CrowdstrikeFalcon#
README
CrowdStrike Falcon Analyzers#
This documentation covers the setup and usage of CrowdStrike Falcon analyzers for retrieving device information, vulnerabilities and alerts linked to a given hostname observable, as well as performing file analysis using the CrowdStrike Falcon Sandbox.
Pre-requisites#
To use these analyzers, you must have the following configured in your CrowdStrike Falcon tenant:
- CrowdStrike Falcon Setup:
- Log in to your CrowdStrike Falcon tenant.
- Navigate to Support and resources > Resources and tools > API clients and keys.
- Create an API Client with the required permissions:
- Hosts: Read (for
getDeviceDetailsandgetDeviceVulnerabilities). - Vulnerabilities: Read (for
getDeviceVulnerabilities). - Alerts: Read (for
getDeviceAlerts). - Sandbox (Falcon Intelligence): Read, Write (for
Falcon Sandbox).
- Hosts: Read (for
Analyzers Overview#
1. getDeviceDetails Analyzer#
- Description: Retrieves and displays detailed device information based on a given hostname observable.
- Permissions Required:
Hosts: Read
Available Configuration#
Short Report#
Displays basic details such as: - Vendor - OS version - Agent status - Last user logged in
Long Report#
Provides detailed information about the device.
2. getDeviceVulnerabilities Analyzer#
- Description: Retrieves and displays vulnerabilities linked to a hostname observable.
- Permissions Required:
Hosts: Read,Vulnerabilities: Read
Available Configuration#
Short Report#
Displays the number of vulnerabilities linked to the hostname.
Long Report#
Provides a detailed list of vulnerabilities with contextual information.
3. getDeviceAlerts Analyzer#
- Description: Retrieves and displays alerts linked to a hostname observable for the past X days.
- Permissions Required:
Alerts: Read
Available Configuration#
Short Report#
Displays the number of alerts linked to the hostname.
Long Report#
Provides a detailed list of alerts with contextual information.
4. Falcon Sandbox Analyzer#
- Description: Sends a file observable to the CrowdStrike Falcon Sandbox for analysis. Once the analysis is complete, the results are displayed in a report.
- Permissions Required:
Sandbox (Falcon Intelligence): Read, Write
Available Configuration#
-
List of analyzers:
-
Configuration interface:
Short Report#
Displays whether the analyzed file is considered: - Safe (green) - Suspicious (orange) - Malicious (red)
Long Report#
Provides a detailed analysis of the file.
Resources#
For more information on the relevant CrowdStrike Falcon APIs, refer to the following resources: - CrowdStrike Falcon Hosts API - CrowdStrike Falcon Vulnerabilities API - CrowdStrike Falcon Alerts API - CrowdStrike Falcon Sample Uploads API - CrowdStrike Falcon Sandbox API
CrowdstrikeFalcon_Sandbox_Win7#
Author: Fabien Bloume, StrangeBee
License: AGPL-V3
Version: 1.0
Supported observables types:
- file
Registration required: True
Subscription required: True
Free subscription: False
Third party service: https://www.crowdstrike.com
Description#
Send a file to CrowdstrikeFalcon Sandbox
Configuration#
| client_id | Crowdstrike client ID key |
|---|---|
| Default value if not configured | __ |
| Type of the configuration item | string |
| The configuration item can contain multiple values | False |
| Is required | True |
| client_secret | Crowdstrike client secret key |
|---|---|
| Default value if not configured | __ |
| Type of the configuration item | string |
| The configuration item can contain multiple values | False |
| Is required | True |
| base_url | Crowdstrike base URL. Also supports US-1, US-2, EU-1, US-GOV-1 values |
|---|---|
| Default value if not configured | https://api.crowdstrike.com |
| Type of the configuration item | string |
| The configuration item can contain multiple values | False |
| Is required | True |
| network_settings | Specifies the sandbox network_settings used for analysis : default, tor, simulated, offline |
|---|---|
| Default value if not configured | default |
| Type of the configuration item | string |
| The configuration item can contain multiple values | False |
| Is required | True |
| action_script | Runtime script for sandbox analysis : default, default_randomtheme, default_maxantievasion, default_openie, default_randomfiles |
