[ENH] Add Functionality for Unmanaged/Unsupported Assets to be updated via Discover #1303

@peppers-joseph

In the current state (1.4.6 and 1.4.7), External Assets and Unmanaged Assets appear to fall under Hosts but are largely hidden from being easily accessed.

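You can get to them using Discover.query_hosts; for example:

```python
import os
from falconpy import Discover

# Get Unmanaged Assets that are not reviewed
query = (
    "entity_type:'unmanaged'"
    "+triage.status:!'reviewed'"
)
# API credentials are read from the environment rather than hard-coded
discover = Discover(client_id=os.environ["FALCON_CLIENT_ID"],
                    client_secret=os.environ["FALCON_CLIENT_SECRET"])
discover.query_hosts(filter=query, limit=100, offset=0)
```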

However, since these are not under External Assets, marking them as reviewed can't be done with https://www.falconpy.io/Service-Collections/Exposure-Management.html#patch_external_assets, as it will return "ID is not found".

If you go into the UI and manually mark them as reviewed, it will fire off a PATCH request to api2/discover/entities/hosts/v1 containing the same triage details that are needed for external assets.

Two potential proposals to toss out:

  1. Modify the external assets patch to parse unmanaged asset IDs; though looking at the internals, this may cause other downstream errors because, if I followed the code correctly, the unmanaged assets are segmented so that if an agent is installed they can migrate/fall under Managed Assets.
  2. Add an Update/Patch to the Discover API. This seems to be doable, but I know quite a bit appears under Discover, so I can understand hesitance. Maybe there is a way to limit the patch/post to something like patch_unmanaged_asset to better ensure it isn't allowing a PATCH attempt for all items that Discover can return?

    Labels

    Discover, Exposure Management
