Get Application, System and Security Logs from an Endpoint Using PowerShell Script in Falcon RTR

[usmanzargar]

Hey Guys,

I am looking to find something in PowerShell that would help us in getting and downloading the Application, System and Security Logs from an endpoint using Falcon RTR (Edit and Run Scripts section). I know Analysts usually uses commands in the "Run Commands" section, which upload the logs to the CrowdStrike cloud and then we can download it using a get command (Windows). I am looking to create a script that could be utilized to run in the RTR (Edit and Run Scripts section) and running tat that would fetch the types of logs from endpoints (both Windows & Linux) and also download it in our systems for analysis.

Is this possible in Falcon RTR? If yes, is there any documentation available online that can assist me with it? Assistance on this would be highly appreciated.

Thank you!

[bk-cs]

I'm working on adding two new falconscript files for listing log sources and logs that will be available for all users in the Falcon console. It sounds like you just volunteered to help me test!

EventLog: Return the 100 most recent events for a given ProviderName or LogName, and can also filter to a specific Id (returning the most recent 100 events matching that Id out of the last 1000 log entries).

function Convert-Hashtable([Parameter(Mandatory=$true)][psobject]$Object){
  [hashtable]$i=@{}
  $Object.PSObject.Properties|?{![string]::IsNullOrEmpty($_.Value)}|%{
    $i[($_.Name -replace '\s','_' -replace '\W',$null)]=$_.Value
  }
  $i
}
function Convert-Json([Parameter(Mandatory=$true)][string]$String){
  if($PSVersionTable.PSVersion.ToString() -lt 3.0){
    $Serializer.DeserializeObject($String)
  }else{
    $Object=$String|ConvertFrom-Json
    if($Object){Convert-Hashtable $Object}
  }
}
function Format-Result([Parameter(Mandatory=$true)][hashtable[]]$Hashtable,[string]$String){
  [void]([Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine',$env:ComputerName)|%{
    try{
      $_.OpenSubKey('SYSTEM\\CurrentControlSet\\Services\\CSAgent\\Sim')|%{
        foreach($i in @('AG','CU')){
          nv -Name $i -Value ([System.BitConverter]::ToString($_.GetValue($i))).Replace('-',$null).ToLower()
        }
      }
    }catch{}
  })
  [hashtable]@{script=$String;cid=$CU;aid=$AG;result=$Hashtable}
}
function Write-Json([Parameter(Mandatory=$true)][hashtable]$Hashtable){
  if($PSVersionTable.PSVersion.ToString() -lt 3.0){
    $Serializer.Serialize($Hashtable)
  }else{
    ConvertTo-Json $Hashtable -Depth 8 -Compress
  }
}
function Get-EventLog{
  param(
    [Parameter(ParameterSetName='LogName',Mandatory=$true)]
    [ValidateNotNullOrEmpty()]
    [string]$LogName,
    [Parameter(ParameterSetName='ProviderName',Mandatory=$true)]
    [ValidateNotNullOrEmpty()]
    [string]$ProviderName,
    [Parameter(ParameterSetName='LogName')]
    [Parameter(ParameterSetName='ProviderName')]
    [int32]$MaxEvents
  )
  [void](Get-WinEvent @PSBoundParameters -EA 0 -OV Log)
  if($Log){$Log}else{throw ($Error[0]).Exception.Message}
}
try{
  if($PSVersionTable.PSVersion.ToString() -lt 3.0){
    Add-Type -AssemblyName System.Web.Extensions
    $Serializer=New-Object System.Web.Script.Serialization.JavascriptSerializer
  }
  if($args[0]){$Param=Convert-Json $args[0]}
  $Id=if($Param.Id){$Param.Id;[void]$Param.Remove('Id')}
  $Param['MaxEvents']=if($Id){1000}else{100}
  $Result=Get-EventLog @Param
  if($Result){
    if($Id){$Result=$Result|?{$_.Id -eq $Id}|select -First 100}
    [hashtable[]]$Output=$Result|%{@{TimeCreated=$_.TimeCreated.ToFileTimeUtc();Id=$_.Id;
      ProviderName=$_.ProviderName;LogName=$_.LogName;LevelDisplayName=$_.LevelDisplayName;
      TaskDisplayName=$_.TaskDisplayName;Message=$_.Message;ProcessId=$_.ProcessId;ThreadId=$_.ThreadId}}
    if($Output){
      Write-Json (Format-Result $Output EventLog)
    }else{
      throw ("No result(s) for Id {0} in the 1,000 most recent log entries." -f $Id)
    }
  }
}catch{
  throw $_
}

Input schema:

{
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "properties": {
    "LogName": {
      "type": "string"
    },
    "ProviderName": {
      "type": "string"
    },
    "Id": {
      "type": "integer"
    }
  },
  "type": "object"
}

Output schema:

{
  "$schema": "https://json-schema.org/draft-07/schema",
  "properties": {
    "aid": {
      "type": "string"
    },
    "cid": {
      "type": "string"
    },
    "result": {
      "items": {
        "properties": {
          "TimeCreated": {
            "type": "string"
          },
          "Id": {
            "type": "integer"
          },
          "ProviderName": {
            "type": "string"
          },
          "LogName": {
            "type": "string"
          },
          "LevelDisplayName": {
            "type": "string"
          },
          "TaskDisplayName": {
            "type": "string"
          },
          "Message": {
            "type": "string"
          },
          "ProcessId": {
            "type": "integer"
          },
          "ThreadId": {
            "type": "integer"
          }
        },
        "required": [
          "TimeCreated",
          "Id",
          "ProviderName"
        ],
        "type": "object"
      },
      "type": "array"
    },
    "script": {
      "type": "string"
    }
  },
  "required": [
    "script",
    "result",
    "cid",
    "aid"
  ],
  "type": "object"
}

