Skip to content

CrowdstrikeFalcon#

README

CrowdStrike Falcon Responders#

This documentation covers the setup and usage of CrowdStrike Falcon responders for performing various actions on hosts, managing Indicators of Compromise (IoCs), and synchronizing alerts and incidents from TheHive to CrowdStrike Falcon.

Pre-requisites#

  1. CrowdStrike Falcon Setup:
  2. Log in to your CrowdStrike Falcon tenant.
  3. Navigate to Support and resources > Resources and tools > API clients and keys.

  4. Create an API Client with the required permissions based on the responder:

    • Hosts: Read, Write (for CrowdstrikeFalcon_Hosts).
    • IOC: Read, Write (for CrowdstrikeFalcon_IOC).
    • Alerts: Read, Write (for CrowdstrikeFalcon_Sync).
    • Incidents: Read, Write (for CrowdstrikeFalcon_Sync).

  5. TheHive Setup (for CrowdstrikeFalcon_Sync):

  6. Log in to TheHive.
  7. Navigate to Admin organization > Entities Management > Custom fields.
  8. Create the following custom fields:
    • csfalcon-alert-id (type: string) – to store CrowdStrike Falcon alert IDs.
    • csfalcon-incident-id (type: string) – to store CrowdStrike Falcon incident IDs.

Responders Overview#

1. CrowdstrikeFalcon_Hosts Responder#

  • Description: This responder provides multiple response actions on CrowdStrike Falcon hosts, including:
  • Contain host
  • Lift containment
  • Suppress detections
  • Unsuppress detections
  • Hide host
  • Unhide host
  • Permissions Required: Hosts: Read, Write

Available Responders#

Responders List - Hosts

Responder Configuration#

Configuration - Host Actions

Result#

Provides execution details for host actions, such as containment status or detection suppression results.

Responder Report - Hosts

2. CrowdstrikeFalcon_IOC Responder#

  • Description: This responder allows for the addition or removal of Indicators of Compromise (IoCs) in the CrowdStrike Falcon IoC Management section. Supported IoC types include:
  • Hashes:
    • sha256
    • md5
    • sha1
  • IP Addresses:
    • IPv4
    • IPv6
  • Domains:
    • Domains or URLs (automatically extracts the domain from URLs).
  • Permissions Required: IOC: Read, Write

Available Responders#

Responders List - IoC

Responder Configuration#

Configuration - Add IoC

Result#

Provides execution details for IoC management actions, such as successful addition or removal of IoCs.

Responder Report - IoC 1 Responder Report - IoC 2

3. CrowdstrikeFalcon_Sync Responder#

  • Description: This responder performs one-way status synchronization from TheHive to CrowdStrike Falcon. It supports execution on both alerts and cases in TheHive.
    The synchronization relies on custom fields in TheHive containing:
  • csfalcon-alert-id – for CrowdStrike Falcon Alert IDs.

  • csfalcon-incident-id – for CrowdStrike Falcon Incident IDs.

  • Permissions Required:

  • Alerts: Read, Write
  • Incidents: Read, Write

Responder Configuration#

Configuration - Sync

Result#

Provides synchronization success/failure from TheHive to CrowdStrike Falcon.

Responder Report - Sync

Resources#

For more information on the relevant CrowdStrike Falcon APIs, refer to the following resources: - CrowdStrike Falcon Hosts API - CrowdStrike Falcon IoC Management API - CrowdStrike Falcon Alerts API - CrowdStrike Falcon Incidents API

CrowdStrikeFalcon_unhideHost#

Author: Fabien Bloume, StrangeBee
License: AGPL-V3
Version: 1.0
Supported data types:
- thehive:case_artifact
Registration required: True
Subscription required: True
Free subscription: False
Third party service: https://www.crowdstrike.com

Description#

This action will restore a host. Detection reporting will resume after the host is restored

Configuration#

client_id Crowdstrike client ID key
Default value if not configured __
Type of the configuration item string
The configuration item can contain multiple values False
Is required True
client_secret Crowdstrike client secret key
Default value if not configured __
Type of the configuration item string
The configuration item can contain multiple values False
Is required True
base_url Crowdstrike base URL. Also supports US-1, US-2, EU-1, US-GOV-1 values
Default value if not configured https://api.crowdstrike.com
Type of the configuration item string
The configuration item can contain multiple values False
Is required True

CrowdStrikeFalcon_suppressDetections#

Author: Fabien Bloume, StrangeBee
License: AGPL-V3
Version: 1.0
Supported data types:
- thehive:case_artifact
Registration required: True
Subscription required: True
Free subscription: False
Third party service: https://www.crowdstrike.com

Description#

Supress detections for the host.

