PAPP-35103 general run query action added
grokas-splunk committed Dec 9, 2024
1 parent 57ab553 commit 9f3cd27
Showing 3 changed files with 153 additions and 0 deletions.
105 changes: 105 additions & 0 deletions crowdstrikeoauthapi.json
Expand Up @@ -122,6 +122,111 @@
"output": [],
"versions": "EQ(*)"
},
{
"action": "run query",
"description": "Run a query against CrowdStrike API",
"type": "investigate",
"identifier": "run_query",
"read_only": true,
"parameters": {
"endpoint": {
"data_type": "string",
"description": "API endpoint path in the format: /<service>/queries/<resource>/<version> (ex: /devices/queries/devices/v1)",
"required": true,
"order": 0
},
"limit": {
"data_type": "numeric",
"description": "Maximum number of results to return",
"order": 1,
"default": 50
},
"filter": {
"data_type": "string",
"description": "Filter expression (FQL Syntax)",
"order": 2
},
"sort": {
"data_type": "string",
"description": "Property to sort by",
"order": 3
},
"offset": {
"data_type": "numeric",
"description": "Starting index for results",
"order": 4,
"default": 0
}
},
"output": [
{
"data_path": "action_result.status",
"data_type": "string"
},
{
"data_path": "action_result.parameter.endpoint",
"data_type": "string"
},
{
"data_path": "action_result.parameter.limit",
"data_type": "numeric"
},
{
"data_path": "action_result.parameter.filter",
"data_type": "string"
},
{
"data_path": "action_result.parameter.sort",
"data_type": "string"
},
{
"data_path": "action_result.parameter.offset",
"data_type": "numeric"
},
{
"data_path": "action_result.data.*.resource_id",
"data_type": "string",
"column_name": "Resource ID",
"column_order": 0
},
{
"data_path": "action_result.summary.total_objects",
"data_type": "numeric"
},
{
"data_path": "action_result.summary.total_count",
"data_type": "numeric"
},
{
"data_path": "action_result.summary.offset",
"data_type": "numeric"
},
{
"data_path": "action_result.summary.limit",
"data_type": "numeric"
},
{
"data_path": "action_result.summary.query_time",
"data_type": "numeric"
},
{
"data_path": "action_result.summary.powered_by",
"data_type": "string"
},
{
"data_path": "action_result.summary.trace_id",
"data_type": "string"
},
{
"data_path": "action_result.message",
"data_type": "string"
}
],
"versions": "EQ(*)",
"render": {
"type": "table"
}
},
{
"action": "query device",
"description": "Fetch the device details based on the provided query",
Expand Down
47 changes: 47 additions & 0 deletions crowdstrikeoauthapi_connector.py
Expand Up @@ -501,6 +501,52 @@ def _handle_test_connectivity(self, param):

return action_result.set_status(phantom.APP_SUCCESS, CROWDSTRIKE_SUCC_CONNECTIVITY_TEST)

def _handle_run_query(self, param):
self.save_progress("In action handler for: {0}".format(self.get_action_identifier()))
action_result = self.add_action_result(ActionResult(dict(param)))

endpoint = param.get("endpoint")
if not endpoint:
return action_result.set_status(phantom.APP_ERROR, "Please provide endpoint path")

# Ensure using query endpoint
if '/queries/' not in endpoint.lower():
return action_result.set_status(
phantom.APP_ERROR,
CROWDSTRIKE_INVALID_QUERY_ENDPOINT_MESSAGE_ERROR
)

params = {"limit": param.get("limit", 50), "offset": param.get("offset", 0)}

if param.get("filter"):
params["filter"] = param["filter"]
if param.get("sort"):
params["sort"] = param["sort"]

ret_val, response = self._make_rest_call_helper_oauth2(action_result, endpoint, params=params)

if phantom.is_fail(ret_val):
return action_result.get_status()

# Add data items
resources = response.get("resources", [])
for resource in resources:
action_result.add_data({"resource_id": resource})

summary = action_result.update_summary({})
meta = response.get("meta", {})
pagination = meta.get("pagination", {})

summary.update({
"total_objects": len(resources),
"total_count": pagination.get("total", 0),
"query_time": meta.get("query_time", 0),
"powered_by": meta.get("powered_by", ""),
"trace_id": meta.get("trace_id", "")
})

return action_result.set_status(phantom.APP_SUCCESS, "Query completed successfully")

def _get_ids(self, action_result, endpoint, param, is_str=True):

id_list = self._paginator(action_result, endpoint, param)
Expand Down Expand Up @@ -4084,6 +4130,7 @@ def handle_action(self, param):

action_mapping = {
"test_asset_connectivity": self._handle_test_connectivity,
"run_query": self._handle_run_query,
"query_device": self._handle_query_device,
"list_groups": self._handle_list_groups,
"quarantine_device": self._handle_quarantine_device,
Expand Down
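Review bot: The `'/queries/' not in endpoint.lower()` guard in `_handle_run_query` is only a substring test, so a playbook-supplied `endpoint` such as `/devices/entities/devices/v1?x=/queries/`, one containing `..` path segments, or a protocol-relative `//host/queries/x/v1` all pass it and flow unchanged into `_make_rest_call_helper_oauth2`, which attaches the OAuth bearer token. How that helper joins the path onto the base URL and which HTTP method it defaults to is not visible in this hunk, so both the path restriction and the JSON's `read_only` claim currently rest on unverified behaviour. Since the parameter description already promises the shape `/<service>/queries/<resource>/<version>`, enforce exactly that with `if not re.fullmatch(r"/[A-Za-z0-9_-]+/queries/[A-Za-z0-9_-]+/v\d+", endpoint):` in place of the substring check, keeping the existing error return (and adding a module-level `import re` if the connector does not already have one). A comment above it should record the reason: `# Anchored match: endpoint is playbook input appended to the API base URL, so reject query strings, fragments, ".." and "//" prefixes`. The handler lies wholly inside the hunk; the enclosing connector class begins outside it.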
1 change: 1 addition & 0 deletions crowdstrikeoauthapi_consts.py
Expand Up @@ -109,6 +109,7 @@
CROWDSTRIKE_UNICODE_DAMMIT_TYPE_MESSAGE_ERROR = (
"Error occurred while connecting to the Crowdstrike server. " "Please check the asset configuration and|or the action parameters."
)
CROWDSTRIKE_INVALID_QUERY_ENDPOINT_MESSAGE_ERROR = "Invalid endpoint. The endpoint must be a query endpoint"
CROWDSTRIKE_STATUS_CODE_MESSAGE = "Status Code: 404"
CROWDSTRIKE_STATUS_CODE_CHECK_MESSAGE = "Error details: 404"
CROWDSTRIKE_PULLED_EVENTS_MESSAGE = "Pulled {0} events of type 'DetectionSummaryEvent'"
Expand Down
