[ BUG ] Missing "Policies" API wrappers ( sca, system-tray, host-retention, content-update ) #1270

Open
59e5aaf4 opened this issue Dec 23, 2024 · 0 comments
Labels
bug 🐛 Something isn't working


Describe the bug
New policy types are released every 4 months by CrowdStrike. These usually follow the following deployment process:

  • 1 - Available in the WebUI ( has a WebUI API endpoint )
  • 2 - Available in the API ( has a Swagger API endpoint defined )
  • 3 - Available wrapped by FalconPy / PsFalcon / Caracara

New policy types, exposed by the devices/entities/devices/v2 API, don't have an API endpoint to be enumerated. This causes our fancy policy ID renamers (when querying a specific host) to output unactionable policy identifiers, and I'd rather not plug my questionable WebUI client into my code just to pull a few policy names, etc.

Also, I suspect anyone doing policy management at scale will need these endpoints at some point.

Here's

 policy_types = {
     "prevention" : 'queryCombinedPreventionPolicies',       # Prevention Policies     https://falcon.eu-1.crowdstrike.com/configuration/prevention/policies
     "sensor_update": 'queryCombinedSensorUpdatePoliciesV2', # Sensor Update Policies  https://falcon.eu-1.crowdstrike.com/configuration/sensor-update/policies
     "device_control": 'queryCombinedDeviceControlPolicies', # USB device policies     https://falcon.eu-1.crowdstrike.com/policies/device-control
 #   "global_config": None,                                  # (?) Exposed by the Host API but not browsable
     "remote_response": 'queryCombinedRTResponsePolicies',   # Response policies       https://falcon.eu-1.crowdstrike.com/policies/response/windows
     "firewall": 'queryCombinedFirewallPolicies',            # Firewall policies       https://falcon.eu-1.crowdstrike.com/policies/firewallv2
     "sca": None,                                            # (?) On demand scans ???
     "system-tray": None,                                    # Falcon icon policies    https://falcon.eu-1.crowdstrike.com/policies/system-tray/windows
     "host-retention": None,                                 # Host Retention          https://falcon.eu-1.crowdstrike.com/host-management/policies/host-retention/all
     "content-update": None,                                 # Content update          https://falcon.eu-1.crowdstrike.com/policies/content-update/all
 }

To Reproduce

Search for sca, system-tray, host-retention, content-update in the available API endpoints. They're not available :D

Expected behavior

Such functions are available.

Environment (please complete the following information):

  • OS: Debian
  • Python: 3.12
  • FalconPy: 1.4.5
@59e5aaf4 59e5aaf4 added the bug 🐛 Something isn't working label Dec 23, 2024
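
An added example, not part of the original issue and not FalconPy code: a sketch of the kind of policy ID renamer the report describes, showing how the policy types mapped to `None` leave a host's policy IDs unresolved. The `command` callable is a hypothetical stand-in for an API client call, and the response shape, the `policy_id` field, and all IDs and names are constructed assumptions.

```python
# Operation map from the issue; None = no enumeration operation wrapped yet.
POLICY_OPERATIONS = {
    "prevention": "queryCombinedPreventionPolicies",
    "sensor_update": "queryCombinedSensorUpdatePoliciesV2",
    "device_control": "queryCombinedDeviceControlPolicies",
    "remote_response": "queryCombinedRTResponsePolicies",
    "firewall": "queryCombinedFirewallPolicies",
    "sca": None, "system-tray": None,
    "host-retention": None, "content-update": None,
}

def name_cache(command, policy_type):
    """Return {policy_id: name} for a type, or {} when it cannot be enumerated."""
    operation = POLICY_OPERATIONS.get(policy_type)
    if operation is None:  # unknown type, or no operation available to call
        return {}
    response = command(operation)
    if response.get("status_code") != 200:
        return {}
    return {p["id"]: p["name"] for p in response["body"].get("resources", [])}

def resolve_host_policies(command, device_policies, caches):
    """Split one host's policies into resolved names and still-opaque IDs.

    caches is shared across hosts so each policy type is enumerated once."""
    resolved, unresolved = {}, {}
    for policy_type, entry in device_policies.items():
        if policy_type not in caches:
            caches[policy_type] = name_cache(command, policy_type)
        name = caches[policy_type].get(entry["policy_id"])
        if name is None:
            unresolved[policy_type] = entry["policy_id"]
        else:
            resolved[policy_type] = name
    return resolved, unresolved

# Constructed sample data: IDs, names and response shape are assumptions.
CALLS = []
def fake_command(operation):
    CALLS.append(operation)
    policies = {"queryCombinedPreventionPolicies":
                [{"id": "aaaa1111", "name": "Workstations - Strict"}]}
    return {"status_code": 200, "body": {"resources": policies.get(operation, [])}}

SAMPLE_DEVICE_POLICIES = {
    "prevention": {"policy_id": "aaaa1111"},
    "system-tray": {"policy_id": "bbbb2222"},
    "content-update": {"policy_id": "cccc3333"},
}

if __name__ == "__main__":
    print(resolve_host_policies(fake_command, SAMPLE_DEVICE_POLICIES, {}))
```

The `unresolved` mapping is the set of identifiers a report or dashboard would have to show as raw IDs until an enumeration operation exists for those policy types.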