falconpy: [ BUG ] Returning empty Body ("body": {"message": "No content returned", "resources": []})
I am using the below code to pull the information, it was working fine yesterday but it is not returning any content in json’s body.
Can you please help?
```python
import json
import os
from argparse import ArgumentParser, RawTextHelpFormatter
from falconpy import ReportExecutions


def consume_arguments():
    """Consume our required command line arguments."""
    parser = ArgumentParser(description=__doc__, formatter_class=RawTextHelpFormatter)
    required = parser.add_argument_group("required_arguments")
    required.add_argument("-k", "--falcon_client_id",
                          help="CrowdStrike API Client ID",
                          required=True
                          )
    required.add_argument("-s", "--falcon_client_secret",
                          help="CrowdStrike API Client Secret",
                          required=True
                          )
    required.add_argument("-r", "--report", help="ID of the report to retrieve", required=True)

    return parser.parse_args()


def retrieve_report_executions(sdk: ReportExecutions, rptid: str):
    """Retrieve the list of execution IDs that match this report ID."""
    print(f"🔍 Searching for executions of {rptid}")
    execution_id_lookup = sdk.reports_executions_query(filter=f"scheduled_report_id:'{rptid}'")
    if not execution_id_lookup["status_code"] == 200:
        raise SystemExit("⛔ Unable to retrieve report executions from "
                         "the CrowdStrike API, check API key permissions."
                         )

    # Give the SDK back so we can feed our results to the next method easily
    return sdk, execution_id_lookup["body"]["resources"]


def get_report_execution_runs(sdk: ReportExecutions, id_list: list):
    """Retrieve the list of execution runs for each execution ID."""
    print(f"✅ Found {len(id_list)} executions of this report available.")
    # Retrieve the status of these IDs
    exec_status_lookup = sdk.report_executions_get(id_list)
    if not exec_status_lookup["status_code"] == 200:
        raise SystemExit("⛔ Unable to retrieve execution statuses from the CrowdStrike API.")
    print(f"⚠️ This execution has run {len(exec_status_lookup['body']['resources'])} times.")

    # Give the SDK back as well so we can easily feed it to our next method call
    return sdk, exec_status_lookup["body"]["resources"]


def process_executions(sdk: ReportExecutions, run_list: list):
    """Process the results of the executions, this solution only handles completed runs."""
    saved = 0
    for exec_status in run_list:
        status = exec_status["status"]
        exec_id = exec_status["id"]
        rpt_id = exec_status["scheduled_report_id"]
        if status.upper() == "DONE":
            report_detail = sdk.get_download(exec_id)
            if report_detail:
                if isinstance(report_detail, dict):
                    # A dict result is written out as JSON
                    try:
                        with open(f"{rpt_id}_{exec_id}.rpt", "w", encoding="utf-8") as json_output:
                            json.dump(report_detail, json_output)
                        saved += 1
                        print(f"📥 {exec_id} successfully saved to {rpt_id}_{exec_id}.rpt")
                    except json.JSONDecodeError:
                        print(f"❗ Unable to decode results of report run {exec_id} for ")
                else:
                    # Anything else is written out as raw bytes (CSV)
                    with open(f"{rpt_id}_{exec_id}.rpt", "wb") as csv_output:
                        csv_output.write(report_detail)
                    saved += 1
            else:
                print(f"⛔ Unable to retrieve report for execution {exec_id} of {rpt_id}.")
        else:
            print(f"⏩ Skipping {exec_id} as not yet finished.")

    # Return back the number of successful saves
    return saved


if __name__ == "__main__":
    # Consume any provided command line arguments
    cmdline = consume_arguments()
    # Create an instance of the ReportExecutions Service Class
    # Note: the client ID is read from the CLIENT_ID environment variable here,
    # not from the -k argument; the secret comes from the command line.
    falcon = ReportExecutions(client_id=os.getenv("CLIENT_ID"),
                              client_secret=cmdline.falcon_client_secret
                              )
    # Retrieve our report executions, and process them, saving any that
    # have completed successfully to individual files (JSON format).
    # Let's be fancy and leverage list expansion to provide arguments from
    # one method to the subsequent one. It's like inception for Python. ♜
    SUCCESSFUL = process_executions(
        *get_report_execution_runs(*retrieve_report_executions(falcon, cmdline.report))
    )
    # Inform the user of the result
    print(f"🏁 Retrieval complete, {SUCCESSFUL} report results were downloaded.")
```
About this issue
- Original URL
- State: closed
- Created 10 months ago
- Comments: 29 (10 by maintainers)
Commits related to this issue
- Handle list response on report_executions_download_get. Closes #1033. — committed to CrowdStrike/falconpy by jshcodes 10 months ago
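
An added example, not part of the issue or of FalconPy: the script in the report saves any dict it gets back, so a response envelope such as the "No content returned" body from the title would be written to disk and counted as a downloaded report. The code below separates envelopes from report content (dict, list or bytes) before anything is saved. The function names, the constructed samples and the rule that a dict carrying both `status_code` and `body` is an envelope are assumptions.

```python
import json

# Constructed samples in the two envelope shapes quoted in this issue
# (the 200 status on the first one is an assumption; the title omits it).
NO_CONTENT = {"status_code": 200, "headers": {},
              "body": {"message": "No content returned", "resources": []}}
DECODE_500 = {"status_code": 500, "headers": {}, "body": {"errors": [
    {"message": "'ascii' codec can't decode byte 0xc2", "code": 500}], "resources": []}}

def classify_download(result):
    """Return (kind, payload) where kind is 'json', 'raw' or 'error'."""
    # Assumption: a dict holding both keys is an SDK response envelope,
    # not report content, so it is never written out as a report.
    if isinstance(result, dict) and {"status_code", "body"} <= result.keys():
        status, body = result["status_code"], result["body"]
        meta = body if isinstance(body, dict) else {}
        errors = [str(e.get("message", "")) for e in meta.get("errors") or []
                  if isinstance(e, dict)]
        if status >= 400 or errors:
            return "error", "; ".join(errors) or f"HTTP {status}"
        if "message" in meta and not meta.get("resources"):
            return "error", meta["message"]
        return ("json", body) if body else ("error", "empty body")
    if isinstance(result, (dict, list)):
        return ("json", result) if result else ("error", "empty result")
    if isinstance(result, (bytes, bytearray)) and result:
        try:
            # UTF-8, not ASCII: 0xc2 is a UTF-8 lead byte the ASCII codec rejects
            parsed = json.loads(bytes(result).decode("utf-8"))
        except ValueError:  # covers UnicodeDecodeError and JSONDecodeError
            parsed = None
        if isinstance(parsed, (dict, list)):
            return "json", parsed
        return "raw", bytes(result)
    return "error", f"no usable content ({type(result).__name__})"

def save_download(result, path):
    """Write report content to path; return None on success, else the reason."""
    kind, payload = classify_download(result)
    if kind == "error":
        return payload
    if kind == "json":
        with open(path, "w", encoding="utf-8") as handle:
            json.dump(payload, handle, ensure_ascii=False)
    else:
        with open(path, "wb") as handle:
            handle.write(payload)
    return None
```

Checking the returned reason before incrementing a saved counter keeps error envelopes out of the download total and surfaces the API message instead.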
If it is configured to CSV, it is working but not with JSON. CSV is good for me. Thank you
Once report size is 1KB and payload is
```json
{"status_code": 500, "headers": {}, "body": {"errors": [{"message": "'ascii' codec can't decode byte 0xc2 in position 1508426: ordinal not in range(128)", "code": 500}], "resources": []}}
```
Installed patches --> last ran successfully was 31st of July
Vulnerabilities --> last ran successfully was 30th of August
Installed patches and Vulnerabilities aren’t working
Scheduled Report --> Host…payload still works.
I enabled debug logging and tested at least 15 times and it worked each time, so whatever problem it was seems to be better now. No issues with rate limits or anything. 🤷 .
To correct an error in my original reply, I was already on 1.3.0 but mistakenly saw 1.2.12 in requirements.txt. I just switched to using pyproject.toml recently and had ^1.2.12 set. If it happens again, I’ll post logs here if needed.
Version 1.2.12
From: Joshua Hiller @.> Sent: 31 August 2023 16:23 To: CrowdStrike/falconpy @.> Cc: Kish26 @.>; Mention @.> Subject: Re: [CrowdStrike/falconpy] [ BUG ] Returning empty Body (“body”: {“message”: “No content returned”, “resources”: []}) (Issue #1033)
What command do I need to run to find a version please? Thanks -Siva
If you’ve installed FalconPy for all users you should be able to see it with pip show requests (or pip3 show requests). If you’re in a virtual environment, it would be something like pipenv graph.
You can also ask FalconPy by checking the value of the _VERSION constant.
```python
from falconpy import _VERSION
print(_VERSION)
```