https://github.com/hazcod/cscleanup
CrowdStrike host cleanup script to keep your estate tidy.
- Host: GitHub
- URL: https://github.com/hazcod/cscleanup
- Owner: hazcod
- Created: 2023-11-08T07:41:58.000Z (over 2 years ago)
- Default Branch: main
- Last Pushed: 2025-01-13T07:30:54.000Z (over 1 year ago)
- Last Synced: 2025-01-13T08:30:35.695Z (over 1 year ago)
- Language: Go
- Size: 86.9 KB
- Stars: 2
- Watchers: 2
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- Codeowners: .github/CODEOWNERS
README
# cscleanup
A Go program that cleans up your estate of CrowdStrike cloud and endpoint sensors.
## How does it work?
The program uses the following logic to decide whether a sensor is faulty and is cluttering your dashboard:
1. Any CrowdStrike sensor that was only momentarily online (max. 5 minutes), did not have the chance to download any policies and did not report a Hostname.
2. Any CrowdStrike endpoint sensor that does not have an `email/` tag. (e.g. to use with [security-slacker](https://github.com/hazcod/security-slacker/))
3. Any CrowdStrike sensor that is in RFM mode and was last seen over 24 hours ago.
4. Any CrowdStrike cloud sensor that has not been seen for 24 hours. (VMs were most likely destroyed)
5. Any hidden CrowdStrike sensor that was still recently seen, i.e. was most likely hidden by accident.
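
The five rules above expressed as one Go function, as an added example that is not cscleanup's own code. The `Host` struct and its field names, substring matching for the `email/` tag, and reading "recently seen" in rule 5 as "within 24 hours" are assumptions; the sample hosts are constructed.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Host is a hypothetical, simplified record; the field names are assumptions,
// not the CrowdStrike API schema or cscleanup's own types.
type Host struct {
	Hostname                      string
	Cloud, RFM, Hidden, HasPolicy bool
	Tags                          []string
	FirstSeen, LastSeen           time.Time
}

// hasEmailTag reports whether any tag contains "email/". Substring matching is
// an assumption so that a tag stored with a leading prefix still counts.
func hasEmailTag(tags []string) bool {
	for _, t := range tags {
		if strings.Contains(t, "email/") {
			return true
		}
	}
	return false
}

// Classify returns the numbers (1-5) of the README rules that h matches.
func Classify(h Host, now time.Time) []int {
	var hits []int
	stale := now.Sub(h.LastSeen) > 24*time.Hour
	rules := []bool{
		h.LastSeen.Sub(h.FirstSeen) <= 5*time.Minute && !h.HasPolicy && h.Hostname == "", // 1
		!h.Cloud && !hasEmailTag(h.Tags), // 2: endpoint sensors only
		h.RFM && stale,                   // 3
		h.Cloud && stale,                 // 4
		h.Hidden && !stale,               // 5: "recently" assumed to mean within 24h
	}
	for i, match := range rules {
		if match {
			hits = append(hits, i+1)
		}
	}
	return hits
}

func main() {
	now := time.Date(2025, 1, 13, 8, 0, 0, 0, time.UTC) // constructed sample data
	ghost := Host{Cloud: true, FirstSeen: now.Add(-72 * time.Hour), LastSeen: now.Add(-72*time.Hour + 3*time.Minute)}
	laptop := Host{Hostname: "lt-01", Tags: []string{"email/a@example.com"}, HasPolicy: true, Hidden: true, FirstSeen: now.Add(-900 * time.Hour), LastSeen: now.Add(-time.Hour)}
	fmt.Println(Classify(ghost, now), Classify(laptop, now))
}
```

A host can match more than one rule: the constructed `ghost` cloud sensor matches rules 1 and 4.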
## Running
First, obtain CrowdStrike API credentials that have `Hosts:read` and `Hosts:write` permissions.
Then create the following YAML configuration file:
```yaml
log:
  level: INFO
slack:
  webhook: "https://hooks.slack.com/services/XXX"
crowdstrike:
  region: eu-1
  client_id: "XXXX"
  client_secret: "XXXX"
```
Run the program with the following arguments:
```shell
./cscleanup -config=config.yml
```
If you don't want to hide any sensors or send anything to Slack:
```shell
./cscleanup -config=config.yml -preview
```