Publisher: Splunk
Connector Version: 4.1.0
Product Vendor: CrowdStrike
Product Name: CrowdStrike
Product Version Supported (regex): ".*"
Minimum Product Version: 6.1.0

This app integrates with CrowdStrike OAuth2 authentication standard to implement querying of endpoint security data

• In Falcon UI, Go to menubar on the left, From Support and resources section, Select API clients and keys.
• Click on Create API client.
• Add Client name, Description(optional) and Scopes (defined below).
• Click on Create to obtain the Client ID and Client secret.

The user can add a script file in the configuration parameter [ Script with functions to preprocess containers and artifacts ]. The script must contain a function with the name preprocess_container (to pre-process the containers and the artifacts) or else, it will throw an error.

• Optionally, you can specify an App ID to be used with the Crowdstrike OAuth API used in the on poll action. If one isn't set, it will default to the asset ID.
• It is recommended to have a unique App ID for each connection to the Crowdstrike OAuth API. That is to say, if you are planning on having multiple assets using the Crowdstrike OAuth API at once, you should give them unique App IDs.

• Common points for both manual and scheduled interval polling
  • Default parameters of the On Poll action are ignored in the app. i.e. start_time, end_time, container_count, artifact_count
  • The app will fetch all the events based on the value specified in the configuration parameters [Maximum events to get while POLL NOW] (default 2000 if not specified) and [Maximum events to get while scheduled and interval polling] (default 10,000 if not specified). For ingestion, the events are fetched after filtering them based on the event type - DetectionSummaryEvent . The app will exit from the polling cycle in the below-mentioned 2 cases whichever is earlier.
    • If the total DetectionSummaryEvents fetched equals the value provided in the [Maximum events to get while POLL NOW] (for manual polling) or [Maximum events to get while scheduled and interval polling] (for scheduled | interval polling) parameters
    • If the total number of continuous blank lines encountered while streaming the data equals the value provided in the [Maximum allowed continuous blank lines] (default 50 if not specified) asset configuration parameter
  • The default behavior of the app is that each event will be placed in its container. By checking the configuration parameter [Merge containers for Hostname and Eventname] as well as specifying an interval in the configuration parameter [Merge same containers within specified seconds], all events which are of the same type and on the same host will be put into one container, as long as the time between those two events is less than the interval.
  • The [Maximum allowed continuous blank lines] asset configuration parameter will be used to indicate the allowed number of continuous blank lines while fetching DetectionSummaryEvents . For example, of the entire data of the DetectionSummaryEvents, some of the 'DetectionSummaryEvents' exists after 100 continuous blank lines and if you've set the [Maximum allowed continues blank lines] parameter value to 500, it will keep on ingesting all the 'DetectionSummaryEvents' until the code gets 500 continuous blank lines and hence, it will be able to cover the DetectionSummaryEvents successfully even after the 100 blank lines. If you set it to 50, it will break after the 50th blank line is encountered. Hence, it won't be able to ingest the events which exist after the 100 continuous blank lines because the code considers that after the configured value in the [Maximum allowed continuous blank lines] configuration parameter (here 50), there is no data available for the 'DetectionSummaryEvents'.
• Manual Polling
  • During manual poll now, the app starts from the first event that it can query up to the value configured in the configuration parameter [Maximum events to get while POLL NOW] and creates artifacts for all the fetched DetectionSummaryEvents. The last queried event's offset ID will not be remembered in Manual POLL NOW and it fetches everything every time from the beginning.
• Scheduled | Interval Polling
  • During scheduled | interval polling, the app starts from the first event that it can query up to the value configured in the configuration parameter [Maximum events to get while scheduled and interval polling] and creates artifacts for all the fetched DetectionSummaryEvents. Then, it remembers the last event's offset ID and stores it in the state file against the key [last_offset_id]. In the next scheduled poll run, it will start from the stored offset ID in the state file and will fetch the maximum events as configured in the [Maximum events to get while scheduled and interval polling] parameter.

The DetectionSummaryEvent is parsed to extract the following values into an Artifact.

