https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/how-to-get-the-process-id-from-crowdstrike-cs-integration/m-p/556328#M2603 <P>hi,<BR />I was not looking at transformation.<BR />Q- "<SPAN>In my context I do have the malware process path and malware filename too, I need to find out the local process id in the host.</SPAN><BR /><SPAN>Please suggest what is best way to do it."<BR /><BR />Did some research and got some help from colleagues used powershell and runscript integrations to get the result; And used extend context to add it context data.<BR /></SPAN></P> <P>&nbsp;</P> <P><SPAN><FONT face="courier new,courier"><SPAN class="ui-provider eo cwc cdj dac dae daf dag dah dai daj dak dal dam dan dao dap daq dar das dat dau dav daw dax day daz dba dbb dbc dbd dbe dbf dbg dbh dbi">!cs-falcon-run-script host_ids="1bbxxxxxxxxxxxxxxxx7f856e" raw="$t=Get-Process ${incident.malwarename} | Format-List Id,ProcessName;Write-Output $t|Out-String -Stream" timeout="30" queue_offline="false" extend-context=true</SPAN></FONT><BR /><BR />Thanks</SPAN></P> Mon, 04 Sep 2023 05:31:49 GMT sunipanda660 2023-09-04T05:31:49Z https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/how-to-get-the-process-id-from-crowdstrike-cs-integration/m-p/555816#M2584 <OL> <LI><A href="https://xsoar.pan.dev/docs/reference/integrations/crowdstrike-falcon#30-cs-falcon-process-details" target="_blank">https://xsoar.pan.dev/docs/reference/integrations/crowdstrike-falcon#30-cs-falcon-process-details</A></LI> <LI><A href="https://xsoar.pan.dev/docs/reference/integrations/crowdstrike-falcon#51-cs-falcon-rtr-list-processes" target="_blank">https://xsoar.pan.dev/docs/reference/integrations/crowdstrike-falcon#51-cs-falcon-rtr-list-processes</A></LI> <LI><A href="https://xsoar.pan.dev/docs/reference/integrations/crowdstrike-falcon#7-cs-falcon-run-command" target="_blank">https://xsoar.pan.dev/docs/reference/integrations/crowdstrike-falcon#7-cs-falcon-run-command</A></LI> </OL> <P><BR /><BR />Hi Folks,<BR />In my context I do have the malware process path and malware filename too, I need to find out the local process id in the host.<BR />Please suggest what is best way to do it.</P> <P><BR />case 1: When I try to use the cs-falcon-process-details it simply gives me the same input paramter in different fields, I was expecting to use the process_id_local, but it is the 2 part of the string split on ":". PFA result.<span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="case1" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/53272i594D4F0ADF7869EC/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="Screenshot 2023-08-30 at 5.26.10 pm.png" alt="case1" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">case1</span></span><BR />case 2: Try to remote fetch list of all running process but result is a big file and I can not process or use it in my playbook to filter&nbsp;<BR /><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="case2" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/53274i65944FB1CCC31A28/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="Screenshot 2023-08-30 at 5.37.55 pm.png" alt="case2" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">case2</span></span></P> <P>case 3: Try to remote run the ps but the result is too big and I can not pass grep like sub commands to filter.<BR /><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="case3" style="width: 815px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/53273i9D3D69702051407A/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="Screenshot 2023-08-30 at 5.36.10 pm.png" alt="case3" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">case3</span></span></P> Wed, 30 Aug 2023 07:41:29 GMT https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/how-to-get-the-process-id-from-crowdstrike-cs-integration/m-p/555816#M2584 sunipanda660 2023-08-30T07:41:29Z https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/how-to-get-the-process-id-from-crowdstrike-cs-integration/m-p/556055#M2591 <P>Hi,</P> <P>&nbsp;</P> <P>You can use the Set automation, in the context key, name it with the key you want to save it as. For example, process_id. In the value, you can set the value where you’ve process ID in 2 parts. Use a split transformer and split it at : and call last array element transformer which will get and return the second element (which is last in this case). This will essentially transform and store the process ID in the process_id key.&nbsp;<BR /><BR /></P> <P>You can refer to&nbsp;<A href="https://youtu.be/795E42gz8M8?feature=shared" target="_blank">https://youtu.be/795E42gz8M8?feature=shared</A> for video on using transformers.&nbsp;</P> Thu, 31 Aug 2023 22:52:42 GMT https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/how-to-get-the-process-id-from-crowdstrike-cs-integration/m-p/556055#M2591 bhmurali 2023-08-31T22:52:42Z https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/how-to-get-the-process-id-from-crowdstrike-cs-integration/m-p/556328#M2603 <P>hi,<BR />I was not looking at transformation.<BR />Q- "<SPAN>In my context I do have the malware process path and malware filename too, I need to find out the local process id in the host.</SPAN><BR /><SPAN>Please suggest what is best way to do it."<BR /><BR />Did some research and got some help from colleagues used powershell and runscript integrations to get the result; And used extend context to add it context data.<BR /></SPAN></P> <P>&nbsp;</P> <P><SPAN><FONT face="courier new,courier"><SPAN class="ui-provider eo cwc cdj dac dae daf dag dah dai daj dak dal dam dan dao dap daq dar das dat dau dav daw dax day daz dba dbb dbc dbd dbe dbf dbg dbh dbi">!cs-falcon-run-script host_ids="1bbxxxxxxxxxxxxxxxx7f856e" raw="$t=Get-Process ${incident.malwarename} | Format-List Id,ProcessName;Write-Output $t|Out-String -Stream" timeout="30" queue_offline="false" extend-context=true</SPAN></FONT><BR /><BR />Thanks</SPAN></P> Mon, 04 Sep 2023 05:31:49 GMT https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/how-to-get-the-process-id-from-crowdstrike-cs-integration/m-p/556328#M2603 sunipanda660 2023-09-04T05:31:49Z