Configuration#

client_id Crowdstrike client ID key
Default value if not configured __
Type of the configuration item string
The configuration item can contain multiple values False
Is required True
client_secret Crowdstrike client secret key
Default value if not configured __
Type of the configuration item string
The configuration item can contain multiple values False
Is required True
base_url Crowdstrike base URL. Also supports US-1, US-2, EU-1, US-GOV-1 values
Default value if not configured https://api.crowdstrike.com
Type of the configuration item string
The configuration item can contain multiple values False
Is required True

CrowdStrikeFalcon_HostContainment#

Author: Fabien Bloume, StrangeBee
License: AGPL-V3
Version: 1.0
Supported data types:
- thehive:case_artifact
Registration required: True
Subscription required: True
Free subscription: False
Third party service: https://www.crowdstrike.com

Description#

This action contains the host, which stops any network communications to locations other than the CrowdStrike cloud and IPs specified in your containment policy

Configuration#

client_id Crowdstrike client ID key
Default value if not configured __
Type of the configuration item string
The configuration item can contain multiple values False
Is required True
client_secret Crowdstrike client secret key
Default value if not configured __
Type of the configuration item string
The configuration item can contain multiple values False
Is required True
base_url Crowdstrike base URL. Also supports US-1, US-2, EU-1, US-GOV-1 values
Default value if not configured https://api.crowdstrike.com
Type of the configuration item string
The configuration item can contain multiple values False
Is required True

CrowdStrikeFalcon_hideHost#

Author: Fabien Bloume, StrangeBee
License: AGPL-V3
Version: 1.0
Supported data types:
- thehive:case_artifact
Registration required: True
Subscription required: True
Free subscription: False
Third party service: https://www.crowdstrike.com

Description#

This action will delete a host. After the host is deleted, no new detections for that host will be reported via UI or APIs

Configuration#

client_id Crowdstrike client ID key
Default value if not configured __
Type of the configuration item string
The configuration item can contain multiple values False
Is required True
client_secret Crowdstrike client secret key
Default value if not configured __
Type of the configuration item string
The configuration item can contain multiple values False
Is required True
base_url Crowdstrike base URL. Also supports US-1, US-2, EU-1, US-GOV-1 values
Default value if not configured https://api.crowdstrike.com
Type of the configuration item string
The configuration item can contain multiple values False
Is required True

CrowdStrikeFalcon_LiftContainmentHost#

Author: Fabien Bloume, StrangeBee
License: AGPL-V3
Version: 1.0
Supported data types:
- thehive:case_artifact
Registration required: True
Subscription required: True
Free subscription: False
Third party service: https://www.crowdstrike.com

Description#

This action lifts containment on the host, which returns its network communications to normal

Configuration#

client_id Crowdstrike client ID key
Default value if not configured __
Type of the configuration item string
The configuration item can contain multiple values False
Is required True
client_secret Crowdstrike client secret key
Default value if not configured __
Type of the configuration item string
The configuration item can contain multiple values False
Is required True
base_url Crowdstrike base URL. Also supports US-1, US-2, EU-1, US-GOV-1 values
Default value if not configured https://api.crowdstrike.com
Type of the configuration item string
The configuration item can contain multiple values False
Is required True

CrowdStrikeFalcon_Sync#

Author: Fabien Bloume, StrangeBee
License: AGPL-V3
Version: 1.0
Supported data types:
- thehive:case
- thehive:alert
Registration required: True
Subscription required: True
Free subscription: False
Third party service: https://www.crowdstrike.com

Description#

Sync TheHive status back to CS Alerts or Incidents

Configuration#

client_id Crowdstrike client ID key
Default value if not configured __
Type of the configuration item string
The configuration item can contain multiple values False
Is required True
client_secret Crowdstrike client secret key
Default value if not configured __
Type of the configuration item string
The configuration item can contain multiple values False
Is required True
base_url Crowdstrike base URL. Also supports US-1, US-2, EU-1, US-GOV-1 values
Default value if not configured https://api.crowdstrike.com
Type of the configuration item string
The configuration item can contain multiple values False
Is required True
custom_field_name_alert_id Custom field in TheHive containing the CSFalcon Alert ID
Default value if not configured csfalcon-alert-id
Type of the configuration item string
The configuration item can contain multiple values False
Is required True
custom_field_name_incident_id Custom field in TheHive containing the CSFalcon Incident ID
Default value if not configured csfalcon-incident-id
Type of the configuration item string
The configuration item can contain multiple values False
Is required True

