Crowdstrike OAuth API: Feature: Support for Online-State handler - Get the online status for one or more hosts

crowdstrike_get_online_status.html

@@ -0,0 +1,187 @@
+{% extends 'widgets/widget_template.html' %}
+{% load custom_template %}
+
+{% block custom_title_prop %}{% if title_logo %}style="background-size: auto 60%; background-position: 50%; background-repeat: no-repeat; background-image: url('/app_resource/{{ title_logo }}');"{% endif %}{% endblock %}
+{% block title1 %}{{ title1 }}{% endblock %}
+{% block title2 %}{{ title2 }}{% endblock %}
+{% block custom_tools %}
+{% endblock %}
+
+{% block widget_content %} <!-- Main Start Block -->
+
+<!-- File: crowdstrike_get_online_state.html
+  Copyright (c) 2019-2023 Splunk Inc.
+
+  Licensed under the Apache License, Version 2.0 (the "License");
+  you may not use this file except in compliance with the License.
+  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software distributed under
+  the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
+  either express or implied. See the License for the specific language governing permissions
+  and limitations under the License.
+-->
+
+<style>
+
+
+    .crowdstrike a:hover {
+        text-decoration:underline;
+    }
+
+
+    .crowdstrike .wf-table-vertical {
+    width: initial;
+    font-size: 12px;
+    }
+
+    .crowdstrike .wf-table-vertical td{
+    padding: 8px 10px;
+    border: 1px solid;
+    }
+
+    .crowdstrike .wf-table-vertical tr td:first-child {
+    font-weight: bold;
+    }
+
+    .crowdstrike .wf-table-horizontal {
+        border: 1px solid;
+        font-size: 12px;
+    }
+
+    .crowdstrike .wf-table-horizontal th {
+        text-align: center;
+        border: 1px solid;
+        text-transform: uppercase;
+        font-weight: normal;
+        padding: 5px;
+    }
+
+    .crowdstrike .wf-table-horizontal td {
+        border: 1px solid;
+        padding: 5px;
+        padding-left: 4px;
+    }
+
+    .crowdstrike .wf-h3-style {
+        font-size : 20px
+    }
+
+    .crowdstrike .wf-h4-style {
+        font-size : 16px
+    }
+
+    .crowdstrike .collapse.in {
+        display: block !important;
+    }
+
+    .crowdstrike .panel-collapse {
+        overflow-x: auto;
+    }
+
+    .crowdstrike .glyphicon.glyphicon-dot:before {
+        content: "\25cf"; font-size: 10px;
+    }
+
+    .crowdstrike a.nowrap {
+        white-space:nowrap;
+    }
+
+    tbody {
+		counter-reset: serial-number;  /* Set the serial number counter to 0 */
+	}
+
+    #tb2:before {
+		counter-increment: serial-number;  /* Increment the serial number counter */
+		content: counter(serial-number);  /* Display the counter */
+	}
+    /*td { word-wrap:break-word }*/
+    table {
+        border-collapse: collapse;
+        table-layout: fixed;
+        width: 310px;
+   }
+    table td {
+    border: solid 1px #666;
+    width: 110px;
+    word-wrap: break-word;
+  }
+
+</style>
+<div class="crowdstrike" style="overflow: auto; width: 100%; height: 100%; padding-left:10px; padding-right:10px"> <!-- Main Div -->
+    {% for result in results %} <!-- loop for each result -->
+    <br>
+
+    <!------------------- For each Result ---------------------->
+    {% if not result.data %}
+        <h4 class="wf-h4-style">No data found</h4>
+    {% else %}
+        <h3 class="wf-h3-style">Online State Info</h3>
+        <div class="metadata_div">
+        <!--Default View-->
+        <div class="panel-group" id="server-information">
+            <div class="panel">
+                <div id="default-view-table" class="panel-collapse collapse in">
+                    <table class="wf-table-horizontal datatable">
+                        <thead>
+                            <tr>
+                                <th>State</th>
+                            </tr>
+                        </thead>
+                        <tbody>
+                            {% for data in result.data %}
+                                <tr>
+                                    <td>
+                                      <a href="javascript:;"
+                                        onclick="context_menu(this, [{'contains': ['crowdstrike detection id'], 'value': '{{ data.detection_id }}' }], 0, {{ container.id }}, null, false);">{{data.detection_id}}
+                                            &nbsp;
+                                            <span class="fa fa-caret-down" style="font-size: smaller;"></span>
+                                        </a>
+                                    </td>
+                                    <td>
+                                        <a href="javascript:;"
+                                        onclick="context_menu(this, [{'contains': ['crowdstrike device id'], 'value': '{{ data.device.device_id }}' }], 0, {{ container.id }}, null, false);">{{data.device.device_id}}
+                                            &nbsp;
+                                            <span class="fa fa-caret-down" style="font-size: smaller;"></span>
+                                        </a>
+                                    </td>
+                                    <td>{{data.state}}</td>
+                                  </tr>
+                            {% endfor %}
+                        </tbody>
+                    </table>
+                </div>
+            </div>
+        </div>
+    </div>
+    {% endif %}
+    <br>
+    {% endfor %} <!-- loop for each result end -->
+</div> <!-- Main Div -->
+<script>
+    function displayDataTable(){
+    $.extend(true, $.fn.dataTable.defaults, {
+      "searching": false,
+      "bLengthChange": false,
+      "language": {
+          "paginate": {
+              "previous": "<i class='fa fa-angle-left fa-lg'></i>",
+              "next": "<i class='fa fa-angle-right fa-lg'></i>"
+          }
+      },
+      "dom": '<"top">rt<"bottom"p><"clear">',
+      drawCallback: function(settings) {
+          var pagination = $(this).closest('.dataTables_wrapper').find('.dataTables_paginate');
+          pagination.toggle(this.api().page.info().pages > 1);
+      }
+  });
+  $.fn.DataTable.ext.pager.numbers_length = 5;
+  $('.datatable').DataTable({
+    "iDisplayLength": 5
+  });
+  }
+  displayDataTable();
+</script>
+{% endblock %} <!-- Main Start Block -->

