CrowdStrike Falcon
Integration version: 35.0
Prerequisites
Before you proceed to configuring the integration in Google Security Operations SOAR, make sure to complete the following prerequisite steps:
Configure the API client.
Configure action permissions.
Configure connector permissions.
Configure the API client
To define a CrowdStrike API client and view, create, or modify API clients or keys, you need to have a Falcon Administrator role.
- In the Falcon UI, navigate to Support > API Clients and Keys. On this page, you can find existing clients, add new API clients, or view the audit log.
- Click Add new API Client.
- Provide a name for your new API client.
- Select appropriate API scopes.
- Click Save. The Client ID and Client Secret appear.
This is the only time when you see the client secret value. Make sure to store it securely.
For more details regarding access to the CrowdStrike API, see the Getting Access to the CrowdStrike API guide at the CrowdStrike blog.
Configure action permissions
Refer to the minimal permissions for actions, as listed in the following table:
| Action | Required permissions |
|---|---|
| Add Comment to Detection | Detections.ReadDetection.Write |
| Add Identity Protection Detection Comment | Alerts.ReadAlerts.Write |
| Add Incident Comment | Incidents.Write |
| Close Detection | Detections.ReadDetection.Write |
| Contain Endpoint | Hosts.ReadHosts.Write |
| Delete IOC | IOC Management.ReadIOC Management.Write |
| Download File | Hosts.ReadReal time response.ReadReal time response.Write |
| Execute Command | Hosts.ReadReal time response.ReadReal time response.WriteReal time response (admin).Write* for full privilege commands.
|
| Get Event Offset | Event streams.Read |
| Get Hosts by IOC | N/A: Deprecated |
| Get Host Information | Hosts.Read |
| Get Process Name By IOC | N/A: Deprecated |
| Lift Contained Endpoint | Hosts.ReadHosts.Write |
| List Hosts | Hosts.Read |
| List Host Vulnerabilities | Hosts.ReadSpotlight vulnerabilities.Read |
| List Uploaded IOCs | IOC Management.Read |
| Ping | Hosts.Read |
| Submit File | Reports (Falcon Intelligence).ReadSandbox (Falcon Intelligence).ReadSandbox (Falcon Intelligence).Write |
| Submit URL | Reports (Falcon Intelligence).ReadSandbox (Falcon Intelligence).ReadSandbox (Falcon Intelligence).Write |
| Update Detection | Detections.ReadDetection.WriteUser management.Read |
| Update Identity Protection Detection | Alerts.ReadAlerts.Write |
| Update Incident | Incidents.Write |
| Update IOC Information | IOC Management.ReadIOC Management.Write |
| Upload IOCs | IOC Management.ReadIOC Management.Write |
Configure connector permissions
Refer to the minimal permissions for connectors, as listed in the following table:
| Connector | Required permissions |
|---|---|
| CrowdStrike Detections Connector | Detection.Read |
| CrowdStrike Falcon Streaming Events Connector | Event streams.Read |
| CrowdStrike Identity Protection Detections Connector | Alerts.Read |
| CrowdStrike Incidents Connector | Incidents.Read |
Integrate CrowdStrike Falcon with Google Security Operations SOAR
For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.
Integration inputs
To configure the integration, use the following parameters:
| Parameters | |
|---|---|
API Root |
API root of the CrowdStrike instance. Default value is |
Client API ID |
Required Client ID for CrowdStrike API. |
Client API Secret |
Required Client Secret for CrowdStrike API. |
Verify SSL |
Check if your CrowdStrike Falcon connection requires an SSL verification. Unchecked by default. |
Actions
Before proceeding with the integration configuration, make sure that you've configured the minimal permissions for every integration item. For more details, refer to the Action permissions section of this document.
Add Comment to Detection
Add a comment to the detection in CrowdStrike Falcon.
Entities
This action runs on all entities.
Action inputs
To configure the action, use the following parameters:
| Parameters | |
|---|---|
Detection ID |
Required
ID of the detection to add a comment to. |
Comment |
Required
The comment to add to the detection. |
Action outputs
| Action output type | |
|---|---|
| Case wall attachment | N/A |
| Case wall link | N/A |
| Case wall table | N/A |
| Enrichment table | N/A |
| JSON result | N/A |
| Script result | Available |
Script result
| Script result name | Value |
|---|---|
| is_success | True/False |
Add Identity Protection Detection Comment
Add a comment to the identity protection detection in CrowdStrike.
Entities
The action doesn't run on entities.
Action inputs
To configure the action, use the following parameters:
| Parameters | |
|---|---|
Detection ID |
Required
ID of the detection to update. |
Comment |
Required
The comment to add to the detection. |
Action outputs
| Action output type | |
|---|---|
| Case wall attachment | N/A |
| Case wall link | N/A |
| Case wall table | N/A |
| Enrichment table | N/A |
| JSON result | N/A |
| Script result | Available |
Script result
| Script result name | Value |
|---|---|
| is_success | True/False |
Case wall
The action provides the following output messages:
| Output message | Message description |
|---|---|
Successfully added comment to the
identity protection detection with ID
DETECTION_ID in CrowdStrike |
Action succeeded. |
Error executing action "Add Identity
Protection Detection Comment". Reason:
ERROR_REASON |
Action failed. Check connection to the server, input parameters, or credentials. |
Error executing action "Add Identity
Protection Detection Comment". Reason: identity protection detection with
ID DETECTION_ID wasn't found in
CrowdStrike. Please check the
spelling. |
Action failed. Check the spelling. |
Add Incident Comment
Add comment to an incident in CrowdStrike.
Entities
The action doesn't run on entities.
Action inputs
To configure the action, use the following parameters:
| Parameters | |
|---|---|
Incident ID |
Required
ID of the incident to update. |
Comment |
Required
The comment to add to the incident. |
Action outputs
| Action output type | |
|---|---|
| Case wall attachment | N/A |
| Case wall link | N/A |
| Case wall table | N/A |
| Enrichment table | N/A |
| JSON result | N/A |
| Script result | Available |
Script result
| Script result name | Value |
|---|---|
| is_success | True/False |
Case wall
The action provides the following output messages:
| Output message | Message description |
|---|---|
Successfully added comment to the
incident INCIDENT_ID in CrowdStrike
|
Action succeeded. |
Error executing action "Add Incident Comment". Reason:
ERROR_REASON |
Action failed. Check connection to the server, input parameters, or credentials. |
Error executing action "Add Incident Comment". Reason: incident
with ID INCIDENT_ID wasn't found in
CrowdStrike. Please check the spelling. |
Action failed. Check the spelling. |
Close Detection
Close a CrowdStrike Falcon detection.
