Hello! We have a solution for MSSP usage of FalconPy as implemented in PR #48. This allows you to manage instances attached to your "parent" CID as long as the tenants you are managing are configured for peering or mapping to your CID. Example using the Uber class: from falconpy import api_complete as FalconSDK
# Parent-tenant API key pair plus the CID of the member tenant to operate on.
# The client_id / client_secret names are placeholders for values supplied
# at runtime; the page does not show where they come from.
member_tenant_creds = {
    "client_id": falcon_client_id,
    "client_secret": falcon_client_secret,
    # "member_cid" selects which member tenant this session acts against
    # (requires the tenant to be peered/mapped to the parent CID, per the
    # discussion text above).
    "member_cid": CID_OF_MEMBER_TENANT_HERE,
}

# One Uber-class session bound to the member tenant.
falcon = FalconSDK.APIHarness(creds=member_tenant_creds)

# Look up a single host by its agent ID (AID) via the Hosts API.
host = falcon.command('GetDeviceDetails', ids=HOST_AID_HERE)
print(json.dumps(host, indent=4)) Which should produce: {
"status_code": 200,
"headers": {
"Content-Encoding": "gzip",
"Content-Length": "1576",
"Content-Type": "application/json",
"Date": "Thu, 18 Feb 2021 01:31:55 GMT",
"X-Cs-Region": "us-1",
"X-Ratelimit-Limit": "6000",
"X-Ratelimit-Remaining": "5999"
},
"body": {
"meta": {
"query_time": 0.002158804,
"powered_by": "device-api",
"trace_id": "9af1592f-c81e-4428-85c5-8c8088ebe7b0"
},
"resources": [
{
"device_id": "f38a7beREDACTED",
"cid": "c6ec9130f89REDACTED",
"agent_load_flags": "0",
"agent_local_time": "2021-01-21T23:49:23.572Z",
"agent_version": "6.14.12806.0",
"bios_manufacturer": "Xen",
"bios_version": "4.2.amazon",
"build_number": "14393",
"config_id_base": "65994753",
"config_id_build": "12806",
"config_id_platform": "3",
"cpu_signature": "198386",
"external_ip": "54.173.123.45",
"mac_address": "06-9e-70-12-34-45",
"instance_id": "i-REDACTED",
"service_provider": "AWS_EC2",
"service_provider_account_id": "REDACTED",
"hostname": "INSTANCE-RDP-BAS",
"first_seen": "2020-09-22T20:58:52Z",
"last_seen": "2021-02-18T01:00:33Z",
"local_ip": "172.31.12.345",
"major_version": "10",
"minor_version": "0",
"os_version": "Windows Server 2016",
"platform_id": "0",
"platform_name": "Windows",
"policies": [
{
"policy_type": "prevention",
"policy_id": "e09237aREDACTED",
"applied": true,
"settings_hash": "1ccc49c",
"assigned_date": "2021-01-18T15:50:39.298795094Z",
"applied_date": "2021-01-18T15:51:28.537446054Z",
"rule_groups": []
}
],
"reduced_functionality_mode": "no",
"device_policies": {
"prevention": {
"policy_type": "prevention",
"policy_id": "e09237a592REDACTED",
"applied": true,
"settings_hash": "1ccc49c",
"assigned_date": "2021-01-18T15:50:39.298795094Z",
"applied_date": "2021-01-18T15:51:28.537446054Z",
"rule_groups": []
},
"sensor_update": {
"policy_type": "sensor-update",
"policy_id": "cd462746REDACTED",
"applied": true,
"settings_hash": "tagged|1;101",
"assigned_date": "2021-01-21T23:44:54.736338274Z",
"applied_date": "2021-01-21T23:45:25.639342878Z",
"uninstall_protection": "ENABLED"
},
"device_control": {