|---|---|
| Default value if not configured | default |
| Type of the configuration item | string |
| The configuration item can contain multiple values | False |
| Is required | True |
Templates samples for TheHive#
CrowdstrikeFalcon_Sandbox_Win7_64#
Author: Fabien Bloume, StrangeBee
License: AGPL-V3
Version: 1.0
Supported observables types:
- file
Registration required: True
Subscription required: True
Free subscription: False
Third party service: https://www.crowdstrike.com
Description#
Send a file to CrowdstrikeFalcon Sandbox
Configuration#
| client_id | Crowdstrike client ID key |
|---|---|
| Default value if not configured | __ |
| Type of the configuration item | string |
| The configuration item can contain multiple values | False |
| Is required | True |
| client_secret | Crowdstrike client secret key |
|---|---|
| Default value if not configured | __ |
| Type of the configuration item | string |
| The configuration item can contain multiple values | False |
| Is required | True |
| base_url | Crowdstrike base URL. Also supports US-1, US-2, EU-1, US-GOV-1 values |
|---|---|
| Default value if not configured | https://api.crowdstrike.com |
| Type of the configuration item | string |
| The configuration item can contain multiple values | False |
| Is required | True |
| network_settings | Specifies the sandbox network_settings used for analysis : default, tor, simulated, offline |
|---|---|
| Default value if not configured | default |
| Type of the configuration item | string |
| The configuration item can contain multiple values | False |
| Is required | True |
| action_script | Runtime script for sandbox analysis : default, default_randomtheme, default_maxantievasion, default_openie, default_randomfiles |
|---|---|
| Default value if not configured | default |
| Type of the configuration item | string |
| The configuration item can contain multiple values | False |
| Is required | True |
Templates samples for TheHive#
CrowdstrikeFalcon_getDeviceAlerts#
Author: Fabien Bloume, StrangeBee
License: AGPL-V3
Version: 1.0
Supported observables types:
- hostname
Registration required: True
Subscription required: True
Free subscription: False
Third party service: https://www.crowdstrike.com
Description#
Get Device alerts from Crowdstrike Falcon
Configuration#
| client_id | Crowdstrike client ID key |
|---|---|
| Default value if not configured | __ |
| Type of the configuration item | string |
| The configuration item can contain multiple values | False |
| Is required | True |
| client_secret | Crowdstrike client secret key |
|---|---|
| Default value if not configured | __ |
| Type of the configuration item | string |
| The configuration item can contain multiple values | False |
| Is required | True |
| base_url | Crowdstrike base URL. Also supports US-1, US-2, EU-1, US-GOV-1 values |
|---|---|
| Default value if not configured | https://api.crowdstrike.com |
| Type of the configuration item | string |
| The configuration item can contain multiple values | False |
| Is required | True |
| alert_fields | Fields to return for each invidividual alerts |
|---|---|
| Default value if not configured | ['timestamp', 'description', 'status', 'user_name', 'severity', 'severity_name', 'scenario', 'filename', 'filepath', 'confidence', 'cmdline'] |
| Type of the configuration item | string |
| The configuration item can contain multiple values | True |
| Is required | True |
| days_before | Only query alerts from the past X days. |
|---|---|
| Default value if not configured | 30 |
| Type of the configuration item | number |
| The configuration item can contain multiple values | False |
| Is required | True |
Templates samples for TheHive#
CrowdstrikeFalcon_Sandbox_Android#
Author: Fabien Bloume, StrangeBee
License: AGPL-V3
Version: 1.0
Supported observables types:
- file
Registration required: True
Subscription required: True
Free subscription: False
Third party service: https://www.crowdstrike.com
Description#
Send a file to CrowdstrikeFalcon Sandbox
Configuration#
| client_id | Crowdstrike client ID key |
|---|---|
| Default value if not configured | __ |
| Type of the configuration item | string |
