Add a limit to cs falcon search device command #32979

Merged
merged 21 commits into from
Feb 25, 2024
Changes from 15 commits
Commits (21)
394f80d
added a limit parameter to search device command
omerKarkKatz Feb 18, 2024
a9935f7
updated release notes
omerKarkKatz Feb 18, 2024
6be357b
updated docker image
omerKarkKatz Feb 18, 2024
e772767
updated the release notes
omerKarkKatz Feb 18, 2024
8a84e3b
merge with master
omerKarkKatz Feb 18, 2024
ce98425
merge with master
omerKarkKatz Feb 21, 2024
1b94bb9
add BC release notes and parameters to endpoint command
omerKarkKatz Feb 21, 2024
03156af
docker update
omerKarkKatz Feb 21, 2024
a46bb2d
removed the params from the endpoint command
omerKarkKatz Feb 21, 2024
ea33d9f
Merge branch 'master' into add_a_limit_to_cs_falcon_serach_device_com…
omerKarkKatz Feb 21, 2024
1c6bd93
Merge branch 'master' into add_a_limit_to_cs_falcon_serach_device_com…
omerKarkKatz Feb 22, 2024
bb300b5
Merge branch 'master' into add_a_limit_to_cs_falcon_serach_device_com…
omerKarkKatz Feb 22, 2024
b504ab8
Merge branch 'master' into add_a_limit_to_cs_falcon_serach_device_com…
omerKarkKatz Feb 22, 2024
c841cc6
Merge branch 'master' into add_a_limit_to_cs_falcon_serach_device_com…
omerKarkKatz Feb 22, 2024
76ac5d1
Merge branch 'master' into add_a_limit_to_cs_falcon_serach_device_com…
omerKarkKatz Feb 22, 2024
5b146c5
updated the docker image
omerKarkKatz Feb 22, 2024
401b674
removed unrelated files
omerKarkKatz Feb 22, 2024
390c284
Merge with remote
omerKarkKatz Feb 22, 2024
0ea6215
removed unrelated files
omerKarkKatz Feb 22, 2024
b411de6
Trigger-build
omerKarkKatz Feb 22, 2024
64cd47b
Merge branch 'master' into add_a_limit_to_cs_falcon_serach_device_com…
omerKarkKatz Feb 25, 2024
Expand Up @@ -1763,6 +1763,8 @@ def search_device(filter_operator='AND'):
'site_name': str(args.get('site_name', '')).split(','),
'local_ip': str(args.get('ip', '')).split(',')
}
limit = int(args.get('limit', 50))
offset = int(args.get('offset', 0))
url_filter = '{}'.format(str(args.get('filter', '')))
op = ',' if filter_operator == 'OR' else '+'
# In Falcon Query Language, '+' stands for AND and ',' for OR
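Review bot: the new `limit` and `offset` lines take `int(args.get(...))` with no validation, although the YAML in this PR describes the argument as `[1-5000]`; a non-numeric value raises a bare ValueError and a negative or out-of-range value is passed straight to the API. Suggest parsing both with `arg_to_number()` from CommonServerPython and rejecting a `limit` outside 1-5000 or a negative `offset` with a clear error before the request is built.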
Expand All @@ -1783,7 +1785,7 @@ def search_device(filter_operator='AND'):
# All args should be a list. this is a fallback
url_filter = "{url_filter}{operator}{inp_arg}:'{arg_val}'".format(url_filter=url_filter, operator=op,
inp_arg=k, arg_val=arg)
raw_res = http_request('GET', '/devices/queries/devices/v1', params={'filter': url_filter})
raw_res = http_request('GET', '/devices/queries/devices/v1', params={'filter': url_filter, 'limit': limit, 'offset': offset})
device_ids = raw_res.get('resources')
if not device_ids:
return None
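Review bot: the modified `http_request(...)` call at the `raw_res =` line now runs well past the width of the surrounding code; split the `params` dict over several lines, the way `url_filter` is built two lines above. It is also worth a comment that sending `limit` and `offset` on every call means a caller wanting more than one page must loop on `offset` itself, since `search_device` still returns only the `resources` of a single response.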
@@ -1,4 +1,4 @@
category: Endpoint

Check failure on line 1 in Packs/CrowdStrikeFalcon/Integrations/CrowdStrikeFalcon/CrowdStrikeFalcon.yml (GitHub Actions / pre-commit / pre-commit): Validation Error DO106
The docker image tag is not the latest numeric tag, please update it. The docker image tag in the yml file is: 1.0.0.88148. The latest docker image tag in docker hub is: 1.0.0.88283. You can check for the most updated version of demisto/py3-tools here: https://hub.docker.com/r/demisto/py3-tools/tags. To update the docker image run: demisto-sdk format -ud -i Packs/CrowdStrikeFalcon/Integrations/CrowdStrikeFalcon/CrowdStrikeFalcon.yml

sectionOrder:
- Connect
- Collect
Expand Down Expand Up @@ -186,24 +186,30 @@
auto: PREDEFINED
- description: The query to filter the device.
name: filter
- description: A comma-separated list of device IDs to limit the results.
- description: The maximum records to return [1-5000].
name: limit
defaultValue: 50
- description: The offset to start retrieving records from.
name: offset
defaultValue: 0
- description: 'A comma-separated list of device IDs to limit the results.'
name: ids
- auto: PREDEFINED
description: 'The status of the device. Possible values are: "Normal", "containment_pending", "contained", and "lift_containment_pending".'
name: status
predefined:
- normal
- 'normal'
- containment_pending
- contained
- lift_containment_pending
- auto: PREDEFINED
description: The host name of the device.
description: 'The host name of the device.'
name: hostname
predefined:
- ''
- auto: PREDEFINED
description: 'The platform name of the device. Possible values are: Windows, Mac, and Linux.'
- description: 'The platform name of the device. Possible values are: Windows, Mac, and Linux.'
name: platform_name
auto: PREDEFINED
predefined:
- Windows
- Mac
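Review bot: the `limit` description `The maximum records to return [1-5000].` should read `The maximum number of records to return [1-5000]. Default is 50.` so it matches the README wording and states the default, and the `offset` entry should state its default of 0 the same way. The other changes in this hunk (`- normal` to `- 'normal'`, quoting the `hostname` and `platform_name` descriptions, moving `auto: PREDEFINED`) are quote-only churn unrelated to the PR; drop them to keep the diff reviewable.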
Expand Down Expand Up @@ -4962,7 +4968,7 @@
- contextPath: CrowdStrike.IOARules.version_ids
description: The IOA Rule's version ID.
type: String
dockerimage: demisto/py3-tools:1.0.0.86612
dockerimage: demisto/py3-tools:1.0.0.88148
isfetch: true
ismappable: true
isremotesyncin: true
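Review bot: the DO106 pre-commit annotation on this file reports that `demisto/py3-tools:1.0.0.88148` is not the latest numeric tag (it names `1.0.0.88283`), so the `dockerimage:` line will keep failing validation; run the suggested `demisto-sdk format -ud -i Packs/CrowdStrikeFalcon/Integrations/CrowdStrikeFalcon/CrowdStrikeFalcon.yml` and update the tag quoted in `ReleaseNotes/1_13_0.md` in the same commit so the two stay in sync.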
Expand Up @@ -3517,7 +3517,7 @@ def test_get_endpoint_command(requests_mock, mocker):
- The user is running cs-falcon-search-device with an id
Then
- Return an Endpoint context output
"""
"""
from CrowdStrikeFalcon import get_endpoint_command
response = {'resources': {'meta': {'query_time': 0.010188508, 'pagination': {'offset': 1, 'limit': 100, 'total': 1},
'powered_by': 'device-api', 'trace_id': 'c876614b-da71-4942-88db-37b939a78eb3'},
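Review bot: the only change in this hunk is to the closing `"""` of the docstring and appears to be whitespace-only; revert it so the test diff contains only the intended changes.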
Expand Down Expand Up @@ -3560,13 +3560,14 @@ def test_get_endpoint_command(requests_mock, mocker):
status_code=200,
)

mocker.patch.object(demisto, 'args', return_value={'id': 'dentifier_numbe', 'hostname': 'falcon-crowdstr'})
mocker.patch.object(demisto, 'args', return_value={'id': 'identifier_numbe', 'hostname': 'falcon-crowdstr'})

outputs = get_endpoint_command()
result = outputs[0].to_context()
context = result.get('EntryContext')

assert unquote(query_mocker.last_request.query) == "filter=device_id:'dentifier_numbe',hostname:'falcon-crowdstr'"
api_query = "filter=device_id:'identifier_numbe',hostname:'falcon-crowdstr'&limit=50&offset=0"
assert unquote(query_mocker.last_request.query) == api_query
assert context['Endpoint(val.ID && val.ID == obj.ID && val.Vendor == obj.Vendor)'] == [endpoint_context]


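Review bot: this test only checks that the default `limit=50&offset=0` reach the query string through `get_endpoint_command`; nothing exercises `search_device` with an explicit `limit`/`offset` argument, or with a non-numeric or out-of-range `limit`. Suggest a parametrized test on `search_device` that asserts the `limit` and `offset` values in `query_mocker.last_request.query` for a few inputs, so a regression in the argument parsing is caught rather than only the default path.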
Expand Up @@ -156,6 +156,8 @@ Searches for a device that matches the query.
| hostname | The host name of the device. Possible values are: . | Optional |
| platform_name | The platform name of the device. Possible values are: Windows, Mac, and Linux. Possible values are: Windows, Mac, Linux. | Optional |
| site_name | The site name of the device. | Optional |
| limit | The maximum number of records to return. Default is 50. | Optional |
| offset | The offset to begin the list from. For example, start from the 10th record and return the list. Default is 0. | Optional |

#### Context Output

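Review bot: the `offset` description, `For example, start from the 10th record and return the list.`, is hard to parse; `The number of records to skip before returning results. Default is 0.` says the same thing. The `limit` row should carry the `[1-5000]` range given in the YAML so the README and the integration YAML agree. The pre-existing `hostname` row (`Possible values are: .`) and the duplicated `Possible values are:` on `platform_name`, visible in the context lines, are generator artifacts that could be cleaned up in the same pass.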
4 changes: 4 additions & 0 deletions Packs/CrowdStrikeFalcon/ReleaseNotes/1_13_0.json
@@ -0,0 +1,4 @@
{
"breakingChanges": true,
"breakingChangesNotes": "Parameters *limit* (with defualt value 50) and *offset* (with defualt value 0), were introduced to ***cs-falcon-search-device*** command. Number of returned results will be defined by the limit"
}
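Review bot: `defualt` is misspelled twice in `breakingChangesNotes`, and the note should say what actually changes for existing playbooks: before this PR the request to `/devices/queries/devices/v1` sent no `limit` parameter at all, whereas now at most 50 devices are returned unless `limit` is set. Suggest: `Parameters *limit* (default 50) and *offset* (default 0) were added to the ***cs-falcon-search-device*** command. The number of returned results is now capped by *limit*; callers that relied on receiving more than 50 devices must set *limit* explicitly.`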
6 changes: 6 additions & 0 deletions Packs/CrowdStrikeFalcon/ReleaseNotes/1_13_0.md
@@ -0,0 +1,6 @@

#### Integrations

##### CrowdStrike Falcon
- Added the *limit* and *offset* parameter to the ***cs-falcon-search-device*** command.
- Updated the Docker image to: *demisto/py3-tools:1.0.0.88148*.
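Review bot: `parameter` should be plural (`Added the *limit* and *offset* parameters to the ***cs-falcon-search-device*** command.`), and since the DO106 check on the YAML flags `1.0.0.88148` as not the latest tag, the Docker image line will need to be regenerated once the image is bumped.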
2 changes: 1 addition & 1 deletion Packs/CrowdStrikeFalcon/pack_metadata.json
Expand Up @@ -2,7 +2,7 @@
"name": "CrowdStrike Falcon",
"description": "The CrowdStrike Falcon OAuth 2 API (formerly the Falcon Firehose API), enables fetching and resolving detections, searching devices, getting behaviors by ID, containing hosts, and lifting host containment.",
"support": "xsoar",
"currentVersion": "1.12.17",
"currentVersion": "1.13.0",
"author": "Cortex XSOAR",
"url": "https://www.paloaltonetworks.com/cortex",
"email": "",