CrowdStrike Falcon 2.2.2

CrowdStrike Falcon - 2.2.2

tags: Python | EDR | Automation | Enrichment

Table of Contents

• Description
• Customer Configuration
• CDC Command Lines
• Workflows
• Rules
• Sensors
• Triggers
• Known Issues

Description

Integration with CrowdStrike Falcon EDR supports CDC users by providing enrichment consisting of host, user, hash, IP, and vulnerability details. This enables CDC users to make informed decisions on incident response.

Falcon is a CrowdStrike platform purpose-built to stop breaches via a unified set of cloud-delivered technologies that prevent all types of attacks — including malware and much more.

CyberProof uses customized adaptive cards to display host, user, hash, IP, and vulnerabilities-related information in a meaningful intuitive GUI. This helps facilitate easy understanding of the data received from CrowdStrike Falcon.

We provide CLI commands to enrich basic host information, user information, hash, IP, and vulnerabilities-related information available on CrowdStrike Falcon. For more complex queries and prevent actions, we make use of the query framework.

Customer Configuration

No Customer Configuration

CDC Command Lines

* **get_host_details_by_ioc_cli**
CLI of the CDC to get host details related to a custom IOC. Important point to note : value can either be of type md5, sha256, ipv4 or ipv6.

* **get_host_details_by_ip_cli**
CLI of the CDC to retrieve the host details connected to a local IP.

* **get_vulnerabilities_detail_cli**
CLI of the CDC to retrieve vulnerability details related to a host.

* **get_detection_detail_cli**
CLI of the CDC to get detection details of a given detection ID.

* **get_host_detail_cli**
CLI of the CDC to get details on a host, by providing the host ID.

* **get_process_id_detail_cli**
CLI of the CDC to get process details for a given process ID (PID).

Workflows

* **automate_alert_closing**
closing crowd_strike_falcon alerts

* **get_vulnerabilities**
Get vulnerabilites workflow

* **host_details_by_ioc**
Host details by ioc workflow

* **inject_csf_alert_to_cdc**
converting CrowdStrike Falcon detection into CDC alert

* **investigate_host_by_ip**
Get host details by ip workflow

* **post_get_host_details_by_ioc**
Post get-host-details-by-ioc in the CDC, by the ID of the incident/message/channel.

* **post_get_host_details_by_ip**
Post get-host-details-by-ip in the CDC, by the ID of the incident/message/channel.

* **post_get_vulnerabilities_detail**
Post get-vulnerabilities-detail in the CDC, by the ID of the incident/message/channel.

* **post_get_detection_detail**
Post get-detection-detail in CDC by ID of incident/message/chanel.

* **post_get_host_detail**
Post get-host-detail in CDC by ID of incident/message/chanel.

* **post_get_process_id_detail**
Post get-process-id-detail in CDC by ID of incident/message/chanel.

Rules

* **close_cdc_alert_in_crowd_strike_falcon**
Close Alerts in crowd_strike_falcon

* **cdc_new_alert_from_crowdstrike_falcon**
Triggering inject new alert to CDC workflow when a new alert is created in Crowd Strike

Sensors

* **CrowdStrikeFalconSensor**
Sensor to pull reported detections from CrowdStrike Falcon

Poll interval - 30s

Triggers

No triggers

Known Issues

No issues