| The configuration item can contain multiple values | False |
| Is required | True |
| client_secret | Crowdstrike client secret key |
|---|---|
| Default value if not configured | __ |
| Type of the configuration item | string |
| The configuration item can contain multiple values | False |
| Is required | True |
| base_url | Crowdstrike base URL. Also supports US-1, US-2, EU-1, US-GOV-1 values |
|---|---|
| Default value if not configured | https://api.crowdstrike.com |
| Type of the configuration item | string |
| The configuration item can contain multiple values | False |
| Is required | True |
| network_settings | Specifies the sandbox network_settings used for analysis : default, tor, simulated, offline |
|---|---|
| Default value if not configured | default |
| Type of the configuration item | string |
| The configuration item can contain multiple values | False |
| Is required | True |
| action_script | Runtime script for sandbox analysis : default, default_randomtheme, default_maxantievasion, default_openie, default_randomfiles |
|---|---|
| Default value if not configured | default |
| Type of the configuration item | string |
| The configuration item can contain multiple values | False |
| Is required | True |
Templates samples for TheHive#
CrowdstrikeFalcon_Sandbox_MacOS#
Author: Fabien Bloume, StrangeBee
License: AGPL-V3
Version: 1.0
Supported observables types:
- file
Registration required: True
Subscription required: True
Free subscription: False
Third party service: https://www.crowdstrike.com
Description#
Send a file to CrowdstrikeFalcon Sandbox
Configuration#
| client_id | Crowdstrike client ID key |
|---|---|
| Default value if not configured | __ |
| Type of the configuration item | string |
| The configuration item can contain multiple values | False |
| Is required | True |
| client_secret | Crowdstrike client secret key |
|---|---|
| Default value if not configured | __ |
| Type of the configuration item | string |
| The configuration item can contain multiple values | False |
| Is required | True |
| base_url | Crowdstrike base URL. Also supports US-1, US-2, EU-1, US-GOV-1 values |
|---|---|
| Default value if not configured | https://api.crowdstrike.com |
| Type of the configuration item | string |
| The configuration item can contain multiple values | False |
| Is required | True |
| network_settings | Specifies the sandbox network_settings used for analysis : default, tor, simulated, offline |
|---|---|
| Default value if not configured | default |
| Type of the configuration item | string |
| The configuration item can contain multiple values | False |
| Is required | True |
| action_script | Runtime script for sandbox analysis : default, default_randomtheme, default_maxantievasion, default_openie, default_randomfiles |
|---|---|
| Default value if not configured | default |
| Type of the configuration item | string |
| The configuration item can contain multiple values | False |
| Is required | True |
Templates samples for TheHive#
CrowdstrikeFalcon_Sandbox_Win11#
Author: Fabien Bloume, StrangeBee
License: AGPL-V3
Version: 1.0
Supported observables types:
- file
Registration required: True
Subscription required: True
Free subscription: False
Third party service: https://www.crowdstrike.com
Description#
Send a file to CrowdstrikeFalcon Sandbox
Configuration#
| client_id | Crowdstrike client ID key |
|---|---|
| Default value if not configured | __ |
| Type of the configuration item | string |
| The configuration item can contain multiple values | False |
| Is required | True |
| client_secret | Crowdstrike client secret key |
|---|---|
| Default value if not configured | __ |
| Type of the configuration item | string |
| The configuration item can contain multiple values | False |
| Is required | True |
| base_url | Crowdstrike base URL. Also supports US-1, US-2, EU-1, US-GOV-1 values |
|---|---|
| Default value if not configured | https://api.crowdstrike.com |
| Type of the configuration item | string |
| The configuration item can contain multiple values | False |
| Is required | True |
| network_settings | Specifies the sandbox network_settings used for analysis : default, tor, simulated, offline |