crowdstrikeoauthapi.json

@@ -18,6 +18,9 @@
         },
         {
             "name": "Katie Tanner"
+        },
+        {
+            "name": "Jason Meyer"
         }
     ],
     "license": "Copyright (c) 2019-2023 Splunk Inc.",
@@ -3883,6 +3886,40 @@
                 "view": "crowdstrike_view.display_view"
             }
         },
+        {
+            "action": "get_online_state",
+            "description": "get online state of device(s)",
+            "type": "generic",
+            "identifier": "get_online_state",
+            "read_only": false,
+            "versions": "EQ(*)",
+            "parameters": {
+                "device_id": {
+                    "description": "Device IDs to query for online state, Comma-separated list allowed",
+                    "data_type": "string",
+                    "contains": [
+                        "crowdstrike device_id or aid"
+                    ],
+                    "primary": true,
+                    "required": true,
+                    "order": 0
+                }
+            },
+            "output": [
+                {
+                    "data_path": "action_result.state",
+                    "data_type": "string",
+                    "example_values": [
+                        "online",
+                        "offline",
+                        "unknown"
+                    ]
+                }
+            ],
+            "render": {
+                "type": "table"
+            }
+        },
         {
             "action": "update detections",
             "description": "Update detections in crowdstrike host",

crowdstrikeoauthapi_connector.py

@@ -718,6 +718,40 @@ def _handle_get_device_scroll(self, param):
         self.debug_print('Successfully fetched device scroll with response {0}'.format(response))
         return action_result.set_status(phantom.APP_SUCCESS, "Device scroll fetched successfully")
 
