CrowdStrike / falcon-orchestrator

CrowdStrike Falcon Orchestrator provides automated workflow and response capabilities
GNU Affero General Public License v3.0

Adding an existing DB field to Detection Notification Email #43

Closed tmitchell5280 closed 7 years ago

tmitchell5280 commented 7 years ago

Hello,

Has anyone added a new field to the Detection Notification email that is sent by Falcon Orchestrator?

I'd like to add an existing SQL database field to my emailed report.

If so, what are the steps to make this happen?

Thanks,

-Troy

mr-burnse commented 7 years ago

Hey Troy, which field are you after? Currently the email template supports the fields outlined here: https://github.com/CrowdStrike/falcon-orchestrator/wiki/Installation-&-Deployment#templates. It will need some code changes to support any other fields. If the one you're after is in the list, simply update the template HTML file in the web app's App_Data\templates directory.

tmitchell5280 commented 7 years ago

No it is not on the list. I'd like to add the Command-Line Field to my Detection Notification Email.

Thanks,

-Troy

mr-burnse commented 7 years ago

Okay, you'll want to download the source for the FalconOrchestrator.Client module and modify the Rules.cs file (https://github.com/CrowdStrike/falcon-orchestrator/blob/master/FalconOrchestrator.Client/Rules.cs); the section around lines 121-147 is where the fields are specified. You can add the new CommandLine field in there, then compile and replace the FalconOrchestrator.Client.exe file with your new one. Once that's done, you'll need to update the alert_template.html file and include the new {{CommandLine}} variable in there. Hope that helps. If you need further clarification, feel free to ping me on Slack.
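
The two-part change described above (expose the field in the template variable map, then reference it as {{CommandLine}} in the HTML template), as an added illustration that is not the project's Rules.cs and not code from either participant. The class and method names, the set of existing fields other than CommandLine, and the sample template are assumptions made for the example; the real field list lives in Rules.cs and the real template in App_Data\templates\alert_template.html. Because a process command line is attacker-influenced input landing in an HTML email, the example HTML-encodes every substituted value so that markup inside a command line renders as text.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Text.RegularExpressions;

// Hypothetical detection model for this example (not the project's class).
// The existing fields are assumed; CommandLine is the one being added.
public class DetectionAlert
{
    public string Hostname { get; set; }
    public string Severity { get; set; }
    public string FileName { get; set; }
    public string CommandLine { get; set; }   // new field exposed to the template
}

public static class AlertTemplate
{
    // Build the {{Name}} -> value map. In the real module this corresponds to the
    // block in Rules.cs where the template fields are specified; this stand-in
    // only shows where the new entry goes relative to the existing ones.
    public static Dictionary<string, string> BuildFields(DetectionAlert d)
    {
        return new Dictionary<string, string>
        {
            { "Hostname",    d.Hostname },
            { "Severity",    d.Severity },
            { "FileName",    d.FileName },
            { "CommandLine", d.CommandLine }, // added alongside the existing fields
        };
    }

    // Replace every {{Name}} placeholder in the HTML template with its value.
    // Values come from the detection itself (command lines are chosen by whoever
    // ran the process), so they are HTML-encoded before insertion: "<b>" in a
    // command line must show up literally, not as markup in the mail client.
    public static string Render(string templateHtml, Dictionary<string, string> fields)
    {
        return Regex.Replace(templateHtml, @"\{\{(\w+)\}\}", m =>
        {
            string value;
            if (fields.TryGetValue(m.Groups[1].Value, out value) && value != null)
                return WebUtility.HtmlEncode(value);
            // Unknown or empty field: render blank rather than leaving the raw token.
            return string.Empty;
        });
    }
}

class Program
{
    static void Main()
    {
        // Constructed sample template with the new {{CommandLine}} placeholder;
        // the real one is App_Data\templates\alert_template.html.
        string template =
            "<p>Host: {{Hostname}} ({{Severity}})</p>\n" +
            "<p>File: {{FileName}}</p>\n" +
            "<pre>{{CommandLine}}</pre>";

        // Constructed sample detection; the command line deliberately contains markup.
        var alert = new DetectionAlert
        {
            Hostname    = "WKSTN-01",
            Severity    = "High",
            FileName    = "powershell.exe",
            CommandLine = "powershell.exe -nop -w hidden <b>-enc</b> SQBFAFgA"
        };

        // The <b> tags appear as &lt;b&gt; in the output, i.e. as visible text.
        Console.WriteLine(AlertTemplate.Render(template, AlertTemplate.BuildFields(alert)));
    }
}
```

If the real template-substitution code in Rules.cs does a plain string replace, the encoding step is the part worth carrying over when adding CommandLine: it is the first free-text, adversary-controlled field most people add to the alert mail, and a bare replace would paste its contents straight into the HTML body.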

tmitchell5280 commented 7 years ago

Awesome. Sounds like a plan. Thanks, Evan.

-Troy

mr-burnse commented 7 years ago

Hey @tmitchell5280 did you get what you need here? I'm going to close out this ticket, just ping me on slack if you need some more help with this.