud_request_id"]
        completed = False
        while not completed:
            result = rtr_admin.check_admin_command_status(cloud_request_id=request_id, sequence_id=0)
            if result["status_code"] != 200:
                print(f"Unable to check RTR command status on {device_id}")
                break
            status = result["body"]["resources"][0]
            stdout = status.get("stdout", "")
            stderr = status.get("stderr", "")
            if status.get("complete") or stdout or stderr:
                completed = True
                results[device_id] = stdout
                if stderr:
                    results[device_id] = stderr
                print(f"Host uptime retrieved for {device_id}.")
            else:
                sleep(1)  # Script is still running on the host; avoid hammering the API.
    # Always tear the session down, whether or not the command succeeded.
    rtr.delete_session(session_id=session_id)

# Print out the retrieved results.
for host_id, output in results.items():
    print(f"{host_id}: {output}")
```
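The script above returns the raw stdout of `uptime` or of `wmic ... get LastBootUpTime`, which differ per platform. As an added example (not part of the original reply or of falconpy), the following normalises both forms into a single uptime-in-seconds value so results can be compared across hosts; the sample outputs and reference time are constructed, not captured from real hosts.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed sample output, shaped like the two RTR scripts' stdout.
SAMPLE_LINUX = " 14:32:11 up 12 days,  3:04,  2 users,  load average: 0.10, 0.15, 0.20\n"
SAMPLE_WINDOWS = "LastBootUpTime\r\n20240315083045.500000+060\r\n\r\n"
# Constructed reference "now" so the Windows calculation is reproducible.
SAMPLE_NOW = datetime(2024, 3, 16, 7, 30, 45, 500000, tzinfo=timezone.utc)

# `uptime` prints "<clock> up <duration>,  N user(s),  load average: ...". Only the
# duration segment is examined so the clock and load averages are never misread.
_UP_SEGMENT = re.compile(r"\bup\s+(?P<seg>.*?)(?:,\s+\d+\s+users?|$)")
_DAYS = re.compile(r"(\d+)\s+day")
_HHMM = re.compile(r"(\d+):(\d{2})")
_MINS = re.compile(r"(\d+)\s+min")
# wmic returns a CIM_DATETIME: yyyymmddHHMMSS.ffffff plus the UTC offset in minutes.
_CIM = re.compile(r"(\d{14})\.(\d{6})([+-]\d{3})")

def parse_unix_uptime(stdout: str) -> Optional[int]:
    """Seconds of uptime from `uptime` output, or None if it cannot be parsed."""
    match = _UP_SEGMENT.search(stdout)
    if not match:
        return None
    segment = match.group("seg")
    seconds = 0
    if days := _DAYS.search(segment):
        seconds += int(days.group(1)) * 86400
    if hhmm := _HHMM.search(segment):
        seconds += int(hhmm.group(1)) * 3600 + int(hhmm.group(2)) * 60
    elif mins := _MINS.search(segment):
        seconds += int(mins.group(1)) * 60
    return seconds

def parse_windows_uptime(stdout: str, now: Optional[datetime] = None) -> Optional[int]:
    """Seconds since LastBootUpTime, or None if no CIM_DATETIME is present."""
    match = _CIM.search(stdout)
    if not match:
        return None
    stamp, micros, offset = match.groups()
    boot = datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(
        microsecond=int(micros), tzinfo=timezone(timedelta(minutes=int(offset))))
    now = now or datetime.now(timezone.utc)
    return int((now - boot).total_seconds())

def uptime_seconds(platform_name: str, stdout: str, now: Optional[datetime] = None) -> Optional[int]:
    # Dispatch on the platform_name value the Hosts API returns for the device.
    if platform_name.lower() in ("mac", "linux"):
        return parse_unix_uptime(stdout)
    return parse_windows_uptime(stdout, now)
```

Feed each entry of the script's `results` dictionary together with the host's `platform_name` into `uptime_seconds` to get a comparable number per host.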
Hi @Siva700 - We now also have a sample demonstrating this procedure. 😄
Thank you... this is really great.
Best Regards,
Siva