Unable to conect to host

[hermanmaleiane]

Hi team,

Hope you are doing well.
I have already made this integration with falconpy to start scans based on windows defender.
The problem is that now i'm not able to connect to any of my hosts in my organization.
Can you please help me to uderstand whats happening?

I got this method to execute scan:

def execut_scan(device_id,incident_id, event_type, hostname):
    target_aid = get_host_aid(device_id)                     # Retrieve our test instance's AID
    session_id = init_session(target_aid)
    response = falcon_rtra.execute_admin_command(base_command="runscript",
                                                 command_string=f"runscript -Raw=```Start-MpScan -ScanType QuickScan ```",
                                                 session_id=session_id,
                                                 timeout=80
                                                 )
    print(response) 

the response is:

500onnecting to target
Unable to establish session with host

When i try to execute the command direct in the web console:
Using this option:

I got the below error:

Thanks in advance

[jshcodes]

Hi @hermanmaleiane -

A couple of follow up questions:

• This was working before and it just stopped?
• Have you connected to this host successfully previously (within a short period of time before generating this 500)

[hermanmaleiane]

hi @jshcodes!!!

Question 1: Was working perfectly!!
Question 2: It's been 3 months that i dont test. Last week i tested with other host but the result is the same. It's happening with all my organizations hosts.

[jshcodes]

Hi @hermanmaleiane -

I have more questions! 😄

• Have you tried other RTR commands? Do they work? (can you pull a simple directory listing with ls or a process list with ps?)
• Can you execute the Start-MpScan -ScanType QuickScan process on a target locally without error?
• What does the get_host_aid method do? (It appears to consume a device_id and then return a device_id. Is it somehow altering the format of your target_aid value or is just pulling the ID out of a resources branch?)

[hermanmaleiane]

Hi @jshcodes

Question 1: Yes it's working for other rtr commands.

For example when i want to retrieve windows events.

`command= "Get-WinEvent -LogName 'Microsoft-Windows-Windows Defender/Operational' | Select-Object -First 2 -ExpandProperty Message | Select"
response = falcon_rtra.execute_admin_command(base_command="runscript",
command_string=f"runscript -Raw={command} ",
session_id=session_id,
timeout=600
)

print(response)         

then i get the cloud_request_id and

`response = falcon_rtra.check_admin_command_status(
cloud_request_id=uuid_value, sequence_id=0
)

response1= response["body"]["resources"]`



                  `

I got the response

[{'session_id': '3c582a71-87b6-4e47-b041-0d806bf6e8be', 'task_id': '48a77c0b-1cc2-46ff-8de8-9f715c4de7e0', 'complete': True, 'stdout': 'Endpoint Protection client health report (time in UTC):\r\n \tPlatform version: 4.18.2203.5\r\n \tEngine version: 1.1.19200.6\r\n \tNetwork Realtime Inspection engine version: 1.1.19200.6\r\n \tAntivirus security intelligence version: 1.367.1279.0\r\n \tAntispyware security intelligence version: 1.367.1279.0\r\n \tNetwork Realtime Inspection security intelligence version: 1.367.1279.0\r\n \tRTP state: Disabled\r\n \tOA state: Disabled\r\n \tIOAV state: Disabled\r\n \tBM state: Disabled\r\n \tAntivirus security intelligence age: 1\r\n \tAntispyware security intelligence age: 1\r\n \tLast quick scan age: 2\r\n \tLast full scan age: 4294967295\r\n \tAntivirus security
intelligence creation time: 09/06/2022 03:24:47\r\n \tAntispyware security intelligence creation time: 09/06/2022 03:24:47\r\n \tLast quick scan start time: 08/06/2022 00:14:13\r\n \tLast quick scan end time: 08/06/2022 00:19:01\r\n \tLast quick scan source: 2\r\n \tLast full scan start time: 01/01/1601 00:00:00\r\n \tLast full scan end time: 01/01/1601 00:00:00\r\n \tLast full scan source: 0\r\n \tProduct status: 0x00080000\r\n\nEndpoint Protection client health report (time in UTC):\r\n \tPlatform version: 4.18.2203.5\r\n \tEngine version: 1.1.19200.6\r\n \tNetwork Realtime Inspection engine version: 1.1.19200.6\r\n \tAntivirus security intelligence version: 1.367.1279.0\r\n \tAntispyware security intelligence version: 1.367.1279.0\r\n \tNetwork Realtime Inspection security intelligence version: 1.367.1279.0\r\n \tRTP state: Disabled\r\n \tOA state: Disabled\r\n \tIOAV state: Disabled\r\n \tBM state: Disabled\r\n \tAntivirus security intelligence age: 0\r\n \tAntispyware security intelligence age: 0\r\n \tLast quick scan age: 1\r\n \tLast full scan age: 4294967295\r\n \tAntivirus security intelligence creation time: 09/06/2022 03:24:47\r\n \tAntispyware security intelligence creation time: 09/06/2022 03:24:47\r\n \tLast quick scan start time: 08/06/2022 00:14:13\r\n \tLast
quick scan end time: 08/06/2022 00:19:01\r\n \tLast quick scan source: 2\r\n \tLast full scan start time: 01/01/1601 00:00:00\r\n \tLast full scan end time: 01/01/1601 00:00:00\r\n \tLast full scan source: 0\r\n \tProduct status: 0x00080000\r\n', 'stderr': '', 'base_command': 'runscript'}]

Question 2:

Question 3:

Retrieves the AID for a given device_id:

def get_host_aid(device_id):

result = falconHosts.query_devices_by_filter(filter=f"device_id:'{device_id}'" )
#print(result)

if result["status_code"] == 200:
    if len(result["body"]["resources"]) == 0:
        raise SystemExit(
                "%50s" % f"{' ' * 50}\nUnable to retrieve "     
                "AID for target.  ¯\_(ツ)_/¯\n"                 
                "Check target hostname value."
            )
    returned = result["body"]["resources"][0]
else:
    returned = False

return returned

[jshcodes]

Hi @hermanmaleiane!

I was able to execute this command against a Windows host using the bulk execute sample we maintain in the Samples library. I had to run the command a couple of times before I got the "A scan is already in progress on this device" message. (I was returned timeouts for the default 30 seconds on the first two tries. We could increase this to probably get around this issue.)

Could you try executing the command against a host using this sample? From what I remember of our previous discussion about your code, they should be pretty similar, so I'm curious if this helps us identify a potential syntax issue.

Here's the syntax of my command line:

python3 bulk_execute.py -k CLIENT_ID -s CLIENT_SECRET -f TARGET-HOSTNAME -c "Start-MpScan -ScanType QuickScan"

[jshcodes]

Hi @hermanmaleiane -

As a followup, I've updated the bulk execute sample to allow for specifying a timeout for the command using the -t or --timeout argument. I'm hoping this assists with your testing. (I was able to successfully execute using a timeout of 180 seconds.)

[hermanmaleiane]

Thank you so much @jshcodes !!
It works