CrowdstrikeFalcon

README

CrowdStrike Falcon Analyzers

This documentation covers the setup and usage of CrowdStrike Falcon analyzers for retrieving device information, vulnerabilities and alerts linked to a given hostname observable, as well as performing file analysis using the CrowdStrike Falcon Sandbox.

---

Pre-requisites

To use these analyzers, you must have the following configured in your CrowdStrike Falcon tenant:

1. CrowdStrike Falcon Setup:
2. Log in to your CrowdStrike Falcon tenant.
3. Navigate to Support and resources > Resources and tools > API clients and keys.
4. Create an API Client with the required permissions:
   • Hosts: Read (for getDeviceDetails and getDeviceVulnerabilities).
   • Vulnerabilities: Read (for getDeviceVulnerabilities).
   • Alerts: Read (for getDeviceAlerts).
   • Sandbox (Falcon Intelligence): Read, Write (for Falcon Sandbox).

---

Analyzers Overview

1. getDeviceDetails Analyzer

• Description: Retrieves and displays detailed device information based on a given hostname observable.
• Permissions Required: Hosts: Read

Available Configuration

Short Report

Displays basic details such as: - Vendor - OS version - Agent status - Last user logged in

Long Report

Provides detailed information about the device.

---

2. getDeviceVulnerabilities Analyzer

• Description: Retrieves and displays vulnerabilities linked to a hostname observable.
• Permissions Required: Hosts: Read, Vulnerabilities: Read

Available Configuration

Short Report

Displays the number of vulnerabilities linked to the hostname.

Long Report

Provides a detailed list of vulnerabilities with contextual information.

---

3. getDeviceAlerts Analyzer

• Description: Retrieves and displays alerts linked to a hostname observable for the past X days.
• Permissions Required: Alerts: Read

Available Configuration

Short Report

Displays the number of alerts linked to the hostname.

Long Report

Provides a detailed list of alerts with contextual information.

---

4. Falcon Sandbox Analyzer

• Description: Sends a file observable to the CrowdStrike Falcon Sandbox for analysis. Once the analysis is complete, the results are displayed in a report.
• Permissions Required: Sandbox (Falcon Intelligence): Read, Write

Available Configuration

• List of analyzers:
  

• Configuration interface:
  

Short Report

Displays whether the analyzed file is considered: - Safe (green) - Suspicious (orange) - Malicious (red)

Long Report

Provides a detailed analysis of the file.

---

Resources

For more information on the relevant CrowdStrike Falcon APIs, refer to the following resources: - CrowdStrike Falcon Hosts API - CrowdStrike Falcon Vulnerabilities API - CrowdStrike Falcon Alerts API - CrowdStrike Falcon Sample Uploads API - CrowdStrike Falcon Sandbox API

CrowdstrikeFalcon_Sandbox_Win7

Author: Fabien Bloume, StrangeBee
License: AGPL-V3
Version: 1.0
Supported observables types:
- file
Registration required: True
Subscription required: True
Free subscription: False
Third party service: https://www.crowdstrike.com

Description

Send a file to CrowdstrikeFalcon Sandbox

Configuration

client_id	Crowdstrike client ID key
Default value if not configured	__
Type of the configuration item	string
The configuration item can contain multiple values	False
Is required	True

client_secret	Crowdstrike client secret key
Default value if not configured	__
Type of the configuration item	string
The configuration item can contain multiple values	False
Is required	True

base_url	Crowdstrike base URL. Also supports US-1, US-2, EU-1, US-GOV-1 values
Default value if not configured	https://api.crowdstrike.com
Type of the configuration item	string
The configuration item can contain multiple values	False
Is required	True

network_settings	Specifies the sandbox network_settings used for analysis : default, tor, simulated, offline
Default value if not configured	default
Type of the configuration item	string
The configuration item can contain multiple values	False
Is required	True

action_script	Runtime script for sandbox analysis : default, default_randomtheme, default_maxantievasion, default_openie, default_randomfiles
Default value if not configured	default
Type of the configuration item	string
The configuration item can contain multiple values	False
Is required	True