"policy_type": "device-control",
"policy_id": "1587c7f9REDACTED",
"applied": true,
"assigned_date": "2021-02-12T07:47:16.213934831Z",
"applied_date": "2021-02-12T07:51:38.601513417Z"
},
"global_config": {
"policy_type": "globalconfig",
"policy_id": "450acbcfREDACTED",
"applied": true,
"settings_hash": "5b6c78c3",
"assigned_date": "2021-01-22T00:30:47.297248223Z",
"applied_date": "2021-01-22T01:10:04.013684623Z"
},
"remote_response": {
"policy_type": "remote-response",
"policy_id": "4fdd5ab9dcREDACTED",
"applied": true,
"settings_hash": "f472bd8e",
"assigned_date": "2020-09-22T21:00:33.287827705Z",
"applied_date": "2020-09-22T21:01:34.851678284Z"
},
"firewall": {
"policy_type": "firewall",
"policy_id": "737a7e1f80bREDACTED",
"applied": true,
"assigned_date": "2021-02-12T07:47:16.213851598Z",
"applied_date": "2021-02-12T07:51:38.737540003Z",
"rule_set_id": "737a7e1f80bREDACTED"
}
},
"groups": [],
"group_hash": "e3b0c44298fc1c149afbf4c8996fb9REDACTED",
"product_type": "3",
"product_type_desc": "Server",
"provision_status": "Provisioned",
"serial_number": "ec2b1dd9-5795-2420-REDACTED",
"service_pack_major": "0",
"service_pack_minor": "0",
"pointer_size": "8",
"status": "normal",
"system_manufacturer": "Xen",
"system_product_name": "HVM domU",
"tags": [],
"modified_timestamp": "2021-02-18T01:00:49Z",
"slow_changing_modified_timestamp": "2021-02-17T23:56:35Z",
"meta": {
"version": "7154"
},
"zone_group": "us-east-1e"
}
],
"errors": []
}
} For environments where you are not operating as an MSSP, a possible approach is to use multiple instances of the class you want to work with. Here's an example using the Uber class to pull host details from two different CIDs via the Hosts API: import json
from falconpy import api_complete as FalconSDK
# Non-MSSP pattern: one Uber-class instance per tenant, each holding that
# tenant's own API key pair. The *_1 / *_2 names are placeholders for
# credentials supplied at runtime; the page does not show their origin.
tenant_key_pairs = (
    (falcon_client_id_1, falcon_client_secret_1),
    (falcon_client_id_2, falcon_client_secret_2),
)

# Instances are created in tuple order, so falcon1 is built before falcon2,
# matching the original statement order.
falcon1, falcon2 = (
    FalconSDK.APIHarness(creds={'client_id': key_id, 'client_secret': secret})
    for key_id, secret in tenant_key_pairs
)

# Each lookup is scoped to the tenant whose credentials built the instance.
resultOne = falcon1.command('GetDeviceDetails', ids="DEVICE_ID_FOR_DEVICE_IN_CID_1")
resultTwo = falcon2.command('GetDeviceDetails', ids="DEVICE_ID_FOR_DEVICE_IN_CID_2")
print(json.dumps(resultOne, indent=4))
print(json.dumps(resultTwo,indent=4)) This should produce a result similar to the following: {
"status_code": 200,
"headers": {
"Content-Encoding": "gzip",
"Content-Length": "1379",
"Content-Type": "application/json",
"Date": "Wed, 17 Feb 2021 22:40:26 GMT",
"X-Cs-Region": "us-1",
"X-Ratelimit-Limit": "6000",
"X-Ratelimit-Remaining": "5998"
},
"body": {
"meta": {
"query_time": 0.002416176,
"powered_by": "device-api",
"trace_id": "5e723e3e-827b-4867-85cc-70ad8c579443"
},
"resources": [
{
"device_id": "12345-REDACTED",
"cid": "98765-REDACTED",
"agent_load_flags": "0",
"agent_local_time": "2021-02-17T05:49:34.972Z",
"agent_version": "6.16.11307.0",
"bios_manufacturer": "Xen",
"bios_version": "4.2.amazon",
"config_id_base": "65994753",
"config_id_build": "11307",
"config_id_platform": "8",
"cpu_signature": "263921",
"detection_suppression_status": "suppressed",
"external_ip": "52.40.116.56",
"mac_address": "02-42-02-??-cd-??",
"instance_id": "i-REDACTED",
"service_provider": "AWS_EC2",
"service_provider_account_id": "REDACTED",
"hostname": "mod-357b4bc3c0d04f36",
"host_hidden_status": "hidden",
"first_seen": "2021-02-17T05:48:00Z",
"last_seen": "2021-02-17T15:23:35Z",
"local_ip": "172.17.0.1",
"major_version": "4",
"minor_version": "14",
"os_version": "Amazon Linux 2",
"platform_id": "3",
"platform_name": "Linux",
"policies": [
{
"policy_type": "prevention",
"policy_id": "df86850688db4c389a7fe1ea39c77416",
"applied": true,
"settings_hash": "765cb407",
"assigned_date": "2021-02-17T05:57:37.10563612Z",
"applied_date": "2021-02-17T05:58:53.134018816Z",
"rule_groups": [
"6211a11267914c1fb58005c45a995c9a"
]
}
],
"reduced_functionality_mode": "no",
"device_policies": {
"prevention": {
"policy_type": "prevention",
"policy_id": "df86850688db4c389a7fe1ea39c77416",
"applied": true,
"settings_hash": "765cb407",
"assigned_date": "2021-02-17T05:57:37.10563612Z",
"applied_date": "2021-02-17T05:58:53.134018816Z",
"rule_groups": [
"6211a11267914c1fb58005c45a995c9a"
]
},
"sensor_update": {
"policy_type": "sensor-update",
"policy_id": "8bfe4ec000f44de495427a8d97cdcfdc",
"applied": true,
"settings_hash": "3210;",
"assigned_date": "2021-02-17T05:49:04.190636992Z",
"applied_date": "2021-02-17T05:49:55.618131985Z",
"uninstall_protection": "UNKNOWN"
},
"global_config": {
"policy_type": "globalconfig",
"policy_id": "ccbd9726b5054f138b1e2428a32c80c2",
"applied": true,
"settings_hash": "153afa73",
"assigned_date": "2021-02-17T05:49:35.530463406Z",
"applied_date": "2021-02-17T05:49:55.6960471Z"
},
"remote_response": {
"policy_type": "remote-response",
"policy_id": "fe5a9913d1ee42899396e87f4364c431",
"applied": true,
"settings_hash": "17550b92",
"assigned_date": "2021-02-17T05:55:14.064651948Z",
"applied_date": "2021-02-17T05:56:49.494219098Z"
}
},
"groups": [],
"group_hash": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
"product_type_desc": "Server",
"provision_status": "NotProvisioned",
"serial_number": "ec2250a6-95b4-b874-29c7-1c20d8888365",
"status": "normal",
"system_manufacturer": "Xen",
"system_product_name": "HVM domU",
"tags": [],
"modified_timestamp": "2021-02-17T15:58:57Z",
"slow_changing_modified_timestamp": "2021-02-17T15:58:57Z",
"meta": {
"version": "31"
},
"zone_group": "us-west-2a"
}
],
"errors": []
}
}
{
"status_code": 200,
"headers": {
"Content-Encoding": "gzip",
"Content-Length": "1347",
"Content-Type": "application/json",
"Date": "Wed, 17 Feb 2021 22:40:28 GMT",
"X-Cs-Region": "us-1",
"X-Ratelimit-Limit": "6000",
"X-Ratelimit-Remaining": "5998"
},
"body": {
"meta": {
"query_time": 0.002764646,
"powered_by": "device-api",
"trace_id": "ce2eee19-f052-4d44-b742-5ba67332b9fa"
},
"resources": [
{
"device_id": "998877-REDACTED",
"cid": "123450987-REDACTED",
"agent_load_flags": "0",
