Merge pull request #1310 from TheHive-Project/crowdstrike-base-url-su…

…pport Crowdstrike Falcon - Custom Base URL support
TheHive-Project · Jan 14, 2025 · 70e8067 · 70e8067
2 parents 825a01d + 746371f
commit 70e8067
Show file tree

Hide file tree

Showing 26 changed files with 175 additions and 12 deletions.
diff --git a/analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_GetDeviceVulnerabilities.json b/analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_GetDeviceVulnerabilities.json
@@ -32,6 +32,14 @@
             "required": true,
             "defaultValue": ""
         },
+        {
+            "name": "base_url",
+            "description": "Crowdstrike base URL. Also supports US-1, US-2, EU-1, US-GOV-1 values",
+            "type": "string",
+            "multi": false,
+            "required": true,
+            "defaultValue": "https://api.crowdstrike.com"
+        },
         {
             "name": "vuln_fields",
             "description": "Specific field values to keep in resulting payload for vulnerabilities",

diff --git a/analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_GetDeviceVulnerabilities.py b/analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_GetDeviceVulnerabilities.py
@@ -12,7 +12,7 @@ def __init__(self):
         self.client_id = self.get_param("config.client_id")
         self.client_secret = self.get_param("config.client_secret")
         self.vuln_fields = self.get_param("config.vuln_fields", [])
-
+        self.base_url = self.get_param("config.base_url", "https://api.crowdstrike.com")
 
 
     def run(self):
@@ -23,7 +23,7 @@ def run(self):
                 extra_headers = {
                     "User-Agent": "strangebee-thehive/1.0"
                 }
-                auth = OAuth2(client_id=self.client_id, client_secret=self.client_secret)
+                auth = OAuth2(client_id=self.client_id, client_secret=self.client_secret, base_url=self.base_url)
                 hosts = Hosts(auth_object=auth, ext_headers=extra_headers)
                 hostname = self.get_data()
 

diff --git a/analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_Sandbox.py b/analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_Sandbox.py
@@ -15,6 +15,7 @@ def __init__(self):
         self.filepath = self.getParam("file", None, "File is missing")
         self.client_id = self.get_param("config.client_id")
         self.client_secret = self.get_param("config.client_secret")
+        self.base_url = self.get_param("config.base_url", "https://api.crowdstrike.com")
         self.environment = self.get_param("config.service", 160)
         self.network_settings = self.get_param("config.network_settings", "default")
         self.action_script = self.get_param("config.action_script", "default")
@@ -48,7 +49,7 @@ def run(self):
             }
 
             with open(filepath, "rb") as sample:
-                auth = OAuth2(client_id=self.client_id, client_secret=self.client_secret)
+                auth = OAuth2(client_id=self.client_id, client_secret=self.client_secret, base_url=self.base_url)
                 # Define the custom header
                 extra_headers = {
                     "User-Agent": "strangebee-thehive/1.0"

diff --git a/analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_Sandbox_Android.json b/analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_Sandbox_Android.json
@@ -32,6 +32,14 @@
             "required": true,
             "defaultValue": ""
         },
+        {
+            "name": "base_url",
+            "description": "Crowdstrike base URL. Also supports US-1, US-2, EU-1, US-GOV-1 values",
+            "type": "string",
+            "multi": false,
+            "required": true,
+            "defaultValue": "https://api.crowdstrike.com"
+        },
         {
             "name": "network_settings",
             "description": "Specifies the sandbox network_settings used for analysis : default, tor, simulated, offline",

diff --git a/analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_Sandbox_Linux.json b/analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_Sandbox_Linux.json
@@ -32,6 +32,14 @@
             "required": true,
             "defaultValue": ""
         },
+        {
+            "name": "base_url",
+            "description": "Crowdstrike base URL. Also supports US-1, US-2, EU-1, US-GOV-1 values",
+            "type": "string",
+            "multi": false,
+            "required": true,
+            "defaultValue": "https://api.crowdstrike.com"
+        },
         {
             "name": "network_settings",
             "description": "Specifies the sandbox network_settings used for analysis : default, tor, simulated, offline",

diff --git a/analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_Sandbox_MacOS.json b/analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_Sandbox_MacOS.json
@@ -32,6 +32,14 @@
             "required": true,
             "defaultValue": ""
         },
+        {
+            "name": "base_url",
+            "description": "Crowdstrike base URL. Also supports US-1, US-2, EU-1, US-GOV-1 values",
+            "type": "string",
+            "multi": false,
+            "required": true,
+            "defaultValue": "https://api.crowdstrike.com"
+        },
         {
             "name": "network_settings",
             "description": "Specifies the sandbox network_settings used for analysis : default, tor, simulated, offline",

