topic Re: Crowd strike installed not installed list using palo alto HIP object in GlobalProtect Discussions

Crowd strike installed not installed list using palo alto HIP object

KirubaKaran — Fri, 27 Aug 2021 10:51:23 GMT

Hi Teams & Friends,

Hope you're good and safe !

We have configured GP VPN we have license for configuring HIP objects it was working as expected one of our new requirement was to know ANTI-MALWARE which is installed in client machines also need to know how many users installed crowd strike how many not installed and need to trigger notification to install crowd-strike.

We tried KB & docs below :

HIP OBJECT WORKING MECHANISM

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PLSYCA4

Tried HIP Notifications

https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-web-interface-help/globalprotect/network-globalprotect-gateways/globalprotect-gateways-agent-tab/hip-notification-tab

HIP OBJECT MALWARE PROTECTION TAB

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/globalprotect/objects-globalprotect-hip-objects/hip-objects-anti-malware-tab

++ We tried above but no luck kindly let me know incase any way to find out that which all the devices crowd strikes installed and not.

++ It's been great if we got solution guys....looking for your quick replies friends.....;)....;)

Regards

Thanks & Regards,
Kirubakaran M - Security Support Engineer

Re: Crowd strike installed not installed list using palo alto HIP object

rdonohoe23 — Wed, 22 Sep 2021 14:58:38 GMT

Hi Kirubakaran,

Good topic to raise. I have taken a few screenshots of an approach I would take. I use Cortex XDR Advanced Endpoint Protection so was unable to check we dont get the HIP log and alert if Crowdsrike was installed. But if you use the details below and test yourself. If not getting expected results, it may need a TAC case.

Good link below that looks at using HIP checks when multiple OS's connecting to the same portals and gateways. I wrote up a few years ago under a different logon...

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClTnCAK

create hip objects. Be basic and build layers. Create objects to just ID the OS.

Build up the HIP profiles. the setup below will check if Crowdstrike is NOT installed on macbook and windows only and not ios devices. It also checks if windows defender is installed on windows pc's only.

Handy report below. Set the time frame accordingly and ideally link this up in a report group , then email scheduler to get the reports emailed out on a schedule.

The report configured above looks at the crowdstrike check only. We can traceback user and device from the report.

The screenshot above notifies the user if the check is matched / they dont have Crowdstrike installed.

hope that helps,

Rob