Some more scripting sharing. Let me know if it he...
# _general
j
One thing I'd add Re: "Update CrowdStrike cached definitions." The 'process' of uninstalling Falcon -> reinstalling Falcon on image seal... and the subsequent channel file update that you want to happen on the base image can take up to 30 minutes. Otherwise, that first pull will happen "some time after" a non-persistent desktop boots... which may or may not include any IOA/IOC exclusions during startup/first logon.
```powershell
# Clear the screen
Clear-Host

# Display the warning message
Write-Host "*********************************************"
Write-Host "*                                           *"
Write-Host "*  !!! WAIT 30 MINUTES BEFORE SHUTDOWN !!!  *"
Write-Host "*   CrowdStrike must pull channel files.    *"
Write-Host "*                                           *"
Write-Host "*********************************************"

# Calculate and display the time 30 minutes from now
$safeTime = (Get-Date).AddMinutes(30).ToString("hh:mm tt")
Write-Host ""
Write-Host "Safe to shutdown after $safeTime."
Write-Host ""
```
j
Does CrowdStrike have a CLI force pull? Or is it all console based?
j
I haven't found a way to force a Falcon agent to pull. The behind-the-curtain part of one of the remediation methods (reboot until it works) of the July 19th CrowdStrike Day hellscape was the dice roll of whether you received updated channel file 291 before it BSOD'd you.