Getting devices with active directory object_sid property

[yoavhiz]

Hi,

I'm wondering is there a way I can get the active directory's object_sid property of a given device from crowd strike?

Thanks,
Yoav

[jshcodes]

Hi @yoavhiz -

object_sid is not returned as part of the get_device_details operation (Hosts service collection).

If we absolutely must retrieve this value from the machine directly, we will have to try something leveraging RTR. (The SID value is stored in a protected key within the registry of the machine. (HKLM\SECURITY\SAM\Domains\Account)) There are several scripts online discussing this. You should be able to execute your preferred one of these as a CloudFile via RTR.

As an alternative, If you have Windows Remote Server Administration tools (RSAT) installed, you could retrieve this detail directly from PowerShell on your local machine using:

Get-ADComputer -Filter “name -eq ‘edlt'” -Properties sid | select name, sid

Please note: This operation connects to the domain controller to retrieve this detail. You will need appropriate permissions to execute this command.

[yoavhiz]

Hi @jshcodes
Thank you very much for your answer :)

Another question if I may, if a device is a cloud instance (for example machine in GCP or AWS) do you know how can I get its cloud id from Crowdstrike? For example, if the device is an instance in GCP I would like to get its GCP instance ID

[jshcodes]

Hi @yoavhiz!

This information can be found using the Hosts service collection (when available).

Here's a quick example (I used AWS):

Example

import os
from falconpy import Hosts
from pprint import pprint

hosts = Hosts(client_id=os.getenv("FALCON_CLIENT_ID"), client_secret=os.getenv("FALCON_CLIENT_SECRET"))
host_id = hosts.query_devices_by_filter(filter="hostname:'HOSTNAME_HERE'")["body"]["resources"]
host_detail = hosts.get_device_details(ids=host_id)
pprint(host_detail)

This should produce a result similar to the following (I've redacted some of the information returned in this example):

Note the instance_id, service_provider, and service_provider_account_id fields. These fields may vary slightly depending on the cloud provider your instance resides within. These fields will not be present when this data is not available.

{
	"body": {
		"errors": [],
		"meta": {
			"powered_by": "device-api",
			"query_time": 0.001541358,
			"trace_id": "8b648c33-ac67-458b-8257-REDACTED"
		},
		"resources": [{
			"agent_load_flags": "0",
			"agent_local_time": "2021-12-27T21:44:58.693Z",
			"agent_version": "6.25.12207.0",
			"bios_manufacturer": "Xen",
			"bios_version": "4.2.amazon",
			"cid": "REDACTED",
			"config_id_base": "REDACTED",
			"config_id_build": "12207",
			"config_id_platform": "8",
			"cpu_signature": "198386",
			"detection_suppression_status": "unsuppressed",
			"device_id": "REDACTED",
			"device_policies": {
				"global_config": {
					"applied": True,
					"applied_date": "2021-12-27T21:45:38.180279526Z",
					"assigned_date": "2021-12-27T21:44:59.751378656Z",
					"policy_id": "REDACTED",
					"policy_type": "globalconfig",
					"settings_hash": "REDACTED"
				},
				"prevention": {
					"applied": True,
					"applied_date": "2022-01-20T23:06:01.677923366Z",
					"assigned_date": "2022-01-20T23:04:28.047905828Z",
					"policy_id": "REDACTED",
					"policy_type": "prevention",
					"rule_groups": ["REDACTED"],
					"settings_hash": "REDACTED"
				},
				"remote_response": {
					"applied": True,
					"applied_date": "2021-08-03T23:12:25.778267519Z",
					"assigned_date": "2021-08-03T23:10:38.217564005Z",
					"policy_id": "REDACTED",
					"policy_type": "remote-response",
					"settings_hash": "REDACTED"
				},
				"sensor_update": {
					"applied": True,
					"applied_date": "2021-07-14T18:36:28.047354857Z",
					"assigned_date": "2021-07-14T18:35:32.648705532Z",
					"policy_id": "REDACTED",
					"policy_type": "sensor-update",
					"settings_hash": ";",
					"uninstall_protection": "UNKNOWN"
				}
			},
			"external_ip": "3.100.200.8",
			"first_seen": "2021-07-14T18:35:27Z",
			"group_hash": "REDACTED",
			"groups": [],
			"host_hidden_status": "visible",
			"hostname": "REDACTED",
			"instance_id": "i-REDACTED",
			"kernel_version": "4.14.232-177.418.amzn2.x86_64",
			"last_seen": "2022-04-18T23:04:30Z",
			"local_ip": "172.1.1.8",
			"mac_address": "01-02-03-40-4f-c4",
			"major_version": "4",
			"meta": {
				"version": "30876"
			},
			"minor_version": "14",
			"modified_timestamp": "2022-04-18T23:04:31Z",
			"os_version": "Amazon Linux 2",
			"platform_id": "3",
			"platform_name": "Linux",
			"policies": [{
				"applied": True,
				"applied_date": "2022-01-20T23:06:01.677923366Z",
				"assigned_date": "2022-01-20T23:04:28.047905828Z",
				"policy_id": "REDACTED",
				"policy_type": "prevention",
				"rule_groups": ["REDACTED"],
				"settings_hash": "REDACTED"
			}],
			"product_type_desc": "Server",
			"provision_status": "NotProvisioned",
			"reduced_functionality_mode": "no",
			"serial_number": "REDACTED-25e7-REDACTED-e9ed-REDACTED",
			"service_provider": "AWS_EC2",
			"service_provider_account_id": "123456789012",
			"slow_changing_modified_timestamp": "2022-04-18T23:04:31Z",
			"status": "normal",
			"system_manufacturer": "Xen",
			"system_product_name": "HVM domU",
			"tags": ["FalconGroupingTags/Testing123"],
			"zone_group": "us-west-1a"
		}]
	},
	"headers": {
		"Content-Encoding": "gzip",
		"Content-Length": "1452",
		"Content-Type": "application/json",
		"Date": "Mon, 18 Apr 2022 23:29:10 GMT",
		"Strict-Transport-Security": "max-age=31536000; "
		"includeSubDomains, "
		"max-age=15724800; includeSubDomains",
		"X-Cs-Region": "us-1",
		"X-Cs-Traceid": "8b648c33-ac67-458b-8257-REDACTED",
		"X-Ratelimit-Limit": "6000",
		"X-Ratelimit-Remaining": "5996"
	},
	"status_code": 200
}

[yoavhiz]

Thank you @jshcodes !!