Templates samples for TheHive

CrowdstrikeFalcon_Sandbox_Win7_64

Author: Fabien Bloume, StrangeBee
License: AGPL-V3
Version: 1.0
Supported observables types:
- file
Registration required: True
Subscription required: True
Free subscription: False
Third party service: https://www.crowdstrike.com

Description

Send a file to CrowdstrikeFalcon Sandbox

Configuration

client_id	Crowdstrike client ID key
Default value if not configured	__
Type of the configuration item	string
The configuration item can contain multiple values	False
Is required	True

client_secret	Crowdstrike client secret key
Default value if not configured	__
Type of the configuration item	string
The configuration item can contain multiple values	False
Is required	True

base_url	Crowdstrike base URL. Also supports US-1, US-2, EU-1, US-GOV-1 values
Default value if not configured	https://api.crowdstrike.com
Type of the configuration item	string
The configuration item can contain multiple values	False
Is required	True

network_settings	Specifies the sandbox network_settings used for analysis : default, tor, simulated, offline
Default value if not configured	default
Type of the configuration item	string
The configuration item can contain multiple values	False
Is required	True

action_script	Runtime script for sandbox analysis : default, default_randomtheme, default_maxantievasion, default_openie, default_randomfiles
Default value if not configured	default
Type of the configuration item	string
The configuration item can contain multiple values	False
Is required	True

Templates samples for TheHive

CrowdstrikeFalcon_getDeviceAlerts

Author: Fabien Bloume, StrangeBee
License: AGPL-V3
Version: 1.0
Supported observables types:
- hostname
Registration required: True
Subscription required: True
Free subscription: False
Third party service: https://www.crowdstrike.com

Description

Get Device alerts from Crowdstrike Falcon

Configuration

client_id	Crowdstrike client ID key
Default value if not configured	__
Type of the configuration item	string
The configuration item can contain multiple values	False
Is required	True

client_secret	Crowdstrike client secret key
Default value if not configured	__
Type of the configuration item	string
The configuration item can contain multiple values	False
Is required	True

base_url	Crowdstrike base URL. Also supports US-1, US-2, EU-1, US-GOV-1 values
Default value if not configured	https://api.crowdstrike.com
Type of the configuration item	string
The configuration item can contain multiple values	False
Is required	True

alert_fields	Fields to return for each invidividual alerts
Default value if not configured	['timestamp', 'description', 'status', 'user_name', 'severity', 'severity_name', 'scenario', 'filename', 'filepath', 'confidence', 'cmdline']
Type of the configuration item	string
The configuration item can contain multiple values	True
Is required	True

days_before	Only query alerts from the past X days.
Default value if not configured	30
Type of the configuration item	number
The configuration item can contain multiple values	False
Is required	True

Templates samples for TheHive

CrowdstrikeFalcon_Sandbox_Android

Author: Fabien Bloume, StrangeBee
License: AGPL-V3
Version: 1.0
Supported observables types:
- file
Registration required: True
Subscription required: True
Free subscription: False
Third party service: https://www.crowdstrike.com

Description

Send a file to CrowdstrikeFalcon Sandbox

Configuration

client_id	Crowdstrike client ID key
Default value if not configured	__
Type of the configuration item	string
The configuration item can contain multiple values	False
Is required	True

client_secret	Crowdstrike client secret key
Default value if not configured	__
Type of the configuration item	string
The configuration item can contain multiple values	False
Is required	True

base_url	Crowdstrike base URL. Also supports US-1, US-2, EU-1, US-GOV-1 values
Default value if not configured	https://api.crowdstrike.com
Type of the configuration item	string
The configuration item can contain multiple values	False
Is required	True

network_settings	Specifies the sandbox network_settings used for analysis : default, tor, simulated, offline
Default value if not configured	default
Type of the configuration item	string
The configuration item can contain multiple values	False
Is required	True

action_script	Runtime script for sandbox analysis : default, default_randomtheme, default_maxantievasion, default_openie, default_randomfiles
Default value if not configured	default
Type of the configuration item	string
The configuration item can contain multiple values	False
Is required	True