Entities
This action runs on all entities.
Action inputs
To configure the action, use the following parameters:
| Parameters | |
|---|---|
Detection ID |
Required
ID of the detection to close. |
Hide Detection |
Optional
If enabled, the action hides the detection in the UI. Enabled by default. |
Action outputs
| Action output type | |
|---|---|
| Case wall attachment | N/A |
| Case wall link | N/A |
| Case wall table | N/A |
| Enrichment table | N/A |
| JSON result | N/A |
| Script result | Available |
Script result
| Script result name | Value |
|---|---|
| is_success | True/False |
Contain Endpoint
Contain endpoint in CrowdStrike Falcon.
Entities
This action runs on the following entities:
- IP address
- Hostname
Action inputs
To configure the action, use the following parameters:
| Parameters | |
|---|---|
Fail If Timeout |
Required
If enabled and not all of the endpoints are contained, the action fails. Enabled by default. |
Action outputs
| Action output type | |
|---|---|
| Case wall attachment | N/A |
| Case wall link | N/A |
| Case wall table | N/A |
| Entity enrichment table | Available |
| JSON result | Available |
| Script result | Available |
Script result
| Script result name | Value |
|---|---|
| is_success | True/False |
JSON result
{
"EntityResult":
{
"status": "contained",
"modified_timestamp": "2019-06-24T07:47:37Z",
"major_version": "6",
"policies":
[{
"applied": "True",
"applied_date": "2019-04-29T07:40:06.876850888Z",
"settings_hash": "ce17279e",
"policy_type": "prevention",
"assigned_date": "2019-04-29T07:39:55.218651583Z",
"policy_id": ""
}],
"config_id_platform": "3",
"bios_manufacturer": "Example Inc.",
"system_manufacturer": "Example Corporation",
"device_policies":
{
"global_config":
{
"applied": "True",
"applied_date": "2019-06-03T23:24:04.893780991Z",
"settings_hash": "a75911b0",
"policy_type": "globalconfig",
"assigned_date": "2019-06-03T23:23:17.184432743Z",
"policy_id": ""
},
"Sensor_update":
{
"applied": "True",
"applied_date": "2019-05-30T23:13:55.23597658Z",
"settings_hash": "65994753|3|2|automatic;101",
"uninstall_protection": "ENABLED",
"policy_type": "sensor-update",
"assigned_date": "2019-05-30T23:04:31.485311459Z",
"policy_id": ""
},
"prevention":
{
"applied": "True",
"applied_date": "2019-04-29T07:40:06.876850888Z",
"settings_hash": "ce17279e",
"policy_type": "prevention",
"assigned_date": "2019-04-29T07:39:55.218651583Z",
"policy_id": ""
},
"device_control":
{
"applied": "True",
"applied_date": "2019-06-03T23:14:29.800434222Z",
"policy_type": "device-control",
"assigned_date": "2019-06-03T23:05:17.425127539Z",
"policy_id": ""
},
"remote_response":
{
"applied": "True",
"applied_date": "2019-04-29T07:40:04.469808388Z",
"settings_hash": "f472bd8e",
"policy_type": "remote-response",
"assigned_date": "2019-04-29T07:39:55.218642441Z",
"policy_id": ""
}
},
"meta":
{
"Version":"12765"
},
"pointer_size": "8",
"last_seen": "2019-06-24T07:45:34Z",
"agent_local_time": "2019-06-18T12:17:06.259Z",
"first_seen": "2019-04-29T07:39:45Z",
"service_pack_major": "0",
"slow_changing_modified_timestamp": "2019-06-23T11:20:42Z",
"service_pack_minor": "0",
"system_product_name": "Virtual Machine",
"product_type_desc": "Server",
"build_number": "9600",
"cid": "27fe4e476ca3490b8476b2b6650e5a74",
"local_ip": "192.0.2.1",
"external_ip": "203.0.113.1",
"hostname": "",
"config_id_build": "example-id",
"minor_version": "3",
"platform_id": "x",
"os_version": "Windows Server 2012 R2",
"config_id_base": "example-config",
"provision_status": "Provisioned",
"mac_address": "01:23:45:ab:cd:ef",
"bios_version": "090007 ",
"platform_name": "Windows",
"Agent_load_flags":"1",
"device_id": "",
"product_type": "3",
"agent_version": "5.10.9106.0"
},
"Entity": "198.51.100.255"
}
Entity enrichment
| Enrichment field | Logic |
|---|---|
status |
Returns if it exists in the JSON result |
modified_timestamp |
Returns if it exists in the JSON result |
major_version |
Returns if it exists in the JSON result |
policies |
Returns if it exists in the JSON result |
config_id_platform |
Returns if it exists in the JSON result |
bios_manufacturer |
Returns if it exists in the JSON result |
system_manufacturer |
Returns if it exists in the JSON result |
device_policies |
Returns if it exists in the JSON result |
meta |
Returns if it exists in the JSON result |
pointer_size |
Returns if it exists in the JSON result |
last_seen |
Returns if it exists in the JSON result |
agent_local_time |
Returns if it exists in the JSON result |
first_seen |
Returns if it exists in the JSON result |
service_pack_major |
Returns if it exists in the JSON result |
slow_changing_modified_timestamp |
Returns if it exists in the JSON result |
service_pack_minor |
Returns if it exists in the JSON result |
system_product_name |
Returns if it exists in the JSON result |
product_type_desc |
Returns if it exists in the JSON result |
build_number |
Returns if it exists in the JSON result |
cid |
Returns if it exists in the JSON result |
local_ip |
Returns if it exists in the JSON result |
external_ip |
Returns if it exists in the JSON result |
hostname |
Returns if it exists in the JSON result |
config_id_build |
Returns if it exists in the JSON result |
minor_version |
Returns if it exists in the JSON result |
platform_id |
Returns if it exists in the JSON result |
os_version |
Returns if it exists in the JSON result |
config_id_base |
Returns if it exists in the JSON result |
provision_status |
Returns if it exists in the JSON result |
mac_address |
Returns if it exists in the JSON result |
bios_version |
Returns if it exists in the JSON result |
platform_name |
Returns if it exists in the JSON result |
agent_load_flags |
Returns if it exists in the JSON result |
device_id |
Returns if it exists in the JSON result |
product_type |
Returns if it exists in the JSON result |
agent_version |
Returns if it exists in the JSON result |
Case wall
The action provides the following output messages:
| Output message | Message description |
|---|---|
|
Action succeeded. |
Error executing action "Contain
Endpoint". Reason: ERROR_REASON
|
Action failed. Check connection to the server, input parameters, or credentials. |
Error executing action "Contain
Endpoint". Reason: the following endpoints initiated containment, but were
not able to finish it during action execution:
ENTITY_ID
|
Action failed. Check the endpoint status and
the |
Delete IOC
Delete custom IOCs in CrowdStrike Falcon.
