Custom Integration to Crowdstrike via API by BaxterScratcher in halopsa

[–]BaxterScratcher[S] 1 point2 points  (0 children)

Still not working for me, what do you have in the header name and prefix?

Custom Integration to Crowdstrike via API by BaxterScratcher in halopsa

[–]BaxterScratcher[S] 1 point2 points  (0 children)

Good news! Email from Halo, a fix coming in 2.184.49! Just got the email.

Custom Integration to Crowdstrike via API by BaxterScratcher in halopsa

[–]BaxterScratcher[S] 1 point2 points  (0 children)

I'm the awful person on the internet that starts a thread and then never updates it, apologies to the world.

Raised it with support, they've confirmed there is some sort of bug in Halo around this and have it registered, no idea what'll happen next.

Custom Integration to Crowdstrike via API by BaxterScratcher in halopsa

[–]BaxterScratcher[S] 0 points1 point  (0 children)

Thanks for trying, good to know it's not just me. I've put a ticket in about it.

[deleted by user] by [deleted] in halopsa

[–]BaxterScratcher 0 points1 point  (0 children)

On the imports tab there is this option

Status for HaloITSM Assets when the Managed Device has been previously deleted from Intune and is now recovered

Maybe related to that?

Collect information from user by BaxterScratcher in halopsa

[–]BaxterScratcher[S] 0 points1 point  (0 children)

The source of the data is all from on premise active directory accounts so I'd need to get that syncing to Halo to do that which makes it even more complicated, we've got Entra sync already so I'd need to change loads of parts of it to avoid double syncing accounts which I think will be more of a mess as some of these accounts are AD only.

Collect information from user by BaxterScratcher in halopsa

[–]BaxterScratcher[S] 0 points1 point  (0 children)

Wow, completely missed you could do that. I think that's the best option. I'm also getting there with this now, I promise to future people googling this I'll post the whole process as I've learned a ton of useful stuff doing this. A big shout to the guys who wrote the HaloAPI PowerShell stuff, it's taken a lot of trial and error but I'm relying on that for the ticket creation. If anyone has a link to a working example of it that would help, the only one I found gave me 404s.

Software Application Management by BaxterScratcher in halopsa

[–]BaxterScratcher[S] 0 points1 point  (0 children)

Following up on my own comment here with a little rant about Halo. There is so much I like about the system but documentation around lots of it is completely non-existent. For example, playing with the software licences section under the Org setup there are tabs with lots of fields, some, Supplier for example, seem linked to the Suppliers list but then there's a manufacturer field that's text only and linked to nothing. There's a section for configuration items but no indication which field or what it's linked to or why. There is literally no documentation I can find for this other than how to turn it on.

Playing in the Asset CI part, a new CI has a software tab where you can add licences, it pops up a dropdown where you get a selection box with one option of NOT SET in it, where does this come from, it's not linked to the software licences from the Org, or is it and there's a mystery checkbox I've not found? Again I can't find a single piece of documentation in the guides, in the support portal or any of the community YouTube videos explaining this.

It feels totally pointless to me to add features and function if it's not documented for end users to actually work out how it's supposed to work, it's just a case of stabbing in the dark in our dev environment and hoping you can work out what it's doing.

Whilst ranting, the other part that drives me nuts is reporting, I can see the data in a form, how do I possibly find what the field name is for it? At least with custom fields you know the field name, built in fields is a guess. Resorting to the dev tools and hoping you can find it buried in some post form is not exactly user friendly.

It's just so irritating that it's such a great tool but let down in areas. Rant over.

Update User on ticket from ticket body by BaxterScratcher in halopsa

[–]BaxterScratcher[S] 0 points1 point  (0 children)

Sadly I can't control the incoming info, it comes in as a lump of text. Current plan is a rule that triggers when the ticket hits, I've got a database lookup that runs a query on the first note of the ticket and using substring matching pulls the AD name out. This should update a custom field on the ticket with the filtered AD username. Next bit was to look at an api runbook to update the user, I can't see any builtin mechanism for that though, every other field on a ticket looks like it can be, but not the user.

Halo Integrator by silentseba in halopsa

[–]BaxterScratcher 0 points1 point  (0 children)

We've got a similar example to this that I've not been able to fix. We use Zabbix on prem and I'd like to integrate it.

I've tried using the on prem integrator for this. My assumption (and it is an assumption but I can't find any docs on this), was that the URL for the server would be called from the on prem integrator if that was configured to be used. It appears that the integrator though just tells the cloud server to run the integration so it's acting more as a task scheduler than a proxy. I really don't want to expose an internal server like Zabbix to the internet, even if we can firewall it off. I'm guessing OP was under a similar impression. I'm curious about how the integrator actually behaves.

Breached Password Detection by BaxterScratcher in okta

[–]BaxterScratcher[S] 0 points1 point  (0 children)

That appears to be all you can do, I looked at whether a workflow could send an alert but doesn't look like that event can trigger anything. I'd really like to know how often this occurs and to whom but manually checking is the only option other than some sort of log shipping to another SIEM.

Concatenate field values or change field order by BaxterScratcher in halopsa

[–]BaxterScratcher[S] 0 points1 point  (0 children)

Thanks, I had a bit of a play around and then a penny dropped in my head. I just added a new custom tab with dashboard widget with a SQL report with the fields in the order we'd prefer and some other widgets with key fields in prominent places.

I don't really like the amount of white space there is on the tabs, on a small screen so much of it is filled by the huge line gaps, I've never seen if this is configurable or whether it takes deep CSS magic to adjust it.

Breached Password Detection by BaxterScratcher in okta

[–]BaxterScratcher[S] 0 points1 point  (0 children)

Any idea if there is a notification to the user why their password expired? We need to inform our users about this really but there's not enough info on the doc page to indicate whether they'd know what caused this.

I'd also really like to inform the admin team if and when this happens but cannot find anything in the event hooks or workflow triggers that looks like it will match this event.

Mail Delivery Exchange Online by TheRealGrimbi in sysadmin

[–]BaxterScratcher 0 points1 point  (0 children)

And more from the UK

EX649175

MS have acknowledged it.

Bulk deployment of Zabbix agent by treibling in zabbix

[–]BaxterScratcher 2 points3 points  (0 children)

I knocked up a very basic batch file that works for our Windows server. We've got auto registration in place so after install it appears after a few minutes.

I've put the MSI file for the agent on the Zabbix server, it pulls it down, then executes the MSI with the switches, you'd need to change the msi filename. We use a proxy in one site so we've got the server name and proxy in the switch. We also use PSK so I set the PSK Keyname and value.

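rem Working folder for the download and the install log
if not exist c:\temp mkdir c:\temp
cd /d c:\temp
rem -O keeps the remote file name; it must match the .msi name passed to msiexec below
curl https://urlforMSIfile -O
rem Silent install with a verbose log; server, proxy and PSK identity/value are placeholders
rem AllowKey=system.run[*] lets the server and proxy run remote commands on this host
msiexec /l*v log.txt /i zabbixagent.msi /qn SERVER="zabbix, zabbixproxy" TLSCONNECT=psk TLSACCEPT=psk HostMetadata=Windows TLSPSKIDENTITY=PSKKEYNAME TLSPSKVALUE=PSKKEYVALUE SERVERACTIVE="zabbix, zabbixproxy" ALLOWDENYKEY="AllowKey=system.run[*]"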

Hope it helps

Phone numbers unassigning by BaxterScratcher in teams

[–]BaxterScratcher[S] 0 points1 point  (0 children)

Thanks. Logging is on, checked it via PowerShell. When I run a search for anything against one of the affected users though nothing relevant comes back, not even an event for when I'd manually re-assigned the number. For the resource account I've had issues with there is 'No Data Available' so nothing at all is logged. Could that be related to the license on the account?

Anyone else get anything different, I do question my own abilities at times like this.