diff --git a/analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_Sandbox_Win10.json b/analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_Sandbox_Win10.json
@@ -32,6 +32,14 @@
             "required": true,
             "defaultValue": ""
         },
+        {
+            "name": "base_url",
+            "description": "Crowdstrike base URL. Also supports US-1, US-2, EU-1, US-GOV-1 values",
+            "type": "string",
+            "multi": false,
+            "required": true,
+            "defaultValue": "https://api.crowdstrike.com"
+        },
         {
             "name": "network_settings",
             "description": "Specifies the sandbox network_settings used for analysis : default, tor, simulated, offline",

diff --git a/analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_Sandbox_Win11.json b/analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_Sandbox_Win11.json
@@ -32,6 +32,14 @@
             "required": true,
             "defaultValue": ""
         },
+        {
+            "name": "base_url",
+            "description": "Crowdstrike base URL. Also supports US-1, US-2, EU-1, US-GOV-1 values",
+            "type": "string",
+            "multi": false,
+            "required": true,
+            "defaultValue": "https://api.crowdstrike.com"
+        },
         {
             "name": "network_settings",
             "description": "Specifies the sandbox network_settings used for analysis : default, tor, simulated, offline",

diff --git a/analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_Sandbox_Win7.json b/analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_Sandbox_Win7.json
@@ -32,6 +32,14 @@
             "required": true,
             "defaultValue": ""
         },
+        {
+            "name": "base_url",
+            "description": "Crowdstrike base URL. Also supports US-1, US-2, EU-1, US-GOV-1 values",
+            "type": "string",
+            "multi": false,
+            "required": true,
+            "defaultValue": "https://api.crowdstrike.com"
+        },
         {
             "name": "network_settings",
             "description": "Specifies the sandbox network_settings used for analysis : default, tor, simulated, offline",

diff --git a/analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_Sandbox_Win7_64.json b/analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_Sandbox_Win7_64.json
@@ -32,6 +32,14 @@
             "required": true,
             "defaultValue": ""
         },
+        {
+            "name": "base_url",
+            "description": "Crowdstrike base URL. Also supports US-1, US-2, EU-1, US-GOV-1 values",
+            "type": "string",
+            "multi": false,
+            "required": true,
+            "defaultValue": "https://api.crowdstrike.com"
+        },
         {
             "name": "network_settings",
             "description": "Specifies the sandbox network_settings used for analysis : default, tor, simulated, offline",

diff --git a/analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_getDeviceAlerts.json b/analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_getDeviceAlerts.json
@@ -32,6 +32,14 @@
             "required": true,
             "defaultValue": ""
         },
+        {
+            "name": "base_url",
+            "description": "Crowdstrike base URL. Also supports US-1, US-2, EU-1, US-GOV-1 values",
+            "type": "string",
+            "multi": false,
+            "required": true,
+            "defaultValue": "https://api.crowdstrike.com"
+        },
         {
             "name": "alert_fields",
             "description": "Fields to return for each invidividual alerts",

diff --git a/analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_getDeviceAlerts.py b/analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_getDeviceAlerts.py
@@ -10,14 +10,15 @@ def __init__(self):
         Analyzer.__init__(self)
         self.client_id = self.get_param("config.client_id")
         self.client_secret = self.get_param("config.client_secret")
+        self.base_url = self.get_param("config.base_url", "https://api.crowdstrike.com")
         self.alert_fields = self.get_param("config.alert_fields")
         self.days_before = self.get_param("config.days_before")
 
     def run(self):
         Analyzer.run(self)
         if self.data_type == 'hostname':
             try:
-                auth = OAuth2(client_id=self.client_id, client_secret=self.client_secret)
+                auth = OAuth2(client_id=self.client_id, client_secret=self.client_secret, base_url=self.base_url)
                 # Define the custom header
                 extra_headers = {
                     "User-Agent": "strangebee-thehive/1.0"

diff --git a/analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_getDeviceDetails.json b/analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_getDeviceDetails.json
@@ -31,6 +31,14 @@
             "multi": false,
             "required": true,
             "defaultValue": ""
+        },
+        {
+            "name": "base_url",
+            "description": "Crowdstrike base URL. Also supports US-1, US-2, EU-1, US-GOV-1 values",
+            "type": "string",
+            "multi": false,
+            "required": true,
+            "defaultValue": "https://api.crowdstrike.com"
         }
     ],
     "registration_required": true,

