PAPP-35103 Crowdstrike OAuth: Feature - Incident Ingestion Functionality, Run Query Action, and Queue Offline Capabilities #53

Open
wants to merge 8 commits into
base: next
48 changes: 45 additions & 3 deletions README.md
Expand Up @@ -26,6 +26,7 @@ This app integrates with CrowdStrike OAuth2 authentication standard to implement
| **Action** | **Required Scope(s)** | **Read** | **Write** |
|-------------------------------------------------------------|--------------------------------|----------------------|----------------------|
| [test connectivity](#action-test-connectivity) | Hosts | ✓ | ✗ |
| [run query](#action-run-query) | Hosts | ✓ | ✗ |
| [query device](#action-query-device) | Hosts | ✓ | ✗ |
| [list groups](#action-list-groups) | Host Groups | ✓ | ✗ |
| [quarantine device](#action-quarantine-device) | Hosts | ✓ | ✓ |
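Review bot: the new `run query` row lists "Hosts" as its required scope, but the action takes an arbitrary `/<service>/queries/<resource>/<version>` path, so the scope that is actually needed depends on which endpoint the analyst supplies; listing only Hosts will mislead whoever provisions the API client. Suggest wording the scope cell as "Depends on endpoint queried (Read scope for that service)" or enumerating the services the action is expected to support.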
Expand Down Expand Up @@ -401,18 +402,20 @@ default ports used by Splunk SOAR.
- Updated name from 'lastName' to 'last_name'


### Configuration Variables
The below configuration variables are required for this Connector to operate. These variables are specified when configuring a CrowdStrike asset in SOAR.
### Configuration variables
This table lists the configuration variables required to operate CrowdStrike OAuth API. These variables are specified when configuring a CrowdStrike asset in Splunk SOAR.

VARIABLE | REQUIRED | TYPE | DESCRIPTION
-------- | -------- | ---- | -----------
**url** | required | string | Base URL
**place_holder** | optional | ph | Placeholder
**client_id** | required | password | Client ID
**client_secret** | required | password | Client Secret
**app_id** | optional | string | App ID
**max_events** | optional | numeric | Maximum events to get for scheduled and interval polling
**max_events_poll_now** | optional | numeric | Maximum events to get while POLL NOW
**max_incidents** | optional | numeric | Maximum incidents to get for scheduled and interval polling
**max_incidents_poll_now** | optional | numeric | Maximum incidents to get while POLL NOW
**ingest_incidents** | optional | boolean | Should ingest incidents during polling
**collate** | optional | boolean | Merge containers for hostname and eventname
**merge_time_interval** | optional | numeric | Merge same containers within specified seconds
**max_crlf** | optional | numeric | Maximum allowed continuous blank lines
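Review bot: the four new rows document no defaults, although the JSON in this same PR sets `max_incidents` to 1000, `max_incidents_poll_now` to 100 and `ingest_incidents` to false; a reader of the README cannot tell that incident ingestion is off unless enabled. Suggest folding the defaults into the descriptions, e.g. `**ingest_incidents** | optional | boolean | Ingest incidents during polling (default: false)`, and rewording "Should ingest incidents during polling" to "Ingest incidents during polling".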
Expand All @@ -421,6 +424,7 @@ VARIABLE | REQUIRED | TYPE | DESCRIPTION

### Supported Actions
[test connectivity](#action-test-connectivity) - Validate the asset configuration for connectivity. This action logs into the site to check the connection and credentials
[run query](#action-run-query) - Run a query against CrowdStrike API
[query device](#action-query-device) - Fetch the device details based on the provided query
[list groups](#action-list-groups) - Fetch the details of the host groups
[quarantine device](#action-quarantine-device) - Block the device
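Review bot: "Run a query against CrowdStrike API" does not say which endpoints the action accepts, while the parameter table later in this README restricts the path to the `/<service>/queries/<resource>/<version>` form. Suggest "Run a query against a CrowdStrike API queries endpoint" here so the supported-actions list and the parameter documentation agree (and "the CrowdStrike API" in any case).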
Expand Down Expand Up @@ -495,6 +499,42 @@ No parameters are required for this action
#### Action Output
No Output

## action: 'run query'
Run a query against CrowdStrike API

Type: **investigate**
Read only: **True**

#### Action Parameters
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS
--------- | -------- | ----------- | ---- | --------
**endpoint** | required | API endpoint path in the format: /<service>/queries/<resource>/<version> (ex: /devices/queries/devices/v1) | string |
**limit** | optional | Maximum number of results to return | numeric |
**filter** | optional | Filter expression (FQL Syntax) | string |
**sort** | optional | Property to sort by | string |
**offset** | optional | Starting index for results | numeric |

#### Action Output
DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES
--------- | ---- | -------- | --------------
action_result.status | string | |
action_result.parameter.endpoint | string | |
action_result.parameter.limit | numeric | |
action_result.parameter.filter | string | |
action_result.parameter.sort | string | |
action_result.parameter.offset | numeric | |
action_result.data.\*.resource_id | string | |
action_result.summary.total_objects | numeric | |
action_result.summary.total_count | numeric | |
action_result.summary.offset | numeric | |
action_result.summary.limit | numeric | |
action_result.summary.query_time | numeric | |
action_result.summary.powered_by | string | |
action_result.summary.trace_id | string | |
summary.total_objects | numeric | | 1
summary.total_objects_successful | numeric | | 1
action_result.message | string | |

## action: 'query device'
Fetch the device details based on the provided query

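Review bot: the `endpoint` parameter is free text and this section says nothing about how the app validates it; since the call is made with the asset's client credentials, the README should state whether paths outside the documented `/<service>/queries/<resource>/<version>` format are rejected by the action or passed through to the API. Smaller points in the same hunk: the `limit` and `offset` rows omit the defaults (50 and 0) that the JSON sets; `action_result.status` has an empty EXAMPLE VALUES cell where the other actions show `success failed`; and "ex:" should be "e.g.".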
Expand Down Expand Up @@ -788,12 +828,14 @@ Read only: **False**
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS
--------- | -------- | ----------- | ---- | --------
**device_id** | required | Device ID for session to be created | string | `crowdstrike device id`
**queue_offline** | optional | Queue commands for offline devices, will execute when system comes back online | boolean |

#### Action Output
DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES
--------- | ---- | -------- | --------------
action_result.status | string | | success failed
action_result.parameter.device_id | string | `crowdstrike device id` | 07c312fabcb8473454d0a16f118928ab
action_result.parameter.queue_offline | boolean | |
action_result.data.\*.errors | string | |
action_result.data.\*.meta.powered_by | string | | empower-api
action_result.data.\*.meta.query_time | numeric | | 5.917429897
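Review bot: the `queue_offline` description is a comma splice and is ambiguous about what "system" refers to; suggest "Queue the command if the device is offline; it executes when the device comes back online". Because this action is not read only, the README should also say how long a queued command stays pending and whether it can be cancelled, so an analyst knows that a command issued now may run against the host well after the decision was taken.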
157 changes: 152 additions & 5 deletions crowdstrikeoauthapi.json
Expand Up @@ -75,33 +75,51 @@
"description": "Maximum events to get while POLL NOW",
"default": 2000
},
"max_incidents": {
"data_type": "numeric",
"order": 7,
"description": "Maximum incidents to get for scheduled and interval polling",
"default": 1000
},
"max_incidents_poll_now": {
"data_type": "numeric",
"order": 8,
"description": "Maximum incidents to get while POLL NOW",
"default": 100
},
"ingest_incidents": {
"data_type": "boolean",
"order": 9,
"description": "Should ingest incidents during polling",
"default": false
},
"collate": {
"data_type": "boolean",
"order": 7,
"order": 10,
"description": "Merge containers for hostname and eventname",
"default": true
},
"merge_time_interval": {
"data_type": "numeric",
"order": 8,
"order": 11,
"description": "Merge same containers within specified seconds",
"default": 0
},
"max_crlf": {
"data_type": "numeric",
"order": 9,
"order": 12,
"default": 50,
"description": "Maximum allowed continuous blank lines"
},
"preprocess_script": {
"data_type": "file",
"description": "Script with functions to preprocess containers and artifacts",
"order": 10
"order": 13
},
"detonate_timeout": {
"data_type": "numeric",
"description": "Timeout for detonation result in minutes (Default: 15 minutes)",
"order": 11,
"order": 14,
"default": 15
}
},
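Review bot: `ingest_incidents` (order 9) is the switch that governs `max_incidents` (order 7) and `max_incidents_poll_now` (order 8), so in the asset form the limits appear before the toggle that enables them; suggest moving the boolean to order 7 and shifting the two limits down. The description "Should ingest incidents during polling" also reads as a question; "Ingest incidents during polling" matches the style of the neighbouring entries.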
Expand All @@ -116,6 +134,125 @@
"output": [],
"versions": "EQ(*)"
},
{
"action": "run query",
"description": "Run a query against CrowdStrike API",
"type": "investigate",
"identifier": "run_query",
"read_only": true,
"parameters": {
"endpoint": {
"data_type": "string",
"description": "API endpoint path in the format: /<service>/queries/<resource>/<version> (ex: /devices/queries/devices/v1)",
"required": true,
"order": 0
},
"limit": {
"data_type": "numeric",
"description": "Maximum number of results to return",
"order": 1,
"default": 50
},
"filter": {
"data_type": "string",
"description": "Filter expression (FQL Syntax)",
"order": 2
},
"sort": {
"data_type": "string",
"description": "Property to sort by",
"order": 3
},
"offset": {
"data_type": "numeric",
"description": "Starting index for results",
"order": 4,
"default": 0
}
},
"output": [
{
"data_path": "action_result.status",
"data_type": "string"
},
{
"data_path": "action_result.parameter.endpoint",
"data_type": "string"
},
{
"data_path": "action_result.parameter.limit",
"data_type": "numeric"
},
{
"data_path": "action_result.parameter.filter",
"data_type": "string"
},
{
"data_path": "action_result.parameter.sort",
"data_type": "string"
},
{
"data_path": "action_result.parameter.offset",
"data_type": "numeric"
},
{
"data_path": "action_result.data.*.resource_id",
"data_type": "string",
"column_name": "Resource ID",
"column_order": 0
},
{
"data_path": "action_result.summary.total_objects",
"data_type": "numeric"
},
{
"data_path": "action_result.summary.total_count",
"data_type": "numeric"
},
{
"data_path": "action_result.summary.offset",
"data_type": "numeric"
},
{
"data_path": "action_result.summary.limit",
"data_type": "numeric"
},
{
"data_path": "action_result.summary.query_time",
"data_type": "numeric"
},
{
"data_path": "action_result.summary.powered_by",
"data_type": "string"
},
{
"data_path": "action_result.summary.trace_id",
"data_type": "string"
},
{
"data_path": "summary.total_objects",
"data_type": "numeric",
"example_values": [
1
]
},
{
"data_path": "summary.total_objects_successful",
"data_type": "numeric",
"example_values": [
1
]
},
{
"data_path": "action_result.message",
"data_type": "string"
}
],
"versions": "EQ(*)",
"render": {
"type": "table"
}
},
{
"action": "query device",
"description": "Fetch the device details based on the provided query",
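Review bot: nothing in this definition constrains `endpoint` beyond a descriptive string, so the `/<service>/queries/<resource>/<version>` format promised in the description can only be enforced in the action handler, which is not part of this hunk; please point to (or add) that check, since the parameter otherwise lets any path be requested with the asset's OAuth client. Also consider adding `"required": false` explicitly on `limit`, `filter`, `sort` and `offset` for consistency with the README's "optional" column, and a `contains` value on `filter` if the app has one for FQL expressions.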
Expand Down Expand Up @@ -1779,6 +1916,12 @@
"contains": [
"crowdstrike device id"
]
},
"queue_offline": {
"data_type": "boolean",
"description": "Queue commands for offline devices, will execute when system comes back online",
"default": false,
"order": 1
}
},
"output": [
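Review bot: the description "Queue commands for offline devices, will execute when system comes back online" is a comma splice; suggest "Queue the command if the device is offline; it executes when the device comes back online", and keep the README parameter table wording identical to this string.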
Expand All @@ -1800,6 +1943,10 @@
"crowdstrike device id"
]
},
{
"data_path": "action_result.parameter.queue_offline",
"data_type": "boolean"
},
{
"data_path": "action_result.data.*.errors",
"data_type": "string"
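Review bot: the output now echoes `action_result.parameter.queue_offline`, but no data path tells the analyst whether the command actually ran or was queued for later; with `queue_offline` true the two outcomes look the same in the result. Suggest adding an output field that surfaces the queued state returned for the session so playbooks can branch on it.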