CrowdStrike Falcon - Implement TheHive custom user-agent across integrations

analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_GetDeviceVulnerabilities.py

@@ -19,8 +19,12 @@ def run(self):
         Analyzer.run(self)
         if self.data_type == 'hostname':
             try:
+                # Define the custom header
+                extra_headers = {
+                    "User-Agent": "strangebee-thehive/1.0"
+                }
                 auth = OAuth2(client_id=self.client_id, client_secret=self.client_secret)
-                hosts = Hosts(auth_object=auth)
+                hosts = Hosts(auth_object=auth, ext_headers=extra_headers)
                 hostname = self.get_data()
 
                 # Search for the device ID using the hostname
@@ -35,7 +39,7 @@ def run(self):
                 if device_ids:
                     device_id = device_ids[0]
                     # Get detailed asset information using the device ID
-                spotlight = SpotlightVulnerabilities(auth_object=auth)
+                spotlight = SpotlightVulnerabilities(auth_object=auth, ext_headers=extra_headers)
                 host_vulns = spotlight.query_vulnerabilities_combined(parameters={"filter": f"aid:'{device_id}'+status:!'closed'"})
                 host_vulns = host_vulns["body"]["resources"]
                 #print(host_vulns)

analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_Sandbox.py

@@ -49,8 +49,12 @@ def run(self):
 
             with open(filepath, "rb") as sample:
                 auth = OAuth2(client_id=self.client_id, client_secret=self.client_secret)
-                samples = SampleUploads(auth_object=auth)
-                sandbox = FalconXSandbox(auth_object=auth)
+                # Define the custom header
+                extra_headers = {
+                    "User-Agent": "strangebee-thehive/1.0"
+                }
+                samples = SampleUploads(auth_object=auth, ext_headers=extra_headers)
+                sandbox = FalconXSandbox(auth_object=auth, ext_headers=extra_headers)
                 response = samples.upload_sample(file_data=sample.read(),
                                 file_name=filename,
                                 comment=comment,

analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_getDeviceAlerts.py

@@ -18,7 +18,11 @@ def run(self):
         if self.data_type == 'hostname':
             try:
                 auth = OAuth2(client_id=self.client_id, client_secret=self.client_secret)
-                alerts = Alerts(auth_object=auth)
+                # Define the custom header
+                extra_headers = {
+                    "User-Agent": "strangebee-thehive/1.0"
+                }
+                alerts = Alerts(auth_object=auth, ext_headers=extra_headers)
                 hostname = self.get_data()
                 message = "No alerts found."
                 filtered_alert_list = []

analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_getDeviceDetails.py

@@ -17,7 +17,11 @@ def run(self):
         if self.data_type == 'hostname':
             try:
                 auth = OAuth2(client_id=self.client_id, client_secret=self.client_secret)
-                hosts = Hosts(auth_object=auth)
+                # Define the custom header
+                extra_headers = {
+                    "User-Agent": "strangebee-thehive/1.0"
+                }
+                hosts = Hosts(auth_object=auth, ext_headers=extra_headers)
                 hostname = self.get_data()
 
                 # Search for the device ID using the hostname

responders/CrowdstrikeFalcon/CrowdstrikeFalconHosts.py

@@ -14,8 +14,12 @@ def run(self):
         Responder.run(self)
         hostname = self.get_param("data.data", None)
         #self.report({'message': f"Host {device_name}"})
+        # Define the custom headers
+        extra_headers = {
+            "User-Agent": "strangebee-thehive/1.0"
+        }
         auth = OAuth2(client_id=self.client_id, client_secret=self.client_secret)
-        hosts = Hosts(auth_object=auth)
+        hosts = Hosts(auth_object=auth, ext_headers=extra_headers)
 
