IBM Security QRadar SOAR

 View Only
  • 1.  Corwdsrike Oauth2 in Utility Functions SOAP

    Posted Mon January 16, 2023 12:46 PM
    Edited by Wendy Batten Tue January 17, 2023 08:35 AM
    To IBM SOAR community,

    I'm trying to call Crowdstrike API using Utility functions SOAP to request OAUTH2 token.
    Using the following script:
    inputs.rest_method = "POST"
    inputs.rest_url = "https://api.*"
    inputs.rest_body = '{"client_id": "xxxx", "client_secret": "xxxx"}'

    inputs.rest_headers = """
    Accept: application/json
    Content-Type: application/x-www-form-urlencoded
    inputs.rest_verify = True

    I got the following error:
    Traceback (most recent call last):
    File "/opt/app-root/lib/python3.6/site-packages/resilient_lib/components/", line 197, in execute
    File "/opt/app-root/lib/python3.6/site-packages/requests/", line 960, in raise_for_status
    raise HTTPError(http_error_msg, response=self)
    requests.exceptions.HTTPError: 400 Client Error: Bad Request for url: https://api*

    During handling of the above exception, another exception occurred:

    Traceback (most recent call last):
    File "/opt/app-root/lib/python3.6/site-packages/fn_utilities/components/", line 58, in _call_rest_api_function
    headers_dict, cookies_dict, rest_body, rest_verify, rest_timeout)
    File "/opt/app-root/lib/python3.6/site-packages/fn_utilities/components/", line 116, in make_rest_call
    File "/opt/app-root/lib/python3.6/site-packages/resilient_lib/components/", line 205, in execute
    raise IntegrationError(msg)
    resilient_lib.components.integration_errors.IntegrationError: '400 Client Error: Bad Request for url: https://api*'

    When I manually generate the Crowdstrike token and make API requests with GET method, it works. But I cannot request CS token using this script.

    Can you please tell me what's the error in my script? and if the body input format is correct.

    This is the curl request that works with Crowdstrike:
    curl -X POST "https://api*" -H "accept: application/json" -H "Content-Type: application/x-www-form-urlencoded" -d "client_id=xxxx&client_secret=xxxx"

    Thank you so much.

    Meryam Harraz

  • 2.  RE: Corwdsrike Oauth2 in Utility Functions SOAP

    Posted Mon November 20, 2023 08:11 AM

    Hi, its a bit off topic question, but still related ;), have You tried CrowdStrike Falcon app with AppHost ?
    IBM Security App Exchange - CrowdStrike Falcon Insight and Threat Intel (


    Paulius Roslekas

  • 3.  RE: Corwdsrike Oauth2 in Utility Functions SOAP

    Posted Tue November 21, 2023 04:23 PM
      |   view attached

    If you are trying to use features that are not yet in the Crowdstrike app, like searching for a MAC address in your environment to get Host Information, I recently created a playbook that does this using the REST API Function. Only things that you will need to do to get these to run is go into the REST API app.config file and create 2 variables with your correlating key and secret, cs_key_id and cs_secret. Once those is set you should be good to go to use it.

    What is the playbook doing:

    1. REST API Function to get the Oauth Token
    2. If it gets a token, it does the lookup of the MAC address artifact using the auth token to gather the device ID
    3. Last if the Device ID was found, then it looks up the device information using the last REST API Function.

    This might not be exactly what you are trying to do, but if you are trying to understand how to gather the Oauth Token and use it to automate within Crowdstrike, it should get you moving!

    Nick Mumaw, GPEN, GPYC
    Cyber Security Specialist - SOAR
    IBM - Security