Entities
This action runs on the following entities:
- IP Address
- Hostname
- URL
- Hash
Action inputs
N/A
Action outputs
| Action output type | |
|---|---|
| Case wall attachment | N/A |
| Case wall link | N/A |
| Case wall table | N/A |
| Enrichment table | N/A |
| JSON result | N/A |
| Script result | Available |
Script result
| Script result name | Value |
|---|---|
| is_success | True/False |
Case wall
The action provides the following output messages:
| Output message | Message description |
|---|---|
|
Action succeeded. |
Error executing action "Delete IOC".
Reason: ERROR_REASON |
Action failed. Check connection to the server, input parameters, or credentials. |
Download File
Download files from the hosts in CrowdStrike Falcon.
You can find the downloaded file in a password-protected zip package. To access
the file, provide the following password: infected.
Entities
This action runs on the following entities:
- Filename
- IP address
- Host
Action inputs
To configure the action, use the following parameters:
| Parameters | |
|---|---|
Download Folder Path |
Required
Path to the folder that stores the threat file. |
Overwrite |
Required
If enabled, the action overwrites the file with the same name. Disabled by default. |
Action outputs
| Action output type | |
|---|---|
| Case wall attachment | N/A |
| Case wall link | N/A |
| Case wall table | N/A |
| Entity table | Available |
| Enrichment table | Available |
| JSON result | Available |
| Script result | Available |
Script result
| Script result name | Value |
|---|---|
| is_success | True/False |
Entity table
| Entity | |
|---|---|
filepath |
Absolute path to the file. |
JSON result
{
"absolute_paths": ["/opt/file_1", "opt_file_2"]
}
Case wall
The action provides the following output messages:
| Output message | Message description |
|---|---|
|
Action succeeded. |
Error executing action "Download
File". Reason: ERROR_REASON
|
Action failed. Check connection to the server, input parameters, or credentials. |
Error executing action "Download
File". Reason: file with path PATH
already exists. Please delete the file or set "Overwrite" to true.
|
Action failed. Check the |
Waiting for results for the following
entities: ENTITY_ID |
Asynchronous message. |
Execute Command
Execute commands on the hosts in CrowdStrike Falcon.
Entities
This action runs on the following entities:
- IP address
- Hostname
Parameters
To configure the action, use the following parameters:
| Parameters | |
|---|---|
Command |
Required
Command to execute on hosts. |
Admin Command |
Optional
If
|
Action outputs
| Action output type | |
|---|---|
| Case wall attachment | N/A |
| Case wall link | N/A |
| Case wall table | N/A |
| Enrichment table | N/A |
| JSON result | N/A |
| Script result | Available |
Script result
| Script result name | Value |
|---|---|
| is_success | True/False |
Case wall
The action provides the following output messages:
| Output message | Message description |
|---|---|
Successfully executed command
"COMMAND" on the following
endpoints in CrowdStrike Falcon:
ENTITY_ID |
Action succeeded. |
Error executing action "Execute Command". Reason:
ERROR_REASON |
Action failed. Check connection to the server, input parameters, or credentials. |
Waiting for results for the following
entities: ENTITY_ID |
Asynchronous message. |
Get Event Offset
Action retrieves the event offset used by the Event Streaming Connector.
Entities
This action doesn't run on entities.
Action inputs
To configure the action, use the following parameters:
| Parameters | |
|---|---|
Max Events To Process |
Required
Number of events the action needs to process starting from 30 days ago. Default value is 10000. |
Action outputs
| Action output type | |
|---|---|
| Case wall attachment | N/A |
| Case wall link | N/A |
| Case wall table | N/A |
| Enrichment table | N/A |
| JSON result | Available |
| Script result | Available |
Script result
| Script result name | Value |
|---|---|
| is_success | True/False |
JSON result
{
"offset": 100000
"timestamp": "<code><var>EVENT_TIMESTAMP</var></code>"
}
Case wall
The action provides the following output messages:
| Output message | Message description |
|---|---|
Successfully retrieved event offset in CrowdStrike Falcon.
|
Action succeeded. |
Error executing action "Get Event
Offset". Reason: ERROR_REASON
|
Action failed. Check connection to the server, input parameters, or credentials. |
Get Host Information
Retrieve information about the hostname from CrowdStrike Falcon.
