[FEATURE REQUEST] Crowdstrike - Allow member CIDs to be specified in API calls
topher-lo opened this issue · 2 comments
topher-lo commented
Is your feature request related to a problem? Please describe.
From Discord thread:
You'll need to extend out your CrowdStrike implementations (eventually) to allow member_cids to be specified. The reason being that for MSSPs who leverage Flight Control, you need to specify member_cids for some functions within CS directly, i.e. Identity Protection or Spotlight or Discover.
Describe the solution you'd like
Some sample code:
```python
import requests

# Assumed value: the snippet never defines EUROPE_BASE_URL; this is CrowdStrike's EU-1 API host.
EUROPE_BASE_URL = "https://api.eu-1.crowdstrike.com"


def get_oauth2_token(client_id, client_secret):
    """Request a bearer token for the parent (MSSP) CID."""
    url = f"{EUROPE_BASE_URL}/oauth2/token"
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    data = {"client_id": client_id, "client_secret": client_secret}
    response = requests.post(url, headers=headers, data=data, timeout=30)
    response.raise_for_status()  # fail here instead of with a KeyError below
    return response.json()["access_token"]


def get_cids(token):
    """Return the member CIDs of a CID group (the group ID is a placeholder)."""
    url = f"{EUROPE_BASE_URL}/mssp/entities/cid-group-members/v2?cid_group_ids=xxxxxxxxxxxxxxxxxxx"
    headers = {
        "Authorization": f"Bearer {token}",
        "Accept": "application/json",
        "Content-Type": "application/json"
    }
    response = requests.get(url, headers=headers, timeout=30)
    if response.status_code != 200:
        print(f"Error: Received status code {response.status_code} with message: {response.text}")
        return []
    data = response.json()
    cids = []
    # Each resource is one CID group; collect the member CIDs of all of them.
    if 'resources' in data and data['resources']:
        for resource in data['resources']:
            if 'cids' in resource and resource['cids']:
                cids.extend(resource['cids'])
    return cids


def get_tenant_token(client_id, client_secret, member_cid):
    """Request a bearer token scoped to one member (child) CID."""
    url = f"{EUROPE_BASE_URL}/oauth2/token"
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    data = {"client_id": client_id, "client_secret": client_secret, "member_cid": member_cid}
    response = requests.post(url, headers=headers, data=data, timeout=30)
    response.raise_for_status()  # fail here instead of with a KeyError below
    return response.json()["access_token"]
```
acumen-kevinr commented
You'll also likely want the option to choose a 'CID Group' which is configured on the CS side, but could be a group that is 'Spotlight CIDs' etc. - to make the code more efficient and just iterate over the specific CIDs you want to in that group.
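An added sketch of the flow discussed in this thread (not code from the issue or from the project): flatten the member CIDs of one selected CID group, then hand out one cached token per member CID and refuse CIDs outside that group. `PostFn`, `cids_from_group_response` and `TenantTokens` are hypothetical names, the HTTP call is injected so the block runs offline, and `expires_in` in the token response is assumed.

```python
import time
from typing import Callable, Dict, Iterable, List, Tuple

# Hypothetical transport: post(path, form_data) -> parsed JSON response body.
PostFn = Callable[[str, Dict[str, str]], dict]


def cids_from_group_response(payload: dict) -> List[str]:
    """Flatten and de-duplicate member CIDs from a cid-group-members payload."""
    seen, ordered = set(), []
    for resource in payload.get("resources") or []:
        for cid in resource.get("cids") or []:
            if cid and cid not in seen:
                seen.add(cid)
                ordered.append(cid)
    return ordered


class TenantTokens:
    """Caches one bearer token per member CID until shortly before it expires."""

    def __init__(self, post: PostFn, client_id: str, client_secret: str,
                 allowed_cids: Iterable[str], clock=time.monotonic, skew: int = 60):
        self._post, self._clock, self._skew = post, clock, skew
        self._creds = {"client_id": client_id, "client_secret": client_secret}
        self._allowed = set(allowed_cids)
        self._cache: Dict[str, Tuple[str, float]] = {}

    def get(self, member_cid: str) -> str:
        if member_cid not in self._allowed:
            # Refuse CIDs outside the selected group before any API call is made.
            raise PermissionError(f"CID {member_cid} is not in the selected CID group")
        token, expires_at = self._cache.get(member_cid, ("", 0.0))
        if not token or self._clock() >= expires_at:
            body = self._post("/oauth2/token", {**self._creds, "member_cid": member_cid})
            token = body["access_token"]
            # Assumption: the response carries the OAuth2 expires_in lifetime in seconds.
            expires_at = self._clock() + int(body.get("expires_in", 0)) - self._skew
            self._cache[member_cid] = (token, expires_at)
        return token


if __name__ == "__main__":
    # Constructed payload and stub transport; no real CIDs or credentials.
    group = {"resources": [{"cids": ["cid-a", "cid-b"]}, {"cids": ["cid-b"]}]}
    stub = lambda path, form: {"access_token": "tok-" + form["member_cid"], "expires_in": 1800}
    tokens = TenantTokens(stub, "id", "secret", cids_from_group_response(group))
    for cid in cids_from_group_response(group):
        print(cid, tokens.get(cid))
```
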