diff --git a/analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_getDeviceDetails.py b/analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_getDeviceDetails.py
@@ -11,12 +11,14 @@ def __init__(self):
         Analyzer.__init__(self)
         self.client_id = self.get_param("config.client_id")
         self.client_secret = self.get_param("config.client_secret")
+        self.base_url = self.get_param("config.base_url", "https://api.crowdstrike.com")
+
 
     def run(self):
         Analyzer.run(self)
         if self.data_type == 'hostname':
             try:
-                auth = OAuth2(client_id=self.client_id, client_secret=self.client_secret)
+                auth = OAuth2(client_id=self.client_id, client_secret=self.client_secret, base_url=self.base_url)
                 # Define the custom header
                 extra_headers = {
                     "User-Agent": "strangebee-thehive/1.0"

diff --git a/responders/CrowdstrikeFalcon/CrowdStrikeFalcon_AddIOC.json b/responders/CrowdstrikeFalcon/CrowdStrikeFalcon_AddIOC.json
@@ -30,6 +30,14 @@
       "required": true,
       "defaultValue": ""
     },
+    {
+      "name": "base_url",
+      "description": "Crowdstrike base URL. Also supports US-1, US-2, EU-1, US-GOV-1 values",
+      "type": "string",
+      "multi": false,
+      "required": true,
+      "defaultValue": "https://api.crowdstrike.com"
+    },
     {
       "name": "severity",
       "description": "Severity linked to the IoC - informational, low, medium, high, critical",

diff --git a/responders/CrowdstrikeFalcon/CrowdStrikeFalcon_Sync.json b/responders/CrowdstrikeFalcon/CrowdStrikeFalcon_Sync.json
@@ -30,6 +30,14 @@
       "required": true,
       "defaultValue": ""
     },
+    {
+      "name": "base_url",
+      "description": "Crowdstrike base URL. Also supports US-1, US-2, EU-1, US-GOV-1 values",
+      "type": "string",
+      "multi": false,
+      "required": true,
+      "defaultValue": "https://api.crowdstrike.com"
+    },
     {
       "name": "custom_field_name_alert_id",
       "description": "Custom field in TheHive containing the CSFalcon Alert ID",

diff --git a/responders/CrowdstrikeFalcon/CrowdStrikeFalcon_removeIOC.json b/responders/CrowdstrikeFalcon/CrowdStrikeFalcon_removeIOC.json
@@ -29,6 +29,14 @@
       "multi": false,
       "required": true,
       "defaultValue": ""
+    },
+    {
+      "name": "base_url",
+      "description": "Crowdstrike base URL. Also supports US-1, US-2, EU-1, US-GOV-1 values",
+      "type": "string",
+      "multi": false,
+      "required": true,
+      "defaultValue": "https://api.crowdstrike.com"
     }
   ],
   "registration_required": true,

diff --git a/responders/CrowdstrikeFalcon/CrowdstrikeFalconHosts.py b/responders/CrowdstrikeFalcon/CrowdstrikeFalconHosts.py
@@ -9,6 +9,8 @@ def __init__(self):
         self.client_id = self.get_param("config.client_id")
         self.client_secret = self.get_param("config.client_secret")
         self.service = self.get_param("config.service", None)
+        self.base_url = self.get_param("config.base_url", "https://api.crowdstrike.com")
+
 
     def run(self):
         Responder.run(self)
@@ -18,7 +20,7 @@ def run(self):
         extra_headers = {
             "User-Agent": "strangebee-thehive/1.0"
         }
-        auth = OAuth2(client_id=self.client_id, client_secret=self.client_secret)
+        auth = OAuth2(client_id=self.client_id, client_secret=self.client_secret, base_url=self.base_url)
         hosts = Hosts(auth_object=auth, ext_headers=extra_headers)
 
         # Search for the device ID using the hostname

diff --git a/responders/CrowdstrikeFalcon/CrowdstrikeFalconIOC.py b/responders/CrowdstrikeFalcon/CrowdstrikeFalconIOC.py
@@ -2,7 +2,7 @@
 
 from cortexutils.responder import Responder
 import requests
-from falconpy import IOC
+from falconpy import OAuth2, IOC
 from datetime import datetime, timedelta
 import re
 from urllib.parse import urlparse
@@ -12,6 +12,7 @@ def __init__(self):
         Responder.__init__(self)
         self.client_id = self.get_param("config.client_id")
         self.client_secret = self.get_param("config.client_secret")
+        self.base_url = self.get_param("config.base_url", "https://api.crowdstrike.com")
         self.service = self.get_param("config.service", None)
         self.platform_list = self.get_param("config.platform_list", [])
         self.host_groups_list = self.get_param("config.host_groups_list", [])
@@ -83,7 +84,8 @@ def run(self):
                 "User-Agent": "strangebee-thehive/1.0"
             }
             # Create the IOC service object
-            ioc = IOC(client_id=self.client_id, client_secret=self.client_secret, ext_headers=extra_headers)
+            auth = OAuth2(client_id=self.client_id, client_secret=self.client_secret, base_url=self.base_url)
+            ioc = IOC(auth_object=auth, ext_headers=extra_headers)
 
