This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

XSOAR Playbook - Crowdstrike Endpoint Update

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

XSOAR Playbook - Crowdstrike Endpoint Update

SHobbins
L1 Bithead

‎04-02-2024 08:43 AM

Hi All,

i am new to XSOAR playbooks but i have managed to get a playbook operational that accepts data from a Microsoft form and then updates a crowdstrike endpoint's tag information (this end point is hard coded atm via its ID).

The automation (cs-update-device-tags) will only accept the Crowdstrike ID. Its a unique 32 character value, which is obviously not user friendly and unreasonable to expect people to know this. The users of the form will know the windows/linux hostname but not know the ID.

I am struggling to come up with a way to take the hostname variable i have collected from the form, and then somehow resolve this to its ID and then continue on with the action of updating the tag via cs-update-device-tags.

Documentation in this area seems quite light. Has anyone done something similar or can offer any ideas?

Thanks in advance!

 

Steve

0 Likes Likes
3 REPLIES 3

amontminy
L3 Networker

‎04-02-2024 10:01 AM

It looks like you are using the Crowdstrike OpenAPI (Beta) integration. It looks like there is a command cs-query-devices-by-filter which can query your environment using a hostname which I believe will return the ID you need.

SHobbins
L1 Bithead

‎04-03-2024 05:53 AM

Hi Amontminy,

Yeah i did see this, and was struggling on how to use this exactly. Couldn't find any information or examples. I am assuming if i can get some detail back then it would need to be manipulated (parsed?) and passed onwards into my variables that then execute the task (that work ok when hard coded).

Will keep on digging! Thanks so far.



Steve

0 Likes Likes

SHobbins
L1 Bithead

‎04-04-2024 06:35 AM - edited ‎04-04-2024 06:36 AM

Hi all,

Pulling my hair out here, i am wondering if this is a bug or something related to it being beta?

If i run this command manually in playground to validate the task was running the correct command, and whilst it completes with no error - i get nothing back (no values returned) : 

!cs-query-devices-by-filter offset=1 limit=10 sort=hostname.asc filter_=hostname:'HOST682'

If i run the command below, i get multiple results returned under 'resources' which having checked them look to be the Host IDs of all the hosts that fall under the wildcard (Good!) :

!cs-query-devices-by-filter offset=1 limit=10 sort=hostname.asc filter_=hostname:'HOST68*'

Can anyone explain why when i run the query with a hostname explicitly set it doesn't work (no resource value returned) ??

Thanks

Steve



0 Likes Likes
  • 474 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks