From 746371fa397ab303e6f5cd419e3f6ce8fe52533c Mon Sep 17 00:00:00 2001
From: nusantara-self <15647296+nusantara-self@users.noreply.github.com>
Date: Tue, 14 Jan 2025 18:49:19 +0800
Subject: [PATCH] Add custom base_url support
---
 .../CrowdstrikeFalcon_GetDeviceVulnerabilities.json | 8 ++++++++
 .../CrowdstrikeFalcon_GetDeviceVulnerabilities.py | 4 ++--
 analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_Sandbox.py | 3 ++-
 .../CrowdstrikeFalcon_Sandbox_Android.json | 8 ++++++++
 .../CrowdstrikeFalcon_Sandbox_Linux.json | 8 ++++++++
 .../CrowdstrikeFalcon_Sandbox_MacOS.json | 8 ++++++++
 .../CrowdstrikeFalcon_Sandbox_Win10.json | 8 ++++++++
 .../CrowdstrikeFalcon_Sandbox_Win11.json | 8 ++++++++
 .../CrowdstrikeFalcon_Sandbox_Win7.json | 8 ++++++++
 .../CrowdstrikeFalcon_Sandbox_Win7_64.json | 8 ++++++++
 .../CrowdstrikeFalcon_getDeviceAlerts.json | 8 ++++++++
 .../CrowdstrikeFalcon_getDeviceAlerts.py | 3 ++-
 .../CrowdstrikeFalcon_getDeviceDetails.json | 8 ++++++++
 .../CrowdstrikeFalcon_getDeviceDetails.py | 4 +++-
 .../CrowdstrikeFalcon/CrowdStrikeFalcon_AddIOC.json | 8 ++++++++
 responders/CrowdstrikeFalcon/CrowdStrikeFalcon_Sync.json | 8 ++++++++
 .../CrowdstrikeFalcon/CrowdStrikeFalcon_removeIOC.json | 8 ++++++++
 responders/CrowdstrikeFalcon/CrowdstrikeFalconHosts.py | 4 +++-
 responders/CrowdstrikeFalcon/CrowdstrikeFalconIOC.py | 9 ++++++---
 responders/CrowdstrikeFalcon/CrowdstrikeFalconSync.py | 8 +++++---
 .../CrowdstrikeFalcon/CrowdstrikeFalcon_containHost.json | 8 ++++++++
 .../CrowdstrikeFalcon/CrowdstrikeFalcon_hideHost.json | 8 ++++++++
 .../CrowdstrikeFalcon_liftContainmentHost.json | 8 ++++++++
 .../CrowdstrikeFalcon_suppressDetections.json | 8 ++++++++
 .../CrowdstrikeFalcon/CrowdstrikeFalcon_unhideHost.json | 8 ++++++++
 .../CrowdstrikeFalcon_unsuppressDetection.json | 8 ++++++++
 26 files changed, 175 insertions(+), 12 deletions(-)
diff --git a/analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_GetDeviceVulnerabilities.json b/analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_GetDeviceVulnerabilities.json index 865f707fd..d3f90b3dc 100644 --- a/analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_GetDeviceVulnerabilities.json +++ b/analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_GetDeviceVulnerabilities.json @@ -32,6 +32,14 @@ "required": true, "defaultValue": "" }, + { + "name": "base_url", + "description": "Crowdstrike base URL. Also supports US-1, US-2, EU-1, US-GOV-1 values", + "type": "string", + "multi": false, + "required": true, + "defaultValue": "https://api.crowdstrike.com" + }, { "name": "vuln_fields", "description": "Specific field values to keep in resulting payload for vulnerabilities", diff --git a/analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_GetDeviceVulnerabilities.py b/analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_GetDeviceVulnerabilities.py index bffe8c154..8b9fd49f9 100755 --- a/analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_GetDeviceVulnerabilities.py +++ b/analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_GetDeviceVulnerabilities.py @@ -12,7 +12,7 @@ def __init__(self): self.client_id = self.get_param("config.client_id") self.client_secret = self.get_param("config.client_secret") self.vuln_fields = self.get_param("config.vuln_fields", []) - + self.base_url = self.get_param("config.base_url", "https://api.crowdstrike.com") def run(self): @@ -23,7 +23,7 @@ def run(self): extra_headers = { "User-Agent": "strangebee-thehive/1.0" } - auth = OAuth2(client_id=self.client_id, client_secret=self.client_secret) + auth = OAuth2(client_id=self.client_id, client_secret=self.client_secret, base_url=self.base_url) hosts = Hosts(auth_object=auth, ext_headers=extra_headers) hostname = self.get_data() diff --git a/analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_Sandbox.py b/analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_Sandbox.py index 54412b012..d8d75e4e1 100755 
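Review bot: The new `base_url` item is declared `"required": true`, while every Python consumer in this commit reads it with a fallback (`self.get_param("config.base_url", "https://api.crowdstrike.com")`), so the JSON and the code disagree on whether the setting is optional. If Cortex enforces required items against already-stored configurations, existing deployments may have to be re-saved after the upgrade (inferred, not visible in this patch); `"required": false` would match the code. The description could also tell the operator what the value controls, e.g. `"CrowdStrike API base URL (https) or region name US-1, US-2, EU-1, US-GOV-1; the API client ID and secret are sent to this host"`. The same eight-line block is added to the other analyzer and responder JSON files in this commit.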
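Review bot: `base_url` is read from configuration in `__init__` and handed to `OAuth2(...)` in `run()` with no check, yet it decides which host receives `client_id` and `client_secret` for the token request. A mistyped host or an explicit `http://` value would presumably send the secret to the wrong endpoint or in clear text, so reject non-HTTPS schemes right after the read: `if "://" in self.base_url and not self.base_url.lower().startswith("https://"): self.error("config.base_url must be an https:// URL or a region name")`. The same unchecked pass-through is added in CrowdstrikeFalcon_Sandbox.py (where the submitted sample also goes to that host), CrowdstrikeFalcon_getDeviceAlerts.py, CrowdstrikeFalcon_getDeviceDetails.py, CrowdstrikeFalconHosts.py, CrowdstrikeFalconIOC.py and CrowdstrikeFalconSync.py. Both `__init__` and `run()` extend beyond the hunks shown.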
--- a/analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_Sandbox.py +++ b/analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_Sandbox.py @@ -15,6 +15,7 @@ def __init__(self): self.filepath = self.getParam("file", None, "File is missing") self.client_id = self.get_param("config.client_id") self.client_secret = self.get_param("config.client_secret") + self.base_url = self.get_param("config.base_url", "https://api.crowdstrike.com") self.environment = self.get_param("config.service", 160) self.network_settings = self.get_param("config.network_settings", "default") self.action_script = self.get_param("config.action_script", "default") @@ -48,7 +49,7 @@ def run(self): } with open(filepath, "rb") as sample: - auth = OAuth2(client_id=self.client_id, client_secret=self.client_secret) + auth = OAuth2(client_id=self.client_id, client_secret=self.client_secret, base_url=self.base_url) # Define the custom header extra_headers = { "User-Agent": "strangebee-thehive/1.0" diff --git a/analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_Sandbox_Android.json b/analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_Sandbox_Android.json index 5172e4523..f53727d70 100644 --- a/analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_Sandbox_Android.json +++ b/analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_Sandbox_Android.json @@ -32,6 +32,14 @@ "required": true, "defaultValue": "" }, + { + "name": "base_url", + "description": "Crowdstrike base URL. Also supports US-1, US-2, EU-1, US-GOV-1 values", + "type": "string", + "multi": false, + "required": true, + "defaultValue": "https://api.crowdstrike.com" + }, { "name": "network_settings", "description": "Specifies the sandbox network_settings used for analysis : default, tor, simulated, offline", diff --git a/analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_Sandbox_Linux.json b/analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_Sandbox_Linux.json index a9e42738d..f28b4b502 100644 --- a/analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_Sandbox_Linux.json 
+++ b/analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_Sandbox_Linux.json
@@ -32,6 +32,14 @@
 "required": true,
 "defaultValue": ""
 },
+ {
+ "name": "base_url",
+ "description": "Crowdstrike base URL. Also supports US-1, US-2, EU-1, US-GOV-1 values",
+ "type": "string",
+ "multi": false,
+ "required": true,
+ "defaultValue": "https://api.crowdstrike.com"
+ },
 {
 "name": "network_settings",
 "description": "Specifies the sandbox network_settings used for analysis : default, tor, simulated, offline",
diff --git a/analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_Sandbox_MacOS.json b/analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_Sandbox_MacOS.json
index 684e78b99..1570912a1 100644
--- a/analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_Sandbox_MacOS.json
+++ b/analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_Sandbox_MacOS.json
@@ -32,6 +32,14 @@
 "required": true,
 "defaultValue": ""
 },
+ {
+ "name": "base_url",
+ "description": "Crowdstrike base URL. Also supports US-1, US-2, EU-1, US-GOV-1 values",
+ "type": "string",
+ "multi": false,
+ "required": true,
+ "defaultValue": "https://api.crowdstrike.com"
+ },
 {
 "name": "network_settings",
 "description": "Specifies the sandbox network_settings used for analysis : default, tor, simulated, offline",
diff --git a/analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_Sandbox_Win10.json b/analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_Sandbox_Win10.json
index d558bf622..08a057364 100644
--- a/analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_Sandbox_Win10.json
+++ b/analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_Sandbox_Win10.json
@@ -32,6 +32,14 @@
 "required": true,
 "defaultValue": ""
 },
+ {
+ "name": "base_url",
+ "description": "Crowdstrike base URL. Also supports US-1, US-2, EU-1, US-GOV-1 values",
+ "type": "string",
+ "multi": false,
+ "required": true,
+ "defaultValue": "https://api.crowdstrike.com"
+ },
 {
 "name": "network_settings",
 "description": "Specifies the sandbox network_settings used for analysis : default, tor, simulated, offline",
diff --git a/analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_Sandbox_Win11.json b/analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_Sandbox_Win11.json
index 9b6a70d8a..06db49be1 100644
--- a/analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_Sandbox_Win11.json
+++ b/analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_Sandbox_Win11.json
@@ -32,6 +32,14 @@
 "required": true,
 "defaultValue": ""
 },
+ {
+ "name": "base_url",
+ "description": "Crowdstrike base URL. Also supports US-1, US-2, EU-1, US-GOV-1 values",
+ "type": "string",
+ "multi": false,
+ "required": true,
+ "defaultValue": "https://api.crowdstrike.com"
+ },
 {
 "name": "network_settings",
 "description": "Specifies the sandbox network_settings used for analysis : default, tor, simulated, offline",
diff --git a/analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_Sandbox_Win7.json b/analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_Sandbox_Win7.json
index 0e22f239d..33bb8b885 100644
--- a/analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_Sandbox_Win7.json
+++ b/analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_Sandbox_Win7.json
@@ -32,6 +32,14 @@
 "required": true,
 "defaultValue": ""
 },
+ {
+ "name": "base_url",
+ "description": "Crowdstrike base URL. Also supports US-1, US-2, EU-1, US-GOV-1 values",
+ "type": "string",
+ "multi": false,
+ "required": true,
+ "defaultValue": "https://api.crowdstrike.com"
+ },
 {
 "name": "network_settings",
 "description": "Specifies the sandbox network_settings used for analysis : default, tor, simulated, offline",
diff --git a/analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_Sandbox_Win7_64.json b/analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_Sandbox_Win7_64.json
index 380b49b25..bcdaf0dc9 100644
--- a/analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_Sandbox_Win7_64.json
+++ b/analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_Sandbox_Win7_64.json
@@ -32,6 +32,14 @@ "required": true, "defaultValue": "" }, + { + "name": "base_url", + "description": "Crowdstrike base URL. Also supports US-1, US-2, EU-1, US-GOV-1 values", + "type": "string", + "multi": false, + "required": true, + "defaultValue": "https://api.crowdstrike.com" + }, { "name": "network_settings", "description": "Specifies the sandbox network_settings used for analysis : default, tor, simulated, offline", diff --git a/analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_getDeviceAlerts.json b/analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_getDeviceAlerts.json index 198e9a9f5..b51a89852 100644 --- a/analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_getDeviceAlerts.json +++ b/analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_getDeviceAlerts.json @@ -32,6 +32,14 @@ "required": true, "defaultValue": "" }, + { + "name": "base_url", + "description": "Crowdstrike base URL. Also supports US-1, US-2, EU-1, US-GOV-1 values", + "type": "string", + "multi": false, + "required": true, + "defaultValue": "https://api.crowdstrike.com" + }, { "name": "alert_fields", "description": "Fields to return for each invidividual alerts", diff --git a/analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_getDeviceAlerts.py b/analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_getDeviceAlerts.py index 219008f1d..4a36242d5 100755 --- a/analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_getDeviceAlerts.py +++ b/analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_getDeviceAlerts.py @@ -10,6 +10,7 @@ def __init__(self): Analyzer.__init__(self) self.client_id = self.get_param("config.client_id") self.client_secret = self.get_param("config.client_secret") + self.base_url = self.get_param("config.base_url", "https://api.crowdstrike.com") self.alert_fields = self.get_param("config.alert_fields") self.days_before = self.get_param("config.days_before") 
@@ -17,7 +18,7 @@ def run(self): Analyzer.run(self) if self.data_type == 'hostname': try: - auth = OAuth2(client_id=self.client_id, client_secret=self.client_secret) + auth = OAuth2(client_id=self.client_id, client_secret=self.client_secret, base_url=self.base_url) # Define the custom header extra_headers = { "User-Agent": "strangebee-thehive/1.0" diff --git a/analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_getDeviceDetails.json b/analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_getDeviceDetails.json index a5f557c5e..6951fbe57 100644 --- a/analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_getDeviceDetails.json +++ b/analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_getDeviceDetails.json @@ -31,6 +31,14 @@ "multi": false, "required": true, "defaultValue": "" + }, + { + "name": "base_url", + "description": "Crowdstrike base URL. Also supports US-1, US-2, EU-1, US-GOV-1 values", + "type": "string", + "multi": false, + "required": true, + "defaultValue": "https://api.crowdstrike.com" } ], "registration_required": true, diff --git a/analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_getDeviceDetails.py b/analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_getDeviceDetails.py index f18c63875..b650aa5ce 100755 --- a/analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_getDeviceDetails.py +++ b/analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_getDeviceDetails.py @@ -11,12 +11,14 @@ def __init__(self): Analyzer.__init__(self) self.client_id = self.get_param("config.client_id") self.client_secret = self.get_param("config.client_secret") + self.base_url = self.get_param("config.base_url", "https://api.crowdstrike.com") + def run(self): Analyzer.run(self) if self.data_type == 'hostname': try: - auth = OAuth2(client_id=self.client_id, client_secret=self.client_secret) + auth = OAuth2(client_id=self.client_id, client_secret=self.client_secret, base_url=self.base_url) # Define the custom header extra_headers = { "User-Agent": "strangebee-thehive/1.0" 
diff --git a/responders/CrowdstrikeFalcon/CrowdStrikeFalcon_AddIOC.json b/responders/CrowdstrikeFalcon/CrowdStrikeFalcon_AddIOC.json
index 51946e9a6..81c0b569a 100644
--- a/responders/CrowdstrikeFalcon/CrowdStrikeFalcon_AddIOC.json
+++ b/responders/CrowdstrikeFalcon/CrowdStrikeFalcon_AddIOC.json
@@ -30,6 +30,14 @@
 "required": true,
 "defaultValue": ""
 },
+ {
+ "name": "base_url",
+ "description": "Crowdstrike base URL. Also supports US-1, US-2, EU-1, US-GOV-1 values",
+ "type": "string",
+ "multi": false,
+ "required": true,
+ "defaultValue": "https://api.crowdstrike.com"
+ },
 {
 "name": "severity",
 "description": "Severity linked to the IoC - informational, low, medium, high, critical",
diff --git a/responders/CrowdstrikeFalcon/CrowdStrikeFalcon_Sync.json b/responders/CrowdstrikeFalcon/CrowdStrikeFalcon_Sync.json
index 2380e74e1..ae0b9da2a 100644
--- a/responders/CrowdstrikeFalcon/CrowdStrikeFalcon_Sync.json
+++ b/responders/CrowdstrikeFalcon/CrowdStrikeFalcon_Sync.json
@@ -30,6 +30,14 @@
 "required": true,
 "defaultValue": ""
 },
+ {
+ "name": "base_url",
+ "description": "Crowdstrike base URL. Also supports US-1, US-2, EU-1, US-GOV-1 values",
+ "type": "string",
+ "multi": false,
+ "required": true,
+ "defaultValue": "https://api.crowdstrike.com"
+ },
 {
 "name": "custom_field_name_alert_id",
 "description": "Custom field in TheHive containing the CSFalcon Alert ID",
diff --git a/responders/CrowdstrikeFalcon/CrowdStrikeFalcon_removeIOC.json b/responders/CrowdstrikeFalcon/CrowdStrikeFalcon_removeIOC.json
index ed02746ac..10016a0b8 100644
--- a/responders/CrowdstrikeFalcon/CrowdStrikeFalcon_removeIOC.json
+++ b/responders/CrowdstrikeFalcon/CrowdStrikeFalcon_removeIOC.json
@@ -29,6 +29,14 @@ "multi": false, "required": true, "defaultValue": "" + }, + { + "name": "base_url", + "description": "Crowdstrike base URL. Also supports US-1, US-2, EU-1, US-GOV-1 values", + "type": "string", + "multi": false, + "required": true, + "defaultValue": "https://api.crowdstrike.com" } ], "registration_required": true, diff --git a/responders/CrowdstrikeFalcon/CrowdstrikeFalconHosts.py b/responders/CrowdstrikeFalcon/CrowdstrikeFalconHosts.py index 9e751ca37..09b3954ef 100755 --- a/responders/CrowdstrikeFalcon/CrowdstrikeFalconHosts.py +++ b/responders/CrowdstrikeFalcon/CrowdstrikeFalconHosts.py @@ -9,6 +9,8 @@ def __init__(self): self.client_id = self.get_param("config.client_id") self.client_secret = self.get_param("config.client_secret") self.service = self.get_param("config.service", None) + self.base_url = self.get_param("config.base_url", "https://api.crowdstrike.com") + def run(self): Responder.run(self) @@ -18,7 +20,7 @@ def run(self): extra_headers = { "User-Agent": "strangebee-thehive/1.0" } - auth = OAuth2(client_id=self.client_id, client_secret=self.client_secret) + auth = OAuth2(client_id=self.client_id, client_secret=self.client_secret, base_url=self.base_url) hosts = Hosts(auth_object=auth, ext_headers=extra_headers) # Search for the device ID using the hostname diff --git a/responders/CrowdstrikeFalcon/CrowdstrikeFalconIOC.py b/responders/CrowdstrikeFalcon/CrowdstrikeFalconIOC.py index 174a978da..57704c8f4 100755 --- a/responders/CrowdstrikeFalcon/CrowdstrikeFalconIOC.py +++ b/responders/CrowdstrikeFalcon/CrowdstrikeFalconIOC.py @@ -2,7 +2,7 @@ from cortexutils.responder import Responder import requests -from falconpy import IOC +from falconpy import OAuth2, IOC from datetime import datetime, timedelta import re from urllib.parse import urlparse 
@@ -12,6 +12,7 @@ def __init__(self): Responder.__init__(self) self.client_id = self.get_param("config.client_id") self.client_secret = self.get_param("config.client_secret") + self.base_url = self.get_param("config.base_url", "https://api.crowdstrike.com") self.service = self.get_param("config.service", None) self.platform_list = self.get_param("config.platform_list", []) self.host_groups_list = self.get_param("config.host_groups_list", []) @@ -83,7 +84,8 @@ def run(self): "User-Agent": "strangebee-thehive/1.0" } # Create the IOC service object - ioc = IOC(client_id=self.client_id, client_secret=self.client_secret, ext_headers=extra_headers) + auth = OAuth2(client_id=self.client_id, client_secret=self.client_secret, base_url=self.base_url) + ioc = IOC(auth_object=auth, ext_headers=extra_headers) # Determine if the IOC applies globally or to specific host groups ioc_kwargs = { @@ -127,7 +129,8 @@ def run(self): "User-Agent": "strangebee-thehive/1.0" } # Create the IOC service object - ioc = IOC(client_id=self.client_id, client_secret=self.client_secret, ext_headers=extra_headers) + auth = OAuth2(client_id=self.client_id, client_secret=self.client_secret, base_url=self.base_url) + ioc = IOC(auth_object=auth, ext_headers=extra_headers) # Search for the IOC by value response = ioc.indicator_search(filter=filter,offset=0, limit=200) diff --git a/responders/CrowdstrikeFalcon/CrowdstrikeFalconSync.py b/responders/CrowdstrikeFalcon/CrowdstrikeFalconSync.py index 83e5d111b..3d057167b 100755 --- a/responders/CrowdstrikeFalcon/CrowdstrikeFalconSync.py +++ b/responders/CrowdstrikeFalcon/CrowdstrikeFalconSync.py 
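Review bot: The client construction (`auth = OAuth2(...)` followed by `ioc = IOC(auth_object=auth, ext_headers=extra_headers)`) is now repeated verbatim at both places where `run()` builds an IOC client (the hunks at -83 and -127), so any later change to how credentials or `base_url` are handled has to be made twice. CrowdstrikeFalconSync.py in this same commit builds `auth` once and shares it between `Alerts` and `Incidents`; the equivalent here would be a small private method on the responder that returns the `IOC` client, leaving each call site as `ioc = self._ioc_client(extra_headers)`. `run()` starts and ends outside these hunks, so whether the two sites share a scope that would allow a single construction cannot be confirmed from the patch.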
@@ -1,13 +1,14 @@ #!/usr/bin/env python3 from cortexutils.responder import Responder -from falconpy import Alerts, Incidents +from falconpy import OAuth2, Alerts, Incidents class CrowdstrikeFalconSync(Responder): def __init__(self): Responder.__init__(self) self.client_id = self.get_param("config.client_id") self.client_secret = self.get_param("config.client_secret") + self.base_url = self.get_param("config.base_url", "https://api.crowdstrike.com") self.service = self.get_param("config.service", None) self.custom_field_name_alert_id = self.get_param("config.custom_field_name_alert_id") self.custom_field_name_incident_id = self.get_param("config.custom_field_name_incident_id") @@ -47,10 +48,11 @@ def run(self): if current_stage not in status_mapping_alert: self.error(f"Unknown case status: {current_stage}") + auth = OAuth2(client_id=self.client_id, client_secret=self.client_secret, base_url=self.base_url) # Update the CrowdStrike alert status if detection_id: - alert_client = Alerts(client_id=self.client_id, client_secret=self.client_secret, ext_headers=extra_headers) + alert_client = Alerts(auth_object=auth, ext_headers=extra_headers) # Determine the corresponding CrowdStrike alert status cs_status_alert = status_mapping_alert[current_stage] if isinstance(detection_id,str): @@ -70,7 +72,7 @@ def run(self): if incident_id: - incident_client = Incidents(client_id=self.client_id, client_secret=self.client_secret, ext_headers=extra_headers) + incident_client = Incidents(auth_object=auth, ext_headers=extra_headers) # Determine the corresponding CrowdStrike incident status cs_status_incident = status_mapping_incident[current_stage] if isinstance(incident_id,str): diff --git a/responders/CrowdstrikeFalcon/CrowdstrikeFalcon_containHost.json b/responders/CrowdstrikeFalcon/CrowdstrikeFalcon_containHost.json index 1298a9086..b0df32e31 100644 --- a/responders/CrowdstrikeFalcon/CrowdstrikeFalcon_containHost.json 
+++ b/responders/CrowdstrikeFalcon/CrowdstrikeFalcon_containHost.json
@@ -29,6 +29,14 @@
 "multi": false,
 "required": true,
 "defaultValue": ""
+ },
+ {
+ "name": "base_url",
+ "description": "Crowdstrike base URL. Also supports US-1, US-2, EU-1, US-GOV-1 values",
+ "type": "string",
+ "multi": false,
+ "required": true,
+ "defaultValue": "https://api.crowdstrike.com"
 }
 ],
 "registration_required": true,
diff --git a/responders/CrowdstrikeFalcon/CrowdstrikeFalcon_hideHost.json b/responders/CrowdstrikeFalcon/CrowdstrikeFalcon_hideHost.json
index 1a92a0c7e..fee369dc2 100644
--- a/responders/CrowdstrikeFalcon/CrowdstrikeFalcon_hideHost.json
+++ b/responders/CrowdstrikeFalcon/CrowdstrikeFalcon_hideHost.json
@@ -29,6 +29,14 @@
 "multi": false,
 "required": true,
 "defaultValue": ""
+ },
+ {
+ "name": "base_url",
+ "description": "Crowdstrike base URL. Also supports US-1, US-2, EU-1, US-GOV-1 values",
+ "type": "string",
+ "multi": false,
+ "required": true,
+ "defaultValue": "https://api.crowdstrike.com"
 }
 ],
 "registration_required": true,
diff --git a/responders/CrowdstrikeFalcon/CrowdstrikeFalcon_liftContainmentHost.json b/responders/CrowdstrikeFalcon/CrowdstrikeFalcon_liftContainmentHost.json
index 9f7d8e82d..e46cb3c09 100644
--- a/responders/CrowdstrikeFalcon/CrowdstrikeFalcon_liftContainmentHost.json
+++ b/responders/CrowdstrikeFalcon/CrowdstrikeFalcon_liftContainmentHost.json
@@ -29,6 +29,14 @@
 "multi": false,
 "required": true,
 "defaultValue": ""
+ },
+ {
+ "name": "base_url",
+ "description": "Crowdstrike base URL. Also supports US-1, US-2, EU-1, US-GOV-1 values",
+ "type": "string",
+ "multi": false,
+ "required": true,
+ "defaultValue": "https://api.crowdstrike.com"
 }
 ],
 "registration_required": true,
diff --git a/responders/CrowdstrikeFalcon/CrowdstrikeFalcon_suppressDetections.json b/responders/CrowdstrikeFalcon/CrowdstrikeFalcon_suppressDetections.json
index 81cfe8161..c7ac2c7b0 100644
--- a/responders/CrowdstrikeFalcon/CrowdstrikeFalcon_suppressDetections.json
+++ b/responders/CrowdstrikeFalcon/CrowdstrikeFalcon_suppressDetections.json
@@ -29,6 +29,14 @@
 "multi": false,
 "required": true,
 "defaultValue": ""
+ },
+ {
+ "name": "base_url",
+ "description": "Crowdstrike base URL. Also supports US-1, US-2, EU-1, US-GOV-1 values",
+ "type": "string",
+ "multi": false,
+ "required": true,
+ "defaultValue": "https://api.crowdstrike.com"
 }
 ],
 "registration_required": true,
diff --git a/responders/CrowdstrikeFalcon/CrowdstrikeFalcon_unhideHost.json b/responders/CrowdstrikeFalcon/CrowdstrikeFalcon_unhideHost.json
index 23809e109..b6ae3332d 100644
--- a/responders/CrowdstrikeFalcon/CrowdstrikeFalcon_unhideHost.json
+++ b/responders/CrowdstrikeFalcon/CrowdstrikeFalcon_unhideHost.json
@@ -29,6 +29,14 @@
 "multi": false,
 "required": true,
 "defaultValue": ""
+ },
+ {
+ "name": "base_url",
+ "description": "Crowdstrike base URL. Also supports US-1, US-2, EU-1, US-GOV-1 values",
+ "type": "string",
+ "multi": false,
+ "required": true,
+ "defaultValue": "https://api.crowdstrike.com"
 }
 ],
 "registration_required": true,
diff --git a/responders/CrowdstrikeFalcon/CrowdstrikeFalcon_unsuppressDetection.json b/responders/CrowdstrikeFalcon/CrowdstrikeFalcon_unsuppressDetection.json
index 88e2d5ab0..75660eeef 100644
--- a/responders/CrowdstrikeFalcon/CrowdstrikeFalcon_unsuppressDetection.json
+++ b/responders/CrowdstrikeFalcon/CrowdstrikeFalcon_unsuppressDetection.json
@@ -29,6 +29,14 @@
 "multi": false,
 "required": true,
 "defaultValue": ""
+ },
+ {
+ "name": "base_url",
+ "description": "Crowdstrike base URL. Also supports US-1, US-2, EU-1, US-GOV-1 values",
+ "type": "string",
+ "multi": false,
+ "required": true,
+ "defaultValue": "https://api.crowdstrike.com"
 }
 ],
 "registration_required": true,