unable to add a host group to a sensor update policy

[pk-actzero]

I'm attempting to add a host group using the uber class. I've tested with both updateSensorUpdatePolicies and the V2 version.
I get a 200 back but the groups item is an empty array. (I'm using the oauth credentials for that particular CID)
Do I need anything else in the body here?

Secondly, when I attempt to update a Sensor Update Policy that was created at the parent level, it also has an empty groups item but the CID of that policy gets changed to the client ID. This is visible in the console as it no longer shows "PRECEDENCE
FROM YOUR MSSP"

BODY = {
                    "resources": [
                        {
                            "id": "the_id_of_the_sensor_update_policy",
                            "groups": [{'id': "the_id_of_the_host_group"}]

                        }

                    ]
                }
response = falcon.command("updateSensorUpdatePolicies", body=BODY)

[jshcodes]

Hi @pk-actzero -

Adding a host group will need to be done using the performSensorUpdatePoliciesAction operation.

Since we're using the Uber class, we will not have the advantage of body payload abstraction (or action_parameter abstraction) so our syntax will be slightly more complex.

from falconpy import APIHarness

falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
                    client_secret="API_CLIENT_SECRET_HERE"
                    )

BODY = {
    "action_parameters": [
        {
            "name": "group_id",
            "value": "HOST_GROUP_ID_HERE"
        }
    ],
    "ids": ['SENSOR_POLICY_ID_HERE']
}

response = falcon.command("performSensorUpdatePoliciesAction", action_name="add-host-group", body=BODY)
print(response)

Updated 06.21.22: You can only execute this operation against one Sensor Update Policy at a time. An issue has been spawned to track the update of this documentation example.

Regarding the second part of your question, I believe that updating the sensor policy (with an API key that has SensorUpdate:WRITE on the child.) is causing this but I need to recreate and confirm.

[jshcodes]

Can I have a little more detail regarding the steps you took to perform the update on the parent policy from the child key? I'm unable to recreate this (you cannot update a parent policy using a child API key, and should be receiving a 404).

At the moment, I am looking into the possibility of the update creating a new default policy at the child level (which could potentially look like what you've described. The "default" policy display would change to be the newly created one.)

Side note: I've updated the policy wonk sample to support MSSP scenarios as part of my researching this question. I'll get this update posted shortly.

[pk-actzero]

Thanks for the quick response.
I have a dictionary with the name of the sensor update policy and the name of desired host groups. e.g. we have a parent level policy called "Windows 7 Sensor Pin" and each CID has a host group called "Windows 7 Hosts"

• I call queryCombinedSensorUpdatePoliciesV2 and use filter_string = f"name.raw:'{name}'" to retrieve the policy id by name.
• I check to see if the host group in the dictionary matches the group attached to the policy.
• If it doesn't I call queryCombinedHostGroups and use filter_string = f"name:~'{host_group}'" to retrieve the group id by name.
• I then I'll call performSensorUpdatePoliciesAction to add the group using the policy id and group id.
  then loop through each CID to set the desired default.

presently getting a 500 but I'm wondering if that's because the repo I'm working with has falconpy pegged at <0.9

[jshcodes]

Hi @pk-actzero -

Were you authenticated to the child or to the parent (with or without the member_cid value) while attempting step 4 (assigning the host group ID using performSensorUpdatePoliciesAction)?

You should be fine to remain pinned to versions below v0.9 if that is your requirement. I have been researching this issue using the latest FalconPy version (v1.1.4), and version 0.8.11 to confirm.

I've made progress recreating what you've described in the second part of your original question, and will update you here once I have confirmed my suspicion as to the cause.

Side note: I've generated a lot of 500s today while researching this. All of them have been caused by my mishandling the payload format. Make sure ids is a list (of one string), and action_parameters is a list of dictionaries.

Example

{
    "ids": ["SENSOR_UPDATE_POLICY_ID_HERE"],
    "action_parameters": [
        {
            "name": "group_id",
            "value": "HOST_GROUP_ID_HERE"
        }
    ]
}

[pk-actzero]

Great, I'll confirm the payload is in the correct format.
To clarify, I retrieve the oauth creds for each CID and loop through them doing steps 1 - 4. I never authenticate using the parent creds.

[jshcodes]

Perfect. This is the scenario I am testing, but wanted to confirm that step's authentication specifically. 🙇‍♂️

[pk-actzero]

Can confirm this works with the correct payload format!