CrowdStrike / gofalcon

Golang-based SDK to CrowdStrike's APIs
MIT License

IOC IndicatorCreateV1 issue with Body #426

Closed ks2211 closed 6 months ago

ks2211 commented 7 months ago

Using version v0.6.0 with go version 1.22.1

I am attempting to create an IOC using the `ioc.Client.IndicatorCreateV1` method but am getting a 400 `One or more indicators have a warning or invalid input` error.

This is the request body I use via cURL/Postman, and I get a successful 200 response (along with the id).

```json
{
    "comment": "Indicator Created by something for domain somedomain.com",
    "indicators": [
        {
            "type": "domain",
            "value": "somedomain.com",
            "applied_globally": true,
            "platforms": ["windows", "mac", "linux"],
            "action": "no_action",
            "tags": ["something"],
            "source": "something",
            "severity": "informational",
            "description": "URL Created by something"
        }
    ]
}
```

This is the equivalent Go code, but it results in a 400 error:

```
indicatorCreateV1BadRequest &{Errors:[{Code:400 Message:One or more indicators have a warning or invalid input}] Meta:PoweredBy:ioc-manager QueryTime:0.012351665 TraceID:<TRACE>}}
```

```go
package main

import (
	"context"
	"fmt"

	"github.com/crowdstrike/gofalcon/falcon/client/ioc"
	"github.com/crowdstrike/gofalcon/falcon/models"
)

func boolPtr(v bool) *bool {
	return &v
}

const SeverityInformational = "informational"

// buildParams builds the IndicatorCreateV1 request exactly as posted above.
// Note that no Expiration is set on the indicator.
func buildParams() *ioc.IndicatorCreateV1Params {
	return &ioc.IndicatorCreateV1Params{
		Context: context.Background(), // also removed this with no luck
		Body: &models.APIIndicatorCreateReqsV1{
			Comment: fmt.Sprintf("Indicator Created by something for domain %s", "somedomain.com"),
			Indicators: []*models.APIIndicatorCreateReqV1{
				{
					Type:            "domain",
					Value:           "somedomain.com",
					AppliedGlobally: boolPtr(true),
					Platforms:       []string{"windows", "mac", "linux"},
					Description:     fmt.Sprintf("Indicator Created by something for domain %s", "somedomain.com"),
					Action:          "no_action",
					Tags:            []string{"something"},
					Source:          "something",
					Severity:        SeverityInformational, // informational, low, medium, high, and critical
				},
			},
		},
	}
}
```

Checking the generated source vs the JSON above, everything seems to match up (with the only exception being the bool pointer for the `applied_globally` field, but marshalling usually handles that). It doesn't seem to fail validations either and makes it to the API, which then returns the error, and I can't see any differences between the Go version and the cURL JSON blob.

Any suggestions?

ks2211 commented 7 months ago

Update: It looks like when using the REST API via cURL/Postman you don't need to specify the `expiration` field, but with the SDK it's required; otherwise it defaults to a zero-value `strfmt.Time`, which results in an `expiration needs to be in the future` error. (The SDK for some reason wasn't including this in the response; I used the API directly with Go code and read the response to get this error out.)

ffalor commented 7 months ago

hey @ks2211 can you check if 0.7.0-rc1 fixes this for you? It worked in my testing. Thanks!

ks2211 commented 6 months ago

@ffalor thanks! that seems to have fixed it for me. will wait for the v0.7.0 tag to be pushed

ks2211 commented 6 months ago

hey @ffalor I'm dealing with a slightly strange issue now --

I used the 0.7.0-rc1 on my local machine and everything seems to work with creating indicators. I deployed the code to our dev env in AWS and it gives me malformed input errors doing the same workflow as I do locally (and it's the same exact code base). The weird thing is, I can get/update indicators from my dev but NOT create.

Any ideas what could cause that issue?

EDIT: turns out it was a timezone issue and parsing on my remote servers, going to close this
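The two root causes found in this thread, an unset expiration that serialises as a year-0001 timestamp and an expiration parsed differently depending on the host's timezone, can both be caught before the request leaves the client. The following is an added example and is not part of gofalcon or of the code posted in the issue: it uses standard-library stand-ins (`Indicator`, `CreateRequest`) with the same JSON field names as the body above instead of the SDK's `models` types, and the domain, TTL and timestamps are constructed sample values.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Indicator mirrors the JSON body from the issue. It is a stand-in for the SDK's
// models.APIIndicatorCreateReqV1, defined here so the example runs with only the standard library.
type Indicator struct {
	Type            string    `json:"type"`
	Value           string    `json:"value"`
	AppliedGlobally bool      `json:"applied_globally"`
	Platforms       []string  `json:"platforms"`
	Action          string    `json:"action"`
	Tags            []string  `json:"tags,omitempty"`
	Source          string    `json:"source,omitempty"`
	Severity        string    `json:"severity,omitempty"`
	Description     string    `json:"description,omitempty"`
	Expiration      time.Time `json:"expiration"` // zero value is NOT omitted: it is sent as year 0001
}

// CreateRequest is the top-level request body (stand-in for models.APIIndicatorCreateReqsV1).
type CreateRequest struct {
	Comment    string      `json:"comment,omitempty"`
	Indicators []Indicator `json:"indicators"`
}

// ErrExpirationNotFuture reproduces the server-side rejection locally.
var ErrExpirationNotFuture = errors.New("expiration needs to be in the future")

// ZeroExpirationJSON shows what an unset expiration looks like on the wire:
// a zero time.Time marshals to "0001-01-01T00:00:00Z", which is never "in the future".
func ZeroExpirationJSON() string {
	b, _ := json.Marshal(struct {
		Expiration time.Time `json:"expiration"`
	}{})
	return string(b)
}

// ValidateExpiration performs the same check the API applies, so a bad value fails
// fast in the client instead of surfacing as an opaque 400.
func ValidateExpiration(exp, now time.Time) error {
	if exp.IsZero() || !exp.After(now) {
		return ErrExpirationNotFuture
	}
	return nil
}

// ParseExpiration turns an operator-supplied timestamp into a UTC instant.
// An RFC 3339 string carries its own offset and is unambiguous on any host.
// A bare "2006-01-02 15:04" string has no zone, so it is interpreted in loc;
// passing time.Local here is what makes a laptop and a server disagree.
func ParseExpiration(s string, loc *time.Location) (time.Time, error) {
	if t, err := time.Parse(time.RFC3339, s); err == nil {
		return t.UTC(), nil
	}
	t, err := time.ParseInLocation("2006-01-02 15:04", s, loc)
	if err != nil {
		return time.Time{}, err
	}
	return t.UTC(), nil
}

// NewDomainIndicator builds a domain IOC like the one in the issue with an explicit
// expiration computed from a TTL, always in UTC and truncated to whole seconds.
func NewDomainIndicator(domain string, ttl time.Duration, now time.Time) Indicator {
	return Indicator{
		Type:            "domain",
		Value:           domain,
		AppliedGlobally: true,
		Platforms:       []string{"windows", "mac", "linux"},
		Action:          "no_action",
		Severity:        "informational",
		Description:     fmt.Sprintf("Indicator Created by something for domain %s", domain),
		Expiration:      now.UTC().Add(ttl).Truncate(time.Second),
	}
}

// EncodeRequest serialises the request body; inspect this before sending when debugging a 400.
func EncodeRequest(req CreateRequest) (string, error) {
	b, err := json.Marshal(req)
	return string(b), err
}

func main() {
	now := time.Now()
	ind := NewDomainIndicator("somedomain.com", 24*time.Hour, now) // constructed sample
	if err := ValidateExpiration(ind.Expiration, now); err != nil {
		fmt.Println("refusing to send:", err)
		return
	}
	body, _ := EncodeRequest(CreateRequest{Comment: "Indicator Created by something", Indicators: []Indicator{ind}})
	fmt.Println(body)
	fmt.Println("an unset expiration would have been sent as", ZeroExpirationJSON())
}
```

Running `ValidateExpiration` on the body before calling the SDK turns the opaque `One or more indicators have a warning or invalid input` response into a local, descriptive error, and feeding every timestamp through `ParseExpiration` (or computing it from a TTL as `NewDomainIndicator` does) removes the dependence on the host's TZ setting that bit the AWS deployment.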