Replies: 3 comments
-
The offline queue functionality is part of the Real-time Response APIs, not PSFalcon. PSFalcon doesn't "do" anything by itself--all of the commands in the module are simply formatting requests and sending them to the respective API (with the exception of a few, more complex commands). If the script seems like it's not running, I would assume there's an error somewhere in the script being run. You can check the status of the script using 'Get-FalconQueue' to retrieve results from the offline queue and reference that against the session_id and cloud_request_id values that were output when you originally queued up the command. |
Beta Was this translation helpful? Give feedback.
-
I encountered the same or at least a similar issue. I had five hosts that were offline and queued a simple script to run on all five of the hosts with Today, I checked the remaining four hosts, and they still haven't been run, but when I checked the hosts' status, I found that two were online at that very moment. I logged into Falcon Console and ran the script manually in RTR sessions instead. I find it interesting that the first one ran as I would expect, but the remaining hosts have not. |
Beta Was this translation helpful? Give feedback.
-
Thanks for your comment! If you're finding that certain Real-time Response commands are not being processed, the Real-time Response API team will definitely want to know about it. Opening a ticket with CrowdStrike support will help ensure any recurring issues are fixed. |
Beta Was this translation helpful? Give feedback.
-
We are attempting to use the Offline Queue feature in PSFalcon. As far as I can tell, it's a function of PSFalcon, not something in Crowdstrike's API itself. If I'm wrong, sorry about that, please just let me know!
I am not sure if this issue is due to us not using it correctly, or it just not working.
We add it here, this command is part of a loop:
Invoke-FalconRTR -Command runscript -Arguments "-CloudFile='ourscript'" -HostIds $id -QueueOffline $true
When we run this, the output will list offline_queued:True for offline systems that exist in Crowdstrike, but the script does not appear to run against the offline hosts once the host comes back online. The script we run doesn't appear to keep running after it completes, and I don't believe PSFalcon runs in the background, so the system I run this script from is shut off after business hours my time. Is this incorrect?
We are using this to install an agent on 50 hosts in various timezones. No "offline queued" systems appear to have the agent installed when the host comes online. What are we doing wrong? Any help would be appreciated!
Beta Was this translation helpful? Give feedback.
All reactions