IBM Security QRadar SOAR

To IBM SOAR community,

I'm trying to call Crowdstrike API using Utility functions SOAP to request OAUTH2 token.
Using the following script:
inputs.rest_method = "POST"
inputs.rest_url = "https://api.*.crowdstrike.com/oauth2/token"
inputs.rest_body = '{"client_id": "xxxx", "client_secret": "xxxx"}'

inputs.rest_headers = """
Accept: application/json
Content-Type: application/x-www-form-urlencoded
"""
inputs.rest_verify = True

I got the following error:
Traceback (most recent call last):
File "/opt/app-root/lib/python3.6/site-packages/resilient_lib/components/requests_common.py", line 197, in execute
response.raise_for_status()
File "/opt/app-root/lib/python3.6/site-packages/requests/models.py", line 960, in raise_for_status
raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 400 Client Error: Bad Request for url: https://api*.crowdstrike.com/oauth2/token

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/opt/app-root/lib/python3.6/site-packages/fn_utilities/components/utilities_call_rest_api.py", line 58, in _call_rest_api_function
headers_dict, cookies_dict, rest_body, rest_verify, rest_timeout)
File "/opt/app-root/lib/python3.6/site-packages/fn_utilities/components/utilities_call_rest_api.py", line 116, in make_rest_call
timeout=rest_timeout)
File "/opt/app-root/lib/python3.6/site-packages/resilient_lib/components/requests_common.py", line 205, in execute
raise IntegrationError(msg)
resilient_lib.components.integration_errors.IntegrationError: '400 Client Error: Bad Request for url: https://api*.crowdstrike.com/oauth2/token'

When I manually generate the Crowdstrike token and make API requests with GET method, it works. But I cannot request CS token using this script.

Can you please tell me what's the error in my script? and if the body input format is correct.

This is the curl request that works with Crowdstrike:
curl -X POST "https://api*.crowdstrike.com/oauth2/token" -H "accept: application/json" -H "Content-Type: application/x-www-form-urlencoded" -d "client_id=xxxx&client_secret=xxxx"

Thank you so much.

------------------------------
Meryam Harraz
------------------------------

Hi, its a bit off topic question, but still related ;), have You tried CrowdStrike Falcon app with AppHost ?
IBM Security App Exchange - CrowdStrike Falcon Insight and Threat Intel (ibmcloud.com)

Thanks

------------------------------
Paulius Roslekas
------------------------------

Original Message:
Sent: Mon January 16, 2023 04:48 AM
From: MER HAZ
Subject: Corwdsrike Oauth2 in Utility Functions SOAP

To IBM SOAR community,

I'm trying to call Crowdstrike API using Utility functions SOAP to request OAUTH2 token.
Using the following script:
inputs.rest_method = "POST"
inputs.rest_url = "https://api.*.crowdstrike.com/oauth2/token"
inputs.rest_body = '{"client_id": "xxxx", "client_secret": "xxxx"}'

inputs.rest_headers = """
Accept: application/json
Content-Type: application/x-www-form-urlencoded
"""
inputs.rest_verify = True

I got the following error:
Traceback (most recent call last):
File "/opt/app-root/lib/python3.6/site-packages/resilient_lib/components/requests_common.py", line 197, in execute
response.raise_for_status()
File "/opt/app-root/lib/python3.6/site-packages/requests/models.py", line 960, in raise_for_status
raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 400 Client Error: Bad Request for url: https://api*.crowdstrike.com/oauth2/token

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/opt/app-root/lib/python3.6/site-packages/fn_utilities/components/utilities_call_rest_api.py", line 58, in _call_rest_api_function
headers_dict, cookies_dict, rest_body, rest_verify, rest_timeout)
File "/opt/app-root/lib/python3.6/site-packages/fn_utilities/components/utilities_call_rest_api.py", line 116, in make_rest_call
timeout=rest_timeout)
File "/opt/app-root/lib/python3.6/site-packages/resilient_lib/components/requests_common.py", line 205, in execute
raise IntegrationError(msg)
resilient_lib.components.integration_errors.IntegrationError: '400 Client Error: Bad Request for url: https://api*.crowdstrike.com/oauth2/token'

When I manually generate the Crowdstrike token and make API requests with GET method, it works. But I cannot request CS token using this script.