+    def _handle_get_online_state(self, param):
+
+        # Add an action result to the App Run
+        self.save_progress("In action handler for: {0}".format(self.get_action_identifier()))
+        action_result = self.add_action_result(ActionResult(dict(param)))
+
+        fdid = param[CROWDSTRIKE_GET_ONLINE_STATE_DEVICE_ID]
+
+        api_data = {
+            "ids": fdid
+        }
+
+        ret_val, response = self._make_rest_call_helper_oauth2(action_result, CROWDSTRIKE_GET_ONLINE_STATE_ENDPOINT, params=api_data)
+
+        if phantom.is_fail(ret_val) and CROWDSTRIKE_STATUS_CODE_CHECK_MESSAGE in action_result.get_message():
+            return action_result.set_status(phantom.APP_SUCCESS, CROWDSTRIKE_NO_DATA_MESSAGE)
+
+        if phantom.is_fail(ret_val):
+            return action_result.get_status()
+
+        # successful request
+        try:
+            data = dict(response["resources"][0])
+        except Exception as ex:
+            return action_result.set_status(
+                phantom.APP_ERROR, "Error occurred while parsing response of 'get_online_state' action."
+                                   " Unknown response retrieved Error:{}".format(self._get_error_message_from_exception(ex)))
+
+        action_result.add_data(data)
+
+        summary = action_result.update_summary({})
+        self.debug_print('Successfully fetched device online state with response {0}'.format(response))
+        return action_result.set_status(phantom.APP_SUCCESS, "Device online state fetched successfully")
+
     def _handle_get_process_detail(self, param):
 
         # Add an action result to the App Run
@@ -3572,7 +3606,8 @@ def handle_action(self, param):
             'detonate_url': self._handle_detonate_url,
             'check_detonate_status': self._handle_check_detonate_status,
             'get_device_scroll': self._handle_get_device_scroll,
-            'get_zta_data': self._handle_get_zta_data
+            'get_zta_data': self._handle_get_zta_data,
+            'get_online_state': self._handle_get_online_state
         }
 
         action = self.get_action_identifier()

crowdstrikeoauthapi_consts.py

@@ -25,6 +25,7 @@
 CROWDSTRIKE_GET_PROCESS_DETAIL_FALCON_PROCESS_ID = "falcon_process_id"
 CROWDSTRIKE_GET_DEVICE_DETAIL_DEVICE_ID = "id"
 CROWDSTRIKE_JSON_ID = "id"
+CROWDSTRIKE_GET_ONLINE_STATE_DEVICE_ID = "id"
 CROWDSTRIKE_RESOLVE_DETECTION_TO_STATE = "state"
 PAYLOAD_SECURITY_API_KEY = 'api_key'  # pragma: allowlist secret
 CROWDSTRIKE_JSON_IOC = "ioc"
@@ -179,7 +180,7 @@
 CROWDSTRIKE_UPLOAD_FILE_ENDPOINT = "/samples/entities/samples/v2"
 CROWDSTRIKE_DETONATE_RESOURCE_ENDPOINT = "/falconx/entities/submissions/v1"
 CROWDSTRIKE_GET_ZERO_TRUST_ASSESSMENT_ENDPOINT = "/zero-trust-assessment/entities/assessments/v1"
-
+CROWDSTRIKE_GET_ONLINE_STATE_ENDPOINT = "/devices/entities/online-state/v1"
 CROWDSTRIKE_BASE_ENDPOINT = "/sensors/entities/datafeed/v2"
 CROWDSTRIKE_FALCONX_API_LIMIT = 5000
 CROWDSTRIKE_ENVIRONMENT_ID_DICT = {

manual_readme_content.md

@@ -65,6 +65,7 @@
 | [check status](#action-check-status)                        | Sandbox(Falcon Intelligence)   | ✓              | ✗              |
 | [get device scroll](#action-get-device-scroll)              | Hosts                          | ✓              | ✗              |
 | [get zta data](#action-get-zta-data)                        | Zero Trust Assessment          | ✓              | ✗              |
+| [get online state](#action-get-online-state)                | Hosts                          | ✓              | ✗              |
 
 
 ## Preprocess Script