             # Determine if the IOC applies globally or to specific host groups
             ioc_kwargs = {
@@ -127,7 +129,8 @@ def run(self):
                 "User-Agent": "strangebee-thehive/1.0"
             }
             # Create the IOC service object
-            ioc = IOC(client_id=self.client_id, client_secret=self.client_secret, ext_headers=extra_headers)
+            auth = OAuth2(client_id=self.client_id, client_secret=self.client_secret, base_url=self.base_url)
+            ioc = IOC(auth_object=auth, ext_headers=extra_headers)
             # Search for the IOC by value
             response = ioc.indicator_search(filter=filter,offset=0, limit=200)
 

diff --git a/responders/CrowdstrikeFalcon/CrowdstrikeFalconSync.py b/responders/CrowdstrikeFalcon/CrowdstrikeFalconSync.py
@@ -1,13 +1,14 @@
 #!/usr/bin/env python3
 
 from cortexutils.responder import Responder
-from falconpy import Alerts, Incidents
+from falconpy import OAuth2, Alerts, Incidents
 
 class CrowdstrikeFalconSync(Responder):
     def __init__(self):
         Responder.__init__(self)
         self.client_id = self.get_param("config.client_id")
         self.client_secret = self.get_param("config.client_secret")
+        self.base_url = self.get_param("config.base_url", "https://api.crowdstrike.com")
         self.service = self.get_param("config.service", None)
         self.custom_field_name_alert_id = self.get_param("config.custom_field_name_alert_id")
         self.custom_field_name_incident_id = self.get_param("config.custom_field_name_incident_id")
@@ -47,10 +48,11 @@ def run(self):
             if current_stage not in status_mapping_alert:
                 self.error(f"Unknown case status: {current_stage}")
 
+            auth = OAuth2(client_id=self.client_id, client_secret=self.client_secret, base_url=self.base_url)
 
             # Update the CrowdStrike alert status
             if detection_id:
-                alert_client = Alerts(client_id=self.client_id, client_secret=self.client_secret, ext_headers=extra_headers)
+                alert_client = Alerts(auth_object=auth, ext_headers=extra_headers)
                 # Determine the corresponding CrowdStrike alert status
                 cs_status_alert = status_mapping_alert[current_stage]
                 if isinstance(detection_id,str):
@@ -70,7 +72,7 @@ def run(self):
 
 
             if incident_id:
-                incident_client = Incidents(client_id=self.client_id, client_secret=self.client_secret, ext_headers=extra_headers)
+                incident_client = Incidents(auth_object=auth, ext_headers=extra_headers)
                 # Determine the corresponding CrowdStrike incident status
                 cs_status_incident = status_mapping_incident[current_stage]
                 if isinstance(incident_id,str):

diff --git a/responders/CrowdstrikeFalcon/CrowdstrikeFalcon_containHost.json b/responders/CrowdstrikeFalcon/CrowdstrikeFalcon_containHost.json
@@ -29,6 +29,14 @@
       "multi": false,
       "required": true,
       "defaultValue": ""
+    },
+    {
+      "name": "base_url",
+      "description": "Crowdstrike base URL. Also supports US-1, US-2, EU-1, US-GOV-1 values",
+      "type": "string",
+      "multi": false,
+      "required": true,
+      "defaultValue": "https://api.crowdstrike.com"
     }
   ],
   "registration_required": true,

diff --git a/responders/CrowdstrikeFalcon/CrowdstrikeFalcon_hideHost.json b/responders/CrowdstrikeFalcon/CrowdstrikeFalcon_hideHost.json
@@ -29,6 +29,14 @@
       "multi": false,
       "required": true,
       "defaultValue": ""
+    },
+    {
+      "name": "base_url",
+      "description": "Crowdstrike base URL. Also supports US-1, US-2, EU-1, US-GOV-1 values",
+      "type": "string",
+      "multi": false,
+      "required": true,
+      "defaultValue": "https://api.crowdstrike.com"
     }
   ],
   "registration_required": true,