CrowdstrikeFalcon#
CrowdStrike Falcon Responders#
This documentation covers the setup and usage of CrowdStrike Falcon responders for performing various actions on hosts, managing Indicators of Compromise (IoCs), and synchronizing alerts and incidents from TheHive to CrowdStrike Falcon.
Pre-requisites#
- CrowdStrike Falcon setup:
  - Log in to your CrowdStrike Falcon tenant.
  - Navigate to Support and resources > Resources and tools > API clients and keys.
  - Create an API client with the scopes required by the responders you intend to use (grant only those; an API client used solely for IoC management does not need Hosts: Write):
    - Hosts: Read, Write (for CrowdstrikeFalcon_Hosts).
    - IOC: Read, Write (for CrowdstrikeFalcon_IOC).
    - Alerts: Read, Write (for CrowdstrikeFalcon_Sync).
    - Incidents: Read, Write (for CrowdstrikeFalcon_Sync).
- TheHive setup (for CrowdstrikeFalcon_Sync):
  - Log in to TheHive.
  - Navigate to Admin organization > Entities Management > Custom fields.
  - Create the following custom fields:
    - csfalcon-alert-id (type: string) – to store CrowdStrike Falcon alert IDs.
    - csfalcon-incident-id (type: string) – to store CrowdStrike Falcon incident IDs.
Responders Overview#
1. CrowdstrikeFalcon_Hosts Responder#
- Description: This responder provides multiple response actions on CrowdStrike Falcon hosts, including:
- Contain host
- Lift containment
- Suppress detections
- Unsuppress detections
- Hide host
- Unhide host
- Permissions Required:
Hosts: Read, Write
Available Responders#
- CrowdStrikeFalcon_HostContainment
- CrowdStrikeFalcon_LiftContainmentHost
- CrowdStrikeFalcon_suppressDetections
- CrowdStrikeFalcon_unsuppressDetections
- CrowdStrikeFalcon_hideHost
- CrowdStrikeFalcon_unhideHost
Responder Configuration#
Result#
Provides execution details for host actions, such as containment status or detection suppression results.
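The host responders above all reduce to the same three Falcon API calls: an OAuth2 token exchange, a device lookup by hostname, and a device action. The following is an added example written for this page, not the responder's own code, showing how those requests are built and the two checks worth having in front of a containment action. It assumes the US-1 API host, that the observable is a hostname, and the endpoint paths and action names of the public Falcon Hosts API; `send` and `run_responder` perform the calls with the standard library, everything else is offline.

```python
import json
import re
import urllib.request
from urllib.parse import urlencode

# Assumed US-1 API base; EU-1, US-2 and GovCloud tenants use other hosts.
BASE_URL = "https://api.crowdstrike.com"

# Responder name (as documented on this page) -> action_name accepted by
# POST /devices/entities/devices-actions/v2.
RESPONDER_ACTIONS = {
    "CrowdStrikeFalcon_HostContainment": "contain",
    "CrowdStrikeFalcon_LiftContainmentHost": "lift_containment",
    "CrowdStrikeFalcon_hideHost": "hide_host",
    "CrowdStrikeFalcon_unhideHost": "unhide_host",
    "CrowdStrikeFalcon_suppressDetections": "detection_suppress",
    "CrowdStrikeFalcon_unsuppressDetections": "detection_unsuppress",
}

# Allow-list for the hostname observable: letters, digits, dot, dash, underscore.
HOSTNAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,254}")


def token_request(client_id, client_secret):
    """OAuth2 client-credentials exchange. Credentials travel in the form body,
    never in the query string, which ends up in proxy and access logs."""
    return {
        "method": "POST",
        "url": f"{BASE_URL}/oauth2/token",
        "headers": {"Content-Type": "application/x-www-form-urlencoded"},
        "body": urlencode({"client_id": client_id, "client_secret": client_secret}),
    }


def hostname_filter(hostname):
    """FQL filter for an exact hostname match.

    The observable is analyst-supplied text. Anything outside the allow-list is
    rejected rather than interpolated: a value such as  x' or hostname:'*  would
    otherwise widen the query, and the containment that follows it, to every
    device the API client can see.
    """
    if not HOSTNAME_RE.fullmatch(hostname):
        raise ValueError(f"refusing to build a filter from {hostname!r}")
    return f"hostname:'{hostname}'"


def device_lookup_request(token, hostname):
    """GET /devices/queries/devices/v1 -> list of device IDs (AIDs)."""
    query = urlencode({"filter": hostname_filter(hostname), "limit": 2})
    return {
        "method": "GET",
        "url": f"{BASE_URL}/devices/queries/devices/v1?{query}",
        "headers": {"Authorization": f"Bearer {token}"},
    }


def select_device_id(resources):
    """Require exactly one match. Duplicate hostnames (re-imaged machines,
    cloned VMs) are common; acting on all of them is how one containment
    ticket takes down several hosts."""
    if len(resources) != 1:
        raise LookupError(f"expected exactly one device, got {len(resources)}")
    return resources[0]


def device_action_request(token, responder, device_ids):
    """POST /devices/entities/devices-actions/v2?action_name=<action>."""
    if responder not in RESPONDER_ACTIONS:
        raise ValueError(f"unknown responder {responder!r}")
    if not device_ids:
        raise ValueError("no device IDs to act on")
    query = urlencode({"action_name": RESPONDER_ACTIONS[responder]})
    return {
        "method": "POST",
        "url": f"{BASE_URL}/devices/entities/devices-actions/v2?{query}",
        "headers": {"Authorization": f"Bearer {token}",
                    "Content-Type": "application/json"},
        "body": json.dumps({"ids": list(device_ids)}),
    }


def send(req):
    """Perform one of the request dicts above; returns the parsed JSON body."""
    data = req.get("body")
    http_req = urllib.request.Request(
        req["url"], method=req["method"], headers=req["headers"],
        data=data.encode() if data is not None else None)
    with urllib.request.urlopen(http_req, timeout=30) as resp:
        return json.load(resp)


def run_responder(responder, hostname, client_id, client_secret):
    """End to end: token -> lookup -> exactly-one check -> action."""
    token = send(token_request(client_id, client_secret))["access_token"]
    found = send(device_lookup_request(token, hostname))["resources"]
    aid = select_device_id(found)
    return send(device_action_request(token, responder, [aid]))
```

The lookup is capped at two results on purpose: one is the expected case, two is enough to prove the hostname is ambiguous and abort before any action is queued.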
2. CrowdstrikeFalcon_IOC Responder#
- Description: This responder allows for the addition or removal of Indicators of Compromise (IoCs) in the CrowdStrike Falcon IoC Management section. Supported IoC types include:
  - Hashes: sha256, md5, sha1
  - IP addresses: IPv4, IPv6
  - Domains: domains or URLs (the domain is automatically extracted from URLs)
- Permissions Required:
IOC: Read, Write
Available Responders#
- CrowdStrikeFalcon_AddIOC
- CrowdStrikeFalcon_RemoveIOC
Responder Configuration#
Result#
Provides execution details for IoC management actions, such as successful addition or removal of IoCs.
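Mapping a TheHive observable onto a Falcon indicator is where the rules stated on this page (domain extraction from URLs, prevent and allow being hash-only, the expiration and host-group options of CrowdStrikeFalcon_AddIOC) actually bite. The block below is an added example written for this page, not the responder's own code. It goes slightly beyond the text in one respect: a URL whose host is a bare IP address becomes an IP indicator rather than a domain one. The indicator field names and the `retrodetects` query parameter follow my understanding of the Falcon IoC API and should be verified against the API reference; the configuration keys are the ones documented below.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode, urlsplit

HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}   # hex length -> Falcon type
HEX_RE = re.compile(r"[0-9a-fA-F]+")
VALID_ACTIONS = {"no_action", "detect", "allow", "prevent"}
VALID_SEVERITIES = {"informational", "low", "medium", "high", "critical"}


def falcon_ioc_type(data_type, value):
    """Map a TheHive observable (dataType, data) to (Falcon IoC type, value)."""
    value = value.strip()
    if data_type == "hash":
        if len(value) not in HASH_TYPES or not HEX_RE.fullmatch(value):
            raise ValueError(f"not an md5/sha1/sha256 hex digest: {value!r}")
        return HASH_TYPES[len(value)], value.lower()
    if data_type == "ip":
        addr = ipaddress.ip_address(value)       # rejects CIDR ranges and junk
        return ("ipv4" if addr.version == 4 else "ipv6"), str(addr)
    if data_type in ("domain", "fqdn"):
        return "domain", value.lower().rstrip(".")
    if data_type == "url":
        host = urlsplit(value).hostname          # drops scheme, port, path, creds
        if not host:
            raise ValueError(f"no host in URL {value!r}")
        try:                                     # http://203.0.113.9/x -> ipv4
            return falcon_ioc_type("ip", host)
        except ValueError:
            return "domain", host
    raise ValueError(f"unsupported dataType {data_type!r}")


def effective_action(ioc_type, action):
    """Apply the page's rule: prevent and allow exist only for hashes.

    Returns (action, warning). A downgrade from prevent to detect is a policy
    change the analyst must see in the responder report, so it is returned
    as a warning rather than applied silently.
    """
    if action not in VALID_ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    if ioc_type in HASH_TYPES.values() or action in ("no_action", "detect"):
        return action, None
    if action == "prevent":
        return "detect", f"{ioc_type} IoCs cannot be prevented; downgraded to detect"
    # 'allow' on a non-hash is an exclusion Falcon does not support; turning it
    # into 'detect' would invert the analyst's intent, so refuse instead.
    raise ValueError(f"action 'allow' is only valid for hashes, not {ioc_type}")


def build_indicator(observable, cfg, now_ts=None):
    """Build query string and body for POST /iocs/entities/indicators/v1.
    `observable` is {"dataType": ..., "data": ...}; `cfg` holds the responder
    configuration keys from this page; now_ts (epoch seconds) is injectable
    so expiration is reproducible."""
    ioc_type, value = falcon_ioc_type(observable["dataType"], observable["data"])
    action, warning = effective_action(ioc_type, cfg.get("action", "prevent"))
    severity = cfg.get("severity", "informational")
    if severity not in VALID_SEVERITIES:
        raise ValueError(f"unknown severity {severity!r}")
    groups = [g for g in cfg.get("host_groups_list", ["all"]) if g and g != "all"]
    indicator = {
        "type": ioc_type,
        "value": value,
        "action": action,
        "severity": severity,
        "platforms": list(cfg.get("platform_list", ["windows", "mac", "linux"])),
        "applied_globally": not groups,          # empty or ['all'] -> every host
        "tags": list(cfg.get("tags_list", [])),
        "source": "TheHive",
        "description": "Pushed from TheHive by the CrowdStrikeFalcon_AddIOC responder",
    }
    if groups:
        indicator["host_groups"] = groups
    days = int(cfg.get("expiration_days") or 0)
    if days > 0:                                 # 0 / unset -> no expiration
        now = datetime.fromtimestamp(now_ts, tz=timezone.utc) if now_ts else datetime.now(timezone.utc)
        indicator["expiration"] = (now + timedelta(days=days)).strftime("%Y-%m-%dT%H:%M:%SZ")
    params = {"retrodetects": str(bool(cfg.get("retrodetect_flag", False))).lower(),
              "ignore_warnings": "false"}
    return {"query": urlencode(params), "body": {"indicators": [indicator]}, "warning": warning}
```

Keeping `ignore_warnings` at `false` means Falcon rejects duplicates and malformed values instead of accepting them quietly, which is what you want from an automated push.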
3. CrowdstrikeFalcon_Sync Responder#
- Description: This responder performs one-way status synchronization from TheHive to CrowdStrike Falcon. It can be run on both alerts and cases in TheHive.
  The synchronization relies on custom fields in TheHive containing:
  - csfalcon-alert-id – the CrowdStrike Falcon alert ID.
  - csfalcon-incident-id – the CrowdStrike Falcon incident ID.
- Permissions Required:
Alerts: Read, Write
Incidents: Read, Write
Responder Configuration#
Result#
Provides synchronization success/failure from TheHive to CrowdStrike Falcon.
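The sync responder's whole job is to read the Falcon ID out of the configured custom field, translate the TheHive stage into a Falcon status, and issue one update per linked object. The block below is an added example written for this page, not the responder's own code. The stage-to-status mapping is an assumption (the page defines the custom fields, not the mapping), as are the shape of the Cortex job input, the Falcon endpoint paths and the loose ID format check; the sample job at the bottom is constructed, not real TheHive output.

```python
import json
import re

BASE_URL = "https://api.crowdstrike.com"   # assumed US-1 cloud

# Assumed mappings. Falcon alert statuses are strings; incident statuses are
# numeric codes (20 new, 25 reopened, 30 in progress, 40 closed). Stages with
# no entry (Ignored, Imported, ...) are deliberately left unsynced.
ALERT_STATUS = {"New": "new", "InProgress": "in_progress", "Closed": "closed"}
INCIDENT_STATUS = {"New": "20", "InProgress": "30", "Closed": "40"}

# Loose shape check on IDs read from custom fields (assumption, not the
# documented ID grammar): enough to stop whitespace, quotes and path junk.
ID_RE = re.compile(r"[A-Za-z0-9:_-]{8,128}")


def custom_field(data, name):
    """Read one custom field from the alert/case object Cortex passes in.

    TheHive 5 serialises customFields as a list of {name, type, value};
    older payloads use a dict keyed by field name with the value stored
    under the type key ("string"). Both shapes are handled here.
    """
    fields = data.get("customFields") or []
    if isinstance(fields, dict):
        entry = fields.get(name) or {}
        value = entry.get("string", entry.get("value"))
    else:
        value = next((f.get("value") for f in fields if f.get("name") == name), None)
    if value in (None, ""):
        return None
    value = str(value).strip()
    if not ID_RE.fullmatch(value):
        raise ValueError(f"{name} does not look like a Falcon ID: {value!r}")
    return value


def thehive_stage(data):
    """TheHive 5 cases carry a coarse `stage` (New/InProgress/Closed); alerts
    and older payloads only have `status`."""
    return data.get("stage") or data.get("status")


def build_sync_requests(job, token):
    """Return (requests, notes) for a Cortex job {"data": <case|alert>,
    "config": {...}}. Each request targets the Falcon endpoint I believe
    handles status updates (Alerts v3 PATCH, Incidents actions POST);
    verify the paths and parameter names against the API reference."""
    data, cfg = job["data"], job.get("config", {})
    stage = thehive_stage(data)
    targets = (
        ("incident", custom_field(data, cfg.get("custom_field_name_incident_id", "csfalcon-incident-id")),
         INCIDENT_STATUS, "POST", "/incidents/entities/incident-actions/v1", "ids"),
        ("alert", custom_field(data, cfg.get("custom_field_name_alert_id", "csfalcon-alert-id")),
         ALERT_STATUS, "PATCH", "/alerts/entities/alerts/v3", "composite_ids"),
    )
    requests, notes = [], []
    for kind, ident, mapping, method, path, id_key in targets:
        if not ident:
            continue
        status = mapping.get(stage)
        if status is None:
            notes.append(f"{kind} {ident}: no Falcon status for TheHive stage {stage!r}; skipped")
            continue
        body = {id_key: [ident], "action_parameters": [{"name": "update_status", "value": status}]}
        requests.append({
            "method": method, "url": BASE_URL + path,
            "headers": {"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
            "json": body, "body": json.dumps(body),
        })
    if not requests and not notes:
        notes.append("no csfalcon-* custom field set; nothing to sync")
    return requests, notes


# Constructed sample job, not real TheHive output: a closed case that was
# created from a Falcon alert (the composite ID is made up).
SAMPLE_JOB = {
    "data": {
        "_type": "case", "title": "Suspicious PowerShell on WS-01", "stage": "Closed",
        "customFields": [{"name": "csfalcon-alert-id", "type": "string",
                          "value": "0123456789abcdef0123456789abcdef:ind:0123456789abcdef0123456789abcdef:1234567890-1-1"}],
    },
    "config": {"custom_field_name_alert_id": "csfalcon-alert-id",
               "custom_field_name_incident_id": "csfalcon-incident-id"},
}
```

Because the sync is one-way, the notes list matters as much as the requests: a stage with no mapping, or an empty custom field, should surface in the responder report rather than be treated as success.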
Resources#
For more information on the relevant CrowdStrike Falcon APIs, refer to the following resources:
- CrowdStrike Falcon Hosts API
- CrowdStrike Falcon IoC Management API
- CrowdStrike Falcon Alerts API
- CrowdStrike Falcon Incidents API
CrowdStrikeFalcon_Sync#
Author: nusantara-self, StrangeBee
License: AGPL-V3
Version: 1.0
Supported data types:
- thehive:case
- thehive:alert
Registration required: True
Subscription required: True
Free subscription: False
Third party service: https://www.crowdstrike.com
Description#
Sync TheHive status back to CS Alerts or Incidents
Configuration#
client_id | Crowdstrike client ID key |
---|---|
Default value if not configured | __ |
Type of the configuration item | string |
The configuration item can contain multiple values | False |
Is required | True |
client_secret | Crowdstrike client secret key |
---|---|
Default value if not configured | __ |
Type of the configuration item | string |
The configuration item can contain multiple values | False |
Is required | True |
custom_field_name_alert_id | Custom field in TheHive containing the CSFalcon Alert ID |
---|---|
Default value if not configured | csfalcon-alert-id |
Type of the configuration item | string |
The configuration item can contain multiple values | False |
Is required | True |
custom_field_name_incident_id | Custom field in TheHive containing the CSFalcon Incident ID |
---|---|
Default value if not configured | csfalcon-incident-id |
Type of the configuration item | string |
The configuration item can contain multiple values | False |
Is required | True |
CrowdStrikeFalcon_LiftContainmentHost#
Author: nusantara-self, StrangeBee
License: AGPL-V3
Version: 1.0
Supported data types:
- thehive:case_artifact
Registration required: True
Subscription required: True
Free subscription: False
Third party service: https://www.crowdstrike.com
Description#
This action lifts containment on the host, which returns its network communications to normal
Configuration#
client_id | Crowdstrike client ID key |
---|---|
Default value if not configured | __ |
Type of the configuration item | string |
The configuration item can contain multiple values | False |
Is required | True |
client_secret | Crowdstrike client secret key |
---|---|
Default value if not configured | __ |
Type of the configuration item | string |
The configuration item can contain multiple values | False |
Is required | True |
CrowdStrikeFalcon_HostContainment#
Author: nusantara-self, StrangeBee
License: AGPL-V3
Version: 1.0
Supported data types:
- thehive:case_artifact
Registration required: True
Subscription required: True
Free subscription: False
Third party service: https://www.crowdstrike.com
Description#
This action contains the host, which stops any network communications to locations other than the CrowdStrike cloud and IPs specified in your containment policy
Configuration#
client_id | Crowdstrike client ID key |
---|---|
Default value if not configured | __ |
Type of the configuration item | string |
The configuration item can contain multiple values | False |
Is required | True |
client_secret | Crowdstrike client secret key |
---|---|
Default value if not configured | __ |
Type of the configuration item | string |
The configuration item can contain multiple values | False |
Is required | True |
CrowdStrikeFalcon_unhideHost#
Author: nusantara-self, StrangeBee
License: AGPL-V3
Version: 1.0
Supported data types:
- thehive:case_artifact
Registration required: True
Subscription required: True
Free subscription: False
Third party service: https://www.crowdstrike.com
Description#
This action will restore a host. Detection reporting will resume after the host is restored
Configuration#
client_id | Crowdstrike client ID key |
---|---|
Default value if not configured | __ |
Type of the configuration item | string |
The configuration item can contain multiple values | False |
Is required | True |
client_secret | Crowdstrike client secret key |
---|---|
Default value if not configured | __ |
Type of the configuration item | string |
The configuration item can contain multiple values | False |
Is required | True |
CrowdStrikeFalcon_unsuppressDetections#
Author: nusantara-self, StrangeBee
License: AGPL-V3
Version: 1.0
Supported data types:
- thehive:case_artifact
Registration required: True
Subscription required: True
Free subscription: False
Third party service: https://www.crowdstrike.com
Description#
Allow detections for the host.
Configuration#
client_id | Crowdstrike client ID key |
---|---|
Default value if not configured | __ |
Type of the configuration item | string |
The configuration item can contain multiple values | False |
Is required | True |
client_secret | Crowdstrike client secret key |
---|---|
Default value if not configured | __ |
Type of the configuration item | string |
The configuration item can contain multiple values | False |
Is required | True |
CrowdStrikeFalcon_hideHost#
Author: nusantara-self, StrangeBee
License: AGPL-V3
Version: 1.0
Supported data types:
- thehive:case_artifact
Registration required: True
Subscription required: True
Free subscription: False
Third party service: https://www.crowdstrike.com
Description#
This action will delete a host. After the host is deleted, no new detections for that host will be reported via UI or APIs
Configuration#
client_id | Crowdstrike client ID key |
---|---|
Default value if not configured | __ |
Type of the configuration item | string |
The configuration item can contain multiple values | False |
Is required | True |
client_secret | Crowdstrike client secret key |
---|---|
Default value if not configured | __ |
Type of the configuration item | string |
The configuration item can contain multiple values | False |
Is required | True |
CrowdStrikeFalcon_suppressDetections#
Author: nusantara-self, StrangeBee
License: AGPL-V3
Version: 1.0
Supported data types:
- thehive:case_artifact
Registration required: True
Subscription required: True
Free subscription: False
Third party service: https://www.crowdstrike.com
Description#
Suppress detections for the host.
Configuration#
client_id | Crowdstrike client ID key |
---|---|
Default value if not configured | __ |
Type of the configuration item | string |
The configuration item can contain multiple values | False |
Is required | True |
client_secret | Crowdstrike client secret key |
---|---|
Default value if not configured | __ |
Type of the configuration item | string |
The configuration item can contain multiple values | False |
Is required | True |
CrowdStrikeFalcon_AddIOC#
Author: nusantara-self, StrangeBee
License: AGPL-V3
Version: 1.0
Supported data types:
- thehive:case_artifact
Registration required: True
Subscription required: True
Free subscription: False
Third party service: https://www.crowdstrike.com
Description#
Add an IoC to IoC Management on CrowdStrike. Supports domains, URLs (the domain is extracted), IPv4/IPv6 addresses and md5, sha1 and sha256 hashes.
Configuration#
client_id | Crowdstrike client ID key |
---|---|
Default value if not configured | __ |
Type of the configuration item | string |
The configuration item can contain multiple values | False |
Is required | True |
client_secret | Crowdstrike client secret key |
---|---|
Default value if not configured | __ |
Type of the configuration item | string |
The configuration item can contain multiple values | False |
Is required | True |
severity | Severity linked to the IoC - informational, low, medium, high, critical |
---|---|
Default value if not configured | informational |
Type of the configuration item | string |
The configuration item can contain multiple values | False |
Is required | True |
action | Action policy to apply: no_action, detect, allow or prevent. Prevent and allow only work with hashes; for other IoC types, prevent falls back to detect. |
---|---|
Default value if not configured | prevent |
Type of the configuration item | string |
The configuration item can contain multiple values | False |
Is required | True |
expiration_days | Number of days until the IoC expires. If not set, the IoC has no expiration date. |
---|---|
Default value if not configured | 0 |
Type of the configuration item | number |
The configuration item can contain multiple values | False |
Is required | False |
platform_list | List of Platforms |
---|---|
Default value if not configured | ['windows', 'mac', 'linux'] |
Type of the configuration item | string |
The configuration item can contain multiple values | True |
Is required | True |
host_groups_list | Applies the IoC to all hosts if left empty (default: all). Otherwise, provide host group IDs. |
---|---|
Default value if not configured | ['all'] |
Type of the configuration item | string |
The configuration item can contain multiple values | True |
Is required | False |
retrodetect_flag | Flag to indicate whether to submit retrodetects. |
---|---|
Default value if not configured | False |
Type of the configuration item | boolean |
The configuration item can contain multiple values | False |
Is required | False |
tags_list | Tags added to IOC when TheHive pushes the IoC |
---|---|
Default value if not configured | [] |
Type of the configuration item | string |
The configuration item can contain multiple values | True |
Is required | False |
CrowdStrikeFalcon_RemoveIOC#
Author: nusantara-self, StrangeBee
License: AGPL-V3
Version: 1.0
Supported data types:
- thehive:case_artifact
Registration required: True
Subscription required: True
Free subscription: False
Third party service: https://www.crowdstrike.com
Description#
Remove an IoC from IoC Management on CrowdStrike.
Configuration#
client_id | Crowdstrike client ID key |
---|---|
Default value if not configured | __ |
Type of the configuration item | string |
The configuration item can contain multiple values | False |
Is required | True |
client_secret | Crowdstrike client secret key |
---|---|
Default value if not configured | __ |
Type of the configuration item | string |
The configuration item can contain multiple values | False |
Is required | True |