Entities
This action runs on the following entities:
- Hostname
- IP address
Action inputs
To configure the action, use the following parameters:
| Parameters | |
|---|---|
Create Insight |
Optional
If enabled, the action creates insights containing information about entities. Enabled by default. |
Action outputs
| Action output type | |
|---|---|
| Case wall attachment | N/A |
| Case wall link | N/A |
| Case wall table | N/A |
| Entity enrichment table | Available |
| JSON result | Available |
| Script result | Available |
Script result
| Script result name | Value |
|---|---|
| is_success | True/False |
JSON result
[
{
"EntityResult": [
{
"modified_timestamp": "2019-01-17T13: 44: 57Z",
"major_version": "10",
"site_name": "Default-First-Site-Name",
"platform_id": "0",
"config_id_platform": "3",
"system_manufacturer": "ExampleInc.",
"meta": {
"version": "1111"
},
"first_seen": "2018-04-22T13: 06: 53Z",
"service_pack_minor": "0",
"product_type_desc": "Workstation",
"build_number": "111",
"hostname": "name",
"config_id_build": "8104",
"minor_version": "0",
"os_version": "Windows10",
"provision_status": "Provisioned",
"mac_address": "64-00-6a-2a-43-3f",
"bios_version": "1.2.1",
"agent_load_flags": "1",
"status": "normal",
"bios_manufacturer": "ExampleInc.",
"machine_domain": "Domain name",
"agent_local_time": "2019-01-14T19: 41: 09.738Z",
"slow_changing_modified_timestamp": "2019-01-14T17: 44: 40Z",
"service_pack_major": "0",
"device_id": "example-id",
"system_product_name": "OptiPlex7040",
"product_type": "1",
"local_ip": "192.0.2.1",
"external_ip": "203.0.113.1",
"cid": "example-cid",
"platform_name": "Windows",
"config_id_base": "65994753",
"last_seen": "2019-01-17T13: 44: 46Z",
"pointer_size": "8",
"agent_version": "4.18.8104.0",
"recent_logins": [
{
"user_name": "test",
"login_time": "2022-08-10T07:36:38Z"
},
{
"user_name": "test",
"login_time": "2022-08-10T07:36:35Z"
}
],
"online_status": "offline"
}
],
"Entity": "198.51.100.255"
}
]
Entity enrichment
| Enrichment field | Logic |
|---|---|
modified_timestamp |
Returns if it exists in the JSON result |
major_version |
Returns if it exists in the JSON result |
site_name |
Returns if it exists in the JSON result |
platform_id |
Returns if it exists in the JSON result |
config_id_platform |
Returns if it exists in the JSON result |
system_manufacturer |
Returns if it exists in the JSON result |
meta |
Returns if it exists in the JSON result |
first_seen |
Returns if it exists in the JSON result |
service_pack_minor |
Returns if it exists in the JSON result |
product_type_desc |
Returns if it exists in the JSON result |
build_number |
Returns if it exists in the JSON result |
hostname |
Returns if it exists in the JSON result |
config_id_build |
Returns if it exists in the JSON result |
minor_version |
Returns if it exists in the JSON result |
os_version |
Returns if it exists in the JSON result |
provision_status |
Returns if it exists in the JSON result |
mac_address |
Returns if it exists in the JSON result |
bios_version |
Returns if it exists in the JSON result |
agent_load_flags |
Returns if it exists in the JSON result |
status |
Returns if it exists in the JSON result |
bios_manufacturer |
Returns if it exists in the JSON result |
machine_domain |
Returns if it exists in the JSON result |
agent_local_time |
Returns if it exists in the JSON result |
slow_changing_modified_timestamp |
Returns if it exists in the JSON result |
service_pack_major |
Returns if it exists in the JSON result |
device_id |
Returns if it exists in the JSON result |
system_product_name |
Returns if it exists in the JSON result |
product_type |
Returns if it exists in the JSON result |
local_ip |
Returns if it exists in the JSON result |
external_ip |
Returns if it exists in the JSON result |
cid |
Returns if it exists in the JSON result |
platform_name |
Returns if it exists in the JSON result |
config_id_base |
Returns if it exists in the JSON result |
last_seen |
Returns if it exists in the JSON result |
pointer_size |
Returns if it exists in the JSON result |
agent_version |
Returns if it exists in the JSON result |
Case wall
The action provides the following output messages:
| Output message | Message description |
|---|---|
|
Action succeeded. |
Error executing action "Get Host
Information". Reason: ERROR_REASON
|
Action failed. Check connection to the server, input parameters, or credentials. |
Get Hosts by IOC - Deprecated
List hosts related to the IOCs in CrowdStrike Falcon. Supported entities:
Hostname, URL, IP Address and Hash.
Note: Hostname entities are treated as domain IOCs. The action
extracts the domain part out of URLs. Only the MD5 and SHA-256 hashes are
supported.
Entities
This action runs on the following entities:
- IP Address
- Hostname
- URL
- Hash
Action inputs
N/A
Action outputs
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON result
{
"hash":
[{
"modified_timestamp": "2019-01-17T13: 44: 57Z",
"major_version": "10",
"site_name": "Example-Name",
"platform_id": "ExampleID",
"config_id_platform": "3",
"system_manufacturer": "ExampleInc.",
"meta": {"version": "49622"},
"first_seen": "2018-04-22T13: 06: 53Z",
"service_pack_minor": "0",
"product_type_desc": "Workstation",
"build_number": "14393",
"hostname": "name",
"config_id_build": "ExampleID",
"minor_version": "0",
"os_version": "Windows10",
"provision_status": "Provisioned",
"mac_address": "01:23:45:ab:cd:ef",
"bios_version": "1.2.1",
"agent_load_flags": "1",
"status": "normal",
"bios_manufacturer": "ExampleInc.",
"machine_domain": "Example Domain",
"Device_policies":
{
"sensor_update":
{
"applied": true,
"applied_date": "2018-12-11T23: 09: 18.071417837Z",
"settings_hash": "65994753|3|2|automatic",
"policy_type": "sensor-update",
"assigned_date": "2018-12-11T23: 08: 38.16990705Z",
"policy_id": "Example ID"
}
},
"agent_local_time": "2019-01-14T19: 41: 09.738Z",
"slow_changing_modified_timestamp": "2019-01-14T17: 44: 40Z",
"service_pack_major": "0", "device_id": "2653595a063e4566519ef4fc813fcc56",
"system_product_name": "OptiPlex7040",
"product_type": "1",
"local_ip": "192.0.2.1",
"external_ip": "203.0.113.1",
"cid": "27fe4e476ca3490b8476b2b6650e5a74",
"platform_name": "Windows",
"config_id_base": "ExampleID",
"policies":
[{
"applied": true,
"applied_date": "2019-01-02T22: 45: 21.315392338Z",
"settings_hash": "18db1203",
"policy_type": "prevention",
"assigned_date": "2019-01-02T22: 45: 11.214774996Z",
"policy_id": "Example ID"
}],
"last_seen": "2019-01-17T13: 44: 46Z",
"pointer_size": "8",
"agent_version": "4.18.8104.0"
}]
}
Entity enrichment
| Enrichment field | Logic |
|---|---|
| modified_timestamp | Returns if it exists in JSON result |
| major_version | Returns if it exists in JSON result |
| site_name | Returns if it exists in JSON result |
| platform_id | Returns if it exists in JSON result |
| config_id_platform | Returns if it exists in JSON result |
| system_manufacturer | Returns if it exists in JSON result |
| meta | Returns if it exists in JSON result |
| first_seen | Returns if it exists in JSON result |
| service_pack_minor | Returns if it exists in JSON result |
| product_type_desc | Returns if it exists in JSON result |
| build_number | Returns if it exists in JSON result |
| hostname | Returns if it exists in JSON result |
| config_id_build | Returns if it exists in JSON result |
| minor_version | Returns if it exists in JSON result |
| os_version | Returns if it exists in JSON result |
| provision_status | Returns if it exists in JSON result |
| mac_address | Returns if it exists in JSON result |
| bios_version | Returns if it exists in JSON result |
| agent_load_flags | Returns if it exists in JSON result |
| status | Returns if it exists in JSON result |
| bios_manufacturer | Returns if it exists in JSON result |
| machine_domain | Returns if it exists in JSON result |
| Device_policies | Returns if it exists in JSON result |
| agent_local_time | Returns if it exists in JSON result |
| slow_changing_modified_timestamp | Returns if it exists in JSON result |
| service_pack_major | Returns if it exists in JSON result |
| system_product_name | Returns if it exists in JSON result |
| product_type | Returns if it exists in JSON result |
| local_ip | Returns if it exists in JSON result |
| external_ip | Returns if it exists in JSON result |
| cid | Returns if it exists in JSON result |
| platform_name | Returns if it exists in JSON result |
| config_id_base | Returns if it exists in JSON result |
| policies | Returns if it exists in JSON result |
| last_seen | Returns if it exists in JSON result |
| pointer_size | Returns if it exists in JSON result |
| agent_version | Returns if it exists in JSON result |
Entity insight
N/A
Case wall
| Result Type | Value / Description | Type |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution: If successful and at least one host related to the provided IOCs is found (is_success=true): "Successfully retrieved hosts related to the provided IOCs in CrowdStrike Falcon." If no related hosts are found (is_success=false): "No hosts were related to the provided IOCs in CrowdStrike Falcon." The action should fail and stop a playbook execution: If a critical error is reported: "Error executing action "{action name}". Reason: {traceback}." |
General |
Get Process Name by IOC - Deprecated
Retrieve processes related to the IOCs and provided devices in CrowdStrike
Falcon. Supported entities: Hostname, URL, IP Address and Hash.
