Suggestion - add a command that reports the connected hosts. #42

Closed
59e5aaf4 opened this issue Mar 27, 2023 · 3 comments · Fixed by #49
Labels
🙌 enhancement New feature or request

Comments

@59e5aaf4

When connecting to numerous hosts, it isn't clear how many are offline and if some have disconnected, etc. Could there be some "session_status" command reporting which hosts got connected to?

```
>>> print('\n'.join(map(lambda x:f'{x["aid"]} {x["session_id"]} {x["errors"]}', self.connected_devices.values())))
28059c27c3694fb59b39e1ba50896d4b  [{'code': 40401, 'message': 'Could not establish sensor comms'}]
2cd5a11cb2c844f5ad678afbda9acf25  [{'code': 40401, 'message': 'Could not establish sensor comms'}]
5146691f5bc24d8991286fb116e88b50 6ee4231d-5876-4bb1-9aa3-b93ec2943321 []
568c6974635e4410b831b3ff05608e41 9a4c6b56-8995-4c81-b105-b62090fca961 []
8816f5c8faff4c508cee4ed193ddbd6a  [{'code': 40401, 'message': 'Could not establish sensor comms'}]
8e50d5bea17f494184e9ba95785f9e37 2a7e9810-4b9c-43e8-9890-38f473b86a9e []
a49de844cf614e9aa4eee305980779f9  [{'code': 40401, 'message': 'Could not establish sensor comms'}]
b321ae381d664c479dafce23d57feb87  [{'code': 40401, 'message': 'Could not establish sensor comms'}]
d0a5967dd31b4bf8afee02bd08a56a05  [{'code': 40401, 'message': 'Could not establish sensor comms'}]
d9a6f368c25141a9af8d2d90e426b1b7 a7055947-a38f-4f7d-9525-c9bb08ca1bf3 []
f3ccc650c86a448b82b04b509c7fd01e  [{'code': 40401, 'message': 'Could not establish sensor comms'}]
f466b414b05146e88c187f7d570e3cf4  [{'code': 40401, 'message': 'Could not establish sensor comms'}]
febbb171f931492c9e5a8e4b9cdd5d93  [{'code': 40401, 'message': 'Could not establish sensor comms'}]
```

Thanks!

@ChristopherHammond13
Member

Adding @kenoel to this ticket, who has been building out this functionality. She needs to get some support for this merged into Caracara first, after which this project will be updated with the functionality. Thank you for your patience here!

@59e5aaf4
Author

Some bits of context, not exactly related to implementing this feature, but that will explain the reasoning behind it.

We're trying to build an RTR automation system that ensures that eventually some RTR command is executed on a host (re-queuing after 7 days if the queued session expired). This involves providing a proper diagnostic to RTR session establishment failures. Part of our tests involved manual batch operations done with falcon-toolkit on some hosts. It's still not clear on our side how the online/unknown=4m/offline=40m system interacts with the RTR session live/queued system, and we are yet to discover a way to properly explain why a live RTR session will not be created when a host is online and reported as online.

Thanks again for the good work, all that lib (+caracara) has introduced our team to numerous modern Python features and modules.

@ChristopherHammond13
Member

ChristopherHammond13 commented Apr 27, 2023

@59e5aaf4 sorry I did not see this comment before! I have spoken to the RTR engineering team about this question and can share that queueing will be instigated automatically if the message to start the session cannot reach the Sensor. Therefore, connecting with a relatively short timeout (60 seconds or so) and queueing enabled should help you to get these commands queued up in a fairly reliable manner.

Where you may face issues is where systems have unreliable Internet connectivity. If you are happy to do more work to get closer to some level of guarantee that commands will eventually be executed, it may be helpful to leverage the work that @kenoel is currently working on to filter only by hosts confirmed to be highly likely online (i.e., checked in within the past five minutes) and not queue for those offline. You could then run your code in a loop every 5 minutes to check for new systems and execute commands on them when they're online.

I hope this helps you to figure this out. If you have more complex or technical questions, please feel free to reach out to us by email. Chris.Hammond at crowdstrike .com will get me, or alternatively if you have a TAM or contact in our Developer Experience team, etc. feel free to reach out there.
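
The status report requested in this issue, combined with the five-minute polling approach from the reply above, as an added example that is not part of the thread and is not falcon-toolkit or Caracara code. It works on plain dictionaries shaped like the `connected_devices` output shown in the issue; the per-host last-seen timestamps, the function names and the sample AIDs are assumptions.

```python
from datetime import datetime, timedelta, timezone

ONLINE_WINDOW = timedelta(minutes=5)  # "checked in within the past five minutes"


def session_status(connected_devices):
    """Split batch results into connected AIDs and failures grouped by error."""
    connected, failed = [], {}
    for aid, dev in sorted(connected_devices.items()):
        errors = dev.get("errors") or []
        if dev.get("session_id") and not errors:
            connected.append(aid)
            continue
        # A host with neither a session nor an error is still reported.
        for err in errors or [{"code": None, "message": "no session returned"}]:
            failed.setdefault((err["code"], err["message"]), []).append(aid)
    return connected, failed


def plan_round(pending, last_seen, now):
    """One pass of the five-minute loop: attempt recent hosts, defer the rest."""
    recent = {aid for aid, seen in last_seen.items() if now - seen <= ONLINE_WINDOW}
    return sorted(pending & recent), sorted(pending - recent)


def finish_round(pending, connected_devices):
    """Drop hosts that got a session; failures stay pending for the next pass."""
    connected, failed = session_status(connected_devices)
    return pending - set(connected), failed


# Constructed sample data (placeholder AIDs, not taken from the issue).
NOW = datetime(2023, 4, 27, 12, 0, tzinfo=timezone.utc)
LAST_SEEN = {  # assumed to come from each host's last check-in time
    "aid-a": NOW - timedelta(minutes=1),
    "aid-b": NOW - timedelta(minutes=3),
    "aid-c": NOW - timedelta(minutes=42),
}
BATCH_RESULT = {
    "aid-a": {"aid": "aid-a", "session_id": "sess-1", "errors": []},
    "aid-b": {"aid": "aid-b", "session_id": "",
              "errors": [{"code": 40401, "message": "Could not establish sensor comms"}]},
}

if __name__ == "__main__":
    pending = {"aid-a", "aid-b", "aid-c"}
    print("attempt / deferred:", plan_round(pending, LAST_SEEN, NOW))
    print("pending / failures:", finish_round(pending, BATCH_RESULT))
```

Grouping failures by error code makes a host that is reported online but returns 40401 stand out from hosts that were simply deferred as stale.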
