CrowdStrike Falcon 2.0.1
  • 22 May 2022

tags: Python | EDR | Automation | Enrichment


Description

Integration with CrowdStrike Falcon EDR supports CDC users by providing enrichment consisting of host, user, hash, IP, and vulnerability details. This enables CDC users to make informed decisions on incident response.

Falcon is a CrowdStrike platform purpose-built to stop breaches via a unified set of cloud-delivered technologies that prevent all types of attacks — including malware and much more.

CyberProof uses customized adaptive cards to display host, user, hash, IP, and vulnerabilities-related information in a meaningful intuitive GUI. This helps facilitate easy understanding of the data received from CrowdStrike Falcon.

We provide CLI commands to enrich basic host, user, hash, IP, and vulnerability information available in CrowdStrike Falcon. For more complex queries and prevention actions, we make use of the query framework.

Integration Type: Enrichment
Information read: Host, user, IP, vulnerability information
API Supported: API V1, V2
Input: Host ID / Host Name / IP / Hash for enrichment
Output: Detailed enrichment consisting of host/user/IP/hash/vulnerability information and detections that lead to the creation of alerts and observables in the CDC.
Classification: Public

CDC Command Lines

  • get_host_details_by_ioc_cli
    CLI of the CDC to get host details related to a custom IOC. The value can be of type md5, sha256, ipv4, or ipv6.

    Option    Type    Description                                    Required
    value     string  The string representation of the indicator.    True

  • get_host_details_by_ip_cli
    CLI of the CDC to retrieve the host details connected to a local IP.

    Option    Type    Description                                              Required
    local_ip  string  Local IP used to filter host details from CrowdStrike    True
                      Falcon.

  • get_vulnerabilities_detail_cli
    CLI of the CDC to retrieve vulnerability details related to a host.

    Option     Type    Description                                               Required
    host_name  string  Host name for which vulnerability details are fetched     True
                       from CrowdStrike Falcon.

  • get_detection_detail_cli
    CLI of the CDC to get detection details of a given detection ID.

    Option        Type    Description                              Required
    detection_id  string  Detection ID from CrowdStrike Falcon.    True

  • get_host_detail_cli
    CLI of the CDC to get details on a host, by providing the host ID.

    Option   Type    Description                         Required
    host_id  string  Host ID from CrowdStrike Falcon.    True

  • get_process_id_detail_cli
    CLI of the CDC to get process details for a given process ID (PID).

    Option      Type    Description                            Required
    process_id  string  Process ID from CrowdStrike Falcon.    True
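As an added example (not part of the CDC integration's own code), the helper below validates an indicator before it is handed to get_host_details_by_ioc_cli, returning which of the four accepted types (md5, sha256, ipv4, ipv6) it is and rejecting anything else, so a malformed or unsupported value (for example a SHA-1) is caught locally instead of producing an empty or failed enrichment. The function names and the returned argument dictionary are assumptions for illustration.

```python
import ipaddress
import re
from typing import Optional

# Indicator types accepted by get_host_details_by_ioc_cli, as listed on the page.
SUPPORTED_TYPES = ("md5", "sha256", "ipv4", "ipv6")
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def classify_ioc(value: str) -> Optional[str]:
    """Return 'md5', 'sha256', 'ipv4' or 'ipv6' for a supported indicator,
    or None when the value is not one of the types the CLI accepts."""
    v = value.strip()
    if HEX_RE.match(v):
        # Hash length decides the type; 40 hex chars (SHA-1) is deliberately unsupported.
        if len(v) == 32:
            return "md5"
        if len(v) == 64:
            return "sha256"
        return None
    try:
        ip = ipaddress.ip_address(v)
    except ValueError:
        return None
    return "ipv4" if ip.version == 4 else "ipv6"


def build_ioc_query(value: str) -> dict:
    """Build the argument set for get_host_details_by_ioc_cli (hypothetical shape),
    raising ValueError instead of sending an unsupported indicator."""
    kind = classify_ioc(value)
    if kind is None:
        raise ValueError(
            f"unsupported indicator {value!r}; expected one of {', '.join(SUPPORTED_TYPES)}"
        )
    # Hashes are normalised to lower case so lookups are case-insensitive.
    cleaned = value.strip().lower() if kind in ("md5", "sha256") else value.strip()
    return {"command": "get_host_details_by_ioc_cli", "value": cleaned, "type": kind}


if __name__ == "__main__":
    # Constructed sample inputs: the empty-file MD5, an IPv4 and an IPv6 address.
    for sample in ("d41d8cd98f00b204e9800998ecf8427e", "10.0.0.5", "2001:db8::1"):
        print(build_ioc_query(sample))
```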

Workflows

  • automate_alert_closing
    Closes crowd_strike_falcon alerts.

  • get_vulnerabilities
    Get vulnerabilities workflow.

  • host_details_by_ioc
    Host details by IOC workflow.

  • inject_csf_alert_to_cdc
    Converting a CrowdStrike Falcon detection into a CDC alert.

  • investigate_host_by_ip
    Get host details by IP workflow.

  • post_get_host_details_by_ioc
    Post get-host-details-by-ioc in the CDC, by the ID of the incident/message/channel.

  • post_get_host_details_by_ip
    Post get-host-details-by-ip in the CDC, by the ID of the incident/message/channel.

  • post_get_vulnerabilities_detail
    Post get-vulnerabilities-detail in the CDC, by the ID of the incident/message/channel.

  • post_get_detection_detail
    Post get-detection-detail in the CDC, by the ID of the incident/message/channel.

  • post_get_host_detail
    Post get-host-detail in the CDC, by the ID of the incident/message/channel.

  • post_get_process_id_detail
    Post get-process-id-detail in the CDC, by the ID of the incident/message/channel.


Rules

  • close_cdc_alert_in_crowd_strike_falcon
    Closes alerts in crowd_strike_falcon.

  • cdc_new_alert_from_crowdstrike_falcon
    Triggers the workflow that injects a new alert into the CDC when a new alert is created in CrowdStrike Falcon.


Sensors

  • CrowdStrikeFalconSensor
    Sensor to pull reported detections from CrowdStrike Falcon.

Poll interval - 30s


Triggers

No triggers


Known Issues

No known issues