The app also parses the following sub-events into their own artifacts.

• Documents Accessed
• Executables Written
• Network Access
• Scan Result
• Quarantine Files
• DNS Requests

Each of the sub-events has a CEF key called parentSdi which stands for Parent Source Data Identifier. This is the value of the SDI of the main event that the sub-events were generated from.

This is different from Falcon Sandbox.

• Action - File Reputation, Url reputation

• Report of the resource will be fetched if it has been detonated previously on the CrowdStrike Server otherwise no data found message will be displayed to the user.

• Action - Download Report

• This action will download the resource report based on the provided artifact ID. Currently, we support the following Strict IOC CSV, Strict IOC JSON, Strict IOC STIX2.1, Strict IOC MAEC5.0, Broad IOC CSV, Broad IOC JSON, Broad IOC STIX2.1, Broad IOC MAEC5.0, Memory Strings, Icon, Screenshot artifact IDs.

• Action - Detonate File

• This action will upload the given file to the CrowdStrike sandbox and will submit it for analysis with the entered environment details. If the report of the given file is already present with the same environment, it will fetch the result and the file won't be submitted again.
• If the analysis is in progress and reaches the time entered in the detonate_timeout parameter, then this action will return the resource_id of the submitted file using which the submission status can be checked.
• If the submitted file will be analyzed within the entered time in the detonate_timeout parameter, its report will be fetched. Currently, these file types are supported .exe, .scr, .pif, .dll, .com, .cpl, etc., .doc, .docx, .ppt, .pps, .pptx, .ppsx, .xls, .xlsx, .rtf, .pub, .pdf, Executable JAR, .sct, .lnk, .chm, .hta, .wsf, .js, .vbs, .vbe, .swf, pl, .ps1, .psd1, .psm1, .svg, .py, Linux ELF executables, .eml, .msg.

• Action - Detonate Url

• This action will submit the given URL for analysis with the entered environment details. If the report of the given URL is already present with the same environment, it will fetch the result and the url won't be submitted again.
• If the analysis is in progress and it reaches the time entered in the detonate_timeout parameter, then this action will return the resource_id of the submitted URL using which the status of the submission can be checked. If the analysis status is running then do not re-run the detonate URL action, otherwise, the URL will be again submitted for the analysis.
• If the submitted URL will be analyzed within the entered time in the detonate_timeout parameter, its report will be fetched. Currently, 3 domains of URL are supported http, https, and ftp.

• Action - Check Status

• This action will return the status of the given resource_id in case of timeout in detonate file and detonate URL actions.

• Action - List Groups

• The filter parameter values follow the FQL Syntax .

• The sort parameter value has to be provided in the format property_name.asc for ascending and property_name.desc for descending order.

• Action - Query Device

• Both the filter and sort parameters follow the same concepts as mentioned above for the list groups action.

• Action - Assign Hosts, Remove Hosts, Quarantine Device, and Unquarantine Device

• The devices will be fetched based on the values provided in both the device_id and hostname parameters.
• If an incorrect value is provided in both the device_id and hostname parameters each, then, the action will fail with an appropriate error message.

• Action - List Session Files, Get Session File

• To add [session id] to the action parameters of these actions, a session with the Create Session action needs to be created. Also, the user can delete the session using the Delete Session action.

• Action - Run Command

• This action can run the below-mentioned RTR commands on the host:
  • cat
  • cd
  • env
  • eventlog
  • filehash
  • getsid
  • ipconfig
  • ls
  • mount
  • netstat
  • ps
  • reg query
• To add [session id] to the action parameters of these actions, a session with the Create Session action needs to be created. Also, the user can delete the session using the Delete Session action.
• Example action run: If "cd C:\some_directory" command needs to be run using this action, valid [device_id] and [session_id] parameters should be provided by the user. The user should select "cd" from the [command] dropdown parameter and provide "C:\some_directory" input in the [data] parameter.

