04-02-2024 08:43 AM
Hi All,
I am new to XSOAR playbooks but I have managed to get a playbook operational that accepts data from a Microsoft form and then updates a CrowdStrike endpoint's tag information (this endpoint is hard coded atm via its ID).
The automation (cs-update-device-tags) will only accept the CrowdStrike ID. It's a unique 32-character value, which is obviously not user friendly, and it is unreasonable to expect people to know this. The users of the form will know the Windows/Linux hostname but not the ID.
I am struggling to come up with a way to take the hostname variable I have collected from the form, somehow resolve this to its ID, and then continue on with the action of updating the tag via cs-update-device-tags.
Documentation in this area seems quite light. Has anyone done something similar or can offer any ideas?
Thanks in advance!
Steve
04-02-2024 10:01 AM
It looks like you are using the CrowdStrike OpenAPI (Beta) integration. It looks like there is a command, cs-query-devices-by-filter, which can query your environment using a hostname, which I believe will return the ID you need.
04-03-2024 05:53 AM
Hi Amontminy,
Yeah, I did see this, and was struggling with how to use it exactly. Couldn't find any information or examples. I am assuming that if I can get some detail back, it would need to be manipulated (parsed?) and passed onwards into my variables that then execute the task (which works OK when hard coded).
Will keep on digging! Thanks so far.
Steve
04-04-2024 06:35 AM - edited 04-04-2024 06:36 AM
Hi all,
Pulling my hair out here. I am wondering if this is a bug or something related to it being beta?
If I run this command manually in the playground to validate the task was running the correct command, it completes with no error, but I get nothing back (no values returned):
!cs-query-devices-by-filter offset=1 limit=10 sort=hostname.asc filter_=hostname:'HOST682'
If I run the command below, I get multiple results returned under 'resources' which, having checked them, look to be the Host IDs of all the hosts that fall under the wildcard (Good!):
!cs-query-devices-by-filter offset=1 limit=10 sort=hostname.asc filter_=hostname:'HOST68*'
Can anyone explain why, when I run the query with a hostname explicitly set, it doesn't work (no resource value returned)?
Thanks
Steve
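
An added example, not part of the original posts and not the integration's own code: the hostname-to-ID lookup discussed in this thread, run in Python against a constructed in-memory stand-in for cs-query-devices-by-filter. It assumes offset is the zero-based index of the first record returned, under which offset=1 skips the only match of an exact hostname; `DEVICES`, `query_devices` and `resolve_device_id` are hypothetical names and the device IDs are made up.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample inventory: hostname -> 32-character device ID (made-up values).
DEVICES = {
    "HOST680": "a" * 32,
    "HOST681": "b" * 32,
    "HOST682": "c" * 32,
}

def query_devices(filter_, offset=0, limit=10):
    """Stand-in for cs-query-devices-by-filter (assumed semantics, not the real API).

    Models only hostname:'<pattern>' filters, sorts by hostname ascending and
    treats offset as the zero-based index of the first record to return.
    """
    field, _, value = filter_.partition(":")
    if field != "hostname":
        raise ValueError("only hostname filters are modelled here")
    pattern = value.strip("'")
    matches = [DEVICES[h] for h in sorted(DEVICES) if fnmatchcase(h, pattern)]
    return {"resources": matches[offset:offset + limit]}

def resolve_device_id(hostname):
    """Return the single device ID for an exact hostname, or raise."""
    # Form input goes straight into the filter string, so accept only plain
    # hostname characters: no quotes or wildcards that could widen the match.
    if not re.fullmatch(r"[A-Za-z0-9._-]+", hostname):
        raise ValueError("hostname must be a literal host name")
    # offset=0 keeps the first match; limit=2 is enough to detect ambiguity.
    ids = query_devices(f"hostname:'{hostname}'", offset=0, limit=2)["resources"]
    if len(ids) != 1:
        raise LookupError(f"expected 1 device for {hostname!r}, got {len(ids)}")
    return ids[0]

if __name__ == "__main__":
    print(query_devices("hostname:'HOST682'", offset=1))  # one match, skipped
    print(query_devices("hostname:'HOST68*'", offset=1))  # three matches, first skipped
    print(resolve_device_id("HOST682"))
```

Refusing to continue unless exactly one ID comes back keeps the tag update from landing on the wrong endpoint when a hostname is duplicated or mistyped in the form.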