
Commit 3280a65

crowdstrike: provide alternate endpoint to query host data for GovCloud CIDs (elastic#16007)
This change adds a toggle in the host data stream manifest to switch between two different device endpoints to query host data. The "/devices/combined/devices/v1" endpoint is not supported in GovCloud CIDs, which was introduced in this PR[1]. This caused GovCloud users to encounter errors when enabling the host data stream. This change provides an option for GovCloud users to query an alternate endpoint, "/devices/entities/devices/v2". If the GovCloud flag is enabled, the CEL program uses the "/devices/queries/devices/v1" endpoint; otherwise it uses the "/devices/combined/devices/v1" endpoint. The implementation for querying the "/devices/queries/devices/v1" endpoint is taken from the previous codebase, before the combined devices endpoint was introduced, with a few fixes. [1] elastic#15419
1 parent 1ed3776 commit 3280a65


11 files changed

+790
-157
lines changed


packages/crowdstrike/_dev/build/docs/README.md

Lines changed: 3 additions & 1 deletion
@@ -20,7 +20,9 @@ The [CrowdStrike](https://www.crowdstrike.com/) integration allows you to easily
2020

2121
- `alert` dataset: It is typically used to retrieve detailed information about unified alerts generated by the CrowdStrike Falcon platform, via Falcon Intelligence Alert API - `/alerts/combined/alerts/v1`.
2222

23-
- `host` dataset: It retrieves all the hosts/devices in your environment providing information such as device metadata, configuration, and status generated by the CrowdStrike Falcon platform, via Falcon Intelligence Host/Device API - `/devices/combined/devices/v1`. It is more focused to provide the management and monitoring information of devices such as login details, status, policies, configuration etc.
23+
- `host` dataset: It retrieves all the hosts/devices in your environment providing information such as device metadata, configuration, and status generated by the CrowdStrike Falcon platform, via Falcon Intelligence Host/Device API - `/devices/combined/devices/v1`. For GovCloud CIDs it uses `/devices/queries/devices/v1` and `/devices/entities/devices/v2` endpoints. It is more focused to provide the management and monitoring information of devices such as login details, status, policies, configuration etc.
24+
25+
> NOTE: GovCloud CID users must enable the GovCloud option in the integration configuration to query the `/devices/queries/devices/v1` endpoint instead of the unsupported `/devices/combined/devices/v1` endpoint.
2426
2527
- `vulnerability` dataset: It retrieves all the vulnerabilities in your environment, providing information such as severity, status, confidence levels, remediation guidance, and affected hosts, as detected by the CrowdStrike Falcon platform, via the Falcon Spotlight Vulnerability API - `/spotlight/combined/vulnerabilities/v1`.
2628
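Review bot: the added NOTE block names only `/devices/queries/devices/v1` as the replacement, while the `host` dataset line just above says GovCloud CIDs use both `/devices/queries/devices/v1` and `/devices/entities/devices/v2`; a reader who only sees the NOTE will assume a single drop-in endpoint. Suggest stating both roles, e.g. "to page device IDs from `/devices/queries/devices/v1` and fetch their details from `/devices/entities/devices/v2` instead of the unsupported `/devices/combined/devices/v1` endpoint", and naming the option exactly as it appears in the integration configuration so users can find it. Since this line is being touched anyway, "It is more focused to provide the management and monitoring information of devices" would read better as "It focuses on management and monitoring information for devices".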

packages/crowdstrike/_dev/deploy/docker/files/config-host.yml

Lines changed: 344 additions & 0 deletions
@@ -8,6 +8,7 @@ rules:
88
- 'application/json'
99
body: |
1010
{"access_token":"xxxx","expires_in":3600,"token_type":"Bearer","refresh_token":"yyyy"}
11+
# test cases for /devices/combined/devices/v1 endpoint
1112
- path: /devices/combined/devices/v1
1213
methods: ['GET']
1314
query_params:
@@ -423,3 +424,346 @@ rules:
423424
]
424425
}
425426
`}}
427+
428+
# test cases for /devices/queries/devices/v1 endpoint
429+
- path: /devices/queries/devices/v1
430+
methods: ['GET']
431+
query_params:
432+
offset: 0
433+
limit: 1
434+
responses:
435+
- status_code: 200
436+
headers:
437+
Content-Type:
438+
- application/json
439+
body: |
440+
{{ minify_json `
441+
{
442+
"meta": {
443+
"query_time": 0.017724698,
444+
"pagination": {
445+
"offset": 0,
446+
"limit": 1,
447+
"total": 3
448+
},
449+
"writes": {
450+
"resources_affected": 0
451+
},
452+
"powered_by": "detectsapi",
453+
"trace_id": "a21557a2-abd0-4363-9293-727c38084b3b"
454+
},
455+
"resources": [
456+
"abc"
457+
]
458+
}
459+
`}}
460+
- path: /devices/queries/devices/v1
461+
methods: ['GET']
462+
query_params:
463+
offset: 1
464+
limit: 1
465+
responses:
466+
- status_code: 200
467+
headers:
468+
Content-Type:
469+
- application/json
470+
body: |
471+
{{ minify_json `
472+
{
473+
"meta": {
474+
"query_time": 0.017724698,
475+
"pagination": {
476+
"offset": 1,
477+
"limit": 1,
478+
"total": 3
479+
},
480+
"writes": {
481+
"resources_affected": 0
482+
},
483+
"powered_by": "detectsapi",
484+
"trace_id": "b21557a2-abd0-4363-9293-727c384b3b"
485+
},
486+
"resources": [
487+
"def"
488+
]
489+
}
490+
`}}
491+
- path: /devices/queries/devices/v1
492+
methods: ['GET']
493+
query_params:
494+
offset: 2
495+
limit: 1
496+
responses:
497+
- status_code: 200
498+
headers:
499+
Content-Type:
500+
- application/json
501+
body: |
502+
{{ minify_json `
503+
{
504+
"meta": {
505+
"query_time": 0.017725698,
506+
"pagination": {
507+
"offset": 2,
508+
"limit": 1,
509+
"total": 2
510+
},
511+
"writes": {
512+
"resources_affected": 0
513+
},
514+
"powered_by": "detectsapi",
515+
"trace_id": "a31557a2-abd0-4363-9293-727c384b3b"
516+
},
517+
"resources": []
518+
}
519+
`}}
520+
- path: /devices/entities/devices/v2
521+
methods: ['POST']
522+
request_body: /.*"abc"*/
523+
responses:
524+
- status_code: 200
525+
headers:
526+
Content-Type:
527+
- application/json
528+
body: |-
529+
{
530+
"resources":[
531+
{
532+
"agent_load_flags":"0",
533+
"agent_local_time":"2023-11-07T04:51:16.678Z",
534+
"agent_version":"7.05.17603.0",
535+
"bios_manufacturer":"ABCInc.",
536+
"bios_version":"2020.0.1.0.0(iBridge:22.11.000.0.0,0)",
537+
"chassis_type":"9",
538+
"chassis_type_desc":"Laptop",
539+
"cid":"92012896127c4948236ba7601b886b0",
540+
"config_id_base":"6594763",
541+
"config_id_build":"1703",
542+
"config_id_platform":"4",
543+
"connection_ip":"81.2.69.192",
544+
"cpu_signature":"460517",
545+
"device_id":"3114433dbce478ca48d9a828b9b34be",
546+
"device_policies":{
547+
"device_control":{
548+
"applied":true,
549+
"applied_date":"2023-06-20T08:45:26.341093915Z",
550+
"assigned_date":"2023-06-20T08:43:47.736146738Z",
551+
"policy_id":"2f88daf0177f467dae69262a5ce71775",
552+
"policy_type":"device-control"
553+
},
554+
"firewall":{
555+
"applied":true,
556+
"applied_date":"2023-09-11T10:33:44.174488832Z",
557+
"assigned_date":"2023-09-11T10:32:47.853976945Z",
558+
"policy_id":"1ee301f7e3e24e96ad6a23c73aaac1e3",
559+
"policy_type":"firewall",
560+
"rule_set_id":"1ee301f7e3e24e96ad6a23c73aaac1e3"
561+
},
562+
"global_config":{
563+
"applied":true,
564+
"applied_date":"2023-11-07T04:52:59.515775409Z",
565+
"assigned_date":"2023-11-07T04:51:18.94671252Z",
566+
"policy_id":"7e3078b60976486cac5dc998808d9135",
567+
"policy_type":"globalconfig",
568+
"settings_hash":"f01def74"
569+
},
570+
"prevention":{
571+
"applied":true,
572+
"applied_date":"2023-06-08T10:04:47.643357971Z",
573+
"assigned_date":"2023-06-08T10:03:49.505180252Z",
574+
"policy_id":"1024fac1b279424fa7300b8ac2d56be5",
575+
"policy_type":"prevention",
576+
"rule_groups":[],
577+
"settings_hash":"f7a54ca1"
578+
},
579+
"remote_response":{
580+
"applied":true,
581+
"applied_date":"2023-06-08T10:04:47.01735027Z",
582+
"assigned_date":"2023-06-08T10:03:49.505163572Z",
583+
"policy_id":"dabb4def99034f11b9b3d52271584c9f",
584+
"policy_type":"remote-response",
585+
"settings_hash":"8a548e5e"
586+
},
587+
"sensor_update":{
588+
"applied":true,
589+
"applied_date":"2023-11-07T04:52:59.659583066Z",
590+
"assigned_date":"2023-11-07T04:47:43.342175341Z",
591+
"policy_id":"64bfa2bbcd4e46da92a66b107933da11",
592+
"policy_type":"sensor-update",
593+
"settings_hash":"tagged|18;101",
594+
"uninstall_protection":"ENABLED"
595+
}
596+
},
597+
"external_ip":"81.2.69.192",
598+
"first_seen":"2023-06-08T10:00:19Z",
599+
"group_hash":"b607fe25348a46d421ff46e19741b0caf5bbc70bb6da1637f56e97b4e1454d77",
600+
"groups":[
601+
"182388a8dbea4c44b5e019cfd32c2695"
602+
],
603+
"hostname":"CLM101-131.local",
604+
"kernel_version":"22.6.0",
605+
"last_seen":"2023-11-07T10:25:24Z",
606+
"local_ip":"81.2.69.142",
607+
"mac_address":"14-7d-da-ad-ac-71",
608+
"machine_domain":"SYS",
609+
"major_version":"22",
610+
"meta":{
611+
"version":"6002",
612+
"version_string":"7:43570272778"
613+
},
614+
"minor_version":"6",
615+
"modified_timestamp":"2023-11-07T10:26:53Z",
616+
"os_build":"22G120",
617+
"os_version":"Ventura(13)",
618+
"platform_id":"1",
619+
"platform_name":"Mac",
620+
"policies":[
621+
{
622+
"applied":true,
623+
"applied_date":"2023-06-08T10:04:47.643357971Z",
624+
"assigned_date":"2023-06-08T10:03:49.505180252Z",
625+
"policy_id":"1024fac1b279424fa7300b8ac2d56be5",
626+
"policy_type":"prevention",
627+
"rule_groups":[],
628+
"settings_hash":"f7a54ca1"
629+
}
630+
],
631+
"product_type_desc":"Workstation",
632+
"provision_status":"Provisioned",
633+
"reduced_functionality_mode":"no",
634+
"serial_number":"FVFDH73HMNHX",
635+
"site_name":"Default-First-Site-Name",
636+
"status":"normal",
637+
"system_manufacturer":"ABCInc.",
638+
"system_product_name":"Air,1",
639+
"tags":[
640+
"tags"
641+
]
642+
}
643+
]
644+
}
645+
- path: /devices/entities/devices/v2
646+
methods: ['POST']
647+
request_body: /.*"def"*/
648+
responses:
649+
- status_code: 200
650+
headers:
651+
Content-Type:
652+
- application/json
653+
body: |-
654+
{
655+
"resources":[
656+
{
657+
"agent_load_flags":"0",
658+
"agent_local_time":"2023-11-07T04:51:16.678Z",
659+
"agent_version":"7.05.17603.0",
660+
"bios_manufacturer":"ABCInc.",
661+
"bios_version":"2020.0.1.0.0(iBridge:22.11.000.0.0,0)",
662+
"chassis_type":"9",
663+
"chassis_type_desc":"Laptop",
664+
"cid":"92012896127c4948236ba7601b886b0",
665+
"config_id_base":"6594763",
666+
"config_id_build":"1703",
667+
"config_id_platform":"4",
668+
"connection_ip":"81.2.69.192",
669+
"cpu_signature":"460517",
670+
"device_id":"3114433dbce478ca48d9a828b9b34be",
671+
"device_policies":{
672+
"device_control":{
673+
"applied":true,
674+
"applied_date":"2023-06-20T08:45:26.341093915Z",
675+
"assigned_date":"2023-06-20T08:43:47.736146738Z",
676+
"policy_id":"3f88daf0177f467dae69262a5ce71775",
677+
"policy_type":"device-control"
678+
},
679+
"firewall":{
680+
"applied":true,
681+
"applied_date":"2023-09-11T10:33:44.174488832Z",
682+
"assigned_date":"2023-09-11T10:32:47.853976945Z",
683+
"policy_id":"1ee301f7e3e24e96ad6a23c73aaac1e3",
684+
"policy_type":"firewall",
685+
"rule_set_id":"1ee301f7e3e24e96ad6a23c73aaac1e3"
686+
},
687+
"global_config":{
688+
"applied":true,
689+
"applied_date":"2023-11-07T04:52:59.515775409Z",
690+
"assigned_date":"2023-11-07T04:51:18.94671252Z",
691+
"policy_id":"7e3078b60976486cac5dc998808d9135",
692+
"policy_type":"globalconfig",
693+
"settings_hash":"f01def74"
694+
},
695+
"prevention":{
696+
"applied":true,
697+
"applied_date":"2023-06-08T10:04:47.643357971Z",
698+
"assigned_date":"2023-06-08T10:03:49.505180252Z",
699+
"policy_id":"1024fac1b279424fa7300b8ac2d56be5",
700+
"policy_type":"prevention",
701+
"rule_groups":[],
702+
"settings_hash":"f7a54ca1"
703+
},
704+
"remote_response":{
705+
"applied":true,
706+
"applied_date":"2023-06-08T10:04:47.01735027Z",
707+
"assigned_date":"2023-06-08T10:03:49.505163572Z",
708+
"policy_id":"dabb4def99034f11b9b3d52271584c9f",
709+
"policy_type":"remote-response",
710+
"settings_hash":"8a548e5e"
711+
},
712+
"sensor_update":{
713+
"applied":true,
714+
"applied_date":"2023-11-09T04:52:59.659583066Z",
715+
"assigned_date":"2023-11-09T04:47:43.342175341Z",
716+
"policy_id":"74bfa2bbcd4e46da92a66b107933da11",
717+
"policy_type":"sensor-update",
718+
"settings_hash":"tagged|18;101",
719+
"uninstall_protection":"ENABLED"
720+
}
721+
},
722+
"external_ip":"81.2.69.192",
723+
"first_seen":"2023-06-09T10:00:19Z",
724+
"group_hash":"c607fe25348a46d421ff46e19741b0caf5bbc70bb6da1637f56e97b4e1454d77",
725+
"groups":[
726+
"882388a8dbea4c44b5e019cfd32c2695"
727+
],
728+
"hostname":"CLM101-141.local",
729+
"kernel_version":"22.6.0",
730+
"last_seen":"2023-11-09T10:25:24Z",
731+
"local_ip":"81.2.69.142",
732+
"mac_address":"14-7d-da-ad-ac-71",
733+
"machine_domain":"SYS",
734+
"major_version":"22",
735+
"meta":{
736+
"version":"6002",
737+
"version_string":"7:43570272778"
738+
},
739+
"minor_version":"6",
740+
"modified_timestamp":"2023-11-09T10:26:53Z",
741+
"os_build":"22G120",
742+
"os_version":"Ventura(13)",
743+
"platform_id":"1",
744+
"platform_name":"Mac",
745+
"policies":[
746+
{
747+
"applied":true,
748+
"applied_date":"2023-06-09T10:04:47.643357971Z",
749+
"assigned_date":"2023-06-09T10:03:49.505180252Z",
750+
"policy_id":"2024fac1b279424fa7300b8ac2d56be5",
751+
"policy_type":"prevention",
752+
"rule_groups":[],
753+
"settings_hash":"m7a54ca1"
754+
}
755+
],
756+
"product_type_desc":"Workstation",
757+
"provision_status":"Provisioned",
758+
"reduced_functionality_mode":"no",
759+
"serial_number":"FVVDH73HMNHX",
760+
"site_name":"Default-First-Site-Name",
761+
"status":"normal",
762+
"system_manufacturer":"ABCInc.",
763+
"system_product_name":"Air,1",
764+
"tags":[
765+
"tags"
766+
]
767+
}
768+
]
769+
}
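Review bot: the `request_body` matchers on the two `/devices/entities/devices/v2` rules, `/.*"abc"*/` and `/.*"def"*/`, apply `*` to the closing quote, so they match `"abc` followed by any number of quote characters rather than the quoted ID; they still match the intended request, but they would also match a body containing `"abcd"`, so `/.*"abc".*/` (or simply `/"abc"/`) says what is meant. The pagination metadata across the three `/devices/queries/devices/v1` rules is also inconsistent: the offset 0 and offset 1 pages report `"total": 3`, while the offset 2 page reports `"total": 2` with empty `resources`. Pick the stop condition the CEL program actually relies on and make the fixture consistent with it: if it stops on `offset >= total`, the third rule is never reached and can go; if it stops on an empty `resources` page, keep `"total": 3` on every page so the test exercises that path. Minor: the `trace_id` values on the second and third pages (`...727c384b3b`) have a 10-character final group and are not well-formed UUIDs, unlike the first page.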

packages/crowdstrike/changelog.yml

Lines changed: 7 additions & 0 deletions
@@ -1,4 +1,11 @@
11
# newer versions go on top
2+
- version: "2.10.0"
3+
changes:
4+
- description: >-
5+
Provide an alternate endpoint to query host data for GovCloud CIDs.
6+
The GovCloud CIDs must enable the `GovCloud` flag in the integration configuration to ensure the correct endpoint is used.
7+
type: enhancement
8+
link: https://github.com/elastic/integrations/pull/16007
29
- version: "2.9.0"
310
changes:
411
- description: Support handling FDR documents that encode numbers as strings.
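Review bot: "The GovCloud CIDs must enable the `GovCloud` flag" attributes the action to the CID rather than the operator; suggest "Users with GovCloud CIDs must enable the `GovCloud` option in the integration configuration so that the supported endpoints are used." Also make sure `GovCloud` here matches the option's title in the manifest, since that is the name users will look for in the UI.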