• Action - Run Admin Command

• This action can run the below-mentioned RTR administrator commands on the host:
  • cat
  • cd
  • cp
  • encrypt
  • env
  • eventlog
  • filehash
  • get
  • getsid
  • ipconfig
  • kill
  • ls
  • map
  • memdump
  • mkdir
  • mount
  • mv
  • netstat
  • ps
  • put
  • reg query
  • reg set
  • reg delete
  • reg load
  • reg unload
  • restart
  • rm
  • run
  • runscript
  • shutdown
  • unmap
  • xmemdump
  • zip
• To add [session id] to the action parameters of these actions, a session with the Create Session action needs to be created. Also, the user can delete the session using the Delete Session action.
• Example action run: If "cd C:\some_directory" command needs to be run using this action, valid [device_id] and [session_id] parameters should be provided by the user. The user should select "cd" from the [command] dropdown parameter and provide "C:\some_directory" input in the [data] parameter.

The app uses HTTP/HTTPS protocol for communicating with the Crowdstrike Server. Below are the default ports used by Splunk SOAR.

• The output data-paths have been updated in the below-existing action. Hence, it is requested to update existing playbooks created in the earlier versions of the app by re-inserting | modifying | deleting the corresponding action blocks.

  • list users - Below output data-paths have been updated.

    • Updated name from 'customer' to 'cid'
    • Updated name from 'firstName' to 'first_name'
    • Updated name from 'lastName' to 'last_name'

The below configuration variables are required for this Connector to operate. These variables are specified when configuring a CrowdStrike asset in SOAR.

test connectivity - Validate the asset configuration for connectivity. This action logs into the site to check the connection and credentials
query device - Fetch the device details based on the provided query
list groups - Fetch the details of the host groups
quarantine device - Block the device
unquarantine device - Unblock the device
assign hosts - Assign one or more hosts to the static host group
remove hosts - Remove one or more hosts from the static host group
create session - Initialize a new session with the Real Time Response cloud
delete session - Deletes a Real Time Response session
list detections - Get a list of detections
get detections details - Get a list of detections details by providing detection IDs
update detections - Update detections in crowdstrike host
list alerts - Get a list of alerts
list sessions - Lists Real Time Response sessions
run command - Execute an active responder command on a single host
run admin command - Execute an RTR Admin command on a single host
get command details - Retrieve results of an active responder command executed on a single host
list session files - Get a list of files for the specified RTR session
get incident behaviors - Get details on behaviors by providing behavior IDs
update incident - Perform a set of actions on one or more incidents, such as adding tags or comments or updating the incident name or description
list users - Get information about all users in your Customer ID
get user roles - Gets the roles that are assigned to the user
list roles - Get information about all user roles from your Customer ID
get role - Get information about all user roles from your Customer ID
list crowdscores - Query environment wide CrowdScore and return the entity data
get incident details - Get details on incidents by providing incident IDs
list incident behaviors - Search for behaviors by providing an FQL filter, sorting, and paging details
list incidents - Search for incidents by providing an FQL filter, sorting, and paging details
get session file - Get RTR extracted file contents for the specified session and sha256 and add it to the vault
set status - Set the state of a detection in Crowdstrike Host
get system info - Get details of a device, given the device ID
get process detail - Retrieve the details of a process that is running or that previously ran, given a process ID
hunt file - Hunt for a file on the network by querying for the hash
hunt domain - Get a list of device IDs on which the domain was matched
hunt ip - Get a list of device IDs on which the ip was matched
upload put file - Upload a new put-file to use for the RTR put command
get indicator - Get the full definition of one or more indicators that are being watched
list custom indicators - Queries for custom indicators in your customer account
list put files - Queries for files uploaded to Crowdstrike for use with the RTR put command
on poll - Callback action for the on_poll ingest functionality
list processes - List processes that have recently used the IOC on a particular device
upload indicator - Upload indicator that you want CrowdStrike to watch
delete indicator - Delete an indicator that is being watched
update indicator - Update an indicator that has been uploaded
file reputation - Queries CrowdStrike for the file info given a vault ID or a SHA256 hash, vault ID has higher priority than SHA256 hash if both are provided
url reputation - Queries CrowdStrike for the url info
download report - To download the report of the provided artifact id
detonate file - Upload a file to CrowdStrike and retrieve the analysis results
detonate url - Upload an url to CrowdStrike and retrieve the analysis results
check status - To check detonation status of the provided resource id
get device scroll - Search for hosts in your environment by platform, hostname, IP, and other criteria with continuous pagination capability (based on offset pointer which expires after 2 minutes with no maximum limit)
get zta data - Get Zero Trust Assessment data for one or more hosts by providing agent IDs (AID)