EventSource: Lists available LogName and their associated ProviderName for use with EventLog. Use Match to find a name via Regex match.

function Convert-Hashtable([Parameter(Mandatory=$true)][psobject]$Object){
  [hashtable]$i=@{}
  $Object.PSObject.Properties|?{![string]::IsNullOrEmpty($_.Value)}|%{
    $i[($_.Name -replace '\s','_' -replace '\W',$null)]=$_.Value
  }
  $i
}
function Convert-Json([Parameter(Mandatory=$true)][string]$String){
  if($PSVersionTable.PSVersion.ToString() -lt 3.0){
    $Serializer.DeserializeObject($String)
  }else{
    $Object=$String|ConvertFrom-Json
    if($Object){Convert-Hashtable $Object}
  }
}
function Format-Result([Parameter(Mandatory=$true)][hashtable[]]$Hashtable,[string]$String){
  [void]([Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine',$env:ComputerName)|%{
    try{
      $_.OpenSubKey('SYSTEM\\CurrentControlSet\\Services\\CSAgent\\Sim')|%{
        foreach($i in @('AG','CU')){
          nv -Name $i -Value ([System.BitConverter]::ToString($_.GetValue($i))).Replace('-',$null).ToLower()
        }
      }
    }catch{}
  })
  [hashtable]@{script=$String;cid=$CU;aid=$AG;result=$Hashtable}
}
function Write-Json([Parameter(Mandatory=$true)][hashtable]$Hashtable){
  if($PSVersionTable.PSVersion.ToString() -lt 3.0){
    $Serializer.Serialize($Hashtable)
  }else{
    ConvertTo-Json $Hashtable -Depth 8 -Compress
  }
}
try{
  if($PSVersionTable.PSVersion.ToString() -lt 3.0){
    Add-Type -AssemblyName System.Web.Extensions
    $Serializer=New-Object System.Web.Script.Serialization.JavascriptSerializer
  }
  if($args[0]){$Param=Convert-Json $args[0]}
  [hashtable[]]$Output=Get-WinEvent -ListLog * -EA 0|?{$_.RecordCount -gt 0}|%{@{LogName=$_.LogName;
    RecordCount=$_.RecordCount;ProviderNames=$_.ProviderNames}}
  if($Output -and $Param.Match){$Output=$Output|?{$_.LogName -match $Param.Match}}
  if($Output){
    Write-Json (Format-Result $Output EventSource)
  }elseif($Param.Match){
    throw ('No LogNames matching "{0}".' -f $Param.Match)
  }else{
    throw "No result(s)."
  }
}catch{
  throw $_
}

Input schema:

{
  "$schema": "https://json-schema.org/draft-07/schema",
  "properties": {
    "Match": {
      "type": "string"
    }
  },
  "type": "object"
}

Output schema:

{
  "$schema": "https://json-schema.org/draft-07/schema",
  "properties": {
    "aid": {
      "type": "string"
    },
    "cid": {
      "type": "string"
    },
    "result": {
      "items": {
        "properties": {
          "LogName": {
            "type": "string"
          },
          "RecordCount": {
            "type": "integer"
          },
          "ProviderNames": {
            "items": {
              "type": "string"
            },
            "type": "array"
          }
        },
        "required": [
          "LogName",
          "RecordCount"
        ],
        "type": "object"
      },
      "type": "array"
    },
    "script": {
      "type": "string"
    }
  },
  "required": [
    "script",
    "result",
    "cid",
    "aid"
  ],
  "type": "object"
}

[bk-cs]

You can create these as custom scripts in your environment and check the Use with workflows box to add the input and output schema. Below you'll find examples of how to run these scripts on demand in an RTR session in the Falcon UI.

Use EventSource to list available log names

runscript -CloudFile="EventSource"

Use EventSource to list available logs matching PowerShell

runscript -CloudFile="EventSource" -CommandLine=```'{"Match":"PowerShell"}'```

Use EventLog to return the 100 most recent events from the Windows PowerShell log

runscript -CloudFile="EventLog" -CommandLine=```'{"LogName":"Windows PowerShell"}'```

Use EventLog to return the 100 most recent events from the PowerShell provider

runscript -CloudFile="EventLog" -CommandLine=```'{"ProviderName":"PowerShell"}'```

Use EventLog to return the 100 most recent events with the Id 600 from the Windows PowerShell log

runscript -CloudFile="EventLog" -CommandLine=```'{"LogName":"Windows PowerShell","Id":600}'```

[bk-cs]

To take it a step further and run the same command using PSFalcon across multiple devices, you can use Invoke-FalconRtr.

Run EventLog on all Windows devices that are currently online and return the 100 most recent entries for the Windows PowerShell log

 Get-FalconHost -Filter "platform_name:'Windows'+last_seen:>'now-5m'" -All | Invoke-FalconRtr -Command runscript -Argument ('-CloudFile="EventLog" -CommandLine=```' + "'$(@{ LogName = 'Windows PowerShell' } | ConvertTo-Json -Compress)'" + '```') -OutVariable Rtr

This will create a variable called Rtr that can be used to see the log entries for each device under the stdout property. You'll have to drill down a little bit to see the actual log output.

[bk-cs]

Please let me know if this helps with your use case and/or if you have any follow-up questions!