CrowdStrikeFalcon_AddIOC#

Author: Fabien Bloume, StrangeBee
License: AGPL-V3
Version: 1.0
Supported data types:
- thehive:case_artifact
Registration required: True
Subscription required: True
Free subscription: False
Third party service: https://www.crowdstrike.com

Description#

Add IOC to IoC Management on Crowdstrike - supports domain, url, IPs & different kind of hashes

Configuration#

client_id Crowdstrike client ID key
Default value if not configured __
Type of the configuration item string
The configuration item can contain multiple values False
Is required True
client_secret Crowdstrike client secret key
Default value if not configured __
Type of the configuration item string
The configuration item can contain multiple values False
Is required True
base_url Crowdstrike base URL. Also supports US-1, US-2, EU-1, US-GOV-1 values
Default value if not configured https://api.crowdstrike.com
Type of the configuration item string
The configuration item can contain multiple values False
Is required True
severity Severity linked to the IoC - informational, low, medium, high, critical
Default value if not configured informational
Type of the configuration item string
The configuration item can contain multiple values False
Is required True
action Action policy to do - no_action, detect, allow, prevent. Prevent & Allow only works with hashes. In case of other types, prevent will default to detect.
Default value if not configured prevent
Type of the configuration item string
The configuration item can contain multiple values False
Is required True
expiration_days Expiration date of the IoC -- None if not filled.
Default value if not configured 0
Type of the configuration item number
The configuration item can contain multiple values False
Is required False
platform_list List of Platforms
Default value if not configured ['windows', 'mac', 'linux']
Type of the configuration item string
The configuration item can contain multiple values True
Is required True
host_groups_list Applies Detection to all Hosts if left empty. Else, provide host group IDs
Default value if not configured ['all']
Type of the configuration item string
The configuration item can contain multiple values True
Is required False
retrodetect_flag Flag to indicate whether to submit retrodetects.
Default value if not configured False
Type of the configuration item boolean
The configuration item can contain multiple values False
Is required False
tags_list Tags added to IOC when TheHive pushes the IoC
Default value if not configured []
Type of the configuration item string
The configuration item can contain multiple values True
Is required False

CrowdStrikeFalcon_unsuppressDetections#

Author: Fabien Bloume, StrangeBee
License: AGPL-V3
Version: 1.0
Supported data types:
- thehive:case_artifact
Registration required: True
Subscription required: True
Free subscription: False
Third party service: https://www.crowdstrike.com

Description#

Allow detections for the host.

Configuration#

client_id Crowdstrike client ID key
Default value if not configured __
Type of the configuration item string
The configuration item can contain multiple values False
Is required True
client_secret Crowdstrike client secret key
Default value if not configured __
Type of the configuration item string
The configuration item can contain multiple values False
Is required True
base_url Crowdstrike base URL. Also supports US-1, US-2, EU-1, US-GOV-1 values
Default value if not configured https://api.crowdstrike.com
Type of the configuration item string
The configuration item can contain multiple values False
Is required True

CrowdStrikeFalcon_RemoveIOC#

Author: Fabien Bloume, StrangeBee
License: AGPL-V3
Version: 1.0
Supported data types:
- thehive:case_artifact
Registration required: True
Subscription required: True
Free subscription: False
Third party service: https://www.crowdstrike.com

Description#

remove IOC from IoC Management on Crowdstrike

Configuration#

client_id Crowdstrike client ID key
Default value if not configured __
Type of the configuration item string
The configuration item can contain multiple values False
Is required True
client_secret Crowdstrike client secret key
Default value if not configured __
Type of the configuration item string
The configuration item can contain multiple values False
Is required True
base_url Crowdstrike base URL. Also supports US-1, US-2, EU-1, US-GOV-1 values
Default value if not configured https://api.crowdstrike.com
Type of the configuration item string
The configuration item can contain multiple values False
Is required True