Note: Hostname entities are treated as domain IOCs. The action
extracts the domain part out of URLs. Only the MD5, SHA-1 and SHA-256 hashes
are supported. The IP Address entities are treated as IOCs.
Parameters
| Parameter Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Devices Names | 11 | N/A | Yes | Specify a comma-separated list of devices for which you want to retrieve processes related to entities. |
Run On
This action runs on the following entities:
- Hostname
- URL
- Hash
Action Results
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON Result
{
"EntityResult":
[{
"Process Name": "example.exe",
"Indicator": "986a4715113359b527b15efe1ee09306", "Host Name": "example-name"
},{
"Process Name": "example.exe",
"Indicator": "986a4715113359b527b15efe1ee09306",
"Host Name": "example-name"
},{
"Process Name": "example.exe",
"Indicator": "986a4715113359b527b15efe1ee09306",
"Host Name": "example-name"
}],
"Entity": "example_entity"
}
Entity Enrichment
| Enrichment Field Name | Logic - When to apply |
|---|---|
| Process Name | Returns if it exists in JSON result |
| Indicator | Returns if it exists in JSON result |
| Host Name | Returns if it exists in JSON result |
Entity Insights
N/A
Case Wall
| Result Type | Value / Description | Type |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution: If found processes related to entities for at least one endpoint (is_success=true): "Successfully retrieved processes related to the IOCs on the following endpoints in CrowdStrike Falcon: {device name}." If no processes are found for at least one endpoint or the device is not found (is_success=true): "No related processes were found on the following endpoints in CrowdStrike Falcon: {device name}." If no processes are found for all endpoints or none of the devices are found (is_success=false): "No related processes were found on the provided endpoints in CrowdStrike Falcon. The action should fail and stop a playbook execution: If a critical error is reported: "Error executing "{action name}". Reason: {trace back}." |
Get Vertex Details
List all the properties associated with a particular indicator.
Entities
This action runs on the following entities:
- Hostname
- URL
- Hash
Action inputs
N/A
Action outputs
| Action output type | |
|---|---|
| Case wall attachment | N/A |
| Case wall link | N/A |
| Case wall table | N/A |
| Entity enrichment table | Available |
| JSON result | Available |
| Script result | Available |
Script result
| Script result name | Value |
|---|---|
| is_success | True/False |
JSON result
[{
"EntityResult":
[{
"vertex_type": "module",
"timestamp": "2019-01-17T10: 52: 40Z",
"object_id":"example_id",
"properties":
{
"SHA256HashData": "7afb56dd48565c3c9804f683c80ef47e5333f847f2d3211ec11ed13ad36061e1",
"MD5HashData": "54cb91395cdaad9d47882533c21fc0e9",
"SHA1HashData": "3b1333f826e5fe36395042fe0f1b895f4a373f1b"
},
"edges":
{
"primary_module":
[{
"direction": "in",
"timestamp": "2019-01-13T10: 58: 51Z",
"object_id": "example-id",
"id": "pid: cb4493e4af2742b068efd16cb48b7260: 3738513791849",
"edge_type": "primary_module",
"path": "example-path",
"scope": "device",
"properties": {},
"device_id": "example-id"
}]
},
"scope": "device",
"customer_id": "example-id",
"id": "mod: cb4493e4af2742b068efd16cb48b7260: 7afb56dd48565c3c9804f683c80ef47e5333f847f2d3211ec11ed13ad36061e1",
"device_id": "example-id"
}],
"Entity": "198.51.100.255"
}]
Entity enrichment
| Enrichment field | Logic |
|---|---|
vertex_type |
Returns if it exists in the JSON result |
timestamp |
Returns if it exists in the JSON result |
object_id |
Returns if it exists in the JSON result |
properties |
Returns if it exists in the JSON result |
edges |
Returns if it exists in the JSON result |
scope |
Returns if it exists in the JSON result |
customer_id |
Returns if it exists in the JSON result |
id |
Returns if it exists in the JSON result |
device_id |
Returns if it exists in the JSON result |
Lift Contained Endpoint
Lift endpoint containment in CrowdStrike Falcon.