"agent_local_time": "2021-01-29T12:40:58.787Z",
"agent_version": "6.14.11110.0",
"bios_manufacturer": "Xen",
"bios_version": "4.2.amazon",
"config_id_base": "65994753",
"config_id_build": "11110",
"config_id_platform": "8",
"cpu_signature": "198386",
"external_ip": "18.133.11.11",
"mac_address": "06-eb-XX-11-f3-aa",
"instance_id": "i-REDACTED",
"service_provider": "AWS_EC2",
"service_provider_account_id": "REDACTED",
"hostname": "mdrp-3452mf83n2d94nma",
"first_seen": "2021-01-29T12:39:38Z",
"last_seen": "2021-02-17T22:34:11Z",
"local_ip": "172.16.64.30",
"major_version": "4",
"minor_version": "14",
"os_version": "Amazon Linux 2",
"platform_id": "3",
"platform_name": "Linux",
"policies": [
{
"policy_type": "prevention",
"policy_id": "68504b2ff3804d0b9b7d57682e693f5f",
"applied": true,
"settings_hash": "765cb407",
"assigned_date": "2021-01-29T12:46:21.557573061Z",
"applied_date": "2021-01-29T12:47:28.168076134Z",
"rule_groups": [
"c501fd9a26ce4a24a453c3d59ce34e8f"
]
}
],
"reduced_functionality_mode": "no",
"device_policies": {
"prevention": {
"policy_type": "prevention",
"policy_id": "68504b2ff3804d0b9b7d57682e693f5f",
"applied": true,
"settings_hash": "765cb407",
"assigned_date": "2021-01-29T12:46:21.557573061Z",
"applied_date": "2021-01-29T12:47:28.168076134Z",
"rule_groups": [
"c501fd9a26ce4a24a453c3d59ce34e8f"
]
},
"sensor_update": {
"policy_type": "sensor-update",
"policy_id": "b5536f46c8e24acfb1d68f2fb58e8298",
"applied": true,
"settings_hash": "3200;",
"assigned_date": "2021-01-29T12:40:42.562961735Z",
"applied_date": "2021-01-29T12:41:34.788285264Z",
"uninstall_protection": "UNKNOWN"
},
"global_config": {
"policy_type": "globalconfig",
"policy_id": "9fb2cf5af2aa4fdbbc9bcca02fad9449",
"applied": true,
"settings_hash": "153afa73",
"assigned_date": "2021-01-29T12:40:59.84704017Z",
"applied_date": "2021-01-29T12:41:51.076818027Z"
},
"remote_response": {
"policy_type": "remote-response",
"policy_id": "9dd604b5daae4bea978cca69eda8a93f",
"applied": true,
"settings_hash": "17550b92",
"assigned_date": "2021-01-29T12:48:10.141356057Z",
"applied_date": "2021-01-29T12:50:01.471557834Z"
}
},
"groups": [],
"group_hash": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
"product_type_desc": "Server",
"provision_status": "NotProvisioned",
"serial_number": "ec213592-f025-8d54-1308-3f41cea3b277",
"status": "normal",
"system_manufacturer": "Xen",
"system_product_name": "HVM domU",
"tags": [],
"modified_timestamp": "2021-02-17T22:35:33Z",
"slow_changing_modified_timestamp": "2021-02-17T12:40:55Z",
"meta": {
"version": "934"
},
"zone_group": "eu-west-2a"
}
],
"errors": []
}
} Does this speak to what you're trying to accomplish? |
Hi,
We use falconpy with TheHive webhooks to automatically trigger some actions based on events or actions in TheHive.
It works pretty well with one tenant, but we now have multiple tenants in CrowdStrike.
Since we only have one API key configured in falconpy, and using the root tenant's API key does not allow changes to be made on other tenants, it becomes difficult to automate things with falconpy.
Do you have a solution for this, or is it something that is coming in a future release?
Thanks for your work !
Regards