diff --git a/crowdstrike_get_online_status.html b/crowdstrike_get_online_status.html new file mode 100644 index 0000000..75638c1 --- /dev/null +++ b/crowdstrike_get_online_status.html @@ -0,0 +1,187 @@ +{% extends 'widgets/widget_template.html' %} +{% load custom_template %} + +{% block custom_title_prop %}{% if title_logo %}style="background-size: auto 60%; background-position: 50%; background-repeat: no-repeat; background-image: url('/app_resource/{{ title_logo }}');"{% endif %}{% endblock %} +{% block title1 %}{{ title1 }}{% endblock %} +{% block title2 %}{{ title2 }}{% endblock %} +{% block custom_tools %} +{% endblock %} + +{% block widget_content %} + + + + +
+ {% for result in results %} +
+ + + {% if not result.data %} +

No data found

+ {% else %} +

Online State Info

+
+ +
+
+
+ + + + + + + + {% for data in result.data %} + + + + + + {% endfor %} + +
State
+ {{data.detection_id}} +   + + + + {{data.device.device_id}} +   + + + {{data.state}}
+
+
+
+
+ {% endif %} +
+ {% endfor %} +
+
+{% endblock %}
diff --git a/crowdstrikeoauthapi.json b/crowdstrikeoauthapi.json
index 976a75c..2e8238a 100644
--- a/crowdstrikeoauthapi.json
+++ b/crowdstrikeoauthapi.json
@@ -18,6 +18,9 @@
 },
 {
 "name": "Katie Tanner"
+ },
+ {
+ "name": "Jason Meyer"
 }
 ],
 "license": "Copyright (c) 2019-2023 Splunk Inc.",
@@ -3883,6 +3886,40 @@
 "view": "crowdstrike_view.display_view"
 }
 },
+ {
+ "action": "get_online_state",
+ "description": "get online state of device(s)",
+ "type": "generic",
+ "identifier": "get_online_state",
+ "read_only": false,
+ "versions": "EQ(*)",
+ "parameters": {
+ "device_id": {
+ "description": "Device IDs to query for online state, Comma-separated list allowed",
+ "data_type": "string",
+ "contains": [
+ "crowdstrike device_id or aid"
+ ],
+ "primary": true,
+ "required": true,
+ "order": 0
+ }
+ },
+ "output": [
+ {
+ "data_path": "action_result.state",
+ "data_type": "string",
+ "example_values": [
+ "online",
+ "offline",
+ "unknown"
+ ]
+ }
+ ],
+ "render": {
+ "type": "table"
+ }
+ },
 {
 "action": "update detections",
 "description": "Update detections in crowdstrike host",
diff --git a/crowdstrikeoauthapi_connector.py b/crowdstrikeoauthapi_connector.py
index 650486a..877060b 100644
--- a/crowdstrikeoauthapi_connector.py
+++ b/crowdstrikeoauthapi_connector.py
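Review bot: The data cells in this widget read `{{data.detection_id}}` and `{{data.device.device_id}}`, but the `get_online_state` action declares only a `state` output and its handler stores the raw online-state resource, so those two cells will render empty; they look carried over from a detections widget and should become `{{data.id}}` (assuming the online-state resource carries the device id under `id` — confirm against a live response) and `{{data.state}}`, with the header row, which currently has only `State`, extended to match. The template's HTML markup was stripped in extraction, so only the Django tags and expressions are visible here. Also worth confirming that this template is wired up at all: the action definition in this commit renders with `"type": "table"` and declares no `view` callback, unlike the neighbouring actions that use `crowdstrike_view.display_view`.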
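Review bot: The parameter is declared here as `device_id`, but the handler added in this commit reads `param[CROWDSTRIKE_GET_ONLINE_STATE_DEVICE_ID]` and the consts hunk defines that name as `"id"`, so every run of this action will fail with a KeyError before the REST call; the smallest fix is `CROWDSTRIKE_GET_ONLINE_STATE_DEVICE_ID = "device_id"` in the consts hunk. The declared output `action_result.state` is not where the handler puts the value — it calls `action_result.add_data(...)`, so the path should be `action_result.data.*.state` (plus `action_result.data.*.id` if the resource carries it); otherwise downstream playbook blocks cannot pick the state up. `"read_only": false` also looks wrong for a pure query; if the third column of the readme table in this commit is the read-only flag, it already shows ✓ for this action, so the JSON should say `"read_only": true`.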
@@ -718,6 +718,40 @@ def _handle_get_device_scroll(self, param): self.debug_print('Successfully fetched device scroll with response {0}'.format(response)) return action_result.set_status(phantom.APP_SUCCESS, "Device scroll fetched successfully") + def _handle_get_online_state(self, param): + + # Add an action result to the App Run + self.save_progress("In action handler for: {0}".format(self.get_action_identifier())) + action_result = self.add_action_result(ActionResult(dict(param))) + + fdid = param[CROWDSTRIKE_GET_ONLINE_STATE_DEVICE_ID] + + api_data = { + "ids": fdid + } + + ret_val, response = self._make_rest_call_helper_oauth2(action_result, CROWDSTRIKE_GET_ONLINE_STATE_ENDPOINT, params=api_data) + + if phantom.is_fail(ret_val) and CROWDSTRIKE_STATUS_CODE_CHECK_MESSAGE in action_result.get_message(): + return action_result.set_status(phantom.APP_SUCCESS, CROWDSTRIKE_NO_DATA_MESSAGE) + + if phantom.is_fail(ret_val): + return action_result.get_status() + + # successful request + try: + data = dict(response["resources"][0]) + except Exception as ex: + return action_result.set_status( + phantom.APP_ERROR, "Error occurred while parsing response of 'get_online_state' action." + " Unknown response retrieved Error:{}".format(self._get_error_message_from_exception(ex))) + + action_result.add_data(data) + + summary = action_result.update_summary({}) + self.debug_print('Successfully fetched device online state with response {0}'.format(response)) + return action_result.set_status(phantom.APP_SUCCESS, "Device online state fetched successfully") + def _handle_get_process_detail(self, param): # Add an action result to the App Run 
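Review bot: Only `response["resources"][0]` is kept, although the parameter description in this commit advertises a comma-separated list of device IDs, so the state of every device after the first is silently dropped; and when `resources` comes back empty (an unknown ID) the `IndexError` is swallowed by the broad `except` and reported as an "Unknown response" error instead of the no-data message used a few lines above. The rewrite below adds one data row per resource, returns `CROWDSTRIKE_NO_DATA_MESSAGE` on an empty list, and puts a device count into the summary, which is currently left empty (`summary` is assigned and never used). Separately, `api_data` passes the raw comma-separated string as `ids`; if the endpoint expects repeated `ids` query parameters rather than one comma-joined value, the string should be split into a list first — confirm against how the other handlers in this connector pass multiple IDs.
```python
        # … unchanged: progress message, action_result, api_data, REST call and failure checks …
        try:
            resources = list(response["resources"])
        except Exception as ex:
            return action_result.set_status(
                phantom.APP_ERROR, "Error occurred while parsing response of 'get_online_state' action."
                " Unknown response retrieved Error:{}".format(self._get_error_message_from_exception(ex)))

        # An unknown device id yields an empty list, not an error: report it as no data
        if not resources:
            return action_result.set_status(phantom.APP_SUCCESS, CROWDSTRIKE_NO_DATA_MESSAGE)

        # One data row per queried device instead of only resources[0]
        for resource in resources:
            action_result.add_data(dict(resource))

        action_result.update_summary({"total_devices": len(resources)})
        # … unchanged: debug_print and success status …
```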
@@ -3572,7 +3606,8 @@ def handle_action(self, param): 'detonate_url': self._handle_detonate_url, 'check_detonate_status': self._handle_check_detonate_status, 'get_device_scroll': self._handle_get_device_scroll, - 'get_zta_data': self._handle_get_zta_data + 'get_zta_data': self._handle_get_zta_data, + 'get_online_state': self._handle_get_online_state } action = self.get_action_identifier() diff --git a/crowdstrikeoauthapi_consts.py b/crowdstrikeoauthapi_consts.py index dbac3d4..f2fea5a 100644 --- a/crowdstrikeoauthapi_consts.py +++ b/crowdstrikeoauthapi_consts.py @@ -25,6 +25,7 @@ CROWDSTRIKE_GET_PROCESS_DETAIL_FALCON_PROCESS_ID = "falcon_process_id" CROWDSTRIKE_GET_DEVICE_DETAIL_DEVICE_ID = "id" CROWDSTRIKE_JSON_ID = "id" +CROWDSTRIKE_GET_ONLINE_STATE_DEVICE_ID = "id" CROWDSTRIKE_RESOLVE_DETECTION_TO_STATE = "state" PAYLOAD_SECURITY_API_KEY = 'api_key' # pragma: allowlist secret CROWDSTRIKE_JSON_IOC = "ioc" @@ -179,7 +180,7 @@ CROWDSTRIKE_UPLOAD_FILE_ENDPOINT = "/samples/entities/samples/v2" CROWDSTRIKE_DETONATE_RESOURCE_ENDPOINT = "/falconx/entities/submissions/v1" CROWDSTRIKE_GET_ZERO_TRUST_ASSESSMENT_ENDPOINT = "/zero-trust-assessment/entities/assessments/v1" - +CROWDSTRIKE_GET_ONLINE_STATE_ENDPOINT = "/devices/entities/online-state/v1" CROWDSTRIKE_BASE_ENDPOINT = "/sensors/entities/datafeed/v2" CROWDSTRIKE_FALCONX_API_LIMIT = 5000 CROWDSTRIKE_ENVIRONMENT_ID_DICT = { diff --git a/manual_readme_content.md b/manual_readme_content.md index 29d638f..6dce8fa 100644 --- a/manual_readme_content.md +++ b/manual_readme_content.md @@ -65,6 +65,7 @@ | [check status](#action-check-status) | Sandbox(Falcon Intelligence) | ✓ | ✗ | | [get device scroll](#action-get-device-scroll) | Hosts | ✓ | ✗ | | [get zta data](#action-get-zta-data) | Zero Trust Assessment | ✓ | ✗ | +| [get online state](#action-get-online-state) | Hosts | ✓ | ✗ | ## Preprocess Script