XSOAR Playbook - Crowdstrike Endpoint Update


L1 Bithead

Hi All,

I am new to XSOAR playbooks, but I have managed to get a playbook operational that accepts data from a Microsoft form and then updates a CrowdStrike endpoint's tag information (this endpoint is hard coded atm via its ID).

The automation (cs-update-device-tags) will only accept the CrowdStrike ID. It's a unique 32-character value, which is obviously not user friendly, and it is unreasonable to expect people to know this. The users of the form will know the Windows/Linux hostname but not the ID.

I am struggling to come up with a way to take the hostname variable I have collected from the form, somehow resolve this to its ID, and then continue on with the action of updating the tag via cs-update-device-tags.

Documentation in this area seems quite light. Has anyone done something similar or can offer any ideas?

Thanks in advance!


Steve

3 replies

L3 Networker

It looks like you are using the Crowdstrike OpenAPI (Beta) integration. It looks like there is a command cs-query-devices-by-filter which can query your environment using a hostname which I believe will return the ID you need.

L1 Bithead

Hi Amontminy,

Yeah, I did see this, and was struggling with how to use it exactly. Couldn't find any information or examples. I am assuming that if I can get some detail back, then it would need to be manipulated (parsed?) and passed onwards into my variables that then execute the task (which works OK when hard coded).

Will keep on digging! Thanks so far.



Steve

L1 Bithead

Hi all,

Pulling my hair out here; I am wondering if this is a bug or something related to it being beta?

If I run this command manually in the Playground to validate that the task was running the correct command, it completes with no error, but I get nothing back (no values returned):

!cs-query-devices-by-filter offset=1 limit=10 sort=hostname.asc filter_=hostname:'HOST682'

If I run the command below, I get multiple results returned under 'resources', which, having checked them, look to be the host IDs of all the hosts that fall under the wildcard (good!):

!cs-query-devices-by-filter offset=1 limit=10 sort=hostname.asc filter_=hostname:'HOST68*'

Can anyone explain why, when I run the query with a hostname explicitly set, it doesn't work (no resource value returned)?

Thanks

Steve
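As an added illustration (not part of the thread, and not the integration's own code), the Python below models the two commands above: the `hostname:'...'` filter with and without a trailing `*` wildcard, the `sort=hostname.asc` ordering, and `offset`/`limit` paging, over a small constructed inventory of fake device IDs. It assumes, as the Falcon API documents, that `offset` is zero-based, so `offset=1` skips the first result; `resolve_host_id` is a hypothetical helper, not a real XSOAR command.

```python
import re

# Constructed sample inventory: hostname -> device ID.
# The IDs are fake 32-character placeholders, not real CrowdStrike AIDs.
DEVICES = {
    "HOST681": "a" * 32,
    "HOST682": "b" * 32,
    "HOST683": "c" * 32,
    "DBSRV01": "d" * 32,
}


def fql_hostname_matches(pattern: str, hostname: str) -> bool:
    """Match an FQL hostname value: a trailing '*' is a prefix wildcard,
    anything else must match the hostname exactly."""
    if pattern.endswith("*"):
        return hostname.startswith(pattern[:-1])
    return hostname == pattern


def parse_filter(filter_: str) -> str:
    """Extract VALUE from a filter of the form hostname:'VALUE'."""
    m = re.fullmatch(r"hostname:'([^']*)'", filter_.strip())
    if not m:
        raise ValueError(f"unsupported filter: {filter_!r}")
    return m.group(1)


def query_devices_by_filter(filter_, offset=0, limit=10, devices=DEVICES):
    """Simulate cs-query-devices-by-filter with sort=hostname.asc.
    Returns the device IDs that the real command places under 'resources'.
    offset is assumed to be zero-based, as in the Falcon API (assumption)."""
    pattern = parse_filter(filter_)
    matched = sorted(h for h in devices if fql_hostname_matches(pattern, h))
    page = matched[offset:offset + limit]
    return [devices[h] for h in page]


def resolve_host_id(hostname: str, devices=DEVICES):
    """Hypothetical helper: resolve one hostname to exactly one device ID.
    Returns None when the exact-match query yields zero or several IDs, so a
    playbook can stop rather than tag the wrong endpoint."""
    ids = query_devices_by_filter(f"hostname:'{hostname}'", offset=0,
                                  limit=2, devices=devices)
    return ids[0] if len(ids) == 1 else None
```

Under this model, `hostname:'HOST682'` at `offset=1` returns an empty list because the single exact match is the first (and only) result, while `hostname:'HOST68*'` at `offset=1` still returns the second and third matches.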