Entities
This action runs on the following entities:
- IP Address
- Hostname
Action inputs
To configure the action, use the following parameters:
| Parameters | |
|---|---|
Fail If Timeout |
Required
If enabled and the containment is not lifted on all endpoints, the action fails. Enabled by default. |
Action outputs
| Action output type | |
|---|---|
| Case wall attachment | N/A |
| Case wall link | N/A |
| Case wall table | N/A |
| Entity enrichment table | Available |
| JSON result | Available |
| Script result | Available |
Script result
| Script result name | Value |
|---|---|
| is_success | True/False |
JSON result
{
"EntityResult":
{
"status": "contained",
"modified_timestamp": "2019-06-24T07:47:37Z",
"major_version": "6", "policies":
[{
"applied": "True",
"applied_date": "2019-04-29T07:40:06.876850888Z",
"settings_hash": "ce17279e",
"policy_type": "prevention",
"assigned_date": "2019-04-29T07:39:55.218651583Z",
"policy_id": ""
}],
"config_id_platform": "example-id",
"bios_manufacturer": "Example Inc.",
"system_manufacturer": "Example Corporation",
"Device_policies":
{
"global_config":
{
"applied": "True",
"applied_date": "2019-06-03T23:24:04.893780991Z",
"settings_hash": "a75911b0",
"policy_type": "globalconfig",
"assigned_date": "2019-06-03T23:23:17.184432743Z",
"policy_id": ""
},
"Sensor_update":
{
"applied": "True",
"applied_date": "2019-05-30T23:13:55.23597658Z",
"settings_hash": "65994753|3|2|automatic;101",
"uninstall_protection": "ENABLED",
"policy_type": "sensor-update",
"assigned_date": "2019-05-30T23:04:31.485311459Z",
"policy_id": "9d1e405846de4ebdb63f674866d390dc"
},
"Prevention":
{
"applied": "True",
"applied_date": "2019-04-29T07:40:06.876850888Z",
"settings_hash": "ce17279e",
"policy_type": "prevention",
"assigned_date": "2019-04-29T07:39:55.218651583Z",
"policy_id": ""
},
"device_control":
{
"applied": "True",
"applied_date": "2019-06-03T23:14:29.800434222Z",
"policy_type": "device-control",
"assigned_date": "2019-06-03T23:05:17.425127539Z",
"policy_id": ""
},
"Remote_response":
{
"applied": "True",
"applied_date": "2019-04-29T07:40:04.469808388Z",
"settings_hash": "f472bd8e",
"policy_type": "remote-response",
"assigned_date": "2019-04-29T07:39:55.218642441Z",
"policy_id": ""
}
},
"meta":
{"version": "12765"},
"pointer_size": "8",
"last_seen": "2019-06-24T07:45:34Z",
"agent_local_time": "2019-06-18T12:17:06.259Z",
"first_seen": "2019-04-29T07:39:45Z",
"service_pack_major": "0",
"slow_changing_modified_timestamp": "2019-06-23T11:20:42Z",
"service_pack_minor": "0",
"system_product_name":"Virtual Machine",
"product_type_desc": "Server",
"build_number": "9600",
"cid": "",
"local_ip": "192.0.2.1",
"external_ip": "203.0.113.1",
"hostname": "example-hostname",
"config_id_build": "9106",
"minor_version": "3",
"platform_id": "0",
"os_version": "Windows Server 2012 R2",
"config_id_base": "example-id",
"provision_status": "Provisioned",
"mac_address": "01-23-45-ab-cd-ef",
"bios_version": "090007 ",
"platform_name": "Windows",
"agent_load_flags": "1",
"device_id": "",
"product_type": "3",
"agent_version": "5.10.9106.0"
},
"Entity": "198.51.100.255"
}
Entity enrichment
| Enrichment field | Logic |
|---|---|
status |
Returns if it exists in the JSON result |
modified_timestamp |
Returns if it exists in the JSON result |
major_version |
Returns if it exists in the JSON result |
config_id_platform |
Returns if it exists in the JSON result |
system_manufacturer |
Returns if it exists in the JSON result |
Device_policies |
Returns if it exists in the JSON result |
meta |
Returns if it exists in the JSON result |
pointer_size |
Returns if it exists in the JSON result |
last_seen |
Returns if it exists in the JSON result |
agent_local_time |
Returns if it exists in the JSON result |
first_seen |
Returns if it exists in the JSON result |
service_pack_major |
Returns if it exists in the JSON result |
slow_changing_modified_timestamp |
Returns if it exists in the JSON result |
service_pack_minor |
Returns if it exists in the JSON result |
system_product_name |
Returns if it exists in the JSON result |
product_type_desc |
Returns if it exists in the JSON result |
build_number |
Returns if it exists in the JSON result |
cid |
Returns if it exists in the JSON result |
local_ip |
Returns if it exists in the JSON result |
external_ip |
Returns if it exists in the JSON result |
hostname |
Returns if it exists in the JSON result |
config_id_build |
Returns if it exists in the JSON result |
minor_version |
Returns if it exists in the JSON result |
platform_id |
Returns if it exists in the JSON result |
os_version |
Returns if it exists in the JSON result |
config_id_base |
Returns if it exists in the JSON result |
provision_status |
Returns if it exists in the JSON result |
mac_address |
Returns if it exists in the JSON result |
bios_version |
Returns if it exists in the JSON result |
platform_name |
Returns if it exists in the JSON result |
agent_load_flags |
Returns if it exists in the JSON result |
device_id |
Returns if it exists in the JSON result |
product_type |
Returns if it exists in the JSON result |
agent_version |
Returns if it exists in the JSON result |
Case wall
The action provides the following output messages:
| Output message | Message description |
|---|---|
|
Action succeeded. |
Waiting for containment lift to finish for the following
endpoints: ENTITY_ID |
Asynchronous message. |
Error executing action "Lift
Contained Endpoint". Reason: the following endpoints initiated containment
lift, but were not able to finish it during action execution:
ENTITY_ID |
Action failed. Check the endpoint status and
the |
Error executing action "Lift Contained Endpoint". Reason:
ERROR_REASON |
Action failed. Check connection to the server, input parameters, or credentials. |
List Host Vulnerabilities
List vulnerabilities found on the host in CrowdStrike Falcon.
