
Merge pull request #1307 from TheHive-Project/crowdstrike-falcon-user…
…-agent-fix

CrowdStrike Falcon - Implement TheHive custom user-agent across integrations
nusantara-self authored Dec 23, 2024
2 parents c4f38e8 + b8f8fe6 commit b8ce397
Showing 7 changed files with 50 additions and 16 deletions.
Expand Up @@ -19,8 +19,12 @@ def run(self):
Analyzer.run(self)
if self.data_type == 'hostname':
try:
# Define the custom header
extra_headers = {
"User-Agent": "strangebee-thehive/1.0"
}
auth = OAuth2(client_id=self.client_id, client_secret=self.client_secret)
hosts = Hosts(auth_object=auth)
hosts = Hosts(auth_object=auth, ext_headers=extra_headers)
hostname = self.get_data()

# Search for the device ID using the hostname
Expand All @@ -35,7 +39,7 @@ def run(self):
if device_ids:
device_id = device_ids[0]
# Get detailed asset information using the device ID
spotlight = SpotlightVulnerabilities(auth_object=auth)
spotlight = SpotlightVulnerabilities(auth_object=auth, ext_headers=extra_headers)
host_vulns = spotlight.query_vulnerabilities_combined(parameters={"filter": f"aid:'{device_id}'+status:!'closed'"})
host_vulns = host_vulns["body"]["resources"]
#print(host_vulns)
8 changes: 6 additions & 2 deletions analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_Sandbox.py
Expand Up @@ -49,8 +49,12 @@ def run(self):

with open(filepath, "rb") as sample:
auth = OAuth2(client_id=self.client_id, client_secret=self.client_secret)
samples = SampleUploads(auth_object=auth)
sandbox = FalconXSandbox(auth_object=auth)
# Define the custom header
extra_headers = {
"User-Agent": "strangebee-thehive/1.0"
}
samples = SampleUploads(auth_object=auth, ext_headers=extra_headers)
sandbox = FalconXSandbox(auth_object=auth, ext_headers=extra_headers)
response = samples.upload_sample(file_data=sample.read(),
file_name=filename,
comment=comment,
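Review bot: The `extra_headers` literal at lines 50-53 is rebuilt inside the `with open(filepath, "rb")` block on every run, and the same three-line dict is copy-pasted into the Alerts and Hosts analyzers and the Hosts, IOC and Sync responders in this commit, so the identifying string and its `1.0` version will drift between files the first time one of them is edited. Hoist it to one module-level constant per file, e.g. `THEHIVE_EXT_HEADERS = {"User-Agent": "strangebee-thehive/1.0"}`, and pass `ext_headers=THEHIVE_EXT_HEADERS` to `SampleUploads` and `FalconXSandbox`; a single shared definition that all seven files import would be better still if the repository layout allows it. The version embedded in the User-Agent is hard-coded and presumably meant to track the integration's release, which is only maintainable if it lives in one place. `run` starts and ends outside this hunk.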
Expand Up @@ -18,7 +18,11 @@ def run(self):
if self.data_type == 'hostname':
try:
auth = OAuth2(client_id=self.client_id, client_secret=self.client_secret)
alerts = Alerts(auth_object=auth)
# Define the custom header
extra_headers = {
"User-Agent": "strangebee-thehive/1.0"
}
alerts = Alerts(auth_object=auth, ext_headers=extra_headers)
hostname = self.get_data()
message = "No alerts found."
filtered_alert_list = []
Expand Up @@ -17,7 +17,11 @@ def run(self):
if self.data_type == 'hostname':
try:
auth = OAuth2(client_id=self.client_id, client_secret=self.client_secret)
hosts = Hosts(auth_object=auth)
# Define the custom header
extra_headers = {
"User-Agent": "strangebee-thehive/1.0"
}
hosts = Hosts(auth_object=auth, ext_headers=extra_headers)
hostname = self.get_data()

# Search for the device ID using the hostname
8 changes: 6 additions & 2 deletions responders/CrowdstrikeFalcon/CrowdstrikeFalconHosts.py
Expand Up @@ -14,8 +14,12 @@ def run(self):
Responder.run(self)
hostname = self.get_param("data.data", None)
#self.report({'message': f"Host {device_name}"})
# Define the custom headers
extra_headers = {
"User-Agent": "strangebee-thehive/1.0"
}
auth = OAuth2(client_id=self.client_id, client_secret=self.client_secret)
hosts = Hosts(auth_object=auth)
hosts = Hosts(auth_object=auth, ext_headers=extra_headers)

# Search for the device ID using the hostname
if self.service == "unhide_host":
Expand Down Expand Up @@ -44,4 +48,4 @@ def operations(self, raw):
return operations_list

if __name__ == '__main__':
CrowdstrikeFalconHosts().run()
CrowdstrikeFalconHosts().run()
16 changes: 13 additions & 3 deletions responders/CrowdstrikeFalcon/CrowdstrikeFalconIOC.py
Expand Up @@ -78,8 +78,12 @@ def run(self):
case_id = self.get_param("data.case.id", None, "Can't get case ID")
description = f"Pushed from TheHive - {case_title} - {case_id}"

# Define the custom headers
extra_headers = {
"User-Agent": "strangebee-thehive/1.0"
}
# Create the IOC service object
ioc = IOC(client_id=self.client_id, client_secret=self.client_secret)
ioc = IOC(client_id=self.client_id, client_secret=self.client_secret, ext_headers=extra_headers)

# Determine if the IOC applies globally or to specific host groups
ioc_kwargs = {
Expand Down Expand Up @@ -117,7 +121,13 @@ def run(self):

filter = f"_all:~'{ioc_value}'"

ioc = IOC(client_id=self.client_id, client_secret=self.client_secret)

# Define the custom headers
extra_headers = {
"User-Agent": "strangebee-thehive/1.0"
}
# Create the IOC service object
ioc = IOC(client_id=self.client_id, client_secret=self.client_secret, ext_headers=extra_headers)
# Search for the IOC by value
response = ioc.indicator_search(filter=filter,offset=0, limit=200)

Expand All @@ -143,4 +153,4 @@ def run(self):


if __name__ == '__main__':
CrowdstrikeFalconIOC().run()
CrowdstrikeFalconIOC().run()
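Review bot: `extra_headers` is defined twice inside the same `run` method (lines 118-121 and 134-137) with an identical literal, and the second copy also repeats the `# Create the IOC service object` comment and adds a stray blank line at 133. Define it once and reference it at both `IOC(...)` constructions, preferably as a module-level constant such as `THEHIVE_EXT_HEADERS = {"User-Agent": "strangebee-thehive/1.0"}`. The two `IOC(...)` calls appear to sit in different branches of `run`, which begins at line 78 and ends outside the hunks; if so, the first local definition would not be in scope for the second use, which is a further reason to move it to module level rather than simply deleting the repeat.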
14 changes: 9 additions & 5 deletions responders/CrowdstrikeFalcon/CrowdstrikeFalconSync.py
Expand Up @@ -11,11 +11,13 @@ def __init__(self):
self.service = self.get_param("config.service", None)
self.custom_field_name_alert_id = self.get_param("config.custom_field_name_alert_id")
self.custom_field_name_incident_id = self.get_param("config.custom_field_name_incident_id")
self.alert_client = Alerts(client_id=self.client_id, client_secret=self.client_secret)
self.incident_client = Incidents(client_id=self.client_id, client_secret=self.client_secret)

def run(self):
if self.service == "sync":
# Define the custom headers
extra_headers = {
"User-Agent": "strangebee-thehive/1.0"
}
#data = self.get_param("data", None, "Can't get case ID")
current_stage = self.get_param("data.stage", None, "Can't get case or alert stage")
detection_id = self.get_param(f"data.customFieldValues.{self.custom_field_name_alert_id}", None)
Expand Down Expand Up @@ -48,6 +50,7 @@ def run(self):

# Update the CrowdStrike alert status
if detection_id:
alert_client = Alerts(client_id=self.client_id, client_secret=self.client_secret, ext_headers=extra_headers)
# Determine the corresponding CrowdStrike alert status
cs_status_alert = status_mapping_alert[current_stage]
if isinstance(detection_id,str):
Expand All @@ -62,11 +65,12 @@ def run(self):
}
]
}
alert_response = self.alert_client.update_alerts_v3(body=alert_body)
alert_response = alert_client.update_alerts_v3(body=alert_body)
alert_status_code = alert_response.get('status_code', None)


if incident_id:
incident_client = Incidents(client_id=self.client_id, client_secret=self.client_secret, ext_headers=extra_headers)
# Determine the corresponding CrowdStrike incident status
cs_status_incident = status_mapping_incident[current_stage]
if isinstance(incident_id,str):
Expand All @@ -82,7 +86,7 @@ def run(self):
]
}

incident_response = self.incident_client.perform_incident_action(body=incident_body)
incident_response = incident_client.perform_incident_action(body=incident_body)
incident_status_code = incident_response.get('status_code', None)


Expand Down Expand Up @@ -110,4 +114,4 @@ def run(self):
self.report({"message": final_message})

if __name__ == '__main__':
CrowdstrikeFalconSync().run()
CrowdstrikeFalconSync().run()
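Review bot: Dropping `self.alert_client` and `self.incident_client` from `__init__` (lines 155-156) removes two instance attributes, and the hunks only show the two uses inside `run` being rewritten (lines 180 and 194); any other reference to those attributes elsewhere in the file would now raise `AttributeError`, so that should be confirmed before merging. The replacement `extra_headers` is created inside the `if self.service == "sync":` branch (lines 160-163) and read at lines 171 and 185; those reads appear to be in the same branch, but `run` spans several hunks and its end is outside view, so the scoping is worth a glance. A module-level constant such as `THEHIVE_EXT_HEADERS = {"User-Agent": "strangebee-thehive/1.0"}` would remove the scoping question and match what the other six files in this commit need.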