Validate the asset configuration for connectivity. This action logs into the site to check the connection and credentials

Type: test
Read only: True

No parameters are required for this action

No Output

Fetch the device details based on the provided query

Type: investigate
Read only: True

Fetch the details of the host groups

Type: investigate
Read only: True

Block the device

Type: contain
Read only: False

This action contains the host, which stops any network communications to locations other than the CrowdStrike cloud and IPs specified in the user's containment policy.

Unblock the device

Type: correct
Read only: False

This action lifts containment on the host, which returns its network communications to normal.

Assign one or more hosts to the static host group

Type: correct
Read only: False

Remove one or more hosts from the static host group

Type: contain
Read only: False

Initialize a new session with the Real Time Response cloud

Type: generic
Read only: False

Deletes a Real Time Response session

Type: generic
Read only: False

Get a list of detections

Type: investigate
Read only: True

This action supports filtering in order to retrieve a particular set of detections.

Get a list of detections details by providing detection IDs

Type: investigate
Read only: True

Update detections in crowdstrike host

Type: generic
Read only: False

Get a list of alerts

Type: investigate
Read only: True

This action supports filtering in order to retrieve a particular set of alerts.

Lists Real Time Response sessions

Type: investigate
Read only: True

This action supports filtering in order to retrieve a particular session.

Execute an active responder command on a single host

Type: generic
Read only: False

The API works by first creating a cloud request to execute the command, then the results need to be retrieved using a GET with the cloud_request_id. The action will attempt to retrieve the results, but in the event that a timeout occurs, execute a 'get command details' action.

Execute an RTR Admin command on a single host

Type: generic
Read only: False

This action requires a token with RTR Admin permissions.

Retrieve results of an active responder command executed on a single host

Type: investigate
Read only: True

Get a list of files for the specified RTR session

Type: investigate
Read only: True

Get details on behaviors by providing behavior IDs

Type: investigate
Read only: True

Perform a set of actions on one or more incidents, such as adding tags or comments or updating the incident name or description

Type: generic
Read only: False

Get information about all users in your Customer ID

Type: investigate
Read only: True

No parameters are required for this action

Gets the roles that are assigned to the user

Type: investigate
Read only: True

Get information about all user roles from your Customer ID

Type: investigate
Read only: True

No parameters are required for this action

Get information about all user roles from your Customer ID

Type: investigate
Read only: True

Query environment wide CrowdScore and return the entity data

Type: investigate
Read only: True

This action fetches crowdscores using pagination logic.

Get details on incidents by providing incident IDs

Type: investigate
Read only: True

Search for behaviors by providing an FQL filter, sorting, and paging details

Type: investigate
Read only: True

This action fetches incident behaviors using pagination logic.

Search for incidents by providing an FQL filter, sorting, and paging details

Type: investigate
Read only: True

This action fetches incidents using pagination logic.

Get RTR extracted file contents for the specified session and sha256 and add it to the vault

Type: generic
Read only: False

Set the state of a detection in Crowdstrike Host

Type: generic
Read only: False

The detection id can be obtained from the Crowdstrike UI and its state can be set.

Get details of a device, given the device ID

Type: investigate
Read only: True

Retrieve the details of a process that is running or that previously ran, given a process ID

Type: investigate
Read only: True

Hunt for a file on the network by querying for the hash

Type: investigate
Read only: True

In case of count_only set to true, keep the limit value larger to fetch count of all the devices.