falcon-scripts
Allow access token authentication
Allow a user to pass in an access token instead of authenticating with the API to help facilitate further automations.
Does this refer to the maintenance token? Looking for a possible way to pull the maintenance token via API and pass it to the device to automate the uninstall process if tamperproof protection is enabled.
@stevenwick - No this is for authenticating with the API.
As for the maintenance token being pulled via API, we already do that for PowerShell. See the uninstall section in the README for an example. You would just essentially pass in your API client id/secret:
I created a new API key and captured Client ID and Secret from console and used the same on my machine, however it throws me an error even though my credentials are correct.
Any idea how to fix it?
Received a Forbidden response from https://api.us-2.crowdstrike.com/oauth2/token. Please check your credentials and try again. Error: Forbidden
At C:\temp\Crowdstrike\Remediation_falcon_windows_uninstall.ps1:209 char:17
+                 throw $Message
+                 ~~~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: (Received a Forb...rror: Forbidden:String) [], RuntimeException
    + FullyQualifiedErrorId : Received a Forbidden response from https://api.us-2.crowdstrike.com/oauth2/token. Please check your credentials and try again. Error: Forbidden
Same issue here, I double-checked the client id/secret and looked at logs, but regardless of endpoint, this happens.
In Falcon I see it reporting 403 as well
@Henric-Andersson | @Vikasway - what happens if you try using something else to test your creds? Can you try the following:
curl -X POST "https://<YOUR_API_BASE_URL>/oauth2/token" \
-H "accept: application/json" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "client_id=xxxxxxxx&client_secret=yyyyyyyy"
- replace <YOUR_API_BASE_URL> with your API url (i.e., api.crowdstrike.com)
- replace the client_id=xxxxxxxx and client_secret=yyyyyyyy with your api key cred values
That worked @carlosmmatos , see (somewhat masked) result here:
{
"access_token": "secret stuff",
"expires_in": 1799,
"token_type": "bearer"
}
So I re-ran the script but it still fails.
We use https://api.crowdstrike.com/oauth2/token in the script; I even modified the script to manually encode the form data, but it still failed.
Next, I tried removing the CID and now it worked:
# Configure OAuth2 authentication
if ($credsProvided) {
    $BaseUrl = Get-FalconCloud $FalconCloud
    $Body = @{}
    $Body['client_id'] = $FalconClientId
    $Body['client_secret'] = $FalconClientSecret
    #if ($MemberCid) {
    #    $Body['member_cid'] = $MemberCid
    #}
    $BaseUrl, $Headers = Invoke-FalconAuth -WebRequestParams $WebRequestParams -BaseUrl $BaseUrl -Body $Body -FalconCloud $FalconCloud
    $Headers['Content-Type'] = 'application/json'
    $WebRequestParams.Add('Headers', $Headers)
}
It would seem that my providing the member cid on the command line was breaking this function.
member_cid is only used for managed-services CIDs that have a parent CID attached to them. So if the CID you are using is not a child CID, it shouldn't be used.
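An added example, not code from falcon-scripts or from anyone in this thread: the same /oauth2/token request as the curl test above, written in Python, sending member_cid only when one is given and reporting a 403 differently when member_cid was part of the request. fake_urlopen is a constructed offline stub that reproduces the behaviour seen in the thread; the cloud-to-host map covers only the two API hosts named above.

```python
import io
import json
import urllib.error
import urllib.parse
import urllib.request

# API hosts for the two clouds that appear in the thread.
FALCON_CLOUDS = {"us-1": "api.crowdstrike.com", "us-2": "api.us-2.crowdstrike.com"}

def build_token_body(client_id, client_secret, member_cid=None):
    """Form-encode the /oauth2/token body; member_cid only for a child CID."""
    fields = {"client_id": client_id, "client_secret": client_secret}
    if member_cid:
        fields["member_cid"] = member_cid
    return urllib.parse.urlencode(fields)

def request_token(cloud, client_id, client_secret, member_cid=None,
                  urlopen=urllib.request.urlopen):
    """POST to /oauth2/token; return (status, parsed JSON or None, note)."""
    req = urllib.request.Request(
        "https://%s/oauth2/token" % FALCON_CLOUDS[cloud],
        data=build_token_body(client_id, client_secret, member_cid).encode(),
        headers={"accept": "application/json",
                 "Content-Type": "application/x-www-form-urlencoded"},
        method="POST")
    try:
        with urlopen(req) as resp:
            return resp.status, json.loads(resp.read().decode()), "ok"
    except urllib.error.HTTPError as err:
        # The thread's 403 came with member_cid set on a non-child CID: say so first.
        if err.code == 403 and member_cid:
            note = "403 with member_cid=%s sent; retry without it" % member_cid
        elif err.code == 403:
            note = "403: check client_id/client_secret and the key's scopes"
        else:
            note = "HTTP %d from /oauth2/token" % err.code
        return err.code, None, note

class _StubResponse(io.BytesIO):
    status = 200  # minimal stand-in for http.client.HTTPResponse

def fake_urlopen(req):
    """Constructed offline stub: 403 whenever member_cid is present (the
    thread's non-child CID case), otherwise the masked reply shown above."""
    if "member_cid" in dict(urllib.parse.parse_qsl(req.data.decode())):
        raise urllib.error.HTTPError(req.full_url, 403, "Forbidden", {}, None)
    reply = {"access_token": "secret stuff", "expires_in": 1799, "token_type": "bearer"}
    return _StubResponse(json.dumps(reply).encode())
```

Pass the real urllib.request.urlopen (the default) to talk to the API; pass fake_urlopen to see the member_cid failure path without network access.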
Lesson learned. Thanks.