CrowdStrike Sensor Update Policy Auto – N-1 – Could have avoided catastrophic failure

This catastrophic failure could have been avoided by implementing a CrowdStrike Sensor update policy that matches your change control process, or simply by using an N-1 strategy. If left at the default, the sensor auto-updates. All these companies left it either on Auto - Latest or didn't even set the policy.

Unfortunately, I can't link to the CrowdStrike documentation as they hide support and documentation behind a customer login. As always, this setting is often overlooked unless you have a really good Sales Engineer who goes through best practices with customers.

You can’t just purchase software and set it and forget it. You need an internal policy to maintain, update, review, and renew over the lifetime of that investment.

I have had commentators say that setting this policy to static would not have any effect and the problem would still happen. Well, you had better do more due diligence on the CrowdStrike product you purchase rather than believing the hype train.

This problem was caused by CrowdStrike, not other endpoint vendors, so don't bring us into it. Go and have the difficult conversation with CrowdStrike and leave other vendors out of it, rather than trying to say all endpoint vendors have this kind of problem. Because they DON'T. People always follow the trend because it's easy and lazy.

Most likely this was caused by a disgruntled employee. Complete guess, but more than likely, as large software development companies like this do have strict SDLC and release management, and someone was shorting the stock at the same time the update was pushed.

We will never know either way!!

Summary of Risk-Based Hierarchy of Workload Protection Controls by Gartner

Here's an expanded explanation of the points in the graphic above, to help you figure out how best to incorporate these strategies into your hybrid cloud or multi-cloud data center protection program.

Hardening, Configuration, and Vulnerability Management: Properly configure systems to reduce risks. Use automated vulnerability management tools to identify and fix software issues that could be exploited.

Identity-based Segmentation and Network Visibility: Implement network segmentation and ensure comprehensive visibility in cloud environments. Use advanced micro-segmentation technology to automatically discover applications, traffic, and dependencies, and create context-driven segmentation rules to enhance security and compliance.

System Integrity Assurance: Utilize File Integrity Monitoring to detect unauthorized file changes. Maintain an inventory of systems, software, and configurations to establish relevant alert procedures.

Application Control/Whitelisting: Enforce policies to control traffic between application components, ensuring security throughout the cloud transition. Employ granular control features, such as micro-segmentation, to limit lateral movement and use whitelist/blacklist models to manage application traffic effectively.

Exploit Prevention/Memory Protection: Focus on exploit prevention through breach detection and response tools. Maintain visibility and mapping of the network to identify unpatched vulnerabilities and abnormal communications, establishing a baseline for legitimate traffic to highlight suspicious activities.


HowTo: Download VMware Workstation Pro and VMware Fusion Pro for FREE.

  1. Create an account on
  2. Register your personal email at
  3. After logging in, click on the following links:

DO NOT INSTALL ON YOUR COMPANY DEVICES. That is a violation of the Terms and Conditions; purchase a commercial license for that instead.


QuickStart: Carbon Black Cloud API Postman Scripting

"Postman writes PowerShell scripts?" – That was a response someone made recently. A lot of people don't know that Postman has a feature that generates code in many languages to access any API; you can then use ChatGPT to do a lot more with it.

One of the most difficult things in API scripting and programming is getting the syntax correct; once you have the initial API script set up, you are past the biggest hurdle. The following video tutorial shows you how to access this feature of Postman, and it applies to any API, not just Carbon Black.

Here is a video demonstration to help people get started with Carbon Black Cloud API scripting.

This is not my voice; it's changed to stop AI voice scams.

One of the key skills for any Presales role is your ability to demonstrate and provide solutions that your customers can replicate.

Carbon Black On Prem EDR – Auto Install on VMware Workstation using Hashicorp Vagrant

Carbon Black On Prem EDR is a comprehensive endpoint security solution designed to detect, respond to, and prevent a wide range of cyber threats. EDR solutions focus on monitoring and analyzing endpoint activities to identify and mitigate potential security incidents.

This HashiCorp Vagrant script will automatically set up a supported CentOS release and then download and install Carbon Black On Prem EDR within 5 mins. (Word.)

This script is also a demonstration of how to automate installation using HashiCorp. I’ll work on this and use Terraform to deploy onto Azure.

This is also a good example script to use for installation onto Linux for your lab environments. Vagrant and Terraform have terrible documentation, so it's good to have an example script that actually works. You can use Ansible for configuration management, but that's for another day.

Note: The Carbon Black EDR RPM file and license are not included in the Git repo; you need to request them via your SE.

Demo Vagrant Install

Increase the YouTube playback quality to see the text.

If you are like me, I love spending hours installing operating systems. So, I decided to build my labs using automation; it takes a lot of effort upfront, but saves a lot of effort down the track and opens up a lot of possibilities in the future.

So, this is a journey and takes a lot of effort; if anyone else wants to participate, I have some grand plans we can build.

Automation Options

There are a lot of ways to skin this cat, but I am restricting myself to HashiCorp Vagrant and Terraform, possibly converting to OpenTofu to support open source.

Vagrant and Terraform are 'same same but different': Vagrant is more for local labs and Terraform for public clouds (AWS, Azure, GCP), though it's possible to use Vagrant for public cloud as well, with limited functionality compared to Terraform, which has 'provisioners' that support cloud-native 'stuff'. I'll convert this script to Terraform later.

Here is a Vagrant script to auto install Carbon Black On Prem EDR onto VMware Workstation.

You will need to make sure you install the VMware Workstation Vagrant Utility and the VMware Workstation plugin, both free, from – Installation – VMware Provider | Vagrant | HashiCorp Developer

The following Vagrant script is a good base for 1) copying a file from local to the VM and 2) executing shell commands within the VM.

Setup Instructions

  1. Create a folder for the VM
  2. Put the Carbon Black RPM file in the same directory as the Vagrantfile
  3. Put the cbcinit.ini in the same directory – cbinit.ini from
  4. Create the Vagrantfile from
  5. Run vagrant init
  6. Run vagrant up
  7. Run vagrant destroy
  8. Log in to Carbon Black EDR –

App Control Auto Install
# Carbon Black App Control Install
# Example Microsoft Vagrantfile -
# Carbon Black App Control Pre-requisites script -
# Operating System Architecture Service Pack Additional Notes/Requirements
# Windows Server 2012 R2 x64 Use Latest If virtual, HVM only
# Windows Server 2016 x64 Use Latest If virtual, HVM only
# Windows Server 2019 x64 Use Latest If virtual, HVM only
# Windows Server 2022 x64 Use Latest If virtual, HVM only
# Vagrant - Windows Server -

Vagrant.configure("2") do |config|
  config.vm.box = "StefanScherer/windows_2022" # This image bluescreens on first boot, but, I don't care.
  config.vm.provider "vmware_desktop" do |v|
    v.gui = true
  end

  # 8.10.0 Server Download Link
  # IMPORTANT: Before using the download link, make sure you have logged into the Carbon Black User Exchange (UEX).
  # Files put inside C:\Users\vagrant\Documents
  config.vm.provision "file", source: "Servers_CB App Control", destination: "Servers_CB App Control"

  # Inline PowerShell run inside the guest as Administrator
  config.vm.provision "shell", inline: <<-SHELL, privileged: true
    # Set Execution Policy, enable TLS 1.2, and install Chocolatey
    Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString(''))
    choco feature enable -n allowGlobalConfirmation
    choco install vscode -y

    # Invoke-WebRequest -Uri -OutFile .\AppControl_Preres.ps1; .\AppControl_Preres.ps1

    #Open "Windows PowerShell ISE" as Administrator
    Set-ExecutionPolicy Bypass -Scope Process

    #Disable Windows Defender
    Set-MpPreference -DisableRealtimeMonitoring $true
    #Uninstall Windows Defender
    Remove-WindowsFeature Windows-Defender

    #Install IIS
    Install-WindowsFeature -name Web-Server -IncludeManagementTools

    #Enable IIS options
    Enable-WindowsOptionalFeature -Online -FeatureName IIS-WebServerRole
    Enable-WindowsOptionalFeature -Online -FeatureName IIS-WebServer
    Enable-WindowsOptionalFeature -Online -FeatureName IIS-CommonHttpFeatures
    Enable-WindowsOptionalFeature -Online -FeatureName IIS-HttpErrors
    Enable-WindowsOptionalFeature -Online -FeatureName IIS-HttpRedirect
    Enable-WindowsOptionalFeature -Online -FeatureName IIS-ApplicationDevelopment
    Enable-WindowsOptionalFeature -Online -FeatureName NetFx4Extended-ASPNET45
    Enable-WindowsOptionalFeature -Online -FeatureName IIS-NetFxExtensibility45
    Enable-WindowsOptionalFeature -Online -FeatureName IIS-HealthAndDiagnostics
    Enable-WindowsOptionalFeature -Online -FeatureName IIS-HttpLogging
    Enable-WindowsOptionalFeature -Online -FeatureName IIS-LoggingLibraries
    Enable-WindowsOptionalFeature -Online -FeatureName IIS-RequestMonitor
    Enable-WindowsOptionalFeature -Online -FeatureName IIS-HttpTracing
    Enable-WindowsOptionalFeature -Online -FeatureName IIS-Security
    Enable-WindowsOptionalFeature -Online -FeatureName IIS-RequestFiltering
    Enable-WindowsOptionalFeature -Online -FeatureName IIS-WebServerManagementTools
    Enable-WindowsOptionalFeature -Online -FeatureName IIS-ManagementConsole

    # OER:
    # You must disable Basic Authentication and Windows Authentication so that the App Control Server handles authentication:
    Disable-WindowsOptionalFeature -Online -FeatureName IIS-BasicAuthentication
    Disable-WindowsOptionalFeature -Online -FeatureName IIS-WindowsAuthentication

    Enable-WindowsOptionalFeature -Online -FeatureName IIS-StaticContent
    Enable-WindowsOptionalFeature -Online -FeatureName IIS-DefaultDocument
    Enable-WindowsOptionalFeature -Online -FeatureName IIS-ISAPIExtensions
    Enable-WindowsOptionalFeature -Online -FeatureName IIS-ISAPIFilter
    Enable-WindowsOptionalFeature -Online -FeatureName IIS-ASPNET45
    Enable-WindowsOptionalFeature -Online -FeatureName IIS-CGI
    Enable-WindowsOptionalFeature -Online -FeatureName IIS-ManagementScriptingTools

    # Install SQL Server Express 2019.

    function Install-SQLServerExpress2019 {
        Write-Host "Downloading SQL Server Express 2019..."
        $Path = $env:TEMP
        $Installer = "SQL2019-SSEI-Expr.exe"
        $URL = ""
        Invoke-WebRequest $URL -OutFile $Path\$Installer

        Write-Host "Installing SQL Server Express..."
        Start-Process -FilePath $Path\$Installer -Args "/ACTION=INSTALL /IACCEPTSQLSERVERLICENSETERMS /QUIET" -Verb RunAs -Wait
        Remove-Item $Path\$Installer
    }
    Install-SQLServerExpress2019

    # 8.10.0 Server Download Link
    # IMPORTANT: Before using the download link, make sure you have logged into the Carbon Black User Exchange (UEX).
    # I just copied the link from the corresponding download link, I am not sure if this link expires, so you may need to update this link as required, or download it to local first.
    # Invoke-WebRequest -Uri "" -OutFile .\
    # Expand-Archive -Path "C:\Users\vagrant\Documents\Servers_CB App Control" -DestinationPath "C:\Users\vagrant\Documents"
    # "C:\Users\vagrant\Documents\ParityServerSetup.exe"
    # This doesnt work yet
  SHELL
end

HowTo: Install MacOS Sonoma 14  with XCode and iPhone Simulator inside a Windows using VMware Workstation

Here is a step-by-step guide to creating a MacOS Sonoma (Intel) virtual machine on VMware Workstation, so that you can run Xcode with the iPhone Simulator. It's nice to have MacOS virtualised for development and testing.

This guide does not work for MacOS on ARM; that requires different methods.

If you have an Apple laptop, the EULA allows you to virtualise one copy of the OS.

MacOS Intel on VMware Workstation

Creates Empty Disk: hdiutil create -o /tmp/Sonoma -size 16384m -volname Sonoma -layout SPUD -fs HFS+J

Mounts created disk: hdiutil attach /tmp/Sonoma.dmg -noverify -mountpoint /Volumes/Sonoma

Creates install media: sudo /Applications/Install\ macOS\ --volume /Volumes/Sonoma

Unmounts disk image: hdiutil eject -force /Volumes/Install\ macOS\ Sonoma

Creates CDR file: hdiutil convert /tmp/Sonoma.dmg -format UDTO -o ~/Desktop/Sonoma

Converts CDR to ISO: mv -v ~/Desktop/Sonoma.cdr ~/Desktop/Sonoma.iso

Cleans up files: rm -fv /tmp/Sonoma.dmg

  • Download and install the VMware MacOS unlocker from –
  • Create a VM with LSI and NVMe, and enable "Virtualize Intel VT-x or AMD-V/RVI"
  • Install VMware Tools with the Unlocker Darwin ISO.
  • Enable VMware Tools under Privacy



Build a VMware Workstation Vagrant Image

  1. Click on the following inside a Mac Intel machine and it will download the installer to this location.
  2. Or download the ISO from –
  3. Download the Unlocker –
  4. Follow this guide – it has all of the details required
  5. Run the Optimiser –
  6. VMware network bridging might not work, so set a manual IP address using Bridge Mode.

Rambo: Making Virtual Machines on Any Provider

In the fast-paced world of software development, the ability to quickly provision and configure virtual machines (VMs) is invaluable. Whether for local testing or cloud deployment, having a tool that simplifies this process can greatly enhance productivity. This is where Rambo comes in.

What is Rambo?

Rambo is a provisioning and configuring framework developed by Terminal Labs. It allows for the creation of VMs on any provider in a simple, predictable, and highly reproducible way. By leveraging Vagrant and its various plugins for different providers, Rambo enables users to spin up new local instances and nearly identical cloud instances with ease.

Key Features

  • Provider Agnosticism: Rambo is designed to be provider-agnostic, meaning it is not tied to specific cloud or virtualization platforms. This flexibility allows for seamless VM creation across different environments.
  • Compatibility with Provisioners: Rambo is compatible with various provisioners, with SaltStack being supported out of the box. This makes it easy to integrate Rambo into existing infrastructure setups.
  • Quick Start: The framework offers a quick start guide and basic usage examples for creating VMs on different providers, including VirtualBox, LXC, DigitalOcean, and AWS EC2.

Why Use Rambo?

Rambo is particularly useful for expediting project setup and ensuring consistency between development and production environments. By automating the provisioning of VMs, it helps streamline development, identify bugs, and facilitate smoother production releases.

Getting Started with Rambo

To get started with Rambo, you can refer to the official documentation available at Rambo Documentation. The documentation provides detailed instructions, code examples, and commands for installing, customizing, and using Rambo to create VMs on various providers.

Code Examples

Here are some basic code examples to demonstrate the simplicity of using Rambo:

Creating a Virtual Machine on VirtualBox


vagrant up

Creating a Virtual Machine on DigitalOcean


vagrant --target=digitalocean up

These commands showcase how easy it is to create VMs on different providers using Rambo and Vagrant.

In conclusion, Rambo is a powerful tool for streamlining the process of VM provisioning and configuration. Its flexibility, compatibility, and ease of use make it a valuable asset for developers and system administrators alike.

If you're looking to enhance your workflow by simplifying VM management, give Rambo a try and experience the efficiency it brings to your development process.

Install Carbon Black Cloud Sensor via API and Python

Introducing a Quick Script to Download and Install Carbon Black Cloud Sensor via API and Python

Are you looking for a streamlined way to download and install the Carbon Black Cloud Sensor? Look no further! We are excited to introduce a quick and efficient script.

This script is designed to automate the process of acquiring and installing the Carbon Black Cloud Sensor, making it easier and faster for you to get up and running with this essential security tool.

The script is tailored to simplify the download and installation process by leveraging the Carbon Black Cloud API. By using this script, you can seamlessly obtain the necessary sensor kit and configuration links, and then proceed to download and install the sensor with just a few simple steps.

The script also provides the flexibility to download the sensor to a specific location using urllib or wget, and to install the sensor within the same script using OS subprocess. To use the script, you will need to manually identify the required sensor and update the variables with your API details.

The script references the official Carbon Black Cloud documentation, providing links to the sensor kit and configuration, as well as the sensor versions, to ensure that you have access to the most relevant and up-to-date information.

Key Features:

  • Automates the download and installation of the Carbon Black Cloud Sensor via API.
  • Provides flexibility to download the sensor to a specific location and install it within the same script.
  • References the official Carbon Black Cloud documentation for accurate and current information.

To get started with the script, visit the GitHub repository at rstar13as/cbc_sensor_request and follow the instructions provided.

We believe that this script will be a valuable addition to your toolkit, enabling you to expedite the process of deploying the Carbon Black Cloud Sensor within your environment. For more details and to access the script, please visit the GitHub repository.

If you have any feedback or questions, we would love to hear from you. Thank you for considering this resource from

Happy securing!

Note: The provided script is not affiliated with or endorsed by Carbon Black Cloud.

Please ensure that you have the necessary permissions and comply with the terms of use when utilizing the Carbon Black Cloud API and related resources. 

Visit the GitHub repository for more information; it also emphasizes the importance of complying with the terms of use when using the Carbon Black Cloud API.

##   Written by Roshan Ratnayake
##   Purpose:
##    Automatically download the Carbon Black Cloud Sensor and install the sensor.
##   Usage;
##     You will need to manually identify the required sensor and update the variables with your APIs below.
##   Reference:
##     - Get Sensor Kit and Configuration Links -
##     - Check Sensor versions here -
##     - Use the following URL
##       EAP01:
##       Prod 01:
##       Prod 02:
##       Prod 05:
##       Prod 06:
##       Prod NRT:
##       Prod Syd:
##       Prod UK:
##       AWS GovCloud (US):
##    - Postman -
##   Improvements;
##     - Download the file to a specific location using urllib or wget
##     - Install the sensor within the same script using OS subprocess
##            import os
##            os.system('terraform plan')
##     - Run the Carbon Black installer
##         Replace 'your_msi_file.msi' with the actual MSI file name
##         msi_file = 'your_msi_file.msi'
##         Replace '/qn' with the actual silent installation switch
##         silent_switch = '/qn'
##         Run the MSI executable with the silent installation switch
##         subprocess.run(['msiexec', '/i', msi_file, silent_switch])
##         msiexec.exe /q /i <Sensor Installer Path> /L*v msi.log COMPANY_CODE="XYZABC" CLI_USERS=<UserGroupSid> POLICY_NAME="<NAME Virtual Policy>" CONFIGFILE="C:\Path\To\config-blob.ini"
##     - Automatically detect the Operating System and download the correct sensor using the platform library.
##        import platform
##        platform.system(),platform.architecture()
##     - Set the expiry automatically + 30 mins
##     Version Control
##     28.12.2023 - Basic version

import requests
import json


def download_sensor(url, org_id, x_auth_token, device_type, architecture, sensor_type, version, expires_at):
    # The API key is sent in the X-Auth-Token header; keep it out of logs and source control
    headers = {
        'x-auth-token': x_auth_token,
    }

    # JSON body of the multipart form field 'sensor_url_request'
    data = {
        "sensor_types": [
            {
                "device_type": device_type,
                "architecture": architecture,
                "type": sensor_type,
                "version": version
            }
        ],
        "expires_at": expires_at
    }

    files = {
        'sensor_url_request': (None, json.dumps(data), 'application/json'),
    }

    endpoint = f'{url}/lcm/v1/orgs/{org_id}/sensor/_download'

    response = requests.post(endpoint, headers=headers, files=files)

    if response.status_code == 200:
        response_data = response.json()

        sensor_url = response_data['sensor_infos'][0]['sensor_url']
        sensor_config_url = response_data['sensor_infos'][0]['sensor_config_url']

        return sensor_url, sensor_config_url

    # Raise rather than return an error string, which the caller could not unpack into two values
    raise RuntimeError(f"Error: {response.status_code} - {response.text}")


# Example usage:
if __name__ == "__main__":
    url = ''
    org_id = ''
    x_auth_token = ''  # This is tricky, this is a combination of your API ID and API Secret Key with / in between, eg. XXX/XXXX
    device_type = 'WINDOWS'
    architecture = '64'
    sensor_type = 'WINDOWS'
    version = ''
    expires_at = '2024-06-05T23:39:52Z'

    sensor_url, sensor_config_url = download_sensor(url, org_id, x_auth_token, device_type, architecture, sensor_type, version, expires_at)

    print("Sensor URL:", sensor_url)
    print("Sensor Config URL:", sensor_config_url)

Here is the script
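The "Improvements" listed in the script header (detect the OS with the platform library, set expires_at to now + 30 minutes, download with urllib, run the silent msiexec install from subprocess) as an added example; this is my own code, not the script from the repository. The device_type/type mapping for Darwin and the claim that Linux needs a distribution-specific type are assumptions; the msiexec switches are the ones quoted in the header comment.

```python
import datetime
import platform
import subprocess
import urllib.request
from pathlib import Path

# Assumed mapping from platform.system() to the device_type / type values used in
# the sensor_types request (only 'WINDOWS' appears on the page).
_SENSOR_TYPES = {"Windows": ("WINDOWS", "WINDOWS"), "Darwin": ("MAC", "MAC")}


def sensor_selector(system=None, arch=None):
    """Return (device_type, sensor_type, architecture) for this host.
    Linux is assumed to need a distribution-specific type, so it is rejected here."""
    system = system or platform.system()
    arch = arch or platform.architecture()[0]
    if system not in _SENSOR_TYPES:
        raise ValueError(f"unsupported or distro-specific platform: {system}")
    device_type, sensor_type = _SENSOR_TYPES[system]
    architecture = "64" if arch.startswith("64") else "32"
    return device_type, sensor_type, architecture


def expires_in(minutes=30, now=None):
    """ISO-8601 UTC timestamp with a trailing Z, the format the page's expires_at uses."""
    if now is None:
        now = datetime.datetime.now(datetime.timezone.utc)
    when = now + datetime.timedelta(minutes=minutes)
    return when.strftime("%Y-%m-%dT%H:%M:%SZ")


def download_file(url, dest):
    """Stream the sensor kit to dest. The download link is a bearer of access to
    the kit, so refuse to send it over plain HTTP."""
    if not url.lower().startswith("https://"):
        raise ValueError("refusing non-HTTPS download URL")
    dest = Path(dest)
    with urllib.request.urlopen(url) as resp, dest.open("wb") as fh:
        for chunk in iter(lambda: resp.read(1 << 16), b""):
            fh.write(chunk)
    return dest


def msiexec_command(msi_path, log_path, company_code, config_file, policy_name=None, cli_users=None):
    """argv for the silent install from the header comment. Passing a list to
    subprocess avoids a shell, so property values need no manual quoting."""
    cmd = ["msiexec.exe", "/q", "/i", str(msi_path), "/L*v", str(log_path),
           f"COMPANY_CODE={company_code}", f"CONFIGFILE={config_file}"]
    if cli_users:
        cmd.append(f"CLI_USERS={cli_users}")
    if policy_name:
        cmd.append(f"POLICY_NAME={policy_name}")
    return cmd


def install_sensor(cmd):
    """Run the installer; msiexec returns 0 on success and 3010 when a reboot is pending."""
    return subprocess.run(cmd, check=False).returncode
```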


Transfer MSDN to another email address

Transferring subscriptions is a self-service customer process and I have provided the steps below for you, however, please do be aware that per the offer policy, this offer is limited to one per subscriber. So, this means you would not be able to have two Visual Studio Enterprise – MPN Subscriptions per subscriber.

These are steps for transferring a subscription:

These are steps to move resources from one subscription to another subscription.

In addition, if transferring your subscription to different tenant here are important considerations.

-Co-admins, Service Admin and RBAC permissions will get removed during the transfer procedure however you can manually add them back after the transfer has been completed.

-Any services or deployments that are tied to, or are dependent upon, the specific Azure Active Directory (AAD) tenant will be interrupted during a cross-tenant transfer and you would need to manually re-configure them. We have some detailed documentation that will help guide you in identifying your AAD dependencies:

-Azure AD Domain Services – Cannot be transferred or migrated, as this is a feature tied to a specific AAD tenant.

-Azure Key Vaults – Could be impacted by a SOT if the tenant ID for these resources is not updated. For more information, go to

-SQL-related users and databases – Could be impacted, especially if you are using an AAD-related authentication. For more information, go to

-App Services – Could be impacted, as these are configured with AAD authentication.

Enhancing Cybersecurity Defenses: The Mathematical Imperative of Application Allowlisting

In the ever-evolving landscape of cybersecurity, the role of Allowlisting, specifically application whitelisting for computing devices, has transformed from being a mere option to an absolute necessity. Operating without this critical defense mechanism not only exposes vulnerabilities but also poses substantial threats to both human and financial resources. To emphasize the urgency of this matter, let’s explore the mathematical perspective of Allowlisting and its impact on the endpoint surface area—a crucial consideration in the battle against malware.

At the core of this mathematical analysis is the concept of the attack surface (S), representing the myriad potential entry points for malware into a system. This surface is influenced by several variables, each playing a distinct role in shaping the overall security posture:

  • E: The number of types of executable files a system can process.
  • A: The number of application files currently permitted to run.
  • D: The daily influx of new executable files, originating from updates or other sources.
  • T: The time elapsed since the last system rebuild.

The formula encapsulating this concept is defined as follows:

S = (E × A) + (D × T)

Breaking down this formula:

  • S: Represents the expanding attack surface over time.
  • E × A: Signifies the baseline attack surface derived from the system’s capabilities.
  • D × T: Illustrates the growth of the attack surface due to the daily addition of new files.

Consider the scenario of a standard Windows 11 x64 Pro desktop, starting with nearly 60,000 potential entry points on the C drive alone. Routine updates contribute around 25,000 new files monthly, averaging about 833 daily. This calculation doesn’t even account for files from less secure sources such as email attachments, drive-by downloads, or shared drives.

Without the implementation of Allowlisting, every one of these files could potentially execute, placing the burden on Endpoint Detection and Response (EDR) systems—a strategy that has proven inadequate over the past decade, as evidenced by the surge in ransomware attacks.

Allowlisting, which involves predefining each file that can run based on factors such as Publisher’s signing Cert, HASH, or location, offers a strategic solution. By significantly narrowing down the number of executable files (A) and controlling the growth of the attack surface (S), this proactive approach not only slows the expansion of potential threats but also ensures that only vetted files can execute.

In essence, for those serious about safeguarding their enterprises from the ever-present threat of malware, Allowlisting is not merely beneficial—it’s imperative in today’s dynamic cybersecurity landscape. Embracing this approach empowers organizations to take a proactive stance against evolving cyber threats, ultimately fortifying their defenses and securing the longevity of their digital infrastructure.
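An added example, not part of the original post: a minimal default-deny allowlist evaluator for the three rule types the post names (publisher signing cert, hash, location), with the post's S = (E × A) + (D × T) formula evaluated before and after allowlisting. The executables, hashes, publisher names, and the E and post-allowlist D figures are constructed for the demo; the 60,000 and 833 figures are the post's.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Executable:
    path: str
    content: bytes
    publisher: str = ""   # subject of a validated signing cert; "" if unsigned


@dataclass
class AllowlistPolicy:
    publishers: set = field(default_factory=set)
    hashes: set = field(default_factory=set)   # SHA-256 hex digests of file bytes
    locations: tuple = ()                      # trusted dir prefixes; only safe when not user-writable


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verdict(exe: Executable, policy: AllowlistPolicy):
    """Return (allowed, reason). First matching rule wins; anything unmatched is
    denied, which is what stops the D × T term from growing unchecked."""
    if exe.publisher and exe.publisher in policy.publishers:
        return True, f"publisher:{exe.publisher}"
    if sha256(exe.content) in policy.hashes:   # hash the bytes, never trust a name
        return True, "hash"
    if any(exe.path.lower().startswith(loc.lower()) for loc in policy.locations):
        return True, "location"
    return False, "default-deny"


def attack_surface(E, A, D, T):
    """The post's formula: baseline E*A plus D new files per day over T days."""
    return E * A + D * T


def count_allowed(executables, policy):
    return sum(1 for exe in executables if verdict(exe, policy)[0])


def demo():
    policy = AllowlistPolicy(
        publishers={"CN=Microsoft Windows"},
        hashes={sha256(b"MZ...approved-lob-tool")},
        locations=("C:\\Program Files\\",),
    )
    files = [   # constructed sample executables
        Executable(r"C:\Windows\System32\notepad.exe", b"MZ...notepad", "CN=Microsoft Windows"),
        Executable(r"C:\Tools\lob.exe", b"MZ...approved-lob-tool"),
        Executable(r"C:\Program Files\Vendor\app.exe", b"MZ...vendor"),
        Executable(r"C:\Users\bob\Downloads\invoice.exe", b"MZ...dropper", "CN=Contoso Ltd"),
        Executable(r"C:\Tools\lob.exe", b"MZ...tampered-lob-tool"),   # same path, changed bytes
    ]
    allowed = count_allowed(files, policy)
    # Post's Windows 11 figures: ~60,000 entry points, ~833 new files/day; E=1 and
    # the post-allowlist growth of 20 trusted-publisher updates/day are assumed.
    before = attack_surface(E=1, A=60_000, D=833, T=30)
    after = attack_surface(E=1, A=allowed, D=20, T=30)
    return allowed, before, after
```

Only the signed system binary, the hash-pinned tool, and the Program Files binary pass; the Downloads dropper and the tampered copy of the tool fall through to default-deny.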