Query prevention policies in multiple tenants #873
Hey all, I'm trying to query all of our CIDs' prevention policies from our managing MSSP account. Currently, I can get policies from the MSSP CID that are inherited by children, but not those exclusive to the children themselves. I can't find anything in the documentation that can make this query -- would any of you happen to have any insight? Thanks.
Replies: 2 comments
Hi @munsworth-legato - Thanks for the question! When you query the child (using either the `member_cid` keyword or keys for the child), you'll be returned a list of all policies for the tenant (which will include any policies that flow down from the parent). I'm researching if you can filter by CID using the queryCombinedPreventionPolicies operation. In the interim, since `cid` is present in the return, we can lean on this value to identify policies that are exclusive to the child. Here is a quick example using the FlightControl and PreventionPolicy Service Classes.
"""Retrieve child prevention policies only."""
from argparse import ArgumentParser, RawTextHelpFormatter
from falconpy import FlightControl, PreventionPolicy
parser = ArgumentParser(description=__doc__, formatter_class=RawTextHelpFormatter)
req = parser.add_argument_group("required arguments")
req.add_argument("-k", "--falcon_client_id", help="CrowdStrike Falcon API client ID", required=True)
req.add_argument("-s", "--falcon_client_secret", help="CrowdStrike Falcon API client Secret", required=True)
cmd_line = parser.parse_args()
mssp = FlightControl(client_id=cmd_line.falcon_client_id, client_secret=cmd_line.falcon_client_secret)
children = []
children_lookup = mssp.query_children()
lookup_status = children_lookup["status_code"]
if lookup_status == 200:
children = children_lookup["body"]["resources"]
if not children:
fail_message = "No children found!"
if lookup_status in [401, 403]:
fail_message = "You cannot access this service collection using the credentials provided."
if lookup_status == 429:
fail_message = "Rate limit met, please try your request after waiting a few seconds."
raise SystemExit(fail_message)
for child_id in children:
policy_api = PreventionPolicy(client_id=cmd_line.falcon_client_id,
client_secret=cmd_line.falcon_client_secret,
member_cid=child_id
)
policy_lookup = policy_api.query_combined_policies()
if policy_lookup["status_code"] == 200:
policies = policy_lookup["body"]["resources"]
if not policies:
print(f"No policies found for {child_id}.")
for policy in policies:
result = f"[{child_id}] {policy['name']} ({policy['id']})"
if policy["cid"] == child_id:
print(result) |
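As an added example (not code from the discussion or from the falconpy project), the same `cid` comparison factored into a function that walks the combined endpoint's `offset`/`limit` pages and returns child-exclusive and inherited policies separately. The `fetch_page(offset, limit)` callable, the `meta.pagination.total` layout and the sample pages are assumptions constructed for an offline run.

```python
"""Added example (not from the discussion or falconpy): split a child's combined
prevention policies into inherited vs. child-exclusive, page by page."""
from typing import Callable, Dict, List, Tuple

# fetch_page(offset, limit) stands in for
# policy_api.query_combined_policies(offset=offset, limit=limit); the
# body["meta"]["pagination"]["total"] layout is assumed from the usual
# CrowdStrike combined-endpoint response shape.
def collect_child_policies(fetch_page: Callable[[int, int], Dict], child_id: str,
                           page_size: int = 100) -> Tuple[List[Dict], List[Dict]]:
    """Return (exclusive, inherited): a policy whose cid equals the child's CID
    was created in that tenant; anything else flowed down from the parent."""
    exclusive: List[Dict] = []
    inherited: List[Dict] = []
    offset = 0
    while True:
        page = fetch_page(offset, page_size)
        status = page["status_code"]
        if status in (401, 403):
            raise PermissionError("credentials cannot read prevention policies")
        if status == 429:
            raise RuntimeError("rate limited; retry after a short wait")
        if status != 200:
            raise RuntimeError(f"unexpected status {status}")
        body = page["body"]
        resources = body.get("resources", [])
        for policy in resources:
            (exclusive if policy.get("cid") == child_id else inherited).append(policy)
        offset += len(resources)
        total = body.get("meta", {}).get("pagination", {}).get("total", 0)
        if not resources or offset >= total:
            break
    return exclusive, inherited

# Constructed sample: two pages for one child, with a parent-owned policy mixed in.
CHILD, PARENT = "child-cid-0001", "parent-cid-0000"
SAMPLE_PAGES = [
    {"status_code": 200, "body": {
        "meta": {"pagination": {"offset": 0, "limit": 2, "total": 3}},
        "resources": [{"id": "p1", "name": "Default (Windows)", "cid": PARENT},
                      {"id": "p2", "name": "Servers", "cid": CHILD}]}},
    {"status_code": 200, "body": {
        "meta": {"pagination": {"offset": 2, "limit": 2, "total": 3}},
        "resources": [{"id": "p3", "name": "Workstations", "cid": CHILD}]}},
]

def sample_fetch(offset: int, limit: int) -> Dict:
    """Offline stand-in for the API call, serving the constructed pages."""
    return SAMPLE_PAGES[offset // limit]
```

Against a live tenant, pass `lambda o, l: policy_api.query_combined_policies(offset=o, limit=l)` as `fetch_page` for each child built with `member_cid`.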
This discussion was used to create a new sample! 😃