Templates samples for TheHive

CrowdstrikeFalcon_Sandbox_MacOS

Author: Fabien Bloume, StrangeBee
License: AGPL-V3
Version: 1.0
Supported observables types:
- file
Registration required: True
Subscription required: True
Free subscription: False
Third party service: https://www.crowdstrike.com

Description

Send a file to CrowdstrikeFalcon Sandbox

Configuration

client_id	Crowdstrike client ID key
Default value if not configured	__
Type of the configuration item	string
The configuration item can contain multiple values	False
Is required	True

client_secret	Crowdstrike client secret key
Default value if not configured	__
Type of the configuration item	string
The configuration item can contain multiple values	False
Is required	True

base_url	Crowdstrike base URL. Also supports US-1, US-2, EU-1, US-GOV-1 values
Default value if not configured	https://api.crowdstrike.com
Type of the configuration item	string
The configuration item can contain multiple values	False
Is required	True

network_settings	Specifies the sandbox network_settings used for analysis : default, tor, simulated, offline
Default value if not configured	default
Type of the configuration item	string
The configuration item can contain multiple values	False
Is required	True

action_script	Runtime script for sandbox analysis : default, default_randomtheme, default_maxantievasion, default_openie, default_randomfiles
Default value if not configured	default
Type of the configuration item	string
The configuration item can contain multiple values	False
Is required	True

Templates samples for TheHive

CrowdstrikeFalcon_Sandbox_Win11

Author: Fabien Bloume, StrangeBee
License: AGPL-V3
Version: 1.0
Supported observables types:
- file
Registration required: True
Subscription required: True
Free subscription: False
Third party service: https://www.crowdstrike.com

Description

Send a file to CrowdstrikeFalcon Sandbox

Configuration

client_id	Crowdstrike client ID key
Default value if not configured	__
Type of the configuration item	string
The configuration item can contain multiple values	False
Is required	True

client_secret	Crowdstrike client secret key
Default value if not configured	__
Type of the configuration item	string
The configuration item can contain multiple values	False
Is required	True

base_url	Crowdstrike base URL. Also supports US-1, US-2, EU-1, US-GOV-1 values
Default value if not configured	https://api.crowdstrike.com
Type of the configuration item	string
The configuration item can contain multiple values	False
Is required	True

network_settings	Specifies the sandbox network_settings used for analysis : default, tor, simulated, offline
Default value if not configured	default
Type of the configuration item	string
The configuration item can contain multiple values	False
Is required	True

action_script	Runtime script for sandbox analysis : default, default_randomtheme, default_maxantievasion, default_openie, default_randomfiles
Default value if not configured	default
Type of the configuration item	string
The configuration item can contain multiple values	False
Is required	True

Templates samples for TheHive

CrowdstrikeFalcon_GetDeviceVulnerabilities

Author: Fabien Bloume, StrangeBee
License: AGPL-V3
Version: 1.0
Supported observables types:
- hostname
Registration required: True
Subscription required: True
Free subscription: False
Third party service: https://www.crowdstrike.com

Description

Get device vulnerabilities from hostname

Configuration

client_id	Crowdstrike client ID key
Default value if not configured	__
Type of the configuration item	string
The configuration item can contain multiple values	False
Is required	True

client_secret	Crowdstrike client secret key
Default value if not configured	__
Type of the configuration item	string
The configuration item can contain multiple values	False
Is required	True

base_url	Crowdstrike base URL. Also supports US-1, US-2, EU-1, US-GOV-1 values
Default value if not configured	https://api.crowdstrike.com
Type of the configuration item	string
The configuration item can contain multiple values	False
Is required	True

vuln_fields	Specific field values to keep in resulting payload for vulnerabilities
Default value if not configured	['vulnerability_id', 'status', 'created_timestamp', 'updated_timestamp', 'apps.product_name_version', 'confidence', 'cve', 'host_info.asset_criticality', 'host_info.internet_exposure', 'remediation.entities.action']
Type of the configuration item	string
The configuration item can contain multiple values	True
Is required	True

