CrowdStrike Falcon 3.0.0
- 22 Dec 2022
- 2 Minutes to read
- DarkLight
- PDF
CrowdStrike Falcon 3.0.0
- Updated on 22 Dec 2022
- 2 Minutes to read
- DarkLight
- PDF
Article summary
Did you find this summary helpful?
Thank you for your feedback
tags: Python | EDR | Automation | Enrichment
Description
Integration with CrowdStrike Falcon EDR supports CDC users by providing enrichment consisting of host, user, hash, IP, and vulnerability details. This enables CDC users to make informed decisions on incident response.
Falcon is a CrowdStrike platform purpose-built to stop breaches via a unified set of cloud-delivered technologies that prevent all types of attacks — including malware and much more.
CyberProof uses customized adaptive cards to display host, user, hash, IP, and vulnerabilities-related information in a meaningful intuitive GUI. This helps facilitate easy understanding of the data received from CrowdStrike Falcon.
We provide CLI commands to enrich basic host information, user information, hash, IP, and vulnerabilities-related information available on CrowdStrike Falcon. For more complex queries and prevent actions, we make use of the query framework.
| Integration Type: | EPP/ EDR |
| Information read: | Host, User, IP, Vulnerability information |
| API Supported: | API V1, V2 |
| Input: | Host ID/ Host Name/ IP/ Hash for enrichment |
| Output: | Detailed enrichment consisting of host/user/IP/Hash/ Vulnerability information and detections, which lead to the creation of alerts and observable in the CDC. |
Customer Configuration
No Customer Configuration
CDC Command Lines
* **get_detection_detail_cli**
The CLI of the CDC to get detection details of a given detection ID.
| Option | Type | Description | Required |
|---|---|---|---|
| detection_id | string | detection id from CrowdStrike Falcon | True |
* **get_host_details_by_ioc_cli**
The CLI of the CDC to get host details related to a custom IOC. Note that the value can either be of type md5, sha256, ipv4 or ipv6.
| Option | Type | Description | Required |
|---|---|---|---|
| value | string | The string representation of the indicator. | True |
* **get_host_details_by_ip_cli**
The CLI of the CDC to retrieve the host details connected to a local IP.
| Option | Type | Description | Required |
|---|---|---|---|
| local_ip | string | Parameters to filter host details from CrowdStrike Falcon. | True |
* **get_host_detail_cli**
The CLI of the CDC to get details on a host, by providing the host ID.
| Option | Type | Description | Required |
|---|---|---|---|
| host_id | string | host id from CrowdStrike Falcon | True |
* **get_process_id_detail_cli**
The CLI of the CDC to get process details for a given process ID (PID).
| Option | Type | Description | Required |
|---|---|---|---|
| process_id | string | Process ID from CrowdStrike Falcon. | True |
* **get_vulnerabilities_detail_cli**
The CLI of the CDC to retrieve vulnerability details related to a host.
| Option | Type | Description | Required |
|---|---|---|---|
| host_name | string | Parameters for vulnerability details from CrowdStrike Falcon. | True |
Workflows
* **automate_alert_closing**
Closing crowd_strike_falcon alerts.
* **get_vulnerabilities**
Get vulnerabilites workflow.
* **host_details_by_ioc**
Host details by IOC workflow.
* **inject_csf_alert_to_cdc**
Converting CrowdStrike Falcon detection into a CDC alert.
* **investigate_host_by_ip**
Get host details by IP workflow.
Rules
* **close_cdc_alert_in_crowd_strike_falcon**
Close alerts in crowd_strike_falcon.
* **cdc_new_alert_from_crowdstrike_falcon**
Triggering inject new alert to the CDC workflow when a new alert is created in CrowdStrike.
Sensors
* **CrowdStrikeFalconSensor**
Sensor to pull reported detections from CrowdStrike Falcon.
Poll interval - 30s
Triggers
No triggers
Known Issues
No known issues
Was this article helpful?