Entities
This action runs on the following entities:
- IP address
- Hostname
Action inputs
To configure the action, use the following parameters:
| Parameters | |
|---|---|
Severity Filter |
Optional
Comma-separated list of vulnerability severities. If no value is provided, the action ingests all related vulnerabilities. Possible values are:
|
Create Insight |
Optional
If enabled, the action creates an insight per entity containing statistical information about related vulnerabilities. Enabled by default. |
Max Vulnerabilities To Return |
Optional
Number of vulnerabilities to return per host. If nothing is provided, the action processes all of the related vulnerabilities. Default value is 100. |
Action outputs
| Action output type | |
|---|---|
| Case wall attachment | N/A |
| Case wall link | N/A |
| Case wall table | Available |
| Enrichment table | N/A |
| JSON result | Available |
| Script result | Available |
Script result
| Script result name | Value |
|---|---|
| is_success | True/False |
JSON result
{
"statistics": {
"total": 123,
"severity": {
"critical": 1,
"high": 1,
"medium": 1,
"low": 1,
"unknown": 1
},
"status": {
"open": 1,
"reopened": 1
},
"has_remediation": 1
},
"details": [
{
"id": "74089e36ac3a4271ab14abc076ed18eb_fff6de34c1b7352babdf7c7d240749e7",
"cid": "27fe4e476ca3490b8476b2b6650e5a74",
"aid": "74089e36ac3a4271ab14abc076ed18eb",
"created_timestamp": "2021-05-12T22:45:47Z",
"updated_timestamp": "2021-05-12T22:45:47Z",
"status": "open",
"cve": {
"id": "CVE-2021-28476",
"base_score": 9.9,
"severity": "CRITICAL",
"exploit_status": 0
},
"app": {
"product_name_version": "Example 01"
},
"apps": [
{
"product_name_version": "Example 01",
"sub_status": "open",
"remediation": {
"ids": [
"acc34cd461023ff8a966420fa8839365"
]
}
}
],
"host_info": {
"hostname": "example-hostname",
"local_ip": "192.0.2.1",
"machine_domain": "",
"os_version": "Windows 10",
"ou": "",
"site_name": "",
"system_manufacturer": "Example Inc.",
"groups": [],
"tags": [],
"platform": "Windows"
},
"remediation": [
{
"id": "acc34cd461023ff8a966420fa8839365",
"reference": "KB5003169",
"title": "Update Microsoft Windows 10 1909",
"action": "Install patch for Microsoft Windows 10 1909 x64 (Workstation): Security Update ABCDEF",
"link": "https://example.com/ABCDEF"
}
]
}
]
}
Case wall
The action provides the following output messages:
| Output message | Message description |
|---|---|
|
Action succeeded. |
Error executing action "List Host Vulnerabilities". Reason:
ERROR_REASON |
Action failed. Check connection to the server, input parameters, or credentials. |
Error executing action "List Host
Vulnerabilities". Reason: Invalid value provided in the Severity Filter
parameter. Possible values: Critical, High, Medium, Low, Unknown.
|
Action failed. Check the |
Case wall table
Type: Entity
Columns:
- Name
- Score
- Severity
- Status
- App
- Has Remediation
List Hosts
List available hosts in CrowdStrike Falcon.
Entities
This action runs on all entities.
Action inputs
To configure the action, use the following parameters:
| Parameters | |
|---|---|
Filter Logic |
Optional
Logic to use when searching for hosts. Default value is
|
Filter Value |
Optional
Value to use for host filtering. |
Max Hosts To Return |
Optional
Number of hosts to return. Default value is 50. Max value is 1000. |
Action outputs
| Action output type | |
|---|---|
| Case wall attachment | N/A |
| Case wall link | N/A |
| Case wall table | N/A |
| Enrichment table | N/A |
| JSON result | Available |
| Script result | Available |
Script result
| Script result name | Value |
|---|---|
| is_success | True/False |
JSON result
[{
"modified_timestamp": "2019-05-15T15:03:12Z",
"platform_id": "0",
"config_id_platform": "3",
"system_manufacturer": "Example Corporation",
"meta": {"version": "4067"},
"first_seen": "2019-04-29T07:39:45Z",
"service_pack_minor": "0",
"product_type_desc": "Server",
"build_number": "9600",
"hostname": "example-hostname",
"config_id_build": "8904",
"minor_version": "3",
"os_version": "Windows Server 2012 R2",
"provision_status": "Provisioned",
"mac_address": "01:23:45:ab:cd:ef",
"bios_version": "090007 ",
"agent_load_flags": "0",
"status": "normal",
"bios_manufacturer": "Example Inc.",
"device_policies":
{
"Sensor_update":
{
"applied": true,
"applied_date": "2019-05-02T22:05:09.577000651Z",
"settings_hash": "65994753|3|2|automatic",
"policy_type": "sensor-update",
"assigned_date": "2019-05-02T22:03:36.804382667Z",
"policy_id": "9d1e405846de4ebdb63f674866d390dc"
},
"remote_response":
{
"applied": true,
"applied_date": "2019-04-29T07:40:04.469808388Z",
"settings_hash": "f472bd8e",
"policy_type": "remote-response",
"assigned_date": "2019-04-29T07:39:55.218642441Z",
"policy_id": "21e4fb4dedd74c6fb0bcd6a348aa046c"
},
"device_control":
{
"applied": true,
"applied_date": "2019-04-29T07:40:06.896362608Z",
"assigned_date": "2019-04-29T07:39:55.218637999Z",
"policy_type": "device-control",
"policy_id": "c360df7193364b23aa4fc47f0238c899"
},
"prevention":
{
"applied": true,
"applied_date": "2019-04-29T07:40:06.876850888Z",
"settings_hash": "ce17279e",
"policy_type": "prevention",
"assigned_date": "2019-04-29T07:39:55.218651583Z",
"policy_id": "7efdf97d7805402186b61151e8abd745"
},
"global_config":
{
"applied": true,
"applied_date": "2019-04-29T07:45:18.94807838Z",
"settings_hash": "3d78f9ab",
"policy_type": "globalconfig",
"assigned_date": "2019-04-29T07:45:08.165941325Z",
"policy_id": "985b1a25afcb489ea442d2d1430b1679"
}
},
"cid": "27fe4e476ca3490b8476b2b6650e5a74",
"agent_local_time": "2019-05-02T22:05:00.015Z",
"slow_changing_modified_timestamp": "2019-05-02T22:05:09Z",
"service_pack_major": "0",
"device_id": "0ab8bc6d968b473b72a5d11a41a24c21",