Templates samples for TheHive

CrowdstrikeFalcon_Sandbox_Win10

Author: Fabien Bloume, StrangeBee
License: AGPL-V3
Version: 1.0
Supported observables types:
- file
Registration required: True
Subscription required: True
Free subscription: False
Third party service: https://www.crowdstrike.com

Description

Send a file to CrowdstrikeFalcon Sandbox

Configuration

client_id	Crowdstrike client ID key
Default value if not configured	__
Type of the configuration item	string
The configuration item can contain multiple values	False
Is required	True

client_secret	Crowdstrike client secret key
Default value if not configured	__
Type of the configuration item	string
The configuration item can contain multiple values	False
Is required	True

base_url	Crowdstrike base URL. Also supports US-1, US-2, EU-1, US-GOV-1 values
Default value if not configured	https://api.crowdstrike.com
Type of the configuration item	string
The configuration item can contain multiple values	False
Is required	True

network_settings	Specifies the sandbox network_settings used for analysis : default, tor, simulated, offline
Default value if not configured	default
Type of the configuration item	string
The configuration item can contain multiple values	False
Is required	True

action_script	Runtime script for sandbox analysis : default, default_randomtheme, default_maxantievasion, default_openie, default_randomfiles
Default value if not configured	default
Type of the configuration item	string
The configuration item can contain multiple values	False
Is required	True

Templates samples for TheHive

CrowdstrikeFalcon_getDeviceDetails

Author: Fabien Bloume, StrangeBee
License: AGPL-V3
Version: 1.0
Supported observables types:
- hostname
Registration required: True
Subscription required: True
Free subscription: False
Third party service: https://www.crowdstrike.com

Description

Get device information from Crowdstrike Falcon

Configuration

client_id	Crowdstrike client ID key
Default value if not configured	__
Type of the configuration item	string
The configuration item can contain multiple values	False
Is required	True

client_secret	Crowdstrike client secret key
Default value if not configured	__
Type of the configuration item	string
The configuration item can contain multiple values	False
Is required	True

base_url	Crowdstrike base URL. Also supports US-1, US-2, EU-1, US-GOV-1 values
Default value if not configured	https://api.crowdstrike.com
Type of the configuration item	string
The configuration item can contain multiple values	False
Is required	True

Templates samples for TheHive

CrowdstrikeFalcon_Sandbox_Linux

Author: Fabien Bloume, StrangeBee
License: AGPL-V3
Version: 1.0
Supported observables types:
- file
Registration required: True
Subscription required: True
Free subscription: False
Third party service: https://www.crowdstrike.com

Description

Send a file to CrowdstrikeFalcon Sandbox

Configuration

client_id	Crowdstrike client ID key
Default value if not configured	__
Type of the configuration item	string
The configuration item can contain multiple values	False
Is required	True

client_secret	Crowdstrike client secret key
Default value if not configured	__
Type of the configuration item	string
The configuration item can contain multiple values	False
Is required	True

base_url	Crowdstrike base URL. Also supports US-1, US-2, EU-1, US-GOV-1 values
Default value if not configured	https://api.crowdstrike.com
Type of the configuration item	string
The configuration item can contain multiple values	False
Is required	True

network_settings	Specifies the sandbox network_settings used for analysis : default, tor, simulated, offline
Default value if not configured	default
Type of the configuration item	string
The configuration item can contain multiple values	False
Is required	True

action_script	Runtime script for sandbox analysis : default, default_randomtheme, default_maxantievasion, default_openie, default_randomfiles
Default value if not configured	default
Type of the configuration item	string
The configuration item can contain multiple values	False
Is required	True

Templates samples for TheHive