Categorygithub.com/hazcod/cscleanup
module
1.3.2
Repository: https://github.com/hazcod/cscleanup.git
Documentation: pkg.go.dev
Overview
Versions
1
Dependencies
0
Dependents
0
Files
0

# README

cscleanup

A Go program that cleans up your estate of CrowdStrike cloud and endpoint sensors.

How does it work?

The program follows following logic for determining if a sensor is faulty and shrouds your dashboard:

  1. Any CrowdStrike sensor that was only momentarily online (max. 5 minutes), did not have the chance to donwload any policies and did not report a Hostname.
  2. Any CrowdStrike endpoint sensor that does not have an email/ tag. (e.g. to use with security-slacker)
  3. Any CrowdStrike sensor that is in RFM mode and was last seen over 24 hours ago.
  4. Any CrowdStrike cloud sensor that has not been seen for 24 hours. (VMs were most likely destroyed)
  5. Any hidden CrowdStrike sensor that was still recently seen, e.g. was most likely hidden by accident.

Running

First, ensure you get CrowdStrike API credentials that can do Hosts:read and Hosts:write. Then create the following YAML configuration file:

log:
  level: INFO

slack:
  webhook: "https://hooks.slack.com/services/XXX"

crowdstrike:
  region: eu-1
  client_id: "XXXX"
  client_secret: "XXXX"

You can use following arguments:

./cscleanup -config=config.yml

And if you don't want to hide any sensor nor send to Slack:

./cscleanup -config=config.yml -preview

# Packages

No description provided by the author
No description provided by the author
No description provided by the author