We’ve implemented auto quarantine to Cisco ISE via a trigger firing off the DETECTION_UPDATE event. We’ve had some devices quarantined due to false positive detections, so before quarantining a device I’d like to determine if the device is running the Crowdstrike agent. If the device is running the agent, we’d skip the auto-quarantine and rather send a MS Teams WebHook notification to a security oriented Teams channel so someone can investigate further. This logic will allow other security tools to do their intended job when the agent is found and for the devices that don’t have the agent, they’d be quarantined. So I started looking into whether it was possible to determine if the agent was running via the trigger api. I found a REST API endpoint to query the list of software observed on a device so I thought I could make an outbound RX360 REST API query from the trigger to get that list. However, I’ve run into a problem determining the “REST API ID” which is required to query the REST API and unfortunately that ID is different from the device ID on the sensor. Is there a way to get the REST API ID via the trigger interface if all you have is the device ID? Better yet, is there a way to determine the software list for a device via the trigger API and skip the REST API altogether? Thanks.
Hi Aaron @obera - My suggestion is to query CrowdStrike Falcon, prior to querying Cisco ISE, to see if the device is currently running the CRWD sensor, then on the REMOTE_RESPONSE fork the logic for if it continues to ISE, or if you send a notification to Teams.
Hi Girard! @girardo That’s a good idea and possibly a solution to my challenge. I don’t currently have access to the Crowdstrike environment, but can ask our security team for API access. The REMOTE_RESPONSE event in the trigger is definitely a game changer when it comes to implementing conditions based on external data in the trigger api. It would be nice to have a way to determine the REST API object ID in the trigger, so based on your response I’m guessing you’re not aware of any way to get the REST API ID in the trigger itself? Thanks again for the response and hope you are doing well! Please say Hi to the team for me. -Aaron
Thinking this through, I could disable the trigger on RX360 and run it locally on each sensor. This way the REST API ID = Device ID, which is included in the detection participants object. The only bummer is pushing this out to all our sensors initially and when there is an update to the logic, but it could be done as well.
I’ll try to get API access to Crowdstrike first but if that fails, I’ve got a plan (B above).
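The fork described in this thread (look up whether the device runs the CrowdStrike sensor, then either quarantine via ISE or notify a Teams channel), written out as an added example; this is not code from the thread or from ExtraHop. It is plain JavaScript so the decision logic can be tested outside the trigger runtime: the sensor, ISE and Teams calls are left as comments, and the `participant`, `lookup` and `detection` object shapes are constructed for the example rather than taken from any documented schema. One caveat the thread's plan needs: when the software lookup fails or times out, the device's agent state is unknown, so that case is routed to a human (notify) instead of being quarantined, otherwise a lookup outage plus a false-positive detection would still isolate the device.

```javascript
// Added example: decision logic for "quarantine unless the EDR agent is present".
// Assumed/constructed shapes (not an ExtraHop or CrowdStrike schema):
//   participant = { ipaddr: "10.0.5.17", role: "offender" }
//   lookup      = { ok: true|false, software: [{ name, version }] }
//   detection   = { id, title, riskScore }

// Substrings that identify the CrowdStrike Falcon sensor in an observed-software
// inventory (matched case-insensitively). Extend if your inventory reports a
// different product name.
const AGENT_PATTERNS = ["crowdstrike", "falcon sensor"];

function hasCrowdStrikeSensor(softwareList) {
  if (!Array.isArray(softwareList)) return false;
  return softwareList.some(function (entry) {
    const name = String(entry && entry.name ? entry.name : "").toLowerCase();
    return AGENT_PATTERNS.some(function (p) { return name.indexOf(p) !== -1; });
  });
}

// Decide what to do with one detection participant.
// A failed or missing lookup never quarantines automatically: unknown state
// goes to a person for review rather than to ISE.
function decideAction(participant, lookup) {
  if (!participant || !participant.ipaddr) {
    return { action: "ignore", reason: "no participant IP address" };
  }
  if (!lookup || !lookup.ok) {
    return { action: "notify", reason: "software lookup failed; manual review required" };
  }
  if (hasCrowdStrikeSensor(lookup.software)) {
    return { action: "notify", reason: "CrowdStrike sensor present; EDR owns the response" };
  }
  return { action: "quarantine", reason: "no EDR agent observed on device" };
}

// Build the payload for a Microsoft Teams incoming webhook (legacy MessageCard
// format). Red for a quarantine, amber for a notify-only event.
function buildTeamsCard(detection, participant, decision) {
  return {
    "@type": "MessageCard",
    "@context": "https://schema.org/extensions",
    summary: "ExtraHop detection: " + detection.title,
    themeColor: decision.action === "quarantine" ? "E81123" : "FFB900",
    sections: [{
      activityTitle: detection.title,
      facts: [
        { name: "Device", value: participant.ipaddr },
        { name: "Risk score", value: String(detection.riskScore) },
        { name: "Action", value: decision.action },
        { name: "Reason", value: decision.reason }
      ]
    }]
  };
}

// Constructed sample input (not real detections or inventories).
const sampleDetection = { id: 1234, title: "Suspicious lateral movement", riskScore: 80 };
const sampleParticipant = { ipaddr: "10.0.5.17", role: "offender" };
const lookupWithAgent = { ok: true, software: [{ name: "CrowdStrike Falcon Sensor", version: "6.x" }, { name: "Google Chrome" }] };
const lookupNoAgent = { ok: true, software: [{ name: "Google Chrome" }] };
const lookupFailed = { ok: false, software: [] };

// Runs the three sample cases and returns the chosen action for each.
function runSamples() {
  return {
    withAgent: decideAction(sampleParticipant, lookupWithAgent).action, // "notify"
    noAgent: decideAction(sampleParticipant, lookupNoAgent).action,     // "quarantine"
    failed: decideAction(sampleParticipant, lookupFailed).action        // "notify"
  };
}

// In the trigger the flow would be: on DETECTION_UPDATE, issue the outbound
// software lookup for the participant and keep detection/participant context;
// on REMOTE_RESPONSE, parse the body into the lookup shape above, call
// decideAction(), and then either issue the ISE quarantine request or POST
// buildTeamsCard(...) to the Teams webhook URL.
```

The two pieces a deployment would add are the parser that turns the real software-inventory response into the `lookup` shape, and a timeout path that sets `ok: false` so that the no-response case lands in the notify branch rather than being dropped silently.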