CrowdStrike Falcon 2.2.0
- Updated on 20 Jul 2022
tags: Python | EDR | Automation | Enrichment
Description
The CrowdStrike Falcon EDR integration supports CDC users by providing enrichment consisting of host, user, hash, IP, and vulnerability details, which enables CDC users to make informed incident-response decisions.
Falcon is a CrowdStrike platform purpose-built to stop breaches via a unified set of cloud-delivered technologies that prevent all types of attacks — including malware and much more.
CyberProof uses customized adaptive cards to display host, user, hash, IP, and vulnerability-related information in a meaningful, intuitive GUI. This makes the data received from CrowdStrike Falcon easy to understand.
We provide CLI commands to enrich basic host, user, hash, IP, and vulnerability-related information available in CrowdStrike Falcon. For more complex queries and prevention actions, we use the query framework.
Property | Value |
---|---|
Integration Type | EPP/EDR |
Information read | Host, User, IP, Vulnerability information |
API Supported | API V1, V2 |
Input | Host ID / Host Name / IP / Hash for enrichment |
Output | Detailed enrichment consisting of host/user/IP/hash/vulnerability information and detections, which lead to the creation of alerts and observables in the CDC. |
Customer Configuration
No customer configuration
CDC Command Lines
* **get_vulnerabilities_detail_cli**
The CLI of the CDC to retrieve vulnerability details related to a host.
Option | Type | Description | Required |
---|---|---|---|
host_name | string | Name of the host whose vulnerability details are retrieved from CrowdStrike Falcon. | True |
* **get_host_details_by_ioc_cli**
The CLI of the CDC to get host details related to a custom IOC. Note that value can either be of type md5, sha256, ipv4, or ipv6.
Option | Type | Description | Required |
---|---|---|---|
value | string | The string representation of the indicator. | True |
* **get_detection_detail_cli**
The CLI of the CDC to get detection details of a given detection ID.
Option | Type | Description | Required |
---|---|---|---|
detection_id | string | Detection ID from CrowdStrike Falcon. | True |
* **get_process_id_detail_cli**
The CLI of the CDC to get process details for a given process ID (PID).
Option | Type | Description | Required |
---|---|---|---|
process_id | string | Process ID from CrowdStrike Falcon. | True |
* **get_host_detail_cli**
The CLI of the CDC to get details on a host, by providing the host ID.
Option | Type | Description | Required |
---|---|---|---|
host_id | string | Host ID from CrowdStrike Falcon. | True |
* **get_host_details_by_ip_cli**
The CLI of the CDC to retrieve the host details connected to a local IP.
Option | Type | Description | Required |
---|---|---|---|
local_ip | string | Local IP address used to filter host details from CrowdStrike Falcon. | True |
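As an added example (not CyberProof's or CrowdStrike's code), the following Python helper validates the required option of each CLI listed above before it is handed to the CDC, and classifies the `value` of get_host_details_by_ioc_cli as md5, sha256, ipv4 or ipv6 as the note requires; the function names and the argument dictionary shape are assumptions.

```python
"""Input validation for the CDC CLI options (hypothetical helper, not part of the integration)."""
import ipaddress
import re

# Hex-digest patterns for the hash types that get_host_details_by_ioc_cli accepts.
_HEX = {
    "md5": re.compile(r"^[0-9a-fA-F]{32}$"),
    "sha256": re.compile(r"^[0-9a-fA-F]{64}$"),
}


def classify_ioc(value: str) -> str:
    """Return 'md5', 'sha256', 'ipv4' or 'ipv6' for a supported indicator; raise ValueError otherwise."""
    value = value.strip()
    for name, pattern in _HEX.items():
        if pattern.match(value):
            return name
    try:
        return "ipv%d" % ipaddress.ip_address(value).version
    except ValueError:
        # SHA-1, domains, URLs etc. are not supported by this CLI and must be rejected early.
        raise ValueError("unsupported indicator type (md5, sha256, ipv4 or ipv6 expected): %r" % value)


def validate_cli_args(command: str, args: dict) -> dict:
    """Check the single required option of a CDC CLI and return the normalised arguments."""
    required = {
        "get_vulnerabilities_detail_cli": "host_name",
        "get_host_details_by_ioc_cli": "value",
        "get_detection_detail_cli": "detection_id",
        "get_process_id_detail_cli": "process_id",
        "get_host_detail_cli": "host_id",
        "get_host_details_by_ip_cli": "local_ip",
    }
    if command not in required:
        raise ValueError("unknown CDC command: %r" % command)
    option = required[command]
    raw = args.get(option)
    if not isinstance(raw, str) or not raw.strip():
        raise ValueError("%s requires option %r" % (command, option))
    value = raw.strip()
    out = {option: value}
    if option == "value":
        out["ioc_type"] = classify_ioc(value)
    elif option == "local_ip":
        # Normalise the address (e.g. IPv6 zero compression) so filters match consistently.
        out["local_ip"] = str(ipaddress.ip_address(value))
    return out
```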
Workflows
* **post_get_host_details_by_ip**
Post get-host-details-by-ip in the CDC, by the ID of the incident/message/channel.
* **post_get_host_detail**
Post get-host-detail in the CDC, by the ID of the incident/message/channel.
* **post_get_vulnerabilities_detail**
Post get-vulnerabilities-detail in the CDC, by the ID of the incident/message/channel.
* **host_details_by_ioc**
Host details by IOC workflow.
* **post_get_host_details_by_ioc**
Post get-host-details-by-ioc in the CDC, by the ID of the incident/message/channel.
* **investigate_host_by_ip**
Get host details by IP workflow.
* **post_get_process_id_detail**
Post get-process-id-detail in the CDC, by the ID of the incident/message/channel.
* **inject_csf_alert_to_cdc**
Converts a CrowdStrike Falcon detection into a CDC alert.
* **get_vulnerabilities**
Get vulnerabilities workflow.
* **automate_alert_closing**
Closing crowd_strike_falcon alerts.
* **post_get_detection_detail**
Post get-detection-detail in the CDC, by the ID of the incident/message/channel.
Rules
* **cdc_new_alert_from_crowdstrike_falcon**
Triggers the inject-new-alert-to-the-CDC workflow when a new alert is created in CrowdStrike Falcon.
* **close_cdc_alert_in_crowd_strike_falcon**
Close alerts in crowd_strike_falcon.
Sensors
* **CrowdStrikeFalconSensor**
Sensor to pull reported detections from CrowdStrike Falcon.
Poll interval - 30s
Triggers
No triggers
Known Issues
No known issues