Update _ioc.py #311
Update _ioc.py #311
Conversation
Remove explicit ids={} from endpoint. Fixes issue blocking FQL filter use.
There was a problem hiding this comment.
Do you have a code example where this change resolves an issue? I ask because this text is stripped from the endpoint before it is used in Service Classes.
falconpy/src/falconpy/_util.py
Line 380 in 5c70b6a
(Trying to determine if there is an issue with this functionality.) If we remove this from the endpoint at this point in time, it will negatively impact the Uber class.
|
Let me do some additional testing. I'm actually using the Uber class. |
Oh! Then we definitely still need that. 😁 Leaving this PR open while you test. |
|
Here's my test code: .. creds json, etc..
falcon = Uber(creds=crowdstrike_creds)
def delete_expired_iocs():
# https://github.com/CrowdStrike/falconpy/wiki/IOCs#queryiocs
expiration_date = date.today() - timedelta(days=14)
log.debug(expiration_date)
log.info(f"Deleting IOCs which expired on or before {expiration_date}")
PARAMS = {
'filter': f"""source:'"IOC Automation*"'+(expiration:<'{expiration_date}')""",
'comment': "Deleted by crowdstrike-ioc-sync 14 days after expiration"
}
response = falcon.command('indicator_delete_v1', parameters=PARAMS)
if response["status_code"] == 200:
number_deleted = response['body']['meta']['pagination']['total']
log.info(f"Deleted {number_deleted} expired IOCs")
else:
log.error(f"CrowdStrike API error: {response}")
remain = 0
delete_expired_iocs()I'm using my fork for my testing. When 192 = "/iocs/entities/indicators/v1": When 192 = "/iocs/entities/indicators/v1?ids={}": |
This is perfect, thank you! I'm looking into this now. We just received a question regarding this as well, also using the Uber class. I'm going to convert that discussion post to an issue so we have tracking. |
|
Ultimately the fix you are proposing is what will happen, in every endpoint module that references an ids parameter, but there is some minor work that needs to occur in the Uber class before that can happen. In the interim, I propose we perform a replacement immediately after the Uber class URL is calculated. (Here: https://github.com/CrowdStrike/falconpy/blob/main/src/falconpy/_util.py#L325) This will work similarly to the replacement occurring in process_service_request (that Service Classes use) but should only impact calls where the endpoint still contains an ids array that is empty (versus one that is populated because our user is using the ids parameter). The ver_0.6.2 branch contains a working example of this solution. Could I get you to test it for me with your code? |
|
Your patch appears to have resolved this issue. Semi-related: I see references to |
Excellent! I'll put together a PR for this now.
Correct, but still allowed / maintained for now. This is primarily related to the Service Classes previously using this imported value as the name of the method. Some of the operation IDs as defined in swagger are just completely unacceptable Python syntax (not just to the linters), and had to be changed. |
|
Superseded by #315. |
jshcodes
added
bug 🐛
Remove explicit ids={} from endpoint. Fixes issue blocking FQL filter use.
Remove ids={} from IOC DELETE endpoint