Audit or deploy the CrowdStrike Falcon Sensor to Windows endpoints using Azure Policy, PowerShell DSC and Azure Machine Configuration.
Important
Deployment considerations
- Create the required APIs by following the instructions here: Falcon Powershell Installation Scripts
- The machine configuration extension is required for this Azure Policy. To deploy the latest version of the Machine Configuration extension at scale, including the identity requirements, follow the steps in Create a policy assignment to identify noncompliant resources. Create the following assignment with Azure Policy: Deploy prerequisites to enable Guest Configuration policies on virtual machines
- The following documentation shows the deployment of the Falcon sensor with Azure Policy. To audit only, switch the file used in your testing and deployment to FalconSensorAuditPolicy.ps1.
1. Install the machine configuration DSC resource module from the PowerShell Gallery. Reference - Set up a local machine for authoring
Install-Module -Name GuestConfiguration
Note
Please use PowerShell 5.1 for the next step
2. Using PowerShell 5.1, author the DSC configuration. Reference - Author a configuration
When running the steps below you will be prompted for your CustomerId (FalconClientId) and your CustomerAuthentication (FalconClientSecret).
. .\FalconSensorDeployPolicy.ps1
cd .\FalconSensorDeployPolicy\
Rename-Item -Path .\localhost.mof -NewName FalconSensorDeployPolicy.mof -PassThru
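As an added illustration of what an audit-only configuration for this pipeline looks like (this is not the repository's FalconSensorDeployPolicy.ps1 or FalconSensorAuditPolicy.ps1), the configuration below uses the built-in Script resource to report whether the sensor's Windows service is installed and running. The service name CSFalconService and the configuration name are assumptions; adjust them to your environment. Run it in PowerShell 5.1 like the script above: dot-source the file, cd into the generated folder, and rename localhost.mof to match the package name you give New-GuestConfigurationPackage.

```powershell
# Added example (not the repository's own configuration): audit-only DSC configuration
# that reports whether the Falcon sensor service is present and running.
Configuration FalconSensorAuditExample {
    param (
        # Assumed service name registered by the installed sensor; change if yours differs.
        [string]$ServiceName = 'CSFalconService'
    )

    Import-DscResource -ModuleName PSDesiredStateConfiguration

    Node localhost {
        Script FalconSensorServiceRunning {
            # GetScript returns the observed state, which shows up in compliance details.
            GetScript = {
                $name = $using:ServiceName
                $svc  = Get-Service -Name $name -ErrorAction SilentlyContinue
                $state = if ($svc) { "$name is $($svc.Status)" } else { "$name is not installed" }
                return @{ Result = $state }
            }
            # TestScript decides compliance: $true only when the service exists and is running.
            TestScript = {
                $name = $using:ServiceName
                $svc  = Get-Service -Name $name -ErrorAction SilentlyContinue
                return ($null -ne $svc -and $svc.Status -eq 'Running')
            }
            # SetScript is never invoked by a package built with Type = 'Audit'. It is kept
            # deliberately narrow so that reusing this configuration in an 'AuditAndSet'
            # package only restarts a stopped service and never attempts an install.
            SetScript = {
                $name = $using:ServiceName
                $svc  = Get-Service -Name $name -ErrorAction SilentlyContinue
                if ($svc -and $svc.Status -ne 'Running') { Start-Service -Name $name }
            }
        }
    }
}

# Compile: writes .\FalconSensorAuditExample\localhost.mof, which you then rename to
# match the package name before running New-GuestConfigurationPackage with Type = 'Audit'.
FalconSensorAuditExample
```

Because the compliance decision lives entirely in TestScript, reviewers can see exactly what "compliant" means for this policy (service present and running) without reading installer code, which is what you want from an audit policy that is assigned broadly.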
Note
Please use PowerShell 7.3+ for the next step
3. Using PowerShell 7.3+, create a package that will audit and apply the configuration (Set).
# Create a package that will audit and apply the configuration (Set).
$params = @{
Name = 'FalconSensorDeployPolicy'
Configuration = './FalconSensorDeployPolicy.mof'
Type = 'AuditAndSet'
Force = $true
}
New-GuestConfigurationPackage @params
4. This step requires a storage account. If you do not have a storage account and container, create them before proceeding. Use Set-BlobContext.ps1 to store the context of your storage account. Note the connection string of the storage account.
Reference - Publish a configuration package
Reference - Configure Azure Storage connection settings
Using Set-BlobContext.ps1
Note
In the following deployment examples, replace < placeholder > values with specific values for your configuration.
$connectionString = '<YOUR CONNECTION STRING>'
$context = New-AzStorageContext -ConnectionString $connectionString
$getParams = @{
Context = $context
Container = '<YOUR CONTAINER>'
File = './FalconSensorDeployPolicy.zip'
}
$blob = Set-AzStorageBlobContent @getParams
$contentUri = $blob.ICloudBlob.Uri.AbsoluteUri
Example result:
Next, set the storage context with a SAS token using Set-StorageContext.ps1
$startTime = Get-Date
$endTime = $startTime.AddYears(3)
$tokenParams = @{
StartTime = $startTime
ExpiryTime = $endTime
# Must be the same container the package was uploaded to in Set-BlobContext.ps1
Container = 'files'
Blob = 'FalconSensorDeployPolicy.zip'
Permission = 'r'
Context = $context
FullUri = $true
}
$contentUri = New-AzStorageBlobSASToken @tokenParams
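Before the SAS URI is baked into a policy definition that every targeted VM will download from, it is worth confirming that the token grants only read access, has not already expired, and that the blob really is the package you built locally. The function below is an added example, not part of the repository; it assumes `$contentUri` from the step above and the local package path, and it parses the standard SAS query parameters (`sp` for permissions, `se` for expiry).

```powershell
# Added example: sanity-check a package SAS URI before using it in New-GuestConfigurationPolicy.
function Test-GuestConfigurationPackageUri {
    param (
        [Parameter(Mandatory)][string]$Uri,
        [Parameter(Mandatory)][string]$LocalPackagePath
    )

    $parsed = [uri]$Uri
    if ($parsed.Scheme -ne 'https') { throw "Package URI must use https: $Uri" }

    # Parse the SAS query string into a hashtable (sp = permissions, se = expiry time).
    $sas = @{}
    foreach ($pair in $parsed.Query.TrimStart('?').Split('&')) {
        $key, $value = $pair.Split('=', 2)
        $sas[$key] = [uri]::UnescapeDataString($value)
    }

    # The agent only needs to read the blob; anything beyond 'r' is over-privileged.
    if ($sas['sp'] -ne 'r') {
        throw "SAS grants permissions '$($sas['sp'])'; the policy only needs read ('r')."
    }

    $expiryUtc = [datetime]::Parse($sas['se']).ToUniversalTime()
    if ($expiryUtc -lt (Get-Date).ToUniversalTime()) { throw "SAS expired at $expiryUtc UTC" }

    # Download the blob the way the extension would and compare it with the local package.
    $tmp = Join-Path ([IO.Path]::GetTempPath()) 'guestconfig-package-check.zip'
    try {
        Invoke-WebRequest -Uri $Uri -OutFile $tmp
        $remoteHash = (Get-FileHash -Path $tmp -Algorithm SHA256).Hash
    }
    finally {
        Remove-Item -Path $tmp -ErrorAction SilentlyContinue
    }
    $localHash = (Get-FileHash -Path $LocalPackagePath -Algorithm SHA256).Hash
    if ($remoteHash -ne $localHash) {
        throw "Blob content ($remoteHash) differs from local package ($localHash)"
    }

    # Report the blob path without the token so the result can be logged safely.
    [pscustomobject]@{
        Blob        = $parsed.GetLeftPart([UriPartial]::Path)
        Permissions = $sas['sp']
        ExpiresUtc  = $expiryUtc
        Sha256      = $localHash
    }
}

Test-GuestConfigurationPackageUri -Uri $contentUri -LocalPackagePath './FalconSensorDeployPolicy.zip'
```

Record the SHA256 it prints alongside the policy version: when the package is rebuilt later, a changed hash at the same URI is the quickest way to notice that assigned machines are about to pull different content.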
5. To test the package run the following:
# Get the current compliance results for the local machine
Get-GuestConfigurationPackageComplianceStatus -Path ./FalconSensorDeployPolicy.zip
# Test applying the configuration to local machine
Start-GuestConfigurationPackageRemediation -Path ./FalconSensorDeployPolicy.zip
6. To create the policy definition run the following lines of code
$PolicyConfig = @{
PolicyId = New-Guid
ContentUri = $contentUri
DisplayName = 'CrowdStrike Falcon Sensor Deployment'
Description = 'CrowdStrike Falcon Sensor Deployment'
Path = './CrowdStrikeFalconSensorDeployment.json'
Platform = 'Windows'
PolicyVersion = '1.0.0'
Mode = 'ApplyAndAutoCorrect'
}
New-GuestConfigurationPolicy @PolicyConfig -Verbose
7. To import the policy into your Azure environment
New-AzPolicyDefinition -Name 'CrowdStrike Falcon Sensor Deployment' -Policy '.\FalconSensorDeployPolicy_DeployIfNotExists.json'
8. After deploying the policy the expected result is as follows:
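Once the definition is assigned and the first evaluation has run, the compliance picture is easiest to read from Azure Policy state rather than from the portal screenshot. The function below is an added example, not part of the repository; it assumes the Az.PolicyInsights module is installed, that you are signed in with Connect-AzAccount, and that the definition name matches the one given to New-AzPolicyDefinition in step 7. It summarizes results by compliance state and lists the machines that still do not have the sensor.

```powershell
# Added example: summarize compliance for the Falcon sensor policy and list non-compliant VMs.
function Get-FalconSensorPolicyCompliance {
    param (
        # Name passed to New-AzPolicyDefinition in step 7.
        [string]$PolicyDefinitionName = 'CrowdStrike Falcon Sensor Deployment'
    )

    # Latest evaluation record per resource for this definition (OData filter on PolicyDefinitionName).
    $states = Get-AzPolicyState -Filter "PolicyDefinitionName eq '$PolicyDefinitionName'"

    # Count resources per state (Compliant / NonCompliant / etc.).
    $summary = $states |
        Group-Object -Property ComplianceState |
        ForEach-Object { [pscustomobject]@{ State = $_.Name; Count = $_.Count } }

    # Machines the policy has not yet brought into compliance; these are the ones to investigate
    # (extension missing, identity not assigned, package download blocked, install failure).
    $nonCompliant = $states |
        Where-Object { $_.ComplianceState -eq 'NonCompliant' } |
        Select-Object -Property ResourceId, ResourceLocation, Timestamp |
        Sort-Object -Property Timestamp -Descending

    [pscustomobject]@{
        Summary      = $summary
        NonCompliant = $nonCompliant
    }
}

$report = Get-FalconSensorPolicyCompliance
$report.Summary      | Format-Table -AutoSize
$report.NonCompliant | Format-Table -AutoSize
```

Run it after the remediation task has had time to complete; a machine that shows as non-compliant immediately after assignment may simply not have been evaluated yet, while one that stays non-compliant across several evaluations usually points at the prerequisites from the deployment considerations (extension or managed identity) rather than at the sensor package itself.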