Crowd strike installed not installed list using palo alto HIP object

cancel
Showing results for 
Search instead for 
Did you mean: 

Crowd strike installed not installed list using palo alto HIP object

L1 Bithead

Hi Teams & Friends,

                                   Hope you're good and safe !

                                    We have configured GP VPN we have license for configuring HIP objects it was working as expected one of our new requirement was to know ANTI-MALWARE which is installed in client machines also need to know how many users installed crowd strike how many not installed and need to trigger notification to install crowd-strike.

 

We tried KB & docs below :

 

HIP OBJECT WORKING MECHANISM

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PLSYCA4

 

Tried HIP Notifications

https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-web-interface-help/globalprotect/network-globalp...

 

HIP OBJECT MALWARE PROTECTION TAB

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/globalprotect/objects-globalp...

 

++ We tried above but no luck kindly let me know incase any way to find out that which all the devices crowd strikes installed and not.

 

++ It's been great if we got solution guys....looking for your quick replies friends.....;)....;)

 

 

Regards

Thanks & Regards,
Kirubakaran M - Security Support Engineer

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Kirubakaran.M
Security Support Engineer
1 REPLY 1

L2 Linker

Hi Kirubakaran,

Good topic to raise. I have taken a few screenshots of an approach I would take. I use Cortex XDR Advanced Endpoint Protection so was unable to check we dont get the HIP log and alert if Crowdsrike was installed. But if you use the details below and test yourself. If not getting expected results, it may need a TAC case. 

 

Good link below that looks at using HIP checks when multiple OS's connecting to the same portals and gateways. I wrote up a few years ago under a different logon... 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClTnCAK

 

 

create hip objects. Be basic and build layers. Create objects to just ID the OS. 

hc-demo-hip-objects.PNG

 

 

 Build up the HIP profiles. the setup below will check if Crowdstrike is NOT installed on macbook and windows only and not ios devices. It also checks if windows defender is installed on windows pc's only. 

hc-demo-hip-profiles.PNG

 

 Handy report below. Set the time frame accordingly and ideally link this up in a report group , then email scheduler to get the reports emailed out on a schedule.  

hc-demo-report-config.PNG

 

The report configured above looks at the crowdstrike check only. We can traceback user and device from the report.  

 

hc-demo-report.PNG

 

hc-demo-hip-notify.PNG

 

The screenshot above notifies the user if the check is matched / they dont have Crowdstrike installed. 

 

 

 

 

hope that helps, 

 

Rob 

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!