|---|---|
| Default value if not configured | default |
| Type of the configuration item | string |
| The configuration item can contain multiple values | False |
| Is required | True |
| action_script | Runtime script for sandbox analysis : default, default_randomtheme, default_maxantievasion, default_openie, default_randomfiles |
|---|---|
| Default value if not configured | default |
| Type of the configuration item | string |
| The configuration item can contain multiple values | False |
| Is required | True |
Templates samples for TheHive#
CrowdstrikeFalcon_GetDeviceVulnerabilities#
Author: Fabien Bloume, StrangeBee
License: AGPL-V3
Version: 1.0
Supported observables types:
- hostname
Registration required: True
Subscription required: True
Free subscription: False
Third party service: https://www.crowdstrike.com
Description#
Get device vulnerabilities from hostname
Configuration#
| client_id | Crowdstrike client ID key |
|---|---|
| Default value if not configured | __ |
| Type of the configuration item | string |
| The configuration item can contain multiple values | False |
| Is required | True |
| client_secret | Crowdstrike client secret key |
|---|---|
| Default value if not configured | __ |
| Type of the configuration item | string |
| The configuration item can contain multiple values | False |
| Is required | True |
| base_url | Crowdstrike base URL. Also supports US-1, US-2, EU-1, US-GOV-1 values |
|---|---|
| Default value if not configured | https://api.crowdstrike.com |
| Type of the configuration item | string |
| The configuration item can contain multiple values | False |
| Is required | True |
| vuln_fields | Specific field values to keep in resulting payload for vulnerabilities |
|---|---|
| Default value if not configured | ['vulnerability_id', 'status', 'created_timestamp', 'updated_timestamp', 'apps.product_name_version', 'confidence', 'cve', 'host_info.asset_criticality', 'host_info.internet_exposure', 'remediation.entities.action'] |
| Type of the configuration item | string |
| The configuration item can contain multiple values | True |
| Is required | True |
Templates samples for TheHive#
CrowdstrikeFalcon_ThreatIntel#
Author: Fabien Bloume, StrangeBee
License: AGPL-V3
Version: 1.0
Supported observables types:
- hash
- domain
- ip
- url
Registration required: True
Subscription required: True
Free subscription: False
Third party service: https://www.crowdstrike.com
Description#
Query threat intelligence indicators from Crowdstrike Falcon Intelligence
Configuration#
| client_id | Crowdstrike client ID key |
|---|---|
| Default value if not configured | __ |
| Type of the configuration item | string |
| The configuration item can contain multiple values | False |
| Is required | True |
| client_secret | Crowdstrike client secret key |
|---|---|
| Default value if not configured | __ |
| Type of the configuration item | string |
| The configuration item can contain multiple values | False |
| Is required | True |
| base_url | Crowdstrike base URL. Also supports US-1, US-2, EU-1, US-GOV-1 values |
|---|---|
| Default value if not configured | https://api.crowdstrike.com |
| Type of the configuration item | string |
| The configuration item can contain multiple values | False |
| Is required | True |
| include_deleted | Include both published and deleted indicators in the response |
|---|---|
| Default value if not configured | False |
| Type of the configuration item | boolean |
| The configuration item can contain multiple values | False |
| Is required | False |
| limit | Maximum number of indicators to return (Max: 5000) |
|---|---|
| Default value if not configured | 100 |
| Type of the configuration item | number |
| The configuration item can contain multiple values | False |
| Is required | False |
Templates samples for TheHive#
CrowdstrikeFalcon_Sandbox_Win10#
Author: Fabien Bloume, StrangeBee
License: AGPL-V3
Version: 1.0
Supported observables types:
- file
Registration required: True
Subscription required: True
Free subscription: False
Third party service: https://www.crowdstrike.com
Description#
Send a file to CrowdstrikeFalcon Sandbox
Configuration#
| client_id | Crowdstrike client ID key |
|---|---|
