How to get the process id from crowdstrike (CS) integration

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

How to get the process id from crowdstrike (CS) integration

L0 Member
  1. https://xsoar.pan.dev/docs/reference/integrations/crowdstrike-falcon#30-cs-falcon-process-details
  2. https://xsoar.pan.dev/docs/reference/integrations/crowdstrike-falcon#51-cs-falcon-rtr-list-processes
  3. https://xsoar.pan.dev/docs/reference/integrations/crowdstrike-falcon#7-cs-falcon-run-command



Hi Folks,
In my context I do have the malware process path and malware filename too, I need to find out the local process id in the host.
Please suggest what is best way to do it.


case 1: When I try to use the cs-falcon-process-details it simply gives me the same input paramter in different fields, I was expecting to use the process_id_local, but it is the 2 part of the string split on ":". PFA result.case1case1
case 2: Try to remote fetch list of all running process but result is a big file and I can not process or use it in my playbook to filter 
case2case2

case 3: Try to remote run the ps but the result is too big and I can not pass grep like sub commands to filter.
case3case3

1 accepted solution

Accepted Solutions

hi,
I was not looking at transformation.
Q- "In my context I do have the malware process path and malware filename too, I need to find out the local process id in the host.
Please suggest what is best way to do it."

Did some research and got some help from colleagues used powershell and runscript integrations to get the result; And used extend context to add it context data.

 

!cs-falcon-run-script host_ids="1bbxxxxxxxxxxxxxxxx7f856e" raw="$t=Get-Process ${incident.malwarename} | Format-List Id,ProcessName;Write-Output $t|Out-String -Stream" timeout="30" queue_offline="false" extend-context=true

Thanks

View solution in original post

2 REPLIES 2

L2 Linker

Hi,

 

You can use the Set automation, in the context key, name it with the key you want to save it as. For example, process_id. In the value, you can set the value where you’ve process ID in 2 parts. Use a split transformer and split it at : and call last array element transformer which will get and return the second element (which is last in this case). This will essentially transform and store the process ID in the process_id key. 

You can refer to https://youtu.be/795E42gz8M8?feature=shared for video on using transformers. 

hi,
I was not looking at transformation.
Q- "In my context I do have the malware process path and malware filename too, I need to find out the local process id in the host.
Please suggest what is best way to do it."

Did some research and got some help from colleagues used powershell and runscript integrations to get the result; And used extend context to add it context data.

 

!cs-falcon-run-script host_ids="1bbxxxxxxxxxxxxxxxx7f856e" raw="$t=Get-Process ${incident.malwarename} | Format-List Id,ProcessName;Write-Output $t|Out-String -Stream" timeout="30" queue_offline="false" extend-context=true

Thanks

  • 1 accepted solution
  • 2448 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!