CrowdStrike Falcon

Integration version: 35.0

CrowdStrike Events

Events are pieces of information gathered by the Falcon sensors on your hosts. There are four types of events in CrowdStrike:

  • Detection summary events: These are events that are generated when threats are detected on endpoints.
  • Remote Response Session End Event: These are events that are generated from remote sessions on endpoints.
  • User Activity Audit events: These events are generated to monitor activities carried out by active users on endpoints.
  • Auth Activity Audit events: These are events generated every time authorization is requested, given and ended on endpoints.

Expected Outcome

  • The connector pulls events into Google Security Operations SOAR to create alerts as well as enrich cases with event data.
  • The users can select what kind of events they want to ingest into Google Security Operations SOAR, all event types or selected ones.

Configure CrowdStrike Falcon to work with Google Security Operations SOAR

API Client

To define a CrowdStrike API client, you need to have a Falcon Administrator role in order to view, create, or modify API clients or keys.

  1. In the Falcon UI, navigate to Support > API Clients and Keys. From there you are able to view existing clients, add new API clients, or view the audit log.
  2. Click Add new API Client, enter a descriptive name and select the appropriate API scopes.
  3. After you save it, you will be presented with the Client ID and Client Secret. The secret is only shown once and should be stored in a secure place.

For more details regarding access to the CrowdStrike API, see the Getting Access to the CrowdStrike API article available on the CrowdStrike blog.

Prerequisites

For the integration to function properly, make sure to configure the minimal permissions for every integration item. Refer to Action permissions and Connector permissions before proceeding with the integration configuration.

Configure CrowdStrike Falcon integration in Google Security Operations SOAR

For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.

Integration parameters

Use the following parameters to configure the integration:

Parameter Display Name Type Default Value Is Mandatory Description
Instance Name String N/A No Name of the instance you intend to configure the integration for.
Description String N/A No Description of the instance.
Client ID String N/A Yes Client ID for the CrowdStrike API. Example: 8465cf0cbe8b4ea4bbd96c7154adb9c9
Client Secret String N/A Yes Client Secret for the CrowdStrike API. Example: 8eKzpEkfXGmNPjbI90Y7hWdLRnDg42JwvOQ315u6
Verify SSL Checkbox Unchecked No Select this checkbox if your CrowdStrike Falcon connection requires SSL certificate verification.
Run Remotely Checkbox Unchecked No Select this checkbox to run the configured integration remotely. Once checked, an option appears to select the remote user (agent).

Use Cases

An executable process on a host managed by CrowdStrike tries to access the Falcon credential store, which indicates an attempt to steal credentials. Falcon detects and blocks the attempt and creates a detection event for the incident; the event is recorded.

Actions

Action permissions

Refer to the minimal permissions for actions, as listed in the following table:

Action Required permissions
Add Comment to Detection: Detections.Read, Detection.Write
Add Identity Protection Detection Comment: Alerts.Read, Alerts.Write
Add Incident Comment: Incidents.Write
Close Detection: Detections.Read, Detection.Write
Contain Endpoint: Hosts.Read, Hosts.Write
Delete IOC: IOC Management.Read, IOC Management.Write
Download File: Hosts.Read, Real time response.Read, Real time response.Write
Execute Command: Hosts.Read, Real time response.Read, Real time response.Write; Real time response (admin).Write* for full privilege commands.
Get Event Offset: Event streams.Read
Get Hosts by IOC: N/A: Deprecated
Get Host Information: Hosts.Read
Get Process Name By IOC: N/A: Deprecated
Lift Contained Endpoint: Hosts.Read, Hosts.Write
List Hosts: Hosts.Read
List Host Vulnerabilities: Hosts.Read, Spotlight vulnerabilities.Read
List Uploaded IOCs: IOC Management.Read
Ping: Hosts.Read
Submit File: Reports (Falcon Intelligence).Read, Sandbox (Falcon Intelligence).Read, Sandbox (Falcon Intelligence).Write
Submit URL: Reports (Falcon Intelligence).Read, Sandbox (Falcon Intelligence).Read, Sandbox (Falcon Intelligence).Write
Update Detection: Detections.Read, Detection.Write, User management.Read
Update Identity Protection Detection: Alerts.Read, Alerts.Write
Update Incident: Incidents.Write
Update IOC Information: IOC Management.Read, IOC Management.Write
Upload IOCs: IOC Management.Read, IOC Management.Write

Add Comment to Detection

Description

Add a comment to the detection in CrowdStrike Falcon.

Parameters

Parameter Name Type Default Value Is Mandatory Description
Detection ID String N/A Yes Specify the ID of the detection to which you want to add a comment.
Comment String N/A Yes Specify the comment that needs to be added to the detection.

Run On

This action runs on all entities.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
N/A
Entity Enrichment

N/A

Entity Insights

N/A

Add Identity Protection Detection Comment

Add a comment to identity protection detection in CrowdStrike.

Entities

The action doesn't run on entities.

Action inputs

To configure the action, use the following parameters:

Parameters
Detection ID Required

Specifies the ID of the detection to update.

Comment Required

Specifies the comment for the detection.

Action outputs

Action output type
Case wall attachment N/A
Case wall link N/A
Case wall table N/A
Enrichment table N/A
JSON result N/A
Script result Available
Script result
Script result name Value
is_success True/False
Case wall

The action provides the following output messages:

Output message Message description
Successfully added comment to the identity protection detection with ID DETECTION_ID in CrowdStrike Action is successful.
Error executing action "Add Identity Protection Detection Comment". Reason: ERROR_REASON

The action returned an error.

Check connection to the server, input parameters, or credentials.

Error executing action "Add Identity Protection Detection Comment". Reason: identity protection detection with ID DETECTION_ID wasn't found in CrowdStrike. Please check the spelling.

The action returned an error.

Check the spelling.

Add Incident Comment

Add a comment to an incident in CrowdStrike.

Entities

The action doesn't run on entities.

Action inputs

To configure the action, use the following parameters:

Parameters
Incident ID Required

Specifies the ID of the incident to update.

Comment Required

Specifies the comment for the incident.

Action outputs

Action output type
Case wall attachment N/A
Case wall link N/A
Case wall table N/A
Enrichment table N/A
JSON result N/A
Script result Available
Script result
Script result name Value
is_success True/False
Case wall

The action provides the following output messages:

Output message Message description
Successfully added comment to the incident INCIDENT_ID in CrowdStrike Action is successful.
Error executing action "Add Incident Comment". Reason: ERROR_REASON

The action returned an error.

Check connection to the server, input parameters, or credentials.

Error executing action "Add Incident Comment". Reason: incident with ID INCIDENT_ID wasn't found in CrowdStrike. Please check the spelling.

The action returned an error.

Check the spelling.

Close Detection

Description

Close a CrowdStrike Falcon detection.

Parameters

Parameter Name Type Default Value Is Mandatory Description
Detection ID String N/A Yes Specify the ID of the detection that needs to be closed.
Hide Detection Checkbox Checked No If enabled, the action hides the detection in the UI.

Run On

This action runs on all entities.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
N/A
Entity Enrichment

N/A

Entity Insights

N/A

Contain Endpoint

Description

Contain endpoint in CrowdStrike Falcon. Supported entities: Hostname and IP Address.

Parameters

Parameter Name Type Default Value Is Mandatory Description
Fail If Timeout Checkbox Checked Yes If enabled, the action fails if not all of the endpoints are contained.

Run On

This action runs on the following entities:

  • IP Address
  • Hostname

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
{
  "EntityResult":
    {
      "status": "contained",
      "modified_timestamp": "2019-06-24T07:47:37Z",
      "major_version": "6",
      "policies":
        [{
           "applied": "True",
           "applied_date": "2019-04-29T07:40:06.876850888Z",
           "settings_hash": "ce17279e",
           "policy_type": "prevention",
           "assigned_date": "2019-04-29T07:39:55.218651583Z",
           "policy_id": ""
         }],
      "config_id_platform": "3",
      "bios_manufacturer": "American Megatrends Inc.",
      "system_manufacturer": "Microsoft Corporation",
      "device_policies":
         {
            "global_config":
               {
                 "applied": "True",
                 "applied_date": "2019-06-03T23:24:04.893780991Z",
                 "settings_hash": "a75911b0",
                 "policy_type": "globalconfig",
                 "assigned_date": "2019-06-03T23:23:17.184432743Z",
                 "policy_id": ""
                },
            "Sensor_update":
               {
                 "applied": "True",
                 "applied_date": "2019-05-30T23:13:55.23597658Z",
                 "settings_hash": "65994753|3|2|automatic;101",
                 "uninstall_protection": "ENABLED",
                 "policy_type": "sensor-update",
                 "assigned_date": "2019-05-30T23:04:31.485311459Z",
                 "policy_id": ""
                },
            "prevention":
               {
                 "applied": "True",
                 "applied_date": "2019-04-29T07:40:06.876850888Z",
                 "settings_hash": "ce17279e",
                 "policy_type": "prevention",
                 "assigned_date": "2019-04-29T07:39:55.218651583Z",
                 "policy_id": ""
                },
            "device_control":
                {
                  "applied": "True",
                  "applied_date": "2019-06-03T23:14:29.800434222Z",
                  "policy_type": "device-control",
                  "assigned_date": "2019-06-03T23:05:17.425127539Z",
                  "policy_id": ""
                 },
            "remote_response":
                {
                  "applied": "True",
                  "applied_date": "2019-04-29T07:40:04.469808388Z",
                  "settings_hash": "f472bd8e",
                  "policy_type": "remote-response",
                  "assigned_date": "2019-04-29T07:39:55.218642441Z",
                  "policy_id": ""
                 }
          },
       "meta":
          {
            "Version":"12765"
          },
       "pointer_size": "8",
       "last_seen": "2019-06-24T07:45:34Z",
       "agent_local_time": "2019-06-18T12:17:06.259Z",
       "first_seen": "2019-04-29T07:39:45Z",
       "service_pack_major": "0",
       "slow_changing_modified_timestamp": "2019-06-23T11:20:42Z",
       "service_pack_minor": "0",
       "system_product_name": "Virtual Machine",
       "product_type_desc": "Server",
       "build_number": "9600",
       "cid": "27fe4e476ca3490b8476b2b6650e5a74",
       "local_ip": "x.x.x.x",
       "external_ip": "y.y.y.y",
       "hostname": "",
       "config_id_build": "xxxx",
       "minor_version": "3",
       "platform_id": "x",
       "os_version": "Windows Server 2012 R2",
       "config_id_base": "xxxxxxxxx",
       "provision_status": "Provisioned",
       "mac_address": "xxxxxxxxx",
       "bios_version": "090007 ",
       "platform_name": "Windows",
       "Agent_load_flags":"1",
       "device_id": "",
       "product_type": "3",
       "agent_version": "5.10.9106.0"
     },
   "Entity": "x.x.x.x"
}
Entity Enrichment
Enrichment Field Name Logic - When to apply
status Returns if it exists in JSON result
modified_timestamp Returns if it exists in JSON result
major_version Returns if it exists in JSON result
policies Returns if it exists in JSON result
config_id_platform Returns if it exists in JSON result
bios_manufacturer Returns if it exists in JSON result
system_manufacturer Returns if it exists in JSON result
device_policies Returns if it exists in JSON result
meta Returns if it exists in JSON result
pointer_size Returns if it exists in JSON result
last_seen Returns if it exists in JSON result
agent_local_time Returns if it exists in JSON result
first_seen Returns if it exists in JSON result
service_pack_major Returns if it exists in JSON result
slow_changing_modified_timestamp Returns if it exists in JSON result
service_pack_minor Returns if it exists in JSON result
system_product_name Returns if it exists in JSON result
product_type_desc Returns if it exists in JSON result
build_number Returns if it exists in JSON result
cid Returns if it exists in JSON result
local_ip Returns if it exists in JSON result
external_ip Returns if it exists in JSON result
hostname Returns if it exists in JSON result
config_id_build Returns if it exists in JSON result
minor_version Returns if it exists in JSON result
platform_id Returns if it exists in JSON result
os_version Returns if it exists in JSON result
config_id_base Returns if it exists in JSON result
provision_status Returns if it exists in JSON result
mac_address Returns if it exists in JSON result
bios_version Returns if it exists in JSON result
platform_name Returns if it exists in JSON result
Agent_load_flags Returns if it exists in JSON result
device_id Returns if it exists in JSON result
product_type Returns if it exists in JSON result
agent_version Returns if it exists in JSON result
Insights

N/A

Case Wall
Result Type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

If successfully contained at least one endpoint (is_success=true): "Successfully contained the following endpoints in CrowdStrike Falcon: {entity.identifier}."

If some endpoints already are contained (is_success=true): "The following endpoints were already contained in CrowdStrike Falcon: {entity.identifier}."

If ran into a timeout and some endpoints still have the"containment_pending" status and the "Fail If Timeout" parameter is disabled (is_success=false): "The following endpoints initiated containment, but were not able to finish it during action execution: {entity.identifier}."

Async Message: "Waiting for containment to finish for the following endpoints: {entity.identifier}."

If some endpoints are not found (is_success=true): "The following endpoints were not found in CrowdStrike Falcon: {entity.identifier}."

If no endpoints are found (is_success=false): "None of the provided endpoints were found in CrowdStrike Falcon."

The action should fail and stop a playbook execution:

If a critical error is reported (fail): "Error executing action "{action name}". Reason: {error traceback}."

If ran into a timeout and some endpoints still have the "containment_pending" status and the "Fail If Timeout" parameter is enabled: "Error executing action "{action name}". Reason: the following endpoints initiated containment, but were not able to finish it during action execution: {entity.identifier}."

General
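
The outcome rules above, as an added Python example that is not part of the integration's own code: it takes a constructed per-entity host state (the host record's "status" before the action and when the action stopped waiting, or nothing when Falcon returned no host), together with the Fail If Timeout setting, and produces the output messages and is_success value the table describes. Where the per-condition rules overlap, letting the timeout and not-found conditions decide is_success is an assumption.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Host "status" values that appear in the Contain Endpoint JSON result above.
CONTAINED = "contained"
PENDING = "containment_pending"

# Constructed sample input (not from the page): entity identifier ->
# (host status before the action, host status when the action stopped
# waiting), or None when CrowdStrike Falcon returned no host for the entity.
SAMPLE_HOSTS: Dict[str, Optional[Tuple[str, str]]] = {
    "10.0.0.5": ("normal", CONTAINED),    # containment completed during the run
    "WS-ALICE": (CONTAINED, CONTAINED),   # was already contained beforehand
    "WS-BOB": ("normal", PENDING),        # sensor has not confirmed containment
    "WS-GHOST": None,                     # hostname/IP unknown to Falcon
}


class ActionError(Exception):
    """Raised when the action must fail and stop the playbook."""


@dataclass
class Outcome:
    is_success: bool
    final: bool = True          # False while the action is still polling (async)
    failed: bool = False        # True when the playbook was stopped
    messages: List[str] = field(default_factory=list)
    error: Optional[str] = None


def _join(idents: List[str]) -> str:
    return ", ".join(idents)


def contain_endpoint_outcome(hosts, fail_if_timeout: bool, timed_out: bool) -> Outcome:
    """Map per-entity host states to the page's output messages and is_success.

    Assumption: when rules overlap, pending endpoints after a timeout or no
    endpoint found at all make is_success False even if others were contained.
    """
    contained, already, pending, missing = [], [], [], []
    for ident, rec in hosts.items():
        if rec is None:
            missing.append(ident)
            continue
        before, after = rec
        if before == CONTAINED:
            already.append(ident)
        elif after == CONTAINED:
            contained.append(ident)
        else:
            # containment_pending (or any state that is not yet "contained"):
            # containment was initiated but has not finished (assumption)
            pending.append(ident)

    # Not at the timeout yet: emit the async message and keep polling.
    if pending and not timed_out:
        return Outcome(is_success=False, final=False, messages=[
            f"Waiting for containment to finish for the following endpoints: {_join(pending)}."
        ])

    # Timed out with "Fail If Timeout" enabled: fail and stop the playbook.
    if pending and fail_if_timeout:
        raise ActionError(
            'Error executing action "Contain Endpoint". Reason: the following endpoints '
            f"initiated containment, but were not able to finish it during action execution: "
            f"{_join(pending)}."
        )

    messages = []
    if contained:
        messages.append(f"Successfully contained the following endpoints in CrowdStrike Falcon: {_join(contained)}.")
    if already:
        messages.append(f"The following endpoints were already contained in CrowdStrike Falcon: {_join(already)}.")
    if pending:
        messages.append("The following endpoints initiated containment, but were not able to finish it "
                        f"during action execution: {_join(pending)}.")
    if missing and len(missing) == len(hosts):
        messages.append("None of the provided endpoints were found in CrowdStrike Falcon.")
    elif missing:
        messages.append(f"The following endpoints were not found in CrowdStrike Falcon: {_join(missing)}.")

    is_success = bool(contained or already) and not pending
    return Outcome(is_success=is_success, messages=messages)


def run_contain_endpoint(hosts, fail_if_timeout: bool, timed_out: bool) -> Outcome:
    """Playbook-style wrapper: a raised ActionError becomes a failed Outcome."""
    try:
        return contain_endpoint_outcome(hosts, fail_if_timeout, timed_out)
    except ActionError as exc:
        return Outcome(is_success=False, failed=True, error=str(exc))


if __name__ == "__main__":
    for fail_if_timeout in (False, True):
        out = run_contain_endpoint(SAMPLE_HOSTS, fail_if_timeout, timed_out=True)
        print(f"Fail If Timeout={fail_if_timeout}: is_success={out.is_success} failed={out.failed}")
        for line in out.messages:
            print("  ", line)
        if out.error:
            print("  ", out.error)
```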

Delete IOC

Description

Delete custom IOCs in CrowdStrike Falcon. Supported entities: Hostname, URL, IP address and Hash.

Parameters

N/A

Run On

This action runs on the following entities:

  • IP Address
  • Hostname
  • URL
  • Hash

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
N/A
Entity Enrichment

N/A

Insights

N/A

Case Wall
Result Type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

If successfully deleted IOCs (is_success=true): "Successfully deleted the following custom IOCs in CrowdStrike Falcon: {entity.identifier}."

If some IOCs don't exist or hash is in invalid format (is_success=true):

"The following custom IOCs were not a part of CrowdStrike Falcon instance: {entity.identifier}"

If all IOCs don't exist or hash is in invalid format (is_success=true):

"All of the provided IOCs were not a part of CrowdStrike Falcon instance."

The action should fail and stop a playbook execution:

If a critical error is reported: "Error executing action "{action parameter name}". Reason: {traceback}."

General

Get Host Information

Description

Retrieve information about the hostname from CrowdStrike Falcon. Supported entities: Hostname, IP Address.

Parameters

Parameter Name Type Default Is Mandatory Description
Create Insight Checkbox Checked No If enabled, the action creates insights containing information regarding entities.

Run On

This action runs on the following entities:

  • IP Address
  • Hostname

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
[
  {
    "EntityResult": [
      {
        "modified_timestamp": "2019-01-17T13:44:57Z",
        "major_version": "10",
        "site_name": "Default-First-Site-Name",
        "platform_id": "0",
        "config_id_platform": "3",
        "system_manufacturer": "DellInc.",
        "meta": {
          "version": "1111"
        },
        "first_seen": "2018-04-22T13:06:53Z",
        "service_pack_minor": "0",
        "product_type_desc": "Workstation",
        "build_number": "111",
        "hostname": "name",
        "config_id_build": "8104",
        "minor_version": "0",
        "os_version": "Windows10",
        "provision_status": "Provisioned",
        "mac_address": "64-00-6a-2a-43-3f",
        "bios_version": "1.2.1",
        "agent_load_flags": "1",
        "status": "normal",
        "bios_manufacturer": "DellInc.",
        "machine_domain": "Domain name",
        "agent_local_time": "2019-01-14T19:41:09.738Z",
        "slow_changing_modified_timestamp": "2019-01-14T17:44:40Z",
        "service_pack_major": "0",
        "device_id": "2653595a063e4566519ef4fc813xxxx",
        "system_product_name": "OptiPlex7040",
        "product_type": "1",
        "local_ip": "1.1.x.x",
        "external_ip": "1.1.x.x",
        "cid": "27fe4e476ca3490b8476b2b66xxxx",
        "platform_name": "Windows",
        "config_id_base": "65994753",
        "last_seen": "2019-01-17T13:44:46Z",
        "pointer_size": "8",
        "agent_version": "4.18.8104.0",
        "recent_logins": [
          {
            "user_name": "test",
            "login_time": "2022-08-10T07:36:38Z"
          },
          {
            "user_name": "test",
            "login_time": "2022-08-10T07:36:35Z"
          }
        ],
        "online_status": "offline"
      }
    ],
    "Entity": "1.1.x.x"
  }
]
Entity Enrichment
Enrichment Field Name Logic - When to apply
modified_timestamp Returns if it exists in JSON result
major_version Returns if it exists in JSON result
site_name Returns if it exists in JSON result
platform_id Returns if it exists in JSON result
config_id_platform Returns if it exists in JSON result
system_manufacturer Returns if it exists in JSON result
meta Returns if it exists in JSON result
first_seen Returns if it exists in JSON result
service_pack_minor Returns if it exists in JSON result
product_type_desc Returns if it exists in JSON result
build_number Returns if it exists in JSON result
hostname Returns if it exists in JSON result
config_id_build Returns if it exists in JSON result
minor_version Returns if it exists in JSON result
os_version Returns if it exists in JSON result
provision_status Returns if it exists in JSON result
mac_address Returns if it exists in JSON result
bios_version Returns if it exists in JSON result
agent_load_flags Returns if it exists in JSON result
status Returns if it exists in JSON result
bios_manufacturer Returns if it exists in JSON result
machine_domain Returns if it exists in JSON result
agent_local_time Returns if it exists in JSON result
slow_changing_modified_timestamp Returns if it exists in JSON result
service_pack_major Returns if it exists in JSON result
device_id Returns if it exists in JSON result
system_product_name Returns if it exists in JSON result
product_type Returns if it exists in JSON result
local_ip Returns if it exists in JSON result
external_ip Returns if it exists in JSON result
cid Returns if it exists in JSON result
platform_name Returns if it exists in JSON result
config_id_base Returns if it exists in JSON result
last_seen Returns if it exists in JSON result
pointer_size Returns if it exists in JSON result
agent_version Returns if it exists in JSON result
Case Wall
Result Type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

If successful for at least one entity (is_success=true): "Successfully enriched the following entities using CrowdStrike Falcon: {entity.identifier}"

If not successful for one entity (is_success=true): "Action wasn't able to enrich the following entities using CrowdStrike Falcon: {entity.identifier}."

If not successful for all entities (is_success=false): "No entities were enriched."

The action should fail and stop a playbook execution:

If a critical error is reported (fail): "Error executing action "Get Host Information". Reason: {traceback}."

General

Get Hosts by IOC - Deprecated

Description

List hosts related to the IOCs in CrowdStrike Falcon. Supported entities: Hostname, URL, IP Address and Hash.

Parameters

N/A

Run On

This action runs on the following entities:

  • IP Address
  • Hostname
  • URL
  • Hash

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
{
  "hash":
   [{
     "modified_timestamp": "2019-01-17T13:44:57Z",
     "major_version": "10",
     "site_name": "Default-First-Site-Name",
     "platform_id": "x",
     "config_id_platform": "3",
     "system_manufacturer": "DellInc.",
     "meta": {"version": "49622"},
     "first_seen": "2018-04-22T13:06:53Z",
     "service_pack_minor": "0",
     "product_type_desc": "Workstation",
     "build_number": "14393",
     "hostname": "name",
     "config_id_build": "xxxx",
     "minor_version": "0",
     "os_version": "Windows10",
     "provision_status": "Provisioned",
     "mac_address": "xxxxxxxx",
     "bios_version": "1.2.1",
     "agent_load_flags": "1",
     "status": "normal",
     "bios_manufacturer": "DellInc.",
     "machine_domain": "xxxxxx xxxxx",
     "Device_policies":
         {
           "sensor_update":
              {
                "applied": true,
                 "applied_date": "2018-12-11T23:09:18.071417837Z",
                "settings_hash": "65994753|3|2|automatic",
                "policy_type": "sensor-update",
                 "assigned_date": "2018-12-11T23:08:38.16990705Z",
                "policy_id": "xxxxxxxxxx"
               }
          },
       "agent_local_time": "2019-01-14T19:41:09.738Z",
       "slow_changing_modified_timestamp": "2019-01-14T17:44:40Z",
       "service_pack_major": "0",
       "device_id": "2653595a063e4566519ef4fc813fcc56",
      "system_product_name": "OptiPlex7040",
      "product_type": "1",
      "local_ip": "x.x.x.x",
      "external_ip": "x.x.x.x",
      "cid": "27fe4e476ca3490b8476b2b6650e5a74",
      "platform_name": "Windows",
      "config_id_base": "xxxxxxx",
      "policies":
          [{
             "applied": true,
              "applied_date": "2019-01-02T22:45:21.315392338Z",
             "settings_hash": "18db1203",
             "policy_type": "prevention",
              "assigned_date": "2019-01-02T22:45:11.214774996Z",
             "policy_id": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
          }],
       "last_seen": "2019-01-17T13:44:46Z",
      "pointer_size": "8",
      "agent_version": "4.18.8104.0"
   }]
 }
Entity Enrichment
Enrichment Field Name Logic - When to apply
modified_timestamp Returns if it exists in JSON result
major_version Returns if it exists in JSON result
site_name Returns if it exists in JSON result
platform_id Returns if it exists in JSON result
config_id_platform Returns if it exists in JSON result
system_manufacturer Returns if it exists in JSON result
meta Returns if it exists in JSON result
first_seen Returns if it exists in JSON result
service_pack_minor Returns if it exists in JSON result
product_type_desc Returns if it exists in JSON result
build_number Returns if it exists in JSON result
hostname Returns if it exists in JSON result
config_id_build Returns if it exists in JSON result
minor_version Returns if it exists in JSON result
os_version Returns if it exists in JSON result
provision_status Returns if it exists in JSON result
mac_address Returns if it exists in JSON result
bios_version Returns if it exists in JSON result
agent_load_flags Returns if it exists in JSON result
status Returns if it exists in JSON result
bios_manufacturer Returns if it exists in JSON result
machine_domain Returns if it exists in JSON result
Device_policies Returns if it exists in JSON result
agent_local_time Returns if it exists in JSON result
slow_changing_modified_timestamp Returns if it exists in JSON result
service_pack_major Returns if it exists in JSON result
system_product_name Returns if it exists in JSON result
product_type Returns if it exists in JSON result
local_ip Returns if it exists in JSON result
external_ip Returns if it exists in JSON result
cid Returns if it exists in JSON result
platform_name Returns if it exists in JSON result
config_id_base Returns if it exists in JSON result
policies Returns if it exists in JSON result
last_seen Returns if it exists in JSON result
pointer_size Returns if it exists in JSON result
agent_version Returns if it exists in JSON result
Entity Insights

N/A

Case Wall
Result Type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

If successful and at least one host related to the provided IOCs is found (is_success=true): "Successfully retrieved hosts related to the provided IOCs in CrowdStrike Falcon."

If no related hosts are found (is_success=false): "No hosts were related to the provided IOCs in CrowdStrike Falcon."

The action should fail and stop a playbook execution:

If a critical error is reported: "Error executing action "{action name}". Reason: {traceback}."

General

Get Process Name by IOC - Deprecated

Description

Retrieve processes related to the IOCs and provided devices in CrowdStrike Falcon. Supported entities: Hostname, URL, IP Address and Hash.

Parameters

Parameter Name Type Default Value Is Mandatory Description
Devices Names 11 N/A Yes Specify a comma-separated list of devices for which you want to retrieve processes related to entities.

Run On

This action runs on the following entities:

  • Hostname
  • URL
  • Hash

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
{
  "EntityResult":
   [{
      "Process Name": "xxxxx.exe",
      "Indicator": "986a4715113359b527b15efe1ee09306",
      "Host Name": "xx-xxxxx"
     },{
      "Process Name": "xxxxx.exe",
      "Indicator": "986a4715113359b527b15efe1ee09306",
      "Host Name": "xx-xxxxxx"
    },{
      "Process Name": "xxxxx.exe",
      "Indicator": "986a4715113359b527b15efe1ee09306",
      "Host Name": "xx-xxxxxx"
   }],
   "Entity": "xxxxxxxxxxxxxxxxxxxxxxxxxx"
}
Entity Enrichment
Enrichment Field Name Logic - When to apply
Process Name Returns if it exists in JSON result
Indicator Returns if it exists in JSON result
Host Name Returns if it exists in JSON result
Entity Insights

N/A

Case Wall
Result Type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

If found processes related to entities for at least one endpoint (is_success=true): "Successfully retrieved processes related to the IOCs on the following endpoints in CrowdStrike Falcon: {device name}."

If no processes are found for at least one endpoint or the device is not found (is_success=true): "No related processes were found on the following endpoints in CrowdStrike Falcon: {device name}."

If no processes are found for all endpoints or none of the devices are found (is_success=false): "No related processes were found on the provided endpoints in CrowdStrike Falcon.

The action should fail and stop a playbook execution:

If a critical error is reported: "Error executing "{action name}". Reason: {trace back}."

General

Get Vertex Details

Description

List all the properties associated with a particular indicator.

Parameters

N/A

Run On

This action runs on the following entities:

  • Hostname
  • URL
  • Hash

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
[{
  "EntityResult":
   [{
     "vertex_type": "module",
     "timestamp": "2019-01-17T10:52:40Z",
     "object_id":"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
     "properties":
        {
          "SHA256HashData": "7afb56dd48565c3c9804f683c80ef47e5333f847f2d3211ec11ed13ad36061e1",
          "MD5HashData": "54cb91395cdaad9d47882533c21fc0e9",
          "SHA1HashData": "3b1333f826e5fe36395042fe0f1b895f4a373f1b"
        },
    "edges":
        {
          "primary_module":
             [{
               "direction": "in",
               "timestamp": "2019-01-13T10:58:51Z",
               "object_id": "xxxxxxxxxxxxx",
               "id": "pid:cb4493e4af2742b068efd16cb48b7260:3738513791849",
               "edge_type": "primary_module",
               "path": "https://falconapi.crowdstrike.com/threatgraph/combined/processes/summary/v1?ids=pid%3Acb4493e4af2742b068efd16cb48b7260%3A3738513791849&scope=device",
               "scope": "device",
               "properties": {},
               "device_id": "cb4493e4af2742b068efd16cb48b7260"
             }]
         },
     "scope": "device",
     "customer_id": "27fe4e476ca3490b8476b2b6650e5a74",
     "id": "mod:cb4493e4af2742b068efd16cb48b7260:7afb56dd48565c3c9804f683c80ef47e5333f847f2d3211ec11ed13ad36061e1",
     "device_id": "cb4493e4af2742b068efd16cb48b7260"
   }],
  "Entity": "xxxxxxxxxxxxxxxxxxxxxx"
}]
Entity Enrichment
Enrichment Field Name Logic - When to apply
vertex_type Returns if it exists in JSON result
timestamp Returns if it exists in JSON result
object_id Returns if it exists in JSON result
properties Returns if it exists in JSON result
edges Returns if it exists in JSON result
scope Returns if it exists in JSON result
customer_id Returns if it exists in JSON result
id Returns if it exists in JSON result
device_id Returns if it exists in JSON result
Entity Insights

N/A

Lift Contained Endpoint

Description

Lift endpoint containment in CrowdStrike Falcon. Supported entities: Hostname and IP Address.

Parameters

Parameter Name Type Default Value Is Mandatory Description
Fail If Timeout Checkbox Checked Yes If enabled, the action fails if containment was not lifted on all endpoints.

Run On

This action runs on the following entities:

  • IP Address
  • Hostname

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
{
  "EntityResult":
   {
     "status": "contained",
     "modified_timestamp": "2019-06-24T07:47:37Z",
     "major_version": "6",
     "policies":
      [{
        "applied": "True",
        "applied_date": "2019-04-29T07:40:06.876850888Z",
        "settings_hash": "ce17279e",
        "policy_type": "prevention",
        "assigned_date": "2019-04-29T07:39:55.218651583Z",
        "policy_id": ""
       }],
     "config_id_platform": "x",
     "bios_manufacturer": "American Megatrends Inc.",
     "system_manufacturer": "Microsoft Corporation",
     "Device_policies":
        {
         "global_config":
           {
             "applied": "True",
             "applied_date": "2019-06-03T23:24:04.893780991Z",
             "settings_hash": "a75911b0",
             "policy_type": "globalconfig",
             "assigned_date": "2019-06-03T23:23:17.184432743Z",
             "policy_id": ""
           },
         "Sensor_update":
           {
             "applied": "True",
             "applied_date": "2019-05-30T23:13:55.23597658Z",
             "settings_hash": "65994753|3|2|automatic;101",
             "uninstall_protection": "ENABLED",
             "policy_type": "sensor-update",
             "assigned_date": "2019-05-30T23:04:31.485311459Z",
             "policy_id": "9d1e405846de4ebdb63f674866d390dc"
           },
          "Prevention":
           {
             "applied": "True",
             "applied_date": "2019-04-29T07:40:06.876850888Z",
             "settings_hash": "ce17279e",
             "policy_type": "prevention",
             "assigned_date": "2019-04-29T07:39:55.218651583Z",
             "policy_id": ""
            },
          "device_control":
           {
             "applied": "True",
             "applied_date": "2019-06-03T23:14:29.800434222Z",
             "policy_type": "device-control",
             "assigned_date": "2019-06-03T23:05:17.425127539Z",
             "policy_id": ""
            },
          "Remote_response":
           {
             "applied": "True",
             "applied_date": "2019-04-29T07:40:04.469808388Z",
             "settings_hash": "f472bd8e",
             "policy_type": "remote-response",
             "assigned_date": "2019-04-29T07:39:55.218642441Z",
             "policy_id": ""
            }
        },
     "meta":
        {"version": "12765"},
     "pointer_size": "8",
     "last_seen": "2019-06-24T07:45:34Z",
     "agent_local_time": "2019-06-18T12:17:06.259Z",
     "first_seen": "2019-04-29T07:39:45Z",
     "service_pack_major": "0",
     "slow_changing_modified_timestamp": "2019-06-23T11:20:42Z",
     "service_pack_minor": "0",
     "system_product_name":"Virtual Machine",
     "product_type_desc": "Server",
     "build_number": "9600",
     "cid": "",
     "local_ip": "x.x.x.x",
     "external_ip": "y.y.y.y",
     "hostname": "xxxxxxxx",
     "config_id_build": "9106",
     "minor_version": "3",
     "platform_id": "0",
     "os_version": "Windows Server 2012 R2",
     "config_id_base": "xxxxxxxx",
     "provision_status": "Provisioned",
     "mac_address": "00-09-0f-aa-00-01",
     "bios_version": "090007 ",
     "platform_name": "xxxxxx",
     "agent_load_flags": "1",
     "device_id": "",
     "product_type": "3",
     "agent_version": "5.10.9106.0"
   },
 "Entity": "x.x.x.x"
 }
Entity Enrichment
Enrichment Field Name | Logic - When to apply
status | Returns if it exists in JSON result
modified_timestamp | Returns if it exists in JSON result
major_version | Returns if it exists in JSON result
config_id_platform | Returns if it exists in JSON result
system_manufacturer | Returns if it exists in JSON result
Device_policies | Returns if it exists in JSON result
meta | Returns if it exists in JSON result
pointer_size | Returns if it exists in JSON result
last_seen | Returns if it exists in JSON result
agent_local_time | Returns if it exists in JSON result
first_seen | Returns if it exists in JSON result
service_pack_major | Returns if it exists in JSON result
slow_changing_modified_timestamp | Returns if it exists in JSON result
service_pack_minor | Returns if it exists in JSON result
system_product_name | Returns if it exists in JSON result
product_type_desc | Returns if it exists in JSON result
build_number | Returns if it exists in JSON result
cid | Returns if it exists in JSON result
local_ip | Returns if it exists in JSON result
external_ip | Returns if it exists in JSON result
hostname | Returns if it exists in JSON result
config_id_build | Returns if it exists in JSON result
minor_version | Returns if it exists in JSON result
platform_id | Returns if it exists in JSON result
os_version | Returns if it exists in JSON result
config_id_base | Returns if it exists in JSON result
provision_status | Returns if it exists in JSON result
mac_address | Returns if it exists in JSON result
bios_version | Returns if it exists in JSON result
platform_name | Returns if it exists in JSON result
agent_load_flags | Returns if it exists in JSON result
device_id | Returns if it exists in JSON result
product_type | Returns if it exists in JSON result
agent_version | Returns if it exists in JSON result
Insights

N/A

Case Wall
Result Type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

If containment was successfully lifted on at least one endpoint (is_success=true): "Successfully lifted containment on the following endpoints in CrowdStrike Falcon: {entity.identifier}."

If some endpoints are already contained (is_success=true): "The following endpoints were not contained in CrowdStrike Falcon: {entity.identifier}."

If the action ran into a timeout, some endpoints still have the "lift_containment_pending" status and the "Fail If Timeout" parameter is disabled (is_success=false): "The following endpoints initiated containment lift, but were not able to finish it during action execution: {entity.identifier}."

Async Message: "Waiting for containment lift to finish for the following endpoints: {entity.identifier}."

If some endpoints are not found (is_success=true): "The following endpoints were not found in CrowdStrike Falcon: {entity.identifier}."

If no endpoints are found (is_success=false): "None of the provided endpoints were found in CrowdStrike Falcon."

The action should fail and stop a playbook execution:

If a critical error is reported (fail): "Error executing action "{action name}". Reason: {error traceback}."

If the action ran into a timeout, some endpoints still have the "lift_containment_pending" status and the "Fail If Timeout" parameter is enabled: "Error executing action "{action name}". Reason: the following endpoints initiated containment lift, but were not able to finish it during action execution: {entity.identifier}."

General
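
The output-message rules above amount to a small state machine over the per-endpoint host status. The following is an added example, not the integration's own code: it classifies each endpoint by its Falcon status before the action started and after the last polling round, and produces is_success, the fail/continue decision and the message texts documented above. The EndpointResult layout, the function names, the sample endpoints and the way mixed outcomes combine (a pending endpoint pulls is_success down to False even if others were lifted) are assumptions made for this example.

```python
"""Added example (not the integration's own code): derive the Lift Contained
Endpoint outcome from per-endpoint results, using the host statuses
("contained", "normal", "lift_containment_pending") and the output messages
documented for the action. Record layout, function names and sample data are
assumptions made for this example."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

ACTION_NAME = "Lift Contained Endpoint"


@dataclass
class EndpointResult:
    identifier: str
    status_before: Optional[str]  # Falcon host status when the action started; None = host not found
    status_after: Optional[str]   # host status after the final polling round


@dataclass
class ActionOutcome:
    is_success: bool
    failed: bool                  # True when the action must fail and stop the playbook
    messages: List[str] = field(default_factory=list)


# Constructed sample results; hostnames and addresses are placeholders.
SAMPLE_RESULTS = [
    EndpointResult("srv-01.example.local", "contained", "normal"),                    # lift finished
    EndpointResult("10.0.0.12", "normal", "normal"),                                  # was not contained
    EndpointResult("wks-07.example.local", "contained", "lift_containment_pending"),  # pending at timeout
    EndpointResult("10.0.0.99", None, None),                                          # unknown to Falcon
]


def classify(results: List[EndpointResult]) -> Tuple[List[str], List[str], List[str], List[str]]:
    """Split endpoints into lifted / already uncontained / still pending / not found."""
    lifted, not_contained, pending, not_found = [], [], [], []
    for r in results:
        if r.status_before is None:
            not_found.append(r.identifier)
        elif r.status_after == "lift_containment_pending":
            pending.append(r.identifier)
        elif r.status_before == "contained" and r.status_after == "normal":
            lifted.append(r.identifier)
        elif r.status_before == "normal":
            not_contained.append(r.identifier)
        else:
            # Any other combination (e.g. still "contained" after the last poll)
            # is treated like an unfinished lift.
            pending.append(r.identifier)
    return lifted, not_contained, pending, not_found


def build_outcome(results: List[EndpointResult], fail_if_timeout: bool = True) -> ActionOutcome:
    """Assemble is_success, the fail/continue decision and the output messages."""
    lifted, not_contained, pending, not_found = classify(results)
    join = ", ".join
    if results and len(not_found) == len(results):
        return ActionOutcome(False, False,
                             ["None of the provided endpoints were found in CrowdStrike Falcon."])
    if pending and fail_if_timeout:
        reason = ("the following endpoints initiated containment lift, but were not able "
                  f"to finish it during action execution: {join(pending)}.")
        return ActionOutcome(False, True, [f'Error executing action "{ACTION_NAME}". Reason: {reason}'])
    messages = []
    if lifted:
        messages.append("Successfully lifted containment on the following endpoints in "
                        f"CrowdStrike Falcon: {join(lifted)}.")
    if not_contained:
        messages.append(f"The following endpoints were not contained in CrowdStrike Falcon: {join(not_contained)}.")
    if pending:
        messages.append("The following endpoints initiated containment lift, but were not able "
                        f"to finish it during action execution: {join(pending)}.")
    if not_found:
        messages.append(f"The following endpoints were not found in CrowdStrike Falcon: {join(not_found)}.")
    return ActionOutcome(bool(lifted or not_contained) and not pending, False, messages)


if __name__ == "__main__":
    for flag in (True, False):
        outcome = build_outcome(SAMPLE_RESULTS, fail_if_timeout=flag)
        print(f"Fail If Timeout={flag}: is_success={outcome.is_success} failed={outcome.failed}")
        for m in outcome.messages:
            print("  ", m)
```

Running the same sample with "Fail If Timeout" enabled and disabled shows the difference the parameter makes: enabled, the pending endpoint turns the whole action into a failure with a single error message; disabled, the action continues with is_success=false and reports each group of endpoints separately.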

List Hosts

Description

List available hosts in CrowdStrike Falcon.

Parameters

Parameter Name | Type | Default Value | Is Mandatory | Description
Filter Logic | DDL | Equals | No | Specify the logic that should be used when searching for hosts. Possible values: Equals, Contains.
Filter Value | String | N/A | No | Specify the value that should be used to filter hosts.
Max Hosts To Return | Integer | 50 | No | Specify the number of hosts to return. Maximum: 1000.

Run On

This action runs on all entities.

Action Results

Script Result
Script Result Name | Value Options | Example
hosts_count | N/A | N/A
JSON Result
[{
   "modified_timestamp": "2019-05-15T15:03:12Z",
   "platform_id": "0",
   "config_id_platform": "3",
   "system_manufacturer": "Microsoft Corporation",
   "meta": {"version": "4067"},
   "first_seen": "2019-04-29T07:39:45Z",
   "service_pack_minor": "0",
   "product_type_desc": "Server",
   "build_number": "9600",
   "hostname": "xxxx-xxxx",
   "config_id_build": "8904",
   "minor_version": "3",
   "os_version": "Windows Server 2012 R2",
   "provision_status": "Provisioned",
   "mac_address": "xxxxxxxxxxxxxxxxx",
   "bios_version": "090007 ",
   "agent_load_flags": "0",
   "status": "normal",
   "bios_manufacturer": "American Megatrends Inc.",
   "device_policies":
     {
      "Sensor_update":
         {
           "applied": true,
           "applied_date": "2019-05-02T22:05:09.577000651Z",
           "settings_hash": "65994753|3|2|automatic",
           "policy_type": "sensor-update",
           "assigned_date": "2019-05-02T22:03:36.804382667Z",
           "policy_id": "9d1e405846de4ebdb63f674866d390dc"
          },
      "remote_response":
          {
            "applied": true,
            "applied_date": "2019-04-29T07:40:04.469808388Z",
            "settings_hash": "f472bd8e",
            "policy_type": "remote-response",
            "assigned_date": "2019-04-29T07:39:55.218642441Z",
            "policy_id": "21e4fb4dedd74c6fb0bcd6a348aa046c"
           },
     "device_control":
          {
            "applied": true,
            "applied_date": "2019-04-29T07:40:06.896362608Z",
            "assigned_date": "2019-04-29T07:39:55.218637999Z",
            "policy_type": "device-control",
            "policy_id": "c360df7193364b23aa4fc47f0238c899"
           },
     "prevention":
           {
            "applied": true,
            "applied_date": "2019-04-29T07:40:06.876850888Z",
            "settings_hash": "ce17279e",
            "policy_type": "prevention",
            "assigned_date": "2019-04-29T07:39:55.218651583Z",
            "policy_id": "7efdf97d7805402186b61151e8abd745"
           },
     "global_config":
          {
            "applied": true,
            "applied_date": "2019-04-29T07:45:18.94807838Z",
            "settings_hash": "3d78f9ab",
            "policy_type": "globalconfig",
            "assigned_date": "2019-04-29T07:45:08.165941325Z",
            "policy_id": "985b1a25afcb489ea442d2d1430b1679"
           }
      },
   "cid": "27fe4e476ca3490b8476b2b6650e5a74",
   "agent_local_time": "2019-05-02T22:05:00.015Z",
   "slow_changing_modified_timestamp": "2019-05-02T22:05:09Z",
   "service_pack_major": "0",
   "device_id": "0ab8bc6d968b473b72a5d11a41a24c21",
   "system_product_name": "Virtual Machine",
   "product_type": "3",
   "local_ip": "x.x.x.x",
   "external_ip": "x.x.x.x",
   "major_version": "6",
   "platform_name": "Windows",
   "config_id_base": "65994753",
   "policies":
     [{
        "applied": true,
        "applied_date": "2019-04-29T07:40:06.876850888Z",
        "settings_hash": "ce17279e",
        "policy_type": "prevention",
        "assigned_date": "2019-04-29T07:39:55.218651583Z",
        "policy_id": "7efdf97d7805402186b61151e8abd745"
      }],
   "agent_version": "4.26.8904.0",
   "pointer_size": "8",
   "last_seen": "2019-05-15T15:01:23Z"
 },
 {
  "modified_timestamp": "2019-05-13T07:24:36Z",
  "site_name": "Default-First-Site-Name",
  "config_id_platform": "3",
  "system_manufacturer": "Dell Inc.",
  "meta": {"version": "14706"},
  "first_seen": "2018-04-17T11:02:20Z",
  "platform_name": "Windows",
  "service_pack_minor": "0",
  "product_type_desc": "Workstation",
  "build_number": "17134",
  "hostname": "xx-xxxxxx",
  "config_id_build": "8904",
  "minor_version": "0",
  "os_version": "Windows 10",
  "provision_status": "Provisioned",
  "mac_address": "xxxxxxxxxxxxxxxx",
  "bios_version": "1.6.5",
  "agent_load_flags": "0",
  "status": "normal",
  "bios_manufacturer": "Dell Inc.",
  "machine_domain": "xxxxxxxx.xxxxx",
  "device_policies":
     {
       "sensor_update":
         {
          "applied": true,
          "applied_date": "2019-05-05T12:52:23.121596885Z",
          "settings_hash": "65994753|3|2|automatic",
          "policy_type": "sensor-update",
          "assigned_date": "2019-05-05T12:51:37.544605747Z",
          "policy_id": "9d1e405846de4ebdb63f674866d390dc"
         },
       "Remote_response":
         {
          "applied": true,
          "applied_date": "2019-02-10T07:57:59.064362539Z",
          "settings_hash": "f472bd8e",
          "policy_type": "remote-response",
          "assigned_date": "2019-02-10T07:57:50.610924385Z",
          "policy_id": "21e4fb4dedd74c6fb0bcd6a348aa046c"
         },
      "device_control":
          {
            "applied": true,
            "applied_date": "2019-03-25T15:01:28.51681072Z",
            "assigned_date": "2019-03-25T15:00:22.442519168Z",
            "policy_type": "device-control",
            "policy_id": "c360df7193364b23aa4fc47f0238c899"
          },
      "Prevention":
          {
            "applied": true,
            "applied_date": "2019-04-04T06:54:06.909774295Z",
            "settings_hash": "ce17279e",
            "policy_type": "prevention",
            "assigned_date": "2019-04-04T06:53:57.135897343Z",
            "policy_id": "7efdf97d7805402186b61151e8abd745"
          },
      "global_config":
          {
            "applied": true,
            "applied_date": "2019-02-10T07:57:53.70275875Z",
            "settings_hash": "3d78f9ab",
            "policy_type": "globalconfig",
            "assigned_date": "2019-02-10T07:57:50.610917888Z",
            "policy_id": "985b1a25afcb489ea442d2d1430b1679"
           }
     },
 "cid": "27fe4e476ca3490b8476b2b6650e5a74",
 "agent_local_time": "2019-05-05T15:52:08.172Z",
 "slow_changing_modified_timestamp": "2019-05-12T12:37:35Z",
 "service_pack_major": "0",
 "device_id": "cb4493e4af2742b068efd16cb48b7260",
 "system_product_name": "xxxxxx xxxx",
 "product_type": "1",
 "local_ip": "x.x.x.x",
 "external_ip": "x.x.x.x",
 "major_version": "10",
 "platform_id": "0",
 "config_id_base": "65994753",
 "policies":
    [{
       "applied": true,
       "applied_date": "2019-04-04T06:54:06.909774295Z",
       "settings_hash": "ce17279e",
       "policy_type": "prevention",
       "assigned_date": "2019-04-04T06:53:57.135897343Z",
       "policy_id": "7efdf97d7805402186b61151e8abd745"
     }],
 "agent_version": "4.26.8904.0",
 "pointer_size": "8",
 "last_seen": "2019-05-13T07:21:30Z"
},
{
  "modified_timestamp": "2019-05-09T14:22:50Z",
  "site_name": "Default-First-Site-Name",
  "config_id_platform": "3",
  "system_manufacturer": "Dell Inc.",
  "meta": {"version": "77747"},
  "first_seen": "2018-07-01T12:19:23Z",
  "platform_name": "Windows",
 "service_pack_minor": "0",
 "product_type_desc": "Workstation",
 "build_number": "17134",
 "hostname":"xx-xxxxx",
 "config_id_build": "8904",
 "minor_version": "0",
 "os_version": "Windows 10",
 "provision_status": "Provisioned",
 "mac_address": "xxxxxxxxxxxxxxxxxxx",
 "bios_version": "1.2.1",
 "agent_load_flags": "0",
 "status": "normal",
 "bios_manufacturer": "Dell Inc.",
 "machine_domain": "xxxxxxx.xxxxx",
 "device_policies":
    {
      "sensor_update":
       {
         "applied": true,
         "applied_date": "2019-05-02T22:10:50.336101107Z",
         "settings_hash": "65994753|3|2|automatic",
         "policy_type": "sensor-update",
         "assigned_date": "2019-05-02T22:10:50.336100731Z",
         "policy_id": "9d1e405846de4ebdb63f674866d390dc"
        },
      "remote_response":
       {
         "applied": true,
         "applied_date": "2019-02-08T02:46:31.919442939Z",
         "settings_hash": "f472bd8e",
         "policy_type": "remote-response",
         "assigned_date": "2019-02-08T02:46:22.219718098Z",
         "policy_id": "21e4fb4dedd74c6fb0bcd6a348aa046c"
        },
 "device_control":
     {
       "applied": true,
       "applied_date": "2019-03-24T16:43:31.777981725Z",
       "assigned_date": "2019-03-24T16:42:21.395540493Z",
       "policy_type": "device-control",
       "policy_id": "c360df7193364b23aa4fc47f0238c899"
     },
 "prevention":
     {
      "applied": true,
      "applied_date": "2019-04-03T23:58:50.870694195Z",
      "settings_hash": "ce17279e",
      "policy_type": "prevention",
      "assigned_date": "2019-04-03T23:57:22.534513932Z",
      "policy_id": "7efdf97d7805402186b61151e8abd745"
     },
 "global_config":
     {
      "applied": true,
      "applied_date": "2019-02-08T01:14:14.810607774Z",
      "settings_hash": "3d78f9ab",
      "policy_type": "globalconfig",
      "assigned_date": "2019-02-08T01:14:05.585922067Z",
      "policy_id": "985b1a25afcb489ea442d2d1430b1679"
      }
 },
  "cid": "27fe4e476ca3490b8476b2b6650e5a74",
  "agent_local_time": "2019-05-03T01:10:29.340Z",
  "slow_changing_modified_timestamp": "2019-05-02T22:10:46Z",
  "service_pack_major": "0",
  "device_id": "1c2f1a7f88f8457f532f1c615f07617b",
  "system_product_name": "OptiPlex 7040",
  "product_type": "1",
  "local_ip": "x.x.x.x",
  "external_ip": "x.x.x.x",
  "major_version": "10",
  "platform_id": "0",
  "config_id_base": "65994753",
  "policies":
     [{
       "applied": true,
       "applied_date": "2019-04-03T23:58:50.870694195Z",
       "settings_hash": "ce17279e",
       "policy_type": "prevention",
       "assigned_date": "2019-04-03T23:57:22.534513932Z",
       "policy_id": "7efdf97d7805402186b61151e8abd745"
     }],
 "agent_version": "4.26.8904.0",
 "pointer_size": "8",
 "last_seen": "2019-05-09T14:20:53Z"
}]
Entity Enrichment

N/A

Insights

N/A

Case Wall
Result Type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

If successful and one endpoint is found (is_success=true): "Successfully retrieved available hosts based on the provided criteria."

If no endpoints are found (is_success=false): "No hosts were found for the provided criteria."

General

List Uploaded IOCs

Description

List available custom IOCs in CrowdStrike Falcon.

Parameters

Parameter Name | Type | Default Value | Is Mandatory | Description
IOC Type Filter | CSV | ipv4,ipv6,md5,sha1,sha256,domain | No | Specify a comma-separated list of IOC types that should be returned. If nothing is provided, the action returns IOCs of all types. Possible values: ipv4, ipv6, md5, sha1, sha256, domain.
Value Filter Logic | DDL | Equal | No | Specify the value filter logic. Possible values: Equal, Contains. If "Equal" is selected, the action tries to find the exact match among IOCs. If "Contains" is selected, the action tries to find IOCs that contain the provided substring.
Value Filter String | String | N/A | No | Specify the string that should be searched among IOCs.
Max IOCs To Return | Integer | 50 | No | Specify the number of IOCs to return. Maximum: 500.

Run On

This action runs on all entities.

Action Results

Script Result
Script Result Name | Value Options | Example
iocs_count | N/A | N/A
JSON Result
{
            "id": "fbe8c2739f3c6df95e62e0ae54569974437b2d9306eaf6740134ccf1a05e23d3",
            "type": "sha256",
            "value": "8a86c4eecf12446ff273afc03e1b3a09a911d0b7981db1af58cb45c439161295",
            "action": "no_action",
            "severity": "",
            "metadata": {
                "signed": false,
                "av_hits": -1
            },
            "platforms": [
                "windows"
            ],
            "tags": [
                "Hashes 22.Nov.20 15:29 (Windows)"
            ],
            "expired": false,
            "deleted": false,
            "applied_globally": true,
            "from_parent": false,
            "created_on": "2021-04-22T03:54:09.235120463Z",
            "created_by": "internal@crowdstrike.com",
            "modified_on": "2021-04-22T03:54:09.235120463Z",
            "modified_by": "internal@crowdstrike.com"
        }
Entity Enrichment

N/A

Insights

N/A

Case Wall
Result Type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

If successful and one IOC is found (is_success=true): "Successfully found custom IOCs for the provided criteria in CrowdStrike Falcon."

If no IOCs are found (is_success=false): "No custom IOCs were found for the provided criteria in CrowdStrike Falcon."

The action should fail and stop a playbook execution:

If a critical error is reported (fail): "Error executing action "{action name}". Reason: {traceback}."

If the "IOC Type Filter" parameter contains an invalid value (fail): "Error executing action "{action name}". Reason: "IOC Type Filter" contains an invalid value. Please check the spelling. Possible values: ipv4, ipv6, md5, sha1, sha256, domain."

General
Case Wall Table

Table Columns:

  • Action - action
  • Severity - severity
  • Signed - metadata/signed
  • AV Hits - metadata/av_hits
  • Platforms - CSV of platforms
  • Tags - CSV of tags
  • Created At - created_on
  • Created By - created_by
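
As an added example (not the integration's own code), the block below applies the List Uploaded IOCs parameters to IOC records in the shape of the JSON Result above and builds the Case Wall table rows from the column mapping just listed. The type validation error reason, the Equal/Contains logic and the 500-record maximum come from the action description; the function names, the sample records, and the choice to cap rather than reject a "Max IOCs To Return" above 500 are assumptions made here.

```python
"""Added example (not the integration's own code): apply the List Uploaded IOCs
parameters ("IOC Type Filter", "Value Filter Logic", "Value Filter String",
"Max IOCs To Return") to IOC records shaped like the action's JSON Result, and
build the Case Wall table rows from the documented column mapping. Function
names and the sample records are assumptions made for this example."""
from typing import Dict, List

ALLOWED_IOC_TYPES = ("ipv4", "ipv6", "md5", "sha1", "sha256", "domain")
HARD_MAX_IOCS = 500  # documented maximum for "Max IOCs To Return"

# Constructed sample records in the shape of the action's JSON Result.
SAMPLE_IOCS: List[Dict] = [
    {"id": "ioc-1", "type": "sha256",
     "value": "8a86c4eecf12446ff273afc03e1b3a09a911d0b7981db1af58cb45c439161295",
     "action": "no_action", "severity": "", "metadata": {"signed": False, "av_hits": -1},
     "platforms": ["windows"], "tags": ["Hashes 22.Nov.20 15:29 (Windows)"],
     "created_on": "2021-04-22T03:54:09.235120463Z", "created_by": "internal@crowdstrike.com"},
    {"id": "ioc-2", "type": "domain", "value": "malicious.example", "action": "detect",
     "severity": "high", "metadata": {}, "platforms": ["windows", "linux"], "tags": [],
     "created_on": "2021-05-01T00:00:00Z", "created_by": "analyst@example.com"},
    {"id": "ioc-3", "type": "ipv4", "value": "203.0.113.7", "action": "detect",
     "severity": "medium", "metadata": {"signed": False, "av_hits": 3}, "platforms": ["mac"],
     "tags": ["blocklist"], "created_on": "2021-06-10T12:00:00Z", "created_by": "analyst@example.com"},
]


def parse_type_filter(raw: str) -> List[str]:
    """Parse the comma-separated "IOC Type Filter"; empty means all types.
    Unknown types raise the error reason documented for the action."""
    types = [t.strip().lower() for t in raw.split(",") if t.strip()]
    if not types:
        return list(ALLOWED_IOC_TYPES)
    if any(t not in ALLOWED_IOC_TYPES for t in types):
        raise ValueError('"IOC Type Filter" contains an invalid value. Please check the spelling. '
                         'Possible values: ipv4, ipv6, md5, sha1, sha256, domain.')
    return types


def filter_iocs(iocs: List[Dict], type_filter: str = "", value_logic: str = "Equal",
                value_filter: str = "", max_to_return: int = 50) -> List[Dict]:
    """Return at most max_to_return IOCs (capped at 500) matching the type and value criteria."""
    if value_logic not in ("Equal", "Contains"):
        raise ValueError('"Value Filter Logic" must be "Equal" or "Contains".')
    wanted = set(parse_type_filter(type_filter))
    limit = min(max_to_return, HARD_MAX_IOCS)  # capping instead of rejecting is an assumption
    selected = []
    for ioc in iocs:
        if ioc.get("type") not in wanted:
            continue
        value = str(ioc.get("value", ""))
        if value_filter:
            if value_logic == "Equal" and value != value_filter:
                continue
            if value_logic == "Contains" and value_filter not in value:
                continue
        selected.append(ioc)
        if len(selected) >= limit:
            break
    return selected


def case_wall_rows(iocs: List[Dict]) -> List[Dict]:
    """One row per IOC using the documented column -> field mapping."""
    rows = []
    for ioc in iocs:
        meta = ioc.get("metadata") or {}   # metadata may be absent for some IOC types
        rows.append({
            "Action": ioc.get("action"),
            "Severity": ioc.get("severity"),
            "Signed": meta.get("signed"),
            "AV Hits": meta.get("av_hits"),
            "Platforms": ", ".join(ioc.get("platforms") or []),
            "Tags": ", ".join(ioc.get("tags") or []),
            "Created At": ioc.get("created_on"),
            "Created By": ioc.get("created_by"),
        })
    return rows


if __name__ == "__main__":
    matches = filter_iocs(SAMPLE_IOCS, type_filter="domain,ipv4",
                          value_logic="Contains", value_filter="example")
    for row in case_wall_rows(matches):
        print(row)
```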

Ping

Description

Test connectivity to CrowdStrike Falcon with the parameters provided on the integration configuration page in the Google Security Operations Marketplace tab.

Parameters

N/A

Run On

This action runs on all entities.

Action Results

Script Result
Script Result Name | Value Options | Example
is_success | True/False | is_success:False
JSON Result
N/A
Entity Enrichment

N/A

Insights

N/A

Update Detection

Description

Update detection in CrowdStrike Falcon.

Parameters

Parameter Name | Type | Default Value | Is Mandatory | Description
Detection ID | String | N/A | Yes | Specify the ID of the detection that needs to be updated.
Status | List | new | Yes | Specify the new status for the detection.
Assign Detection to | String | N/A | No | Specify the email address of the CrowdStrike Falcon user who needs to be assigned to this detection.

Run On

This action runs on all entities.

Action Results

Script Result
Script Result Name | Value Options | Example
is_success | True/False | is_success:False
JSON Result
N/A
Entity Enrichment

N/A

Insights

N/A

Case Wall
Result Type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

If successfully updated (is_success=true): "Successfully updated detection {detection id} in CrowdStrike Falcon."

The action should fail and stop a playbook execution:

If a 404 or 400 status code is reported (fail): "Error executing action "{action name}". Reason: {errors/message}."

If a critical error is reported (fail): "Error executing action "{action name}". Reason: {traceback}."

If "Status"=="Select One" and the "Assign Detection To" parameter is empty (fail): "Error executing action "{action name}". Reason: Either "Status" or "Assign Detection To" should have a proper value."

General

Update Incident

Update an incident in CrowdStrike.

Entities

The action doesn't run on entities.

Action inputs

To configure the action, use the following parameters:

Parameters
Incident ID Required

Specifies the ID of the incident to update.

Status Optional

Specifies the status for the incident.

Possible values are:

  • Closed
  • In Progress
  • New
  • Reopened
Assign to Optional

Specifies the name or email of the assigned analyst.

If Unassign is provided, the action removes an assignee from the incident.

Action outputs

Action output type | Availability
Case wall attachment | N/A
Case wall link | N/A
Case wall table | N/A
Enrichment table | N/A
JSON result | Available
Script result | Available
Script result
Script result name | Value
is_success | True/False
JSON result
{
            "data_type": "Incident",
            "incident_id": "inc:fee8a6ef0cb3412e9a781dcae0287c85:9dfa480ae6214309bff0c8dc2ad8af7c",
            "incident_type": 1,
            "cid": "27fe4e476ca3490b8476b2b6650e5a74",
            "host_ids": [
                "fee8a6ef0cb3412e9a781dcae0287c85"
            ],
            "hosts": [
                {
                    "device_id": "fee8a6ef0cb3412e9a781dcae0287c85",
                    "cid": "27fe4e476ca3490b8476b2b6650e5a74",
                    "agent_load_flags": "1",
                    "agent_local_time": "2023-01-09T11:28:59.170Z",
                    "agent_version": "6.48.16207.0",
                    "bios_manufacturer": "Example Inc.",
                    "bios_version": "1.20.0",
                    "config_id_base": "65994753",
                    "config_id_build": "16207",
                    "config_id_platform": "3",
                    "external_ip": "198.51.100.1",
                    "hostname": "DESKTOP-EXAMPLE",
                    "first_seen": "2022-09-26T09:56:42Z",
                    "last_seen": "2023-01-09T12:11:35Z",
                    "local_ip": "192.0.2.1",
                    "mac_address": "00-15-5d-65-39-86",
                    "major_version": "10",
                    "minor_version": "0",
                    "os_version": "ExampleOS 01",
                    "platform_id": "0",
                    "platform_name": "Example",
                    "product_type": "1",
                    "product_type_desc": "Workstation",
                    "status": "contained",
                    "system_manufacturer": "Example Inc.",
                    "system_product_name": "G5 5500",
                    "modified_timestamp": "2023-01-09T12:11:48Z"
                }
            ],
            "created": "2023-01-09T12:12:51Z",
            "start": "2023-01-09T11:23:27Z",
            "end": "2023-01-09T12:52:01Z",
            "state": "closed",
            "status": 20,
            "tactics": [
                "Defense Evasion",
                "Privilege Escalation",
                "Credential Access"
            ],
            "techniques": [
                "Disable or Modify Tools",
                "Access Token Manipulation",
                "Input Capture",
                "Bypass User Account Control"
            ],
            "objectives": [
                "Keep Access",
                "Gain Access"
            ],
            "users": [
                "DESKTOP-EXAMPLE$",
                "EXAMPLE"
            ],
            "fine_score": 21
        }
Case wall

The action provides the following output messages:

Output message | Message description
Successfully updated incident with ID INCIDENT_ID in CrowdStrike | Action is successful.
Error executing action "Update Incident". Reason: ERROR_REASON | The action returned an error. Check connection to the server, input parameters, or credentials.
Error executing action "Update Incident". Reason: incident with ID INCIDENT_ID wasn't found in CrowdStrike. Please check the spelling. | The action returned an error. Check the spelling.
Error executing action "Update Incident". Reason: user USER_ID wasn't found in CrowdStrike. Please check the spelling. | The action returned an error. Check the spelling.
Error executing action "Update Incident". Reason: at least one of the "Status" or "Assign To" parameters should have a value. | The action returned an error. Check input parameters.

Update IOC Information

Description

Update information about custom IOCs in CrowdStrike Falcon. Supported entities: Hostname, URL, IP Address and Hash.

Parameters

Parameter Name | Type | Default Value | Is Mandatory | Description
Description | String | N/A | No | Specify the new description for custom IOCs.
Source | String | N/A | No | Specify the source for custom IOCs.
Expiration days | String | N/A | No | Specify the number of days until expiration. Note: This parameter only affects the URL, IP Address and Hostname entities.
Detect policy | Checkbox | Checked | No | If enabled, a notification is sent when the IOCs are identified. Otherwise, no action is taken.

Run On

This action runs on the following entities:

  • Hostname
  • URL
  • IP Address
  • Hash

Action Results

Script Result
Script Result Name | Value Options | Example
is_success | True/False | is_success:False
JSON Result
{
    "id": "563df6a812f2e7020a17f77ccd809176ca3209cf7c9447ee36c86b4215860856",
    "type": "md5",
    "value": "7e4b0f81078f27fde4aeb87b78b6214c",
    "source": "testSource",
    "action": "detect",
    "severity": "high",
    "description": "test description update",
    "platforms": [
        "windows"
    ],
    "tags": [
        "Hashes 17.Apr.18 12:20 (Windows)"
    ],
    "expiration": "2022-05-01T12:00:00Z",
    "expired": false,
    "deleted": false,
    "applied_globally": true,
    "from_parent": false,
    "created_on": "2021-04-22T03:54:09.235120463Z",
    "created_by": "internal@crowdstrike.com",
    "modified_on": "2021-09-16T10:09:07.755804336Z",
    "modified_by": "c16fd3a055eb46eda81e064fa6dd43de"
}
Entity Enrichment

N/A

Insights

N/A

Case Wall
Result Type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

If successful for one entity (is_success=true): "Successfully updated the following entities in CrowdStrike Falcon: {entity.identifier}."

If not successful for one entity (is_success=true): "Action wasn't able to update the following entities in CrowdStrike Falcon: {entity.identifier}."

If no entities are updated (is_success=false): "No entities were updated in CrowdStrike Falcon."

The action should fail and stop a playbook execution:

If a critical error is reported (fail): "Error executing action "{action name}". Reason: {traceback}"

General

Upload IOCs

Description

Add custom IOCs in CrowdStrike Falcon. Supported entities: Hostname, URL, IP Address and Hash.

Parameters

Parameter Name | Type | Default Value | Is Mandatory | Description
Platform | CSV | Windows,Linux,Mac | Yes | Specify the comma-separated list of the platforms related to the IOC. Possible values: Windows, Linux, Mac.
Severity | DDL | Medium | Yes | Specify the severity for the IOC. Possible values: Informational, Low, Medium, High, Critical.
Comment | String | N/A | No | Specify the comment with more context related to the IOC.
Host Group Name | String | N/A | Yes | Specify the name of the host group.
Action | DDL | N/A | No | Specify the action for the uploaded IOCs. The Block action can only be applied to MD5 hashes. The action always applies the Detect policy to all other IOC types.

Run On

This action runs on the following entities:

  • IP Address
  • Hostname
  • URL
  • Hash

Action Results

Script Result
Script Result Name | Value Options | Example
is_success | True/False | is_success:False
JSON Result
N/A
Entity Enrichment

N/A

Insights

N/A

Case Wall
Result Type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

If successfully added IOCs (is_success=true): "Successfully added the following custom IOCs in CrowdStrike Falcon: {entity.identifier}"

If some IOCs already exist: "The following custom IOCs were already a part of CrowdStrike Falcon instance: {entity.identifier}."

If some IOCs are not added or a hash is in an invalid format (is_success=true): "Action wasn't able to add the following custom IOCs in CrowdStrike Falcon: {entity.identifier}."

If none of the IOCs are added (is_success=false): "None of the custom IOCs were added in CrowdStrike Falcon."

The action should fail and stop a playbook execution:

If a critical error is reported: "Error executing action "{action parameter name}". Reason: {traceback}"

If the host group is not found (fail): "Error executing action "{action parameter name}". Host group "{name of the group}" was not found. Please check the spelling."

If an invalid value is provided in the "Platform" parameter (fail): "Error executing action "{action parameter name}". Invalid value provided for the parameter "Platform". Possible values: Windows, Linux, Mac."

General
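
The Upload IOCs rules above (four supported entity types, a fixed platform list, Block honoured for MD5 hashes only, and entities in an invalid format reported as "wasn't able to add") can be expressed as a small preparation step that runs before any API call. The block below is an added example, not the integration's own code: it validates the "Platform" and "Severity" parameters, maps each entity to a Falcon custom IOC type, and separates entities that cannot become a valid IOC. Inferring the hash type from its hexadecimal length, the request dictionary layout, the function names and the sample entities are assumptions made for this example.

```python
"""Added example (not the integration's own code): prepare Upload IOCs requests
from Google SecOps entities. The supported entity types, the Windows/Linux/Mac
platform list, the severity values and the rule that Block applies only to MD5
hashes (all other IOC types get Detect) are documented for the action; inferring
the hash type from its length, the request layout, function names and sample
entities are assumptions made for this example."""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

ALLOWED_PLATFORMS = ("Windows", "Linux", "Mac")
ALLOWED_SEVERITIES = ("Informational", "Low", "Medium", "High", "Critical")
HASH_TYPE_BY_LENGTH = {32: "md5", 40: "sha1", 64: "sha256"}  # hex digits -> IOC type (assumption)
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")

# Constructed sample entities as (entity type, identifier) pairs.
SAMPLE_ENTITIES = [
    ("Hash", "7e4b0f81078f27fde4aeb87b78b6214c"),                                   # 32 hex chars -> md5
    ("Hash", "8a86c4eecf12446ff273afc03e1b3a09a911d0b7981db1af58cb45c439161295"),   # 64 -> sha256
    ("Hash", "not-a-real-hash"),                                                     # invalid format
    ("IP Address", "203.0.113.7"),
    ("IP Address", "2001:db8::10"),
    ("Hostname", "Malicious.example"),
    ("URL", "https://malicious.example/path?x=1"),
]


def parse_platforms(raw: str) -> List[str]:
    """Validate the comma-separated "Platform" parameter; returns lowercase names."""
    names = [p.strip() for p in raw.split(",") if p.strip()]
    allowed = {p.lower() for p in ALLOWED_PLATFORMS}
    if not names or any(n.lower() not in allowed for n in names):
        raise ValueError('Invalid value provided for the parameter "Platform". '
                         'Possible values: Windows, Linux, Mac.')
    return [n.lower() for n in names]


def ioc_for_entity(entity_type: str, identifier: str) -> Optional[Tuple[str, str]]:
    """Map an entity to (IOC type, IOC value); None when the entity cannot become a
    valid custom IOC (for example a hash of unexpected length or a malformed IP)."""
    if entity_type == "Hash":
        ioc_type = HASH_TYPE_BY_LENGTH.get(len(identifier)) if HEX_RE.match(identifier) else None
        return (ioc_type, identifier.lower()) if ioc_type else None
    if entity_type == "IP Address":
        try:
            addr = ipaddress.ip_address(identifier)
        except ValueError:
            return None
        return ("ipv4" if addr.version == 4 else "ipv6", str(addr))
    if entity_type == "Hostname":
        return ("domain", identifier.lower())
    if entity_type == "URL":
        # Falcon custom IOCs have no URL type, so the URL is reduced to its host (assumption).
        parsed = urlparse(identifier if "://" in identifier else "//" + identifier)
        return ("domain", parsed.hostname) if parsed.hostname else None
    return None


def resolve_policy(ioc_type: str, requested: Optional[str]) -> str:
    """Block is honoured for MD5 hashes only; everything else is uploaded with Detect."""
    return "Block" if requested == "Block" and ioc_type == "md5" else "Detect"


def build_upload_requests(entities, platforms_csv: str, severity: str = "Medium",
                          action: Optional[str] = None, comment: str = "",
                          host_group_name: str = "") -> Tuple[List[Dict], List[str]]:
    """Return (requests to send, identifiers the action could not turn into IOCs)."""
    platforms = parse_platforms(platforms_csv)
    if severity not in ALLOWED_SEVERITIES:
        raise ValueError(f"Invalid severity {severity!r}. Possible values: {', '.join(ALLOWED_SEVERITIES)}.")
    requests, rejected = [], []
    for entity_type, identifier in entities:
        resolved = ioc_for_entity(entity_type, identifier)
        if resolved is None:
            rejected.append(identifier)  # reported as "wasn't able to add"
            continue
        ioc_type, value = resolved
        requests.append({
            "type": ioc_type, "value": value, "platforms": platforms,
            "severity": severity.lower(), "policy": resolve_policy(ioc_type, action),
            "description": comment, "host_group": host_group_name,
        })
    return requests, rejected


if __name__ == "__main__":
    reqs, bad = build_upload_requests(SAMPLE_ENTITIES, "Windows,Linux", action="Block",
                                      host_group_name="placeholder-host-group")
    for r in reqs:
        print(r["type"], r["value"], r["policy"])
    print("rejected:", bad)
```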

List Host Vulnerabilities

Description

List vulnerabilities found on the host in CrowdStrike Falcon. Supported entities: IP Address and Hostname.

Parameters

Parameter Name | Type | Default Value | Is Mandatory | Description
Severity Filter | CSV | N/A | No | Specify the comma-separated list of severities for vulnerabilities. If nothing is provided, the action ingests all related vulnerabilities. Possible values: Critical, High, Medium, Low, Unknown.
Create Insight | Checkbox | Checked | No | If enabled, the action creates an insight per entity containing statistical information about related vulnerabilities.
Max Vulnerabilities To Return | Integer | 100 | No | Specify the number of vulnerabilities to return per host. If nothing is provided, the action processes all of the related vulnerabilities.

Run On

This action runs on the following entities:

  • IP Address
  • Hostname

Action Results

Script Result
Script Result Name | Value Options | Example
is_success | True/False | is_success:False
JSON Result
{
    "statistics": {
        "total": 123,
        "severity": {
            "critical": 1,
            "high": 1,
            "medium": 1,
            "low": 1,
            "unknown": 1
        },
        "status": {
            "open": 1,
            "reopened": 1
        },
        "has_remediation": 1
    },
    "details": [
        {
            "id": "74089e36ac3a4271ab14abc076ed18eb_fff6de34c1b7352babdf7c7d240749e7",
            "cid": "27fe4e476ca3490b8476b2b6650e5a74",
            "aid": "74089e36ac3a4271ab14abc076ed18eb",
            "created_timestamp": "2021-05-12T22:45:47Z",
            "updated_timestamp": "2021-05-12T22:45:47Z",
            "status": "open",
            "cve": {
                "id": "CVE-2021-28476",
                "base_score": 9.9,
                "severity": "CRITICAL",
                "exploit_status": 0
            },
            "app": {
                "product_name_version": "xxxxxxx xxxxxxx xx"
            },
            "apps": [
                {
                    "product_name_version": "xxxxxxx xxxxxxx xx",
                    "sub_status": "open",
                    "remediation": {
                        "ids": [
                            "acc34cd461023ff8a966420fa8839365"
                        ]
                    }
                }
            ],
            "host_info": {
                "hostname": "xxxxxxxxxxx-xxx",
                "local_ip": "x.x.x.x",
                "machine_domain": "",
                "os_version": "Windows 10",
                "ou": "",
                "site_name": "",
                "system_manufacturer": "VMware, Inc.",
                "groups": [],
                "tags": [],
                "platform": "Windows"
            },
            "remediation": [
                {
                    "id": "acc34cd461023ff8a966420fa8839365",
                    "reference": "KB5003169",
                    "title": "Update Microsoft Windows 10 1909",
                    "action": "Install patch for Microsoft Windows 10 1909 x64 (Workstation): Security Update KB5003169",
                    "link": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5003169"
                }
            ]
        }
    ]
}
Case Wall
Result type Value/Description Type

Output message*

The action should not fail nor stop a playbook execution:


If successful for one entity (is_success=true): "Successfully retrieved vulnerabilities for the following hosts: {entities}".

If no vulnerabilities are found for one entity (is_success=true): "No vulnerabilities were found for the following hosts: {entities}".

If no vulnerabilities are found for all entities (is_success=false): "No vulnerabilities were found."

The action should fail and stop a playbook execution:


If not successful: "Error executing action "List Host Vulnerabilities". Reason: {exception stacktrace}"

If an invalid value of the "Severity Filter" parameter is provided: "Error executing action "List Host Vulnerabilities". Reason: Invalid value provided in the "Severity Filter" parameter. Possible values: Critical, High, Medium, Low, Unknown."

General
Case Wall

Columns:

  • Name
  • Score
  • Severity
  • Status
  • App
  • Has Remediation
Entity

Execute Command

Description

Execute commands on the hosts in CrowdStrike Falcon. Supported entities: IP Address and Hostname.

Parameters

Parameter Name Type Default Value Is Mandatory Description
Command String N/A Yes Specify the command to execute on the hosts.
Admin Command Boolean False No If enabled, the action will execute commands with the admin level permissions. This is necessary for certain commands like put.

Run On

This action runs on the following entities:

  • IP Address
  • Hostname

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
N/A
Case Wall
Result Type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

If data is available for one endpoint: "Successfully executed command "{command}" on the following endpoints in CrowdStrike Falcon: {entity.id}."

If command is not available on one endpoint: "Command "{command}" was not found on the following endpoints in CrowdStrike Falcon: {entity.id}"

If data is not available for one endpoint or a session is not created: "Action wasn't able to execute command "{command}" on the following endpoints in CrowdStrike Falcon: {entity.id}."

If some endpoints are not found: "The following endpoints were not found in CrowdStrike Falcon: {entity.id}."

If command is not available on all endpoints: "Command "{command}" was not found on the provided endpoints in CrowdStrike Falcon."

If no endpoints are found: "None of the provided endpoints were found in CrowdStrike Falcon."

Async Message: "Waiting for results for the following entities: {entity.id}."

The action should fail and stop a playbook execution:

If a fatal error, such as invalid credentials or an invalid API root, is reported: "Error executing action "Execute Command". Reason: {error traceback}."

General

Download File

Description

Download files from the hosts in CrowdStrike Falcon. Supported entities: File Name, IP Address and Hostname.

Parameters

Parameter Name Type Default Value Is Mandatory Description
Download Folder Path String N/A Yes Specify the path to the folder, where you want to store the threat file.
Overwrite Checkbox Unchecked Yes If enabled, the action overwrites the file with the same name.

Run On

This action runs on the following entities:

  • File Name
  • IP Address
  • Hostname

Action Results

Entity table
Name Description
filepath absolute path to the file
Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
{
    "absolute_paths": ["/opt/file_1", "opt_file_2"]
}
Case Wall
Result Type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

If data is available for one endpoint: "Successfully downloaded file "{file}" from the following endpoints in CrowdStrike Falcon: {entity.identifier}."

If the file is not found on one endpoint: "Action wasn't able to download file from the following endpoints in CrowdStrike Falcon: {entity.identifier}."

If a session can't be started on one of the endpoints: "Action wasn't able to create sessions for the following endpoints in CrowdStrike Falcon: {entity.identifier}."

If an endpoint is not found: "The following endpoints were not found in CrowdStrike Falcon."

If no endpoints are found: "None of the provided endpoints were found in CrowdStrike Falcon."

If the file can't be downloaded from any of the endpoints: "Action wasn't able to download files from the provided endpoints in CrowdStrike Falcon."

If there are not enough entities in the scope: "Not enough entities in the scope of the action."

If a session can't be started on any of the endpoints: "Action wasn't able to create sessions for provided endpoints in CrowdStrike Falcon."

If the file is not found on all endpoints: "File {Filename} wasn't found on the provided endpoints in CrowdStrike Falcon."

Async Message: "Waiting for results for the following entities: {entity.id}."

The action should fail and stop a playbook execution:

If a fatal error, such as invalid credentials or an invalid API root, is reported: "Error executing action "Download File". Reason: {error traceback}."

If a file with the same name already exists, but "Overwrite" is set to false: "Error executing action "Download File". Reason: file with path {0} already exists. Please delete the file or set "Overwrite" to true."

General

Get Event Offset

Description

Retrieve the event offset that is used by the Event Streaming Connector.

Parameters

Parameter Name Type Default Value Is Mandatory Description
Max Events To Process Integer 10000 Yes Specify the number of events the action needs to process starting from the offset from 30 days ago.

Run On

This action doesn't run on entities.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
{
    "offset": 100000,
    "timestamp": "{event timestamp}"
}
Case Wall
Result type Value/Description Type

Output message*

The action should not fail nor stop a playbook execution:


If successful (is_success=true): "Successfully retrieved event offset in CrowdStrike Falcon."

The action should fail and stop a playbook execution:

If not successful: "Error executing action "Get Event Offset". Reason: {exception stacktrace}"

General

Update Identity Protection Detection

Description

Update an identity protection detection in CrowdStrike.

Parameters

Parameter Name Type Default Value Is Mandatory Description
Detection ID String N/A Yes Specify the ID of the detection that needs to be updated.
Status DDL Select One No Specify the status for the detection. Possible values: Closed, Ignored, In Progress, New, Reopened.
Assign To String N/A No Specify the name of the analyst to whom the detection needs to be assigned. If Unassign is provided, the action removes the assignment from the detection. If an invalid value is provided, the action does not change the current assignment.

Run On

This action doesn't run on entities.

JSON Result

{
    "added_privileges": [
        "DomainAdminsRole"
    ],
    "aggregate_id": "aggind:27fe4e476ca3490b8476b2b6650e5a74:70378936-3A00-400B-8136-4ED8DB047549",
    "assigned_to_uid": "example@crowdstrike.com",
    "cid": "27fe4e476ca3490b8476b2b6650e5a74",
    "composite_id": "27fe4e476ca3490b8476b2b6650e5a74:ind:27fe4e476ca3490b8476b2b6650e5a74:70378936-3A00-400B-8136-4ED8DB047549",
    "confidence": 20,
    "context_timestamp": "2022-11-15T12:58:15.629Z",
    "crawl_edge_ids": {
        "Sensor": [
            "N6KIZ`%V`&d#&#sRaHNV[f3[CA4lr/C_N;.JnbglJpdg8TCCTqnr!9D\\['ALM&eNbPq?kt$#@]+01Ac[&th0-0]E'J8:]mFV?'g5HZ/$B.%BC29_`4U_?%a)_&#k>,G>:=E>%[7^<aLSVj=`UCMcRUH[a9/*^hO_7Ft(js#P<M<(eG3(B=I8rr",
            "XNXnKK.mi:ckQ^2c7AGRMK^'rd:p[_JkD_5ZM$W:d'J8oN:42nj.Ho1-^E5D16b0VALJ`2cDEEJTVdY\\n.-WQ^_B[7$1pH[Glgm@go]-LB%M1,c#2F)nli-Ge#V<=[!c_jh8e3D8E-S0FheDm*BHh-P/s6q!!*'!",
            "N6L*L\">LGfi/.a$IkpaFlWjT.YU#P@Gu8Qe6'0SK=M]ChI,FQXqo=*M(QR+@6c8@m1pIc)Dqs+WLXjbpom5@$T+oqC5RJk!9atPF/<mG'H`V9P0YII;!>C8YL)XS&ATORi>!U.7<Ds\"<dT/Mkp\\V%!U[RS_YC/Wrn[Z`S(^4NU,lV#X3/#pP7K*>g!<<'"
        ]
    },
    "crawl_vertex_ids": {
        "Sensor": [
            "aggind:27fe4e476ca3490b8476b2b6650e5a74:70378936-3A00-400B-8136-4ED8DB047549",
            "idpind:27fe4e476ca3490b8476b2b6650e5a74:EEFC50A4-2641-3809-9F45-7C308193CD67",
            "ind:27fe4e476ca3490b8476b2b6650e5a74:70378936-3A00-400B-8136-4ED8DB047549",
            "uid:27fe4e476ca3490b8476b2b6650e5a74:S-1-5-21-3479765008-4256118348-3151044947-3595"
        ]
    },
    "crawled_timestamp": "2022-11-15T13:58:17.251061883Z",
    "created_timestamp": "2022-11-15T12:59:17.239585706Z",
    "description": "A user received new privileges",
    "display_name": "Privilege escalation (user)",
    "end_time": "2022-11-15T12:58:15.629Z",
    "falcon_host_link": "https://falcon.crowdstrike.com/identity-protection/detections/27fe4e476ca3490b8476b2b6650e5a74:ind:27fe4e476ca3490b8476b2b6650e5a74:70378936-3A00-400B-8136-4ED8DB047549?cid=27fe4e476ca3490b8476b2b6650e5a74",
    "id": "ind:27fe4e476ca3490b8476b2b6650e5a74:70378936-3A00-400B-8136-4ED8DB047549",
    "name": "IdpEntityPrivilegeEscalationUser",
    "objective": "Gain Access",
    "pattern_id": 51113,
    "previous_privileges": "0",
    "privileges": "8321",
    "product": "idp",
    "scenario": "privilege_escalation",
    "severity": 2,
    "show_in_ui": true,
    "source_account_domain": "EXLAB.LOCAL",
    "source_account_name": "Mailbox438",
    "source_account_object_sid": "S-1-5-21-3479765008-4256118348-3151044947-3595",
    "start_time": "2022-11-15T12:58:15.629Z",
    "status": "new",
    "tactic": "Privilege Escalation",
    "tactic_id": "TA0004",
    "tags": [
        "red_team"
    ],
    "technique": "Valid Accounts",
    "technique_id": "T1078",
    "timestamp": "2022-11-15T12:58:17.239Z",
    "type": "idp-user-endpoint-app-info",
    "updated_timestamp": "2022-11-23T15:22:20.271100181Z"
}

Case Wall

Result type Value/Description Type
Output message*

The action should not fail nor stop a playbook execution:

If the action returned information (is_success = true): "Successfully updated identity protection detection with ID {detection id} in CrowdStrike."

The action should fail and stop a playbook execution:

If a fatal error, such as wrong credentials or no connection to the server, is reported: "Error executing action "Update Alert". Reason: {0}".format(error.Stacktrace)

If the detection is not found: "Error executing action "Update Identity Protection Detection". Reason: identity protection detection with ID {detection id} wasn't found in CrowdStrike. Please check the spelling."

If the Status parameter is set to Select One, and nothing is provided in the Assign To parameter: "Error executing action "Update Identity Protection Detection". Reason: at least one of the "Status" or "Assign To" parameters should have a value."

General

Submit File

Description

Submit files to a sandbox in CrowdStrike.

Supported File Formats

According to the CrowdStrike portal, the sandbox supports the following file formats:

  • Portable executables: .exe, .scr, .pif, .dll, .com, .cpl, etc.
  • Office documents: .doc, .docx, .ppt, .pps, .pptx, .ppsx, .xls, .xlsx, .rtf, .pub
  • PDF: .pdf
  • APK: .apk
  • Executable JAR: .jar
  • Windows script component: .sct
  • Windows shortcut: .lnk
  • Windows help: .chm
  • HTML application: .hta
  • Windows script file: .wsf
  • JavaScript: .js
  • Visual Basic: .vbs, .vbe
  • Shockwave Flash: .swf
  • Perl: .pl
  • PowerShell: .ps1, .psd1, .psm1
  • Scalable vector graphics: .svg
  • Python: .py
  • Linux ELF executables: .elf
  • Email files:

    • MIME RFC 822: .eml
    • Outlook: .msg

Supported Archive Formats

  • .zip
  • .7z

Parameters

Parameter Display Name Type Default Value Is mandatory Description
File Paths CSV N/A Yes Specify the file paths to the files that need to be submitted. Refer to the documentation portal for a list of the supported file formats.
Sandbox Environment DDL Windows 10, 64-bit No Specify the sandbox environment for the analysis. Possible values: Linux Ubuntu 16.04, 64-bit; Android (static analysis); Windows 10, 64-bit; Windows 7, 64-bit; Windows 7, 32-bit.
Network Environment DDL Default No Specify the network environment for the analysis. Possible values: Default, TOR, Offline, Simulated.
Archive Password Secret N/A No Specify the password that needs to be used when working with archive files.
Document Password Secret N/A No Specify the password that needs to be used when working with Adobe or Office files. Maximum: 32 characters.
Check Duplicate Checkbox Checked No If enabled, the action checks if the file was already submitted previously and returns the available report. Note: during the validation, "Network Environment" and "Sandbox Environment" are not taken into consideration.
Comment String N/A No Specify the comment for the submission.
Confidential Submission Checkbox Unchecked No If enabled, the file is only shown to users within your customer account.

Run On

This action doesn't run on entities.

Action Results

Script Results
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
Case Wall
Result type Description Type
Output message*

The action should not fail nor stop a playbook execution:

If enriched some (is_success=true): "Successfully returned details about the following files using CrowdStrike:\n{0}".format(filepaths)

If didn't enrich some (is_success=true): "Action wasn't able to return details about the following files using CrowdStrike:\n{0}".format(filepaths)

If didn't enrich all (is_success=false): "No details about the files were retrieved."

If there is an unsupported file type for one: "Action wasn't able to submit the following samples, because file type is not supported: {not supported files}. Please refer to the doc portal for a list of supported files."

If unsupported file type for all: "None of the samples were submitted, because file type is not supported. Please refer to the doc portal for a list of supported files."

If unsupported file types for all in the extracted archive: "None of the samples in the archive were submitted, because file type is not supported. Please refer to the doc portal for a list of supported files."

If the archive wasn't extracted due to some error: "File {file path} wasn't extracted due to the following error: {error}"

Async message: "Waiting for results for the following files:\n{0}".format(filepaths)

The action should fail and stop a playbook execution:

If a fatal error, such as wrong credentials or no connection to the server, is reported: "Error executing action "Submit File". Reason: {0}".format(error.Stacktrace)

If the action ran into a timeout: "Error executing action "Submit File". Reason: action ran into a timeout during execution. Pending files: {files that are still in progress}. Please increase the timeout in IDE."

General
Case Wall

Results: {name}

Name: {submit_name}

Threat Score: {threat_score}

Verdict: {verdict}

Tags: csv of {classification_tags}

Submit URL

Description

Submit URLs to a sandbox in CrowdStrike.

Parameters

Parameter Display Name Type Default Value Is mandatory Description
URLs CSV N/A Yes Specify the URLs that need to be submitted.
Sandbox Environment DDL Windows 10, 64-bit No Specify the sandbox environment for the analysis. Possible values: Linux Ubuntu 16.04, 64-bit; Android (static analysis); Windows 10, 64-bit; Windows 7, 64-bit; Windows 7, 32-bit.
Network Environment DDL Default No Specify the network environment for the analysis. Possible values: Default, TOR, Offline, Simulated.
Check Duplicate Checkbox Checked No If enabled, the action checks if the file was already submitted previously and returns the available report. Note: during the validation, "Network Environment" and "Sandbox Environment" are not taken into consideration.

Run On

This action doesn't run on entities.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
Case Wall
Result type Description Type
Output message*

The action should not fail nor stop a playbook execution:

If enriched some (is_success=true): "Successfully returned details about the following urls using CrowdStrike:\n{0}".format(urls)

If didn't enrich some (is_success=true): "Action wasn't able to return details about the following urls using CrowdStrike:\n{0}".format(urls)

If didn't enrich all (is_success=false): "No details about the urls were retrieved."

Async message: "Waiting for results for the following urls:\n{0}".format(urls)

The action should fail and stop a playbook execution:

If a fatal error, such as wrong credentials or no connection to the server, is reported: "Error executing action "Submit URL". Reason: {0}".format(error.Stacktrace)

If the action ran into a timeout: "Error executing action "Submit URL". Reason: action ran into a timeout during execution. Pending files: {files that are still in progress}. Please increase the timeout in IDE."

General
Case Wall

Results: {name}

Name: {submit_name}

Threat Score: {threat_score}

Verdict: {verdict}

Tags: csv of {classification_tags}

Connectors

Connector permissions

Refer to the minimal permissions for Connectors, as listed in the following table:

Connector Required permissions
CrowdStrike Detections Connector Detection.Read
CrowdStrike Falcon Streaming Events Connector Event streams.Read
CrowdStrike Identity Protection Detections Connector Alerts.Read
CrowdStrike Incidents Connector Incidents.Read

Configure CrowdStrike Falcon connectors in Google Security Operations SOAR

For detailed instructions on how to configure a connector in Google Security Operations SOAR, see Configuring the connector.

CrowdStrike Detections Connector

Description

Pull detections from CrowdStrike. The dynamic list works with filters that are supported by the CrowdStrike API.

How to work with the dynamic list

In this connector, you can use the FQL language of CrowdStrike to modify the filter that is sent by the connector. For example, to also ingest all detections assigned to a certain analyst, add the following dynamic list entry: assigned_to_name:'USER_NAME'

Supported parameters

Parameter name Description
q Full text search across all metadata fields.
date_updated The date of the most recent update to a detection.
assigned_to_name The human-readable name of the user to whom the detection is currently assigned.
max_confidence When a detection has more than one associated behavior with varying confidence levels, this field captures the highest confidence value of all behaviors. Value can be any integer between 1-100.
detection_id The ID of the detection. This ID can be used in conjunction with other APIs, such as the Detection Details API, or the Resolve Detection API.
max_severity When a detection has more than one associated behavior with varying severity levels, this field captures the highest severity value of all behaviors. Value can be any integer between 1-100.
max_severity_displayname The name used in the UI to determine the severity of the detection. Values include Critical, High, Medium, and Low.
seconds_to_triaged Time that it took to move a detection from new to in_progress.
seconds_to_resolved Time that it took to move a detection from new to one of the resolved states (true_positive, false_positive, ignored, and closed).
status The current status of the detection. Values include new, in_progress, true_positive, false_positive, and ignored.
adversary_ids If behaviors or indicators in a detection are attributed to an adversary that is tracked by CrowdStrike Falcon Intelligence, those adversaries will have an ID associated with them. These IDs are found in a detection's metadata, which can be viewed using the Detection Details API.
cid Your organization's customer ID (CID).

Connector parameters

Use the following parameters to configure the connector:

Parameter Display Name Type Default Value Is Mandatory Description
Product Field Name String Product Name Yes Enter the source field name in order to retrieve the Product Field name.
Event Field Name String behaviors_technique Yes Enter the source field name in order to retrieve the Event Field name.
Environment Field Name String "" No Describes the name of the field where the environment name is stored. If the environment field isn't found, the environment is the default environment.
Environment Regex Pattern String .* No A regex pattern to run on the value found in the "Environment Field Name" field. Default is .* to catch all and return the value unchanged. Used to allow the user to manipulate the environment field via regex logic. If the regex pattern is null or empty, or the environment value is null, the final environment result is the default environment.
Script Timeout (Seconds) Integer 180 Yes Timeout limit for the python process running the current script.
API Root String https://api.crowdstrike.com Yes API root of the CrowdStrike instance.
Client ID String N/A Yes Client ID of the CrowdStrike account.
Client Secret Password N/A Yes Client Secret of the CrowdStrike account.
Lowest Severity Score To Fetch Integer 50 No Lowest severity score of the detections to fetch. If nothing is provided, the connector won't apply this filter. Maximum is 100.
Lowest Confidence Score To Fetch Integer 0 No Lowest confidence score of the detections to fetch. If nothing is provided, the connector won't apply this filter. Maximum is 100.
Max Hours Backwards Integer 1 No Number of hours before the current time from which to fetch detections.
Max Detections To Fetch Integer 10 No How many detections to process per connector iteration. Default: 10.
Verify SSL Checkbox Unchecked Yes If enabled, verify that the SSL certificate for the connection to the CrowdStrike server is valid.
Proxy Server Address String N/A No The address of the proxy server to use.
Proxy Username String N/A No The proxy username to authenticate with.
Proxy Password Password N/A No The proxy password to authenticate with.
Alert Name Template String N/A No If provided, the connector uses this value for the Google Security Operations SOAR Alert Name. You can provide placeholders in the following format: [name of the field]. Example: Phishing - [event_mailbox]. Note: The connector uses the first Google Security Operations SOAR Event for placeholders. Only keys that have a string value are handled. If nothing is provided or the user provides an invalid template, the connector uses the default alert name.
Padding Period Integer N/A No The number of hours the connector uses for padding. Maximum: 6
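As an added example (not the connector's own code), the Python below shows how the connector's score and time-window parameters and a dynamic list entry such as assigned_to_name:'USER_NAME' could be combined into one FQL filter, rejecting any entry that names a property outside the supported-parameter table above. The clause layout, the use of + (AND) and , (OR), and the function names are assumptions about how such a filter is assembled, not the connector's actual implementation.

```python
import re
from datetime import datetime, timedelta, timezone

# Filter properties the "Supported parameters" table above lists for the
# Detections connector's dynamic list.
SUPPORTED_FQL_FIELDS = frozenset({
    "q", "date_updated", "assigned_to_name", "max_confidence", "detection_id",
    "max_severity", "max_severity_displayname", "seconds_to_triaged",
    "seconds_to_resolved", "status", "adversary_ids", "cid",
})

# One FQL term: property, optional comparison operator, quoted or bare value.
# Matches entries such as assigned_to_name:'Jane Doe' or max_confidence:>=80.
_FQL_TERM = re.compile(
    r"""^\s*([a-z_]+):(>=|<=|!|>|<)?('[^']*'|"[^"]*"|[^\s'"]+)\s*$"""
)

# Constructed, fixed clock value so the example output is reproducible.
EXAMPLE_NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)


def validate_dynamic_list_entry(entry: str) -> str:
    """Return the entry in canonical form, or raise ValueError if it is
    malformed or names a property the documented filter set does not support."""
    match = _FQL_TERM.match(entry)
    if not match:
        raise ValueError(f"malformed FQL entry: {entry!r}")
    field, operator, value = match.group(1), match.group(2) or "", match.group(3)
    if field not in SUPPORTED_FQL_FIELDS:
        raise ValueError(f"unsupported dynamic list property: {field!r}")
    return f"{field}:{operator}{value}"


def _check_score(name: str, score):
    """Enforce the documented 0-100 range; None means 'filter not applied'."""
    if score is not None and not 0 <= int(score) <= 100:
        raise ValueError(f"{name} must be between 0 and 100")
    return score


def build_detections_filter(lowest_severity, lowest_confidence, max_hours_backwards,
                            dynamic_list, now=None):
    """Assemble the FQL filter: connector clauses joined with '+' (AND), dynamic
    list entries grouped with ',' (OR) so a detection matching any entry is kept.
    `now` must be a timezone-aware UTC datetime; it defaults to the current time."""
    now = now or datetime.now(timezone.utc)
    clauses = []
    if _check_score("Lowest Severity Score To Fetch", lowest_severity) is not None:
        clauses.append(f"max_severity:>={int(lowest_severity)}")
    if _check_score("Lowest Confidence Score To Fetch", lowest_confidence) is not None:
        clauses.append(f"max_confidence:>={int(lowest_confidence)}")
    start = now - timedelta(hours=max_hours_backwards)
    clauses.append(f"date_updated:>'{start.strftime('%Y-%m-%dT%H:%M:%SZ')}'")
    entries = [validate_dynamic_list_entry(e) for e in dynamic_list if e and e.strip()]
    if entries:
        clauses.append("(" + ",".join(entries) + ")")
    return "+".join(clauses)


if __name__ == "__main__":
    print(build_detections_filter(50, None, 1, ["assigned_to_name:'jane'", "status:'new'"],
                                  now=EXAMPLE_NOW))
```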

Connector rules

Proxy support

The connector supports proxy.

CrowdStrike Falcon Streaming Events Connector

Changes made from the current PS Connector

The following parameters were changed from the existing connector created by the PS team:

1. Updated the authentication method to work based on Client ID and Client Secret, changed from API UUID and API Key.
2. Removal of the dynamic list: A dynamic list is not used to specify event types to fetch. Instead, users specify the event types that they want to ingest in a comma-separated format (Event Types parameter).

API Permissions

To run this connector, a system App Name needs to be provided. This is used to make an HTTP connection to CrowdStrike in order to find events for ingesting into Google Security Operations SOAR. It has a maximum of 32 characters. This is configured in Google Security Operations SOAR under the connector parameters.

Use cases and examples

Use case 1: The capability to ingest Detection events data

CrowdStrike Falcon detects a malicious file SophosCleanM.exe trying to execute on an endpoint. CrowdStrike stops the operation and creates an alert that contains the hashes of the file in the event data. We are interested in the reputation of the file and therefore we proceed to run the discovered hashes on VirusTotal. VirusTotal finds the hash malicious. From there we proceed to run a McAfee EDR action which quarantines the file.

Use case 2: To have User Activity Audit events data ingestion

A CrowdStrike user updates the detection status from new to false-positive and an event with the operation name "detection_update" is created. The senior analyst would like to follow up with the person who marked it as a false positive to get the reasons. From the ingested event we can get the identity of the user and then run the Active Directory Enrich Entities action to get more details about the user for easier tracking.

Use case 3: To have Auth Activity Audit events data ingestion

An event is created that user X has created a new user and granted user roles to the newly created user. As an analyst, it is in their interest to understand why the user was created. As a result, using the user ID of user X, they run the Active Directory Enrich Entities action to learn the role of user X and confirm whether they are authorized to add users.

Use Case 4: To have Remote Response End Events data ingestion

A remote event shows that user X had a remote connection to a given host and executed commands as a root user to access a web server directory. An analyst would like to get more information about both the user and the host that was involved. He, therefore, uses the Active Directory action to enrich both the user and the host. Based on the user information returned he may decide to suspend the user until he understands the purpose of the connection.

Connector Parameters

Use the following parameters to configure the connector:

Parameter Display Name Type Default Value Is Mandatory Description
Product Field Name String device_product Yes Describes the name of the field where the product name is stored.
Event Field Name String Name Yes Describes the name of the field where the event name is stored.
Environment Field Name String N/A No Describes the name of the field where the environment name is stored. If the environment field isn't found, the environment is "".
Environment Regex Pattern String N/A No A regex pattern to run on the value found in the "Environment Field Name" field.
Client ID String N/A Yes Client ID for the CrowdStrike API, e.g. 8465cf0cbe8b4ea4bbd96c7154adb9c9
API Root String https://api.crowdstrike.com Yes API Root of the CrowdStrike instance.
Client Secret String N/A Yes Client Secret for the CrowdStrike API, e.g. 8eKzpEkfXGmNPjbI90Y7hWdLRnDg42JwvOQ315u6
Event types String DetectionSummaryEvent, IncidentSummaryEvent, AuthActivityAuditEvent, UserActivityAuditEvent, RemoteResponseSessionStartEvent, RemoteResponseSessionEndEvent No Specify a comma-separated list of event types. Examples of the event types: DetectionSummaryEvent, IncidentSummaryEvent, AuthActivityAuditEvent, UserActivityAuditEvent, RemoteResponseSessionStartEvent, RemoteResponseSessionEndEvent.
Script Timeout (Seconds) Integer 60 Yes Timeout limit for the python process running the current script.
Max Events per Cycle Integer 10 Yes Max events to process per connector run.
Max Day Backwards Integer 3 No Max number of days to fetch events data backwards.
Min Severity Integer 0 No Specify the events that should be ingested based on the event severity (detection events). The value ranges from 0-5. If other event types besides detections are ingested by the connector, the connector sets their severity to -1 and this filter is not applied to those types of events.
Proxy Server Addresses String N/A No Proxy server address.
Proxy Username String N/A No Proxy username.
Proxy Password Password N/A No Proxy password.
Verify SSL Checkbox Unchecked No Specify whether to use SSL.
Rule Generator Template String N/A No If provided, the connector uses this value for the Siemplify Rule Generator. You can provide placeholders in the following format: [name of the field]. Example: Phishing - [event_mailbox]. Note: The connector uses the first Siemplify Event for placeholders. Only keys that have a string value are handled. If nothing is provided or the user provides an invalid template, the connector uses the default rule generator.
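The Event types list, the Min Severity rule (0-5 for detection events, -1 and no filtering for other types), Max Events per Cycle, and the [field] placeholder templates (the Rule Generator Template here and the Alert Name Template of the Detections connector above) can be expressed together; the Python below is an added example, not the connector's code. The event stream layout (metadata.eventType, metadata.offset, event.Severity) and the sample records are constructed assumptions for the example.

```python
import json
import re

DETECTION_EVENT_TYPE = "DetectionSummaryEvent"
UNSET_SEVERITY = -1  # severity the page says the connector assigns to non-detection events

# Constructed sample of a newline-delimited event stream. The metadata/event
# layout is an assumption for this example, not copied from the page.
SAMPLE_STREAM = "\n".join(json.dumps(record) for record in [
    {"metadata": {"eventType": "DetectionSummaryEvent", "offset": 101},
     "event": {"Severity": 4, "ComputerName": "ws-0001", "FileName": "sample.exe"}},
    {"metadata": {"eventType": "DetectionSummaryEvent", "offset": 102},
     "event": {"Severity": 1, "ComputerName": "ws-0002", "FileName": "low.exe"}},
    {"metadata": {"eventType": "UserActivityAuditEvent", "offset": 103},
     "event": {"OperationName": "detection_update", "UserId": "analyst@example.com"}},
    {"metadata": {"eventType": "IncidentSummaryEvent", "offset": 104},
     "event": {"IncidentType": 1}},
    {"metadata": {"eventType": "DetectionSummaryEvent", "offset": 105},
     "event": {"Severity": 5, "ComputerName": "srv-0001", "FileName": "bad.exe"}},
])


def parse_event_types(csv_value: str) -> set:
    """Parse the comma-separated 'Event types' parameter into a set of type names."""
    return {part.strip() for part in csv_value.split(",") if part.strip()}


def event_severity(record: dict) -> int:
    """Detection events carry a 0-5 severity; every other type gets -1."""
    if record["metadata"]["eventType"] == DETECTION_EVENT_TYPE:
        return int(record["event"].get("Severity", 0))
    return UNSET_SEVERITY


def should_ingest(record: dict, allowed_types: set, min_severity: int) -> bool:
    """Apply the Event types filter, then Min Severity to detection events only."""
    if not 0 <= min_severity <= 5:
        raise ValueError("Min Severity must be in the range 0-5")
    if record["metadata"]["eventType"] not in allowed_types:
        return False
    severity = event_severity(record)
    if severity == UNSET_SEVERITY:
        return True  # the severity filter is not applied to non-detection events
    return severity >= min_severity


def select_events(stream_text: str, event_types_csv: str, min_severity: int,
                  max_per_cycle: int):
    """Walk the stream in offset order and return (ingested records, last offset
    examined). The returned offset is where a later run would resume."""
    allowed = parse_event_types(event_types_csv)
    ingested, last_offset = [], None
    for line in stream_text.splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        last_offset = record["metadata"]["offset"]
        if should_ingest(record, allowed, min_severity):
            ingested.append(record)
        if len(ingested) >= max_per_cycle:
            break
    return ingested, last_offset


# A placeholder is a field name in square brackets, e.g. "Phishing - [event_mailbox]".
_PLACEHOLDER = re.compile(r"\[([^\[\]]+)\]")


def render_template(template: str, first_event: dict, default: str) -> str:
    """Resolve [field] placeholders from the first event. Only string-valued keys
    are handled; a missing or non-string key is treated as an invalid template,
    so the default name is returned (the fallback the page describes)."""
    if not template:
        return default

    def substitute(match):
        value = first_event.get(match.group(1))
        if not isinstance(value, str):
            raise LookupError(match.group(1))
        return value

    try:
        return _PLACEHOLDER.sub(substitute, template)
    except LookupError:
        return default


if __name__ == "__main__":
    records, offset = select_events(
        SAMPLE_STREAM, "DetectionSummaryEvent,UserActivityAuditEvent", 2, 10)
    print([r["metadata"]["offset"] for r in records], offset)  # [101, 103, 105] 105
    print(render_template("Detection - [ComputerName] - [FileName]",
                          records[0]["event"], "CrowdStrike Detection"))
```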

      Connector rules

      Proxy support

      The connector supports proxy.

      Dynamic list rules

      The connector doesn't support dynamic list.

      CrowdStrike Identity Protection Detections Connector

      Description

      Pull Identity Protection detections from CrowdStrike. Dynamic list works with the display_name parameter.

      Connector parameters

      Parameter Display Name Type Default Value Is mandatory Description
      Product Field Name String Product Name Yes Enter the source field name in order to retrieve the Product Field name.
      Event Field Name String behaviors_technique Yes Enter the source field name in order to retrieve the Event Field name.
      Environment Field Name String "" No

      Describes the name of the field where the environment name is stored.

      If the environment field isn't found, the environment is the default environment.

      Environment Regex Pattern String .* No

      A regex pattern to run on the value found in the Environment Field Name field.

      Default is .* to catch all and return the value unchanged.

      Used to allow the user to manipulate the environment field via regex logic.

      If the regex pattern is null or empty, or the environment value is null, the final environment result is the default environment.

      Script Timeout (Seconds) Integer 180 Yes Timeout limit for the python process running the current script.
      API Root String https://api.crowdstrike.com Yes API root of the CrowdStrike instance.
      Client ID String N/A Yes Client ID of the CrowdStrike account.
      Client Secret Password N/A Yes Client Secret of the CrowdStrike account.
Lowest Severity Score To Fetch String 50 No Lowest severity score of the detections to fetch. If nothing is provided, the connector doesn't apply this filter. The maximum value is 100. The parameter also accepts the values Low, Medium, High and Critical.
Lowest Confidence Score To Fetch Integer 0 No The lowest confidence score of the detections to fetch. If nothing is provided, the connector doesn't apply this filter. The maximum value is 100.
Max Hours Backwards Integer 1 No The number of hours back from the current time to fetch detections from.
Max Detections To Fetch Integer 10 No The number of detections to process per connector iteration.
Verify SSL Checkbox Unchecked Yes If checked, the connector verifies that the SSL certificate for the connection to the CrowdStrike server is valid.
      Proxy Server Address String N/A No The address of the proxy server to use.
      Proxy Username String N/A No The proxy username to authenticate with.
      Proxy Password Password N/A No The proxy password to authenticate with.

      Connector rules

      The connector supports Proxy.

      CrowdStrike Incidents Connector

      Pull incident and related behaviors from CrowdStrike.

      The dynamic list works with the incident_type parameter.

      Connector parameters

      To configure the connector, use the following parameters:

      Parameters
      Product Field Name Required

      Enter the source field name in order to retrieve the Product Field name.

      Default value is Product Name.

      Event Field Name Required

      Enter the source field name in order to retrieve the Event Field name.

      Default value is data_type.

      Environment Field Name Optional

      Describes the name of the field where the environment name is stored.

      If the environment field isn't found, the environment is the default environment.

      Default value is "".

      Environment Regex Pattern Optional

      A regular expression pattern to run on the value found in the Environment Field Name field.

      Default value .* catches all and returns the value unchanged.

      The parameter allows the user to manipulate the environment field using the regular expression logic.

      If the regular expression pattern is null or empty, or the environment value is null, the final environment result is the default environment.

      Script Timeout (Seconds) Required

      Timeout limit for the python process running the current script.

      Default value is 180.

      API Root Required

      API root of the CrowdStrike instance.

      Default value is https://api.crowdstrike.com.

      Client ID Required

      Client ID of the CrowdStrike account.

      Client Secret Required

      Client Secret of the CrowdStrike account.

      Lowest Severity Score To Fetch Optional

      Lowest severity score of the incidents to fetch.

      If nothing is provided, the connector will ingest incidents with all severities.

      Max value is 100.

      Max Hours Backwards Optional

The number of hours back from the current time to fetch incidents from.

      Default value is 1.

      Max Incidents To Fetch Optional

      The number of incidents to process per one connector iteration. Max value is 100.

      Default value is 10.

      Use dynamic list as a blocklist Required

      If checked, the dynamic list is used as a blocklist.

      Unchecked by default.

      Verify SSL Required

      If checked, verifies that the SSL certificate for the connection to the CrowdStrike server is valid.

      Unchecked by default.

      Proxy Server Address Optional

      The address of the proxy server to use.

      Proxy Username Optional

      The proxy username to authenticate with.

      Proxy Password Optional

      The proxy password to authenticate with.
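The Environment Field Name and Environment Regex Pattern parameters (described identically for the Identity Protection Detections Connector and the Incidents Connector above) define a small decision procedure: read a field, run a regex over it, and fall back to the default environment when anything is missing. The following is an added example of that procedure, not the connector's own code. The sample incident and its site_tag field are constructed; the handling of a pattern that fails to compile or does not match, and the use of the first capture group when the pattern defines one, are assumptions the page does not state.

```python
import re


def resolve_environment(event, environment_field, regex_pattern, default_environment):
    """Derive the SOAR environment for one event from the connector parameters.

    Rules from the page:
      - Environment Field Name names the event field holding the environment;
        if the field is not found, the default environment is used
      - Environment Regex Pattern runs on that value; ".*" returns it unchanged
      - a null/empty pattern or a null value yields the default environment
    Assumptions not stated on the page: a pattern that fails to compile or
    does not match also yields the default, and when the pattern defines a
    capture group the first group is taken as the environment name.
    """
    if not environment_field:            # "" is the documented default
        return default_environment
    value = event.get(environment_field)
    if value is None or not regex_pattern:
        return default_environment
    try:
        match = re.search(regex_pattern, str(value))
    except re.error:                      # malformed user-supplied regex
        return default_environment
    if match is None:
        return default_environment
    result = match.group(1) if match.groups() else match.group(0)
    return result if result else default_environment


# Constructed sample (not from the page): an incident with a site tag that
# an operator might map onto SOAR environments.
SAMPLE_INCIDENT = {
    "data_type": "Incident",
    "incident_type": 1,
    "site_tag": "prod-eu-west",
}
```

With the default pattern .* the whole value becomes the environment name; a pattern with a capture group such as ^(\w+)- extracts only the leading "prod", which is the usual way to collapse many site tags onto a few environments.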

      Connector rules

      The connector supports Proxy.

      Connector events

The Incidents Connector produces two types of events: one based on an incident and the other on a behavior. An incident event carries data_type "Incident"; a behavior event references its parent incident through incident_id and incident_ids.

The example of an event based on an incident is as follows:

{
    "data_type": "Incident",
    "incident_id": "inc:fee8a6ef0cb3412e9a781dcae0287c85:9dfa480ae6214309bff0c8dc2ad8af7c",
    "incident_type": 1,
    "cid": "27fe4e476ca3490b8476b2b6650e5a74",
    "host_ids": [
        "fee8a6ef0cb3412e9a781dcae0287c85"
    ],
    "hosts": [
        {
            "device_id": "fee8a6ef0cb3412e9a781dcae0287c85",
            "cid": "27fe4e476ca3490b8476b2b6650e5a74",
            "agent_load_flags": "1",
            "agent_local_time": "2023-01-09T11:28:59.170Z",
            "agent_version": "6.48.16207.0",
            "bios_manufacturer": "Example Inc.",
            "bios_version": "1.20.0",
            "config_id_base": "65994753",
            "config_id_build": "16207",
            "config_id_platform": "3",
            "external_ip": "203.0.113.1",
            "hostname": "DESKTOP-EXAMPLE",
            "first_seen": "2022-09-26T09:56:42Z",
            "last_seen": "2023-01-09T12:11:35Z",
            "local_ip": "192.0.2.1",
            "mac_address": "00-15-5d-65-39-86",
            "major_version": "01",
            "minor_version": "0",
            "os_version": "Example OS 01",
            "platform_id": "0",
            "platform_name": "Example",
            "product_type": "1",
            "product_type_desc": "Workstation",
            "status": "contained",
            "system_manufacturer": "Example Inc.",
            "system_product_name": "G5 5500",
            "modified_timestamp": "2023-01-09T12:11:48Z"
        }
    ],
    "created": "2023-01-09T12:12:51Z",
    "start": "2023-01-09T11:23:27Z",
    "end": "2023-01-09T12:52:01Z",
    "state": "closed",
    "status": 20,
    "tactics": [
        "Defense Evasion",
        "Privilege Escalation",
        "Credential Access"
    ],
    "techniques": [
        "Disable or Modify Tools",
        "Access Token Manipulation",
        "Input Capture",
        "Bypass User Account Control"
    ],
    "objectives": [
        "Keep Access",
        "Gain Access"
    ],
    "users": [
        "DESKTOP-EXAMPLE$",
        "EXAMPLE"
    ],
    "fine_score": 21
}

The example of an event based on a behavior is as follows:

{
    "behavior_id": "ind:fee8a6ef0cb3412e9a781dcae0287c85:1298143147841-372-840208",
    "cid": "27fe4e476ca3490b8476b2b6650e5a74",
    "aid": "fee8a6ef0cb3412e9a781dcae0287c85",
    "incident_id": "inc:fee8a6ef0cb3412e9a781dcae0287c85:9dfa480ae6214309bff0c8dc2ad8af7c",
    "incident_ids": [
        "inc:fee8a6ef0cb3412e9a781dcae0287c85:9dfa480ae6214309bff0c8dc2ad8af7c"
    ],
    "pattern_id": 372,
    "template_instance_id": 0,
    "timestamp": "2023-01-09T11:24:25Z",
    "cmdline": "\"C:\\WINDOWS\\system32\\SystemSettingsAdminFlows.exe\" SetNetworkAdapter {4ebe49ef-86f5-4c15-91b9-8da03d796416} enable",
    "filepath": "\\Device\\HarddiskVolume3\\Windows\\System32\\SystemSettingsAdminFlows.exe",
    "domain": "DESKTOP-EXAMPLE",
    "pattern_disposition": -1,
    "sha256": "78f926520799565373b1a8a42dc4f2fa328ae8b4de9df5eb885c0f7c971040d6",
    "user_name": "EXAMPLE",
    "tactic": "Privilege Escalation",
    "tactic_id": "TA0004",
    "technique": "Bypass User Account Control",
    "technique_id": "T1548.002",
    "display_name": "ProcessIntegrityElevationTarget",
    "objective": "Gain Access",
    "compound_tto": "GainAccess__PrivilegeEscalation__BypassUserAccountControl__1__0__0__0"
}
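The two event shapes above, together with the Incidents Connector parameters (dynamic list on incident_type, Use dynamic list as a blocklist, Lowest Severity Score To Fetch, Max Incidents To Fetch), are enough to show how one connector iteration selects incidents and ties behaviors back to them. The following is an added example, not the connector's implementation. The sample events are trimmed from the two examples on this page plus a second, invented incident so the filters have something to drop; treating an empty dynamic list as "no filter" and comparing the severity threshold against fine_score are assumptions the page does not state.

```python
from collections import defaultdict

# Constructed sample input: the first incident and the behavior are trimmed
# from the page's examples; the second incident is invented for the filters.
INCIDENT_EVENTS = [
    {
        "data_type": "Incident",
        "incident_id": "inc:fee8a6ef0cb3412e9a781dcae0287c85:9dfa480ae6214309bff0c8dc2ad8af7c",
        "incident_type": 1,
        "state": "closed",
        "fine_score": 21,
        "tactics": ["Defense Evasion", "Privilege Escalation", "Credential Access"],
    },
    {
        "data_type": "Incident",
        "incident_id": "inc:00000000000000000000000000000000:11111111111111111111111111111111",
        "incident_type": 2,
        "state": "open",
        "fine_score": 73,
        "tactics": ["Execution"],
    },
]
BEHAVIOR_EVENTS = [
    {
        "behavior_id": "ind:fee8a6ef0cb3412e9a781dcae0287c85:1298143147841-372-840208",
        "incident_ids": ["inc:fee8a6ef0cb3412e9a781dcae0287c85:9dfa480ae6214309bff0c8dc2ad8af7c"],
        "tactic_id": "TA0004",
        "technique_id": "T1548.002",
        "display_name": "ProcessIntegrityElevationTarget",
    },
]


def is_incident_event(event):
    """Incident events carry data_type "Incident"; behavior events do not."""
    return event.get("data_type") == "Incident"


def passes_dynamic_list(incident, dynamic_list, use_as_blocklist):
    """Apply the dynamic list to incident_type, the field the page names.

    Assumption: an empty list filters nothing. As an allowlist only listed
    types pass; with "Use dynamic list as a blocklist" checked, listed types
    are dropped instead.
    """
    if not dynamic_list:
        return True
    listed = str(incident.get("incident_type")) in {str(v) for v in dynamic_list}
    return not listed if use_as_blocklist else listed


def passes_severity(incident, lowest_severity_score):
    """Lowest Severity Score To Fetch: None means ingest every severity.

    Assumption: the threshold is compared against the incident's fine_score.
    """
    if lowest_severity_score is None:
        return True
    return incident.get("fine_score", 0) >= lowest_severity_score


def select_incidents(events, dynamic_list=(), use_as_blocklist=False,
                     lowest_severity_score=None, max_incidents=10):
    """Return the incidents one connector iteration would process."""
    selected = [
        e for e in events
        if is_incident_event(e)
        and passes_dynamic_list(e, dynamic_list, use_as_blocklist)
        and passes_severity(e, lowest_severity_score)
    ]
    return selected[:max_incidents]


def attach_behaviors(incidents, behaviors):
    """Group behavior events under their incident via incident_ids (falling
    back to incident_id) and summarise the ATT&CK tactic/technique pairs."""
    by_incident = defaultdict(list)
    for b in behaviors:
        for inc_id in b.get("incident_ids") or [b.get("incident_id")]:
            by_incident[inc_id].append(b)
    summary = {}
    for inc in incidents:
        related = by_incident.get(inc["incident_id"], [])
        summary[inc["incident_id"]] = {
            "fine_score": inc.get("fine_score"),
            "behavior_ids": [b["behavior_id"] for b in related],
            "attack": sorted({(b["tactic_id"], b["technique_id"]) for b in related}),
        }
    return summary
```

Running the same dynamic list once as an allowlist and once as a blocklist makes the effect of the checkbox obvious: the list [1] keeps only incident_type 1 in the first mode and only incident_type 2 in the second, and the severity threshold is evaluated independently of either.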