Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Bug]FalconCustomIOC Endpoint changed #1075

Closed
BITSDevops111 opened this issue Jan 11, 2022 · 1 comment
Closed

[Bug]FalconCustomIOC Endpoint changed #1075

BITSDevops111 opened this issue Jan 11, 2022 · 1 comment

Comments

@BITSDevops111
Copy link

BITSDevops111 commented Jan 11, 2022
edited
Loading

Describe the bug
Crowdstrike endpoint changed,so responder responders/FalconCustomIOC/FalconCustomIOCv2.py isn't working properly.I tested code. Passing the json value not happening. Authorization works fine.


import requests
import re
import json
import traceback

from cortexutils.responder import Responder
from requests.auth import HTTPBasicAuth
from FalconAuth import FalconAuth


 def cortexinputbug():
    import sys
    if len(sys.argv) > 1:
        try:
            sys.stdin = open(sys.argv[1]+"/input/input.json")
        except:
            with open("/tmp/responder_error", "w+") as e:
                e.write(traceback.format_exc())


class FalconCustomIOC(Responder):
    def __init__(self):
        Responder.__init__(self)
        self.falconapi_url = "https://api.eu-1.crowdstrike.com/iocs/entities/indicators/v1"
        self.clientid = self.get_param(
            'config.clientid', None, "Crowdstrike API oauth2 client id missing")
        self.clientsecret = self.get_param(
            'config.clientsecret', None, "Crowdstrike API oauth2 client secret missing")
        self.auth = FalconAuth(self.clientid, self.clientsecret)

    def run(self):
        try:
            Responder.run(self)
            ioctypes = {"hash": u"sha256", "sha256": u"sha256", "md5": u"md5", "sha1": u"sha1",
                        "ip": u"ipv4", "ip6": u"ipv6", "ipv6": u"ipv6", "domain": u"domain", "url": u"domain"}
            data_type = self.get_param('data.dataType')
            if not data_type in ioctypes:
                self.error("Unsupported IOC type")
                raise
            ioc = self.get_param('data.data', None, 'No IOC provided')
            if data_type == "url":
                match = re.match(
                    r"(http:\/\/|https:\/\/)?([\w\d\-\.]{0,256}).*", ioc)
                if match is None or match.group(2) is None:
                    self.error("Could not parse domain from URL")
                    raise
                else:
                    ioc = match.group(2)
            description = self.get_param(
                'data.case.title', None, "Can't get case title")
            description = u"{}".format(description.encode('utf-8')[:128])
            postdata = json.dumps([{"type": u"ipv4", "value": u"192.168.1.2", "action": u"no_action", "platforms": u"windows","expiration": u"2022-01-12T12:25:11.823Z"}])            
            response = requests.post(self.falconapi_url, data=postdata, headers={
                                     "Content-Type": "application/json", "Authorization": "Bearer {}".format(self.auth.getToken())})
            json_response = json.loads(response.text)
            if json_response["errors"]:
                self.error(str(json_response["errors"]))
                raise
            else:
                self.report(
                    {'message': ioc+" Submitted to Crowdstrike Falcon custom IOC api", "api_response": json_response})
        except Exception as ex:
            self.error(traceback.format_exc())

    def operations(self, raw):
        return [self.build_operation('AddTagToArtifact', tag='CrowdStrike:Custom IOC Uploaded')]


f __name__ == '__main__':
    cortexinputbug()
    FalconCustomIOC().run()

Error:
when value is passed in json says 'code': 400, 'message': 'Provided data does not match expected format'}]

  • Browse type and version:Chrome
  • Cortex version:Latest
  • Cortex Analyzer/Responder name:responders/FalconCustomIOC/FalconCustomIOCv2.py
  • Cortex Analyzer/Responder version:
@BITSDevops111
Copy link
Author

Solved.I just writing wrong data in json :)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@BITSDevops111