| Default value if not configured | __ |
| Type of the configuration item | string |
| The configuration item can contain multiple values | False |
| Is required | True |
| client_secret | Crowdstrike client secret key |
|---|---|
| Default value if not configured | __ |
| Type of the configuration item | string |
| The configuration item can contain multiple values | False |
| Is required | True |
| base_url | Crowdstrike base URL. Also supports US-1, US-2, EU-1, US-GOV-1 values |
|---|---|
| Default value if not configured | https://api.crowdstrike.com |
| Type of the configuration item | string |
| The configuration item can contain multiple values | False |
| Is required | True |
| network_settings | Specifies the sandbox network_settings used for analysis : default, tor, simulated, offline |
|---|---|
| Default value if not configured | default |
| Type of the configuration item | string |
| The configuration item can contain multiple values | False |
| Is required | True |
| action_script | Runtime script for sandbox analysis : default, default_randomtheme, default_maxantievasion, default_openie, default_randomfiles |
|---|---|
| Default value if not configured | default |
| Type of the configuration item | string |
| The configuration item can contain multiple values | False |
| Is required | True |
Templates samples for TheHive#
CrowdstrikeFalcon_getDeviceDetails#
Author: Fabien Bloume, StrangeBee
License: AGPL-V3
Version: 1.0
Supported observables types:
- hostname
Registration required: True
Subscription required: True
Free subscription: False
Third party service: https://www.crowdstrike.com
Description#
Get device information from Crowdstrike Falcon
Configuration#
| client_id | Crowdstrike client ID key |
|---|---|
| Default value if not configured | __ |
| Type of the configuration item | string |
| The configuration item can contain multiple values | False |
| Is required | True |
| client_secret | Crowdstrike client secret key |
|---|---|
| Default value if not configured | __ |
| Type of the configuration item | string |
| The configuration item can contain multiple values | False |
| Is required | True |
| base_url | Crowdstrike base URL. Also supports US-1, US-2, EU-1, US-GOV-1 values |
|---|---|
| Default value if not configured | https://api.crowdstrike.com |
| Type of the configuration item | string |
| The configuration item can contain multiple values | False |
| Is required | True |
Templates samples for TheHive#
CrowdstrikeFalcon_Sandbox_Linux#
Author: Fabien Bloume, StrangeBee
License: AGPL-V3
Version: 1.0
Supported observables types:
- file
Registration required: True
Subscription required: True
Free subscription: False
Third party service: https://www.crowdstrike.com
Description#
Send a file to CrowdstrikeFalcon Sandbox
Configuration#
| client_id | Crowdstrike client ID key |
|---|---|
| Default value if not configured | __ |
| Type of the configuration item | string |
| The configuration item can contain multiple values | False |
| Is required | True |
| client_secret | Crowdstrike client secret key |
|---|---|
| Default value if not configured | __ |
| Type of the configuration item | string |
| The configuration item can contain multiple values | False |
| Is required | True |
| base_url | Crowdstrike base URL. Also supports US-1, US-2, EU-1, US-GOV-1 values |
|---|---|
| Default value if not configured | https://api.crowdstrike.com |
| Type of the configuration item | string |
| The configuration item can contain multiple values | False |
| Is required | True |
| network_settings | Specifies the sandbox network_settings used for analysis : default, tor, simulated, offline |
|---|---|
| Default value if not configured | default |
| Type of the configuration item | string |
| The configuration item can contain multiple values | False |
| Is required | True |
| action_script | Runtime script for sandbox analysis : default, default_randomtheme, default_maxantievasion, default_openie, default_randomfiles |
|---|---|
| Default value if not configured | default |
| Type of the configuration item | string |
| The configuration item can contain multiple values | False |
| Is required | True |
Templates samples for TheHive#