         # Search for the device ID using the hostname
         if self.service == "unhide_host":
@@ -44,4 +48,4 @@ def operations(self, raw):
         return operations_list
 
 if __name__ == '__main__':
-    CrowdstrikeFalconHosts().run()
+    CrowdstrikeFalconHosts().run()

responders/CrowdstrikeFalcon/CrowdstrikeFalconIOC.py

@@ -78,8 +78,12 @@ def run(self):
             case_id = self.get_param("data.case.id", None, "Can't get case ID")
             description = f"Pushed from TheHive - {case_title} - {case_id}"
 
+            # Define the custom headers
+            extra_headers = {
+                "User-Agent": "strangebee-thehive/1.0"
+            }
             # Create the IOC service object
-            ioc = IOC(client_id=self.client_id, client_secret=self.client_secret)
+            ioc = IOC(client_id=self.client_id, client_secret=self.client_secret, ext_headers=extra_headers)
 
             # Determine if the IOC applies globally or to specific host groups
             ioc_kwargs = {
@@ -117,7 +121,13 @@ def run(self):
 
             filter = f"_all:~'{ioc_value}'"
 
-            ioc = IOC(client_id=self.client_id, client_secret=self.client_secret)
+
+            # Define the custom headers
+            extra_headers = {
+                "User-Agent": "strangebee-thehive/1.0"
+            }
+            # Create the IOC service object
+            ioc = IOC(client_id=self.client_id, client_secret=self.client_secret, ext_headers=extra_headers)
             # Search for the IOC by value
             response = ioc.indicator_search(filter=filter,offset=0, limit=200)
 
@@ -143,4 +153,4 @@ def run(self):
 
 
 if __name__ == '__main__':
-    CrowdstrikeFalconIOC().run()
+    CrowdstrikeFalconIOC().run()

responders/CrowdstrikeFalcon/CrowdstrikeFalconSync.py

@@ -11,11 +11,13 @@ def __init__(self):
         self.service = self.get_param("config.service", None)
         self.custom_field_name_alert_id = self.get_param("config.custom_field_name_alert_id")
         self.custom_field_name_incident_id = self.get_param("config.custom_field_name_incident_id")
-        self.alert_client = Alerts(client_id=self.client_id, client_secret=self.client_secret)
-        self.incident_client = Incidents(client_id=self.client_id, client_secret=self.client_secret)
 
     def run(self):
         if self.service == "sync":
+            # Define the custom headers
+            extra_headers = {
+                "User-Agent": "strangebee-thehive/1.0"
+            }
             #data = self.get_param("data", None, "Can't get case ID")
             current_stage = self.get_param("data.stage", None, "Can't get case or alert stage")
             detection_id = self.get_param(f"data.customFieldValues.{self.custom_field_name_alert_id}", None)
@@ -48,6 +50,7 @@ def run(self):
 
             # Update the CrowdStrike alert status
             if detection_id:
+                alert_client = Alerts(client_id=self.client_id, client_secret=self.client_secret, ext_headers=extra_headers)
                 # Determine the corresponding CrowdStrike alert status
                 cs_status_alert = status_mapping_alert[current_stage]
                 if isinstance(detection_id,str):
@@ -62,11 +65,12 @@ def run(self):
                         }
                     ]
                 }
-                alert_response = self.alert_client.update_alerts_v3(body=alert_body)
+                alert_response = alert_client.update_alerts_v3(body=alert_body)
                 alert_status_code = alert_response.get('status_code', None)
 
 
             if incident_id:
+                incident_client = Incidents(client_id=self.client_id, client_secret=self.client_secret, ext_headers=extra_headers)
                 # Determine the corresponding CrowdStrike incident status
                 cs_status_incident = status_mapping_incident[current_stage]
                 if isinstance(incident_id,str):
@@ -82,7 +86,7 @@ def run(self):
                     ]
                 }
 
-                incident_response = self.incident_client.perform_incident_action(body=incident_body)
+                incident_response = incident_client.perform_incident_action(body=incident_body)
                 incident_status_code = incident_response.get('status_code', None)
 
 
@@ -110,4 +114,4 @@ def run(self):
                 self.report({"message": final_message})
 
 if __name__ == '__main__':
-    CrowdstrikeFalconSync().run()
+    CrowdstrikeFalconSync().run()