Since 2020, CrowdStrike Falcon can assess your devices adherence to some criteria, and give it a score out of 100 based on how well it meets these criteria. This implementation works by placing a data.zta file on each of your clients containing their score (as well as some other details), and integrations such as Okta’s CrowdStrike integration work by reading this file out.

If you want to read this out too, you can! Once you’ve enabled the zero-trust integration (which you do by contacting CrowdStrike support), the file will appear on your device (on macOS, under /Library/Application Support/CrowdStrike/ZeroTrustAssessment/data.zta). The file contains a JSON Web Token (JWT), which you can parse in Python as follows:

#!/usr/bin/env python3
import json

from base64 import b64decode

def open_file(path):
	try:
		f = open(path, "r")
	except IOError as e:
		print(f"ERROR: Could not open script file at {path}.")
		print(e)
		exit(1)
	else:
		with f:
			file = f.read()
			return file

def main():
	zta_file = open_file("/Library/Application Support/CrowdStrike/ZeroTrustAssessment/data.zta")
	
	# split header from payload
	zta_score_json = zta_file.split(".")[1]

	# re-add the padding that CrowdStrike leaves out so that we can parse the base64 properly
	if len(zta_score_json) % 4 == 2:
		zta_score_json += "=="
	elif len(zta_score_json) % 4 == 3:
		zta_score_json += "="

	# load it into JSON
	zta_score = json.loads(b64decode(zta_score_json).decode("utf-8"))

	# print some data
	print("Zero Trust Scores:")
	print("------------------")
	print(f"Overall: \t{zta_score['assessment']['overall']}/100")
	print(f"OS: \t\t{zta_score['assessment']['os']}/100")
	print(f"Sensor Config: {zta_score['assessment']['sensor_config']}/100")

if __name__ == '__main__':
	main()

The above script will give you the following output:

Zero Trust Scores:
------------------
Overall: 	99/100
OS: 		96/100
Sensor Config: 100/100

You can modify the above to poke around and see what else is in the JSON. I’ll probably be including this information in a future update to my CrowdStrike MunkiReport module.