Can you please tell me what's the error in my script? and if the body input format is correct.

This is the curl request that works with Crowdstrike:
curl -X POST "https://api*.crowdstrike.com/oauth2/token" -H "accept: application/json" -H "Content-Type: application/x-www-form-urlencoded" -d "client_id=xxxx&client_secret=xxxx"

Thank you so much.

------------------------------
Meryam Harraz
------------------------------

If you are trying to use features that are not yet in the Crowdstrike app, like searching for a MAC address in your environment to get Host Information, I recently created a playbook that does this using the REST API Function. Only things that you will need to do to get these to run is go into the REST API app.config file and create 2 variables with your correlating key and secret, cs_key_id and cs_secret. Once those is set you should be good to go to use it.

What is the playbook doing:

1. REST API Function to get the Oauth Token
2. If it gets a token, it does the lookup of the MAC address artifact using the auth token to gather the device ID
3. Last if the Device ID was found, then it looks up the device information using the last REST API Function.

This might not be exactly what you are trying to do, but if you are trying to understand how to gather the Oauth Token and use it to automate within Crowdstrike, it should get you moving!

------------------------------
Nick Mumaw, GPEN, GPYC
Cyber Security Specialist - SOAR
IBM - Security
------------------------------

Original Message:
Sent: Mon January 16, 2023 04:48 AM
From: MER HAZ
Subject: Corwdsrike Oauth2 in Utility Functions SOAP

To IBM SOAR community,

I'm trying to call Crowdstrike API using Utility functions SOAP to request OAUTH2 token.
Using the following script:
inputs.rest_method = "POST"
inputs.rest_url = "https://api.*.crowdstrike.com/oauth2/token"
inputs.rest_body = '{"client_id": "xxxx", "client_secret": "xxxx"}'

inputs.rest_headers = """
Accept: application/json
Content-Type: application/x-www-form-urlencoded
"""
inputs.rest_verify = True

I got the following error:
Traceback (most recent call last):
File "/opt/app-root/lib/python3.6/site-packages/resilient_lib/components/requests_common.py", line 197, in execute
response.raise_for_status()
File "/opt/app-root/lib/python3.6/site-packages/requests/models.py", line 960, in raise_for_status
raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 400 Client Error: Bad Request for url: https://api*.crowdstrike.com/oauth2/token

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/opt/app-root/lib/python3.6/site-packages/fn_utilities/components/utilities_call_rest_api.py", line 58, in _call_rest_api_function
headers_dict, cookies_dict, rest_body, rest_verify, rest_timeout)
File "/opt/app-root/lib/python3.6/site-packages/fn_utilities/components/utilities_call_rest_api.py", line 116, in make_rest_call
timeout=rest_timeout)
File "/opt/app-root/lib/python3.6/site-packages/resilient_lib/components/requests_common.py", line 205, in execute
raise IntegrationError(msg)
resilient_lib.components.integration_errors.IntegrationError: '400 Client Error: Bad Request for url: https://api*.crowdstrike.com/oauth2/token'

When I manually generate the Crowdstrike token and make API requests with GET method, it works. But I cannot request CS token using this script.

Can you please tell me what's the error in my script? and if the body input format is correct.

This is the curl request that works with Crowdstrike:
curl -X POST "https://api*.crowdstrike.com/oauth2/token" -H "accept: application/json" -H "Content-Type: application/x-www-form-urlencoded" -d "client_id=xxxx&client_secret=xxxx"

Thank you so much.

------------------------------
Meryam Harraz
------------------------------