combined_id of USB device #977
-
Hi All! I need to retrieve the combined_id of USB devices plugged in by a given user. In the UI I can find this data at Device Usage by Host. How can I get these details via the API? Update: I inspected the website and it looks like CS is making a call to Splunk to pull these details. Please correct me if I am wrong here. Thank you in advance for any response and help! Best regards,
Replies: 2 comments 3 replies
-
Hi @megimcdonalds - This functionality is not currently exposed via the public API. As a workaround, you can put this device in a monitor-only group, and then extract the activity data from the console directly. This is a good functionality suggestion; you might consider posting it as an IDEA: https://us-1.ideas.crowdstrike.com/
-
Hello again @jshcodes! I've started working on my automation and since I am quite new to CrowdStrike it takes me a while. Here is what I want to achieve: I want to allow an exception for a given USB device when a user requests it. By default we block all USB, so the user needs to ask for the exception. I get the combined ID of the blocked device based on the hostname and then create a new exception for an existing policy to allow it. And this is something I would like to automate too. Is it possible to do this via the API, to capture the combined ID of a blocked device and create an exception out of it? Thank you in advance for your help. Best regards,
-
You should be able to create a Host Group (don't forget to add hosts if you create a static group), and a Device Control Policy. Then using the performDeviceControlPoliciesAction operation, you could add the Host Group to the newly created policy.