CrowdstrikeFalcon
README
CrowdStrike Falcon Responders
This documentation covers the setup and usage of CrowdStrike Falcon responders for performing various actions on hosts, managing Indicators of Compromise (IoCs), and synchronizing alerts and incidents from TheHive to CrowdStrike Falcon.
Pre-requisites
CrowdStrike Falcon Setup :
1. Log in to your CrowdStrike Falcon tenant.
2. Navigate to Support and resources > Resources and tools > API clients and keys.
3. Create an API Client with the required permissions based on the responder:
   - Hosts : Read, Write (for CrowdstrikeFalcon_Hosts).
   - IOC : Read, Write (for CrowdstrikeFalcon_IOC).
   - Alerts : Read, Write (for CrowdstrikeFalcon_Sync).
   - Incidents : Read, Write (for CrowdstrikeFalcon_Sync).
TheHive Setup (for CrowdstrikeFalcon_Sync) :
1. Log in to TheHive.
2. Navigate to Admin organization > Entities Management > Custom fields.
3. Create the following custom fields :
   - csfalcon-alert-id (type: string) – to store CrowdStrike Falcon alert IDs.
   - csfalcon-incident-id (type: string) – to store CrowdStrike Falcon incident IDs.
Responders Overview
1. CrowdstrikeFalcon_Hosts Responder
Description : This responder provides multiple response actions on CrowdStrike Falcon hosts, including:
- Contain host
- Lift containment
- Suppress detections
- Unsuppress detections
- Hide host
- Unhide host
Permissions Required : Hosts: Read, Write
Available Responders
Responder Configuration
Result
Provides execution details for host actions, such as containment status or detection suppression results.
2. CrowdstrikeFalcon_IOC Responder
Description : This responder allows for the addition or removal of Indicators of Compromise (IoCs) in the CrowdStrike Falcon IoC Management section. Supported IoC types include:
- Hashes
- IP Addresses
- Domains : domains or URLs (the domain is automatically extracted from URLs).
Permissions Required : IOC: Read, Write
Available Responders
Responder Configuration
Result
Provides execution details for IoC management actions, such as successful addition or removal of IoCs.
3. CrowdstrikeFalcon_Sync Responder
Responder Configuration
Result
Provides synchronization success/failure from TheHive to CrowdStrike Falcon.
Resources
For more information on the relevant CrowdStrike Falcon APIs, refer to the following resources:
- CrowdStrike Falcon Hosts API
- CrowdStrike Falcon IoC Management API
- CrowdStrike Falcon Alerts API
- CrowdStrike Falcon Incidents API
CrowdStrikeFalcon_unhideHost
Author : nusantara-self, StrangeBee
License : AGPL-V3
Version : 1.0
Supported data types :
- thehive:case_artifact
Registration required : True
Subscription required : True
Free subscription : False
Third party service : https://www.crowdstrike.com
Description
This action will restore a host. Detection reporting will resume after the host is restored.
Configuration
| Name | Description | Default value if not configured | Type | Multiple values | Required |
|---|---|---|---|---|---|
| client_id | Crowdstrike client ID key | __ | string | False | True |
| client_secret | Crowdstrike client secret key | __ | string | False | True |
| base_url | Crowdstrike base URL. Also supports US-1, US-2, EU-1, US-GOV-1 values | https://api.crowdstrike.com | string | False | True |
CrowdStrikeFalcon_AddIOC
Author : nusantara-self, StrangeBee
License : AGPL-V3
Version : 1.0
Supported data types :
- thehive:case_artifact
Registration required : True
Subscription required : True
Free subscription : False
Third party service : https://www.crowdstrike.com
Description
Add an IOC to IoC Management on Crowdstrike; supports domains, URLs, IPs and different kinds of hashes.
Configuration
| Name | Description | Default value if not configured | Type | Multiple values | Required |
|---|---|---|---|---|---|
| client_id | Crowdstrike client ID key | __ | string | False | True |
| client_secret | Crowdstrike client secret key | __ | string | False | True |
| base_url | Crowdstrike base URL. Also supports US-1, US-2, EU-1, US-GOV-1 values | https://api.crowdstrike.com | string | False | True |
| severity | Severity linked to the IoC - informational, low, medium, high, critical | informational | string | False | True |
| action | Action policy to do - no_action, detect, allow, prevent. Prevent & Allow only work with hashes. For other types, prevent will default to detect. | prevent | string | False | True |
| expiration_days | Expiration date of the IoC -- None if not filled. | 0 | number | False | False |
| platform_list | List of Platforms | ['windows', 'mac', 'linux'] | string | True | True |
| host_groups_list | Applies Detection to all Hosts if left empty. Else, provide host group IDs | ['all'] | string | True | False |
| retrodetect_flag | Flag to indicate whether to submit retrodetects. | False | boolean | False | False |
| tags_list | Tags added to IOC when TheHive pushes the IoC | [] | string | True | False |
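The IoC responder description in the Responders Overview and the CrowdStrikeFalcon_AddIOC configuration above state the normalisation rules the responder applies: the domain is extracted from URLs, several hash types are accepted, prevent and allow only apply to hashes (prevent falls back to detect for other types), expiration_days of 0 means no expiration, and host_groups_list of ['all'] applies the indicator globally. The Python below is an added example written for this page, not the responder's own code. It turns a TheHive observable plus the responder configuration into the request body for the Falcon IoC Management create call; the field names (type, value, action, severity, platforms, host_groups, applied_globally, expiration, tags, and the retrodetects query parameter) and the region-alias URLs are assumptions from the public Falcon API, not values from this page, and the observables are constructed samples. It goes slightly beyond the text by rejecting an allow policy on a non-hash instead of silently widening it.

```python
"""Build a Falcon IoC Management request from a TheHive observable.

Added example for this page, not the responder's own code. Request-body
field names and region-alias URLs are assumed from the public Falcon API.
"""
import ipaddress
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# Assumed mapping of the base_url aliases named on the page to API endpoints.
REGION_URLS = {
    "US-1": "https://api.crowdstrike.com",
    "US-2": "https://api.us-2.crowdstrike.com",
    "EU-1": "https://api.eu-1.crowdstrike.com",
    "US-GOV-1": "https://api.laggar.gcw.crowdstrike.com",
}
HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}  # hex length -> IoC type
HEX = set("0123456789abcdefABCDEF")


def resolve_base_url(value):
    """Accept either a full https URL or one of the region aliases."""
    if value.startswith("https://"):
        return value.rstrip("/")
    try:
        return REGION_URLS[value.upper()]
    except KeyError:
        raise ValueError(f"unknown base_url alias: {value!r}") from None


def classify_observable(data_type, data):
    """Map a TheHive observable (dataType, data) to a Falcon (type, value)."""
    data = data.strip()
    if data_type == "hash":
        if not data or set(data) - HEX:
            raise ValueError("hash contains non-hex characters")
        if len(data) not in HASH_TYPES:
            raise ValueError(f"unsupported hash length {len(data)}")
        return HASH_TYPES[len(data)], data.lower()
    if data_type == "ip":
        addr = ipaddress.ip_address(data)  # raises ValueError on junk
        return ("ipv4" if addr.version == 4 else "ipv6"), str(addr)
    if data_type in ("domain", "fqdn"):
        return "domain", data.lower().rstrip(".")
    if data_type == "url":
        # urlparse needs a scheme or "//" prefix to recognise the host part.
        host = urlparse(data if "://" in data else "//" + data).hostname
        if not host:
            raise ValueError(f"could not extract a host from {data!r}")
        return "domain", host
    raise ValueError(f"unsupported observable type {data_type!r}")


def effective_action(action, ioc_type):
    """prevent/allow are hash-only: prevent degrades to detect (as the page
    documents); allow on a non-hash is rejected here rather than widened."""
    if ioc_type in HASH_TYPES.values():
        return action
    if action == "prevent":
        return "detect"
    if action == "allow":
        raise ValueError("allow is only valid for hash indicators")
    return action


def build_ioc_request(observable, config, now=None):
    """Return {"body": <indicator>, "params": <query params>} for the create call."""
    now = now or datetime.now(timezone.utc)
    ioc_type, value = classify_observable(observable["dataType"], observable["data"])
    body = {
        "type": ioc_type,
        "value": value,
        "action": effective_action(config["action"], ioc_type),
        "severity": config["severity"],
        "platforms": list(config["platform_list"]),
        "tags": list(config.get("tags_list") or []),
    }
    # ['all'] or an empty list means "apply to every host" (applied_globally).
    groups = [g for g in (config.get("host_groups_list") or []) if g != "all"]
    if groups:
        body["host_groups"] = groups
    else:
        body["applied_globally"] = True
    days = int(config.get("expiration_days") or 0)
    if days > 0:  # 0 / unset -> the indicator never expires
        body["expiration"] = (now + timedelta(days=days)).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {"body": body, "params": {"retrodetects": bool(config.get("retrodetect_flag"))}}


if __name__ == "__main__":
    # Constructed sample configuration and observable (not from a live tenant).
    cfg = {"base_url": "EU-1", "severity": "high", "action": "prevent",
           "expiration_days": 7, "platform_list": ["windows", "mac", "linux"],
           "host_groups_list": ["all"], "retrodetect_flag": True, "tags_list": ["thehive"]}
    print(resolve_base_url(cfg["base_url"]))
    print(build_ioc_request({"dataType": "url", "data": "https://bad.example.test/x?y=1"}, cfg))
```

Because the responder pushes indicators that can block execution fleet-wide, the translation from observable to request body is the place to keep the downgrade and rejection rules explicit and unit-tested; the verification call against the tenant should only ever see a body this function produced.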
CrowdStrikeFalcon_suppressDetections
Author : nusantara-self, StrangeBee
License : AGPL-V3
Version : 1.0
Supported data types :
- thehive:case_artifact
Registration required : True
Subscription required : True
Free subscription : False
Third party service : https://www.crowdstrike.com
Description
Suppress detections for the host.
Configuration
| Name | Description | Default value if not configured | Type | Multiple values | Required |
|---|---|---|---|---|---|
| client_id | Crowdstrike client ID key | __ | string | False | True |
| client_secret | Crowdstrike client secret key | __ | string | False | True |
| base_url | Crowdstrike base URL. Also supports US-1, US-2, EU-1, US-GOV-1 values | https://api.crowdstrike.com | string | False | True |
CrowdStrikeFalcon_hideHost
Author : nusantara-self, StrangeBee
License : AGPL-V3
Version : 1.0
Supported data types :
- thehive:case_artifact
Registration required : True
Subscription required : True
Free subscription : False
Third party service : https://www.crowdstrike.com
Description
This action will delete a host. After the host is deleted, no new detections for that host will be reported via UI or APIs.
Configuration
| Name | Description | Default value if not configured | Type | Multiple values | Required |
|---|---|---|---|---|---|
| client_id | Crowdstrike client ID key | __ | string | False | True |
| client_secret | Crowdstrike client secret key | __ | string | False | True |
| base_url | Crowdstrike base URL. Also supports US-1, US-2, EU-1, US-GOV-1 values | https://api.crowdstrike.com | string | False | True |
CrowdStrikeFalcon_HostContainment
Author : nusantara-self, StrangeBee
License : AGPL-V3
Version : 1.0
Supported data types :
- thehive:case_artifact
Registration required : True
Subscription required : True
Free subscription : False
Third party service : https://www.crowdstrike.com
Description
This action contains the host, which stops any network communications to locations other than the CrowdStrike cloud and the IPs specified in your containment policy.
Configuration
| Name | Description | Default value if not configured | Type | Multiple values | Required |
|---|---|---|---|---|---|
| client_id | Crowdstrike client ID key | __ | string | False | True |
| client_secret | Crowdstrike client secret key | __ | string | False | True |
| base_url | Crowdstrike base URL. Also supports US-1, US-2, EU-1, US-GOV-1 values | https://api.crowdstrike.com | string | False | True |
CrowdStrikeFalcon_RemoveIOC
Author : nusantara-self, StrangeBee
License : AGPL-V3
Version : 1.0
Supported data types :
- thehive:case_artifact
Registration required : True
Subscription required : True
Free subscription : False
Third party service : https://www.crowdstrike.com
Description
Remove an IOC from IoC Management on Crowdstrike.
Configuration
| Name | Description | Default value if not configured | Type | Multiple values | Required |
|---|---|---|---|---|---|
| client_id | Crowdstrike client ID key | __ | string | False | True |
| client_secret | Crowdstrike client secret key | __ | string | False | True |
| base_url | Crowdstrike base URL. Also supports US-1, US-2, EU-1, US-GOV-1 values | https://api.crowdstrike.com | string | False | True |
CrowdStrikeFalcon_Sync
Author : nusantara-self, StrangeBee
License : AGPL-V3
Version : 1.0
Supported data types :
- thehive:case
- thehive:alert
Registration required : True
Subscription required : True
Free subscription : False
Third party service : https://www.crowdstrike.com
Description
Sync TheHive status back to CrowdStrike Falcon (CS) Alerts or Incidents.
Configuration
| Name | Description | Default value if not configured | Type | Multiple values | Required |
|---|---|---|---|---|---|
| client_id | Crowdstrike client ID key | __ | string | False | True |
| client_secret | Crowdstrike client secret key | __ | string | False | True |
| base_url | Crowdstrike base URL. Also supports US-1, US-2, EU-1, US-GOV-1 values | https://api.crowdstrike.com | string | False | True |
| custom_field_name_alert_id | Custom field in TheHive containing the CSFalcon Alert ID | csfalcon-alert-id | string | False | True |
| custom_field_name_incident_id | Custom field in TheHive containing the CSFalcon Incident ID | csfalcon-incident-id | string | False | True |
CrowdStrikeFalcon_LiftContainmentHost
Author : nusantara-self, StrangeBee
License : AGPL-V3
Version : 1.0
Supported data types :
- thehive:case_artifact
Registration required : True
Subscription required : True
Free subscription : False
Third party service : https://www.crowdstrike.com
Description
This action lifts containment on the host, which returns its network communications to normal.
Configuration
| Name | Description | Default value if not configured | Type | Multiple values | Required |
|---|---|---|---|---|---|
| client_id | Crowdstrike client ID key | __ | string | False | True |
| client_secret | Crowdstrike client secret key | __ | string | False | True |
| base_url | Crowdstrike base URL. Also supports US-1, US-2, EU-1, US-GOV-1 values | https://api.crowdstrike.com | string | False | True |
CrowdStrikeFalcon_unsuppressDetections
Author : nusantara-self, StrangeBee
License : AGPL-V3
Version : 1.0
Supported data types :
- thehive:case_artifact
Registration required : True
Subscription required : True
Free subscription : False
Third party service : https://www.crowdstrike.com
Description
Allow detections for the host.
Configuration
| Name | Description | Default value if not configured | Type | Multiple values | Required |
|---|---|---|---|---|---|
| client_id | Crowdstrike client ID key | __ | string | False | True |
| client_secret | Crowdstrike client secret key | __ | string | False | True |
| base_url | Crowdstrike base URL. Also supports US-1, US-2, EU-1, US-GOV-1 values | https://api.crowdstrike.com | string | False | True |
Last updated : February 7, 2025 02:13:55