"system_product_name": "Virtual Machine",
"product_type": "3",
"local_ip": "192.0.2.1",
"external_ip": "203.0.113.1",
"major_version": "6",
"platform_name": "Windows",
"config_id_base": "65994753",
"policies":
[{
"applied": true,
"applied_date": "2019-04-29T07:40:06.876850888Z",
"settings_hash": "ce17279e",
"policy_type": "prevention",
"assigned_date": "2019-04-29T07:39:55.218651583Z",
"policy_id": "7efdf97d7805402186b61151e8abd745"
}],
"agent_version": "4.26.8904.0",
"pointer_size": "8",
"last_seen": "2019-05-15T15:01:23Z"
},
{
"modified_timestamp": "2019-05-13T07:24:36Z",
"site_name": "Example-Site-Name",
"config_id_platform": "3",
"system_manufacturer": "Example Inc.",
"meta": {"version": "14706"},
"first_seen": "2018-04-17T11:02:20Z",
"platform_name": "Windows",
"service_pack_minor": "0",
"product_type_desc": "Workstation",
"build_number": "17134",
"hostname": "example-hostname",
"config_id_build": "8904",
"minor_version": "0",
"os_version": "Windows 10",
"provision_status": "Provisioned",
"mac_address": "01:23:45:ab:cd:ef",
"bios_version": "1.6.5",
"agent_load_flags": "0",
"status": "normal",
"bios_manufacturer": "Example Inc.",
"machine_domain": "example.com",
"device_policies":
{
"sensor_update":
{
"applied": true,
"applied_date": "2019-05-05T12:52:23.121596885Z",
"settings_hash": "65994753|3|2|automatic",
"policy_type": "sensor-update",
"assigned_date": "2019-05-05T12:51:37.544605747Z",
"policy_id": "9d1e405846de4ebdb63f674866d390dc"
},
"Remote_response":
{
"applied": true,
"applied_date": "2019-02-10T07:57:59.064362539Z",
"settings_hash": "f472bd8e",
"policy_type": "remote-response",
"assigned_date": "2019-02-10T07:57:50.610924385Z",
"policy_id": "21e4fb4dedd74c6fb0bcd6a348aa046c"
},
"device_control":
{
"applied": true,
"applied_date": "2019-03-25T15:01:28.51681072Z",
"assigned_date": "2019-03-25T15:00:22.442519168Z",
"policy_type": "device-control",
"policy_id": "c360df7193364b23aa4fc47f0238c899"
},
"Prevention":
{
"applied": true,
"applied_date": "2019-04-04T06:54:06.909774295Z",
"settings_hash": "ce17279e",
"policy_type": "prevention",
"assigned_date": "2019-04-04T06:53:57.135897343Z",
"policy_id": "7efdf97d7805402186b61151e8abd745"
},
"global_config":
{
"applied": true,
"applied_date": "2019-02-10T07:57:53.70275875Z",
"settings_hash": "3d78f9ab",
"policy_type": "globalconfig",
"assigned_date": "2019-02-10T07:57:50.610917888Z",
"policy_id": "985b1a25afcb489ea442d2d1430b1679"
}
},
"cid": "27fe4e476ca3490b8476b2b6650e5a74",
"agent_local_time": "2019-05-05T15:52:08.172Z",
"slow_changing_modified_timestamp": "2019-05-12T12:37:35Z",
"service_pack_major": "0",
"device_id": "cb4493e4af2742b068efd16cb48b7260",
"system_product_name": "example-name",
"product_type": "1",
"local_ip": "192.0.2.1",
"external_ip": "203.0.113.1",
"major_version": "10",
"platform_id": "0",
"config_id_base": "65994753",
"policies":
[{
"applied": true,
"applied_date": "2019-04-04T06:54:06.909774295Z",
"settings_hash": "ce17279e",
"policy_type": "prevention",
"assigned_date": "2019-04-04T06:53:57.135897343Z",
"policy_id": "7efdf97d7805402186b61151e8abd745"
}],
"agent_version": "4.26.8904.0",
"pointer_size": "8",
"last_seen": "2019-05-13T07:21:30Z"
},
{
"modified_timestamp": "2019-05-09T14:22:50Z",
"site_name": "Example-Site-Name",
"config_id_platform": "3",
"system_manufacturer": "Dell Inc.",
"meta": {"version": "77747"},
"first_seen": "2018-07-01T12:19:23Z",
"platform_name": "Windows",
"service_pack_minor": "0",
"product_type_desc": "Workstation",
"build_number": "17134",
"hostname":"example-hostname",
"config_id_build": "8904",
"minor_version": "0",
"os_version": "Windows 10",
"provision_status": "Provisioned",
"mac_address": "01:23:45:ab:cd:ef",
"bios_version": "1.2.1",
"agent_load_flags": "0",
"status": "normal",
"bios_manufacturer": "Example Inc.",
"machine_domain": "example.com",
"device_policies":
{
"sensor_update":
{
"applied": true,
"applied_date": "2019-05-02T22:10:50.336101107Z",
"settings_hash": "65994753|3|2|automatic",
"policy_type": "sensor-update",
"assigned_date": "2019-05-02T22:10:50.336100731Z",
"policy_id": "9d1e405846de4ebdb63f674866d390dc"
},
"remote_response":
{
"applied": true,
"applied_date": "2019-02-08T02:46:31.919442939Z",
"settings_hash": "f472bd8e",
"policy_type": "remote-response",
"assigned_date": "2019-02-08T02:46:22.219718098Z",
"policy_id": "21e4fb4dedd74c6fb0bcd6a348aa046c"
},
"device_control":
{
"applied": true,
"applied_date": "2019-03-24T16:43:31.777981725Z",
"assigned_date": "2019-03-24T16:42:21.395540493Z",
"policy_type": "device-control",
"policy_id": "c360df7193364b23aa4fc47f0238c899"
},
"prevention":
{
"applied": true,
"applied_date": "2019-04-03T23:58:50.870694195Z",
"settings_hash": "ce17279e",
"policy_type": "prevention",
"assigned_date": "2019-04-03T23:57:22.534513932Z",
"policy_id": "7efdf97d7805402186b61151e8abd745"
},
"global_config":
{
"applied": true,
"applied_date": "2019-02-08T01:14:14.810607774Z",
"settings_hash": "3d78f9ab",
"policy_type": "globalconfig",
"assigned_date": "2019-02-08T01:14:05.585922067Z",
"policy_id": "985b1a25afcb489ea442d2d1430b1679"
}
},
"cid": "27fe4e476ca3490b8476b2b6650e5a74",
"agent_local_time": "2019-05-03T01:10:29.340Z",
"slow_changing_modified_timestamp": "2019-05-02T22:10:46Z",
"service_pack_major": "0",
"device_id": "1c2f1a7f88f8457f532f1c615f07617b",
"system_product_name": "Example Name",
"product_type": "1",
"local_ip": "192.0.2.1",
"external_ip": "203.0.113.1",
"major_version": "10",
"platform_id": "0",
"config_id_base": "65994753",
"policies":
[{
"applied": true,
"applied_date": "2019-04-03T23:58:50.870694195Z",
"settings_hash": "ce17279e",
"policy_type": "prevention",
"assigned_date": "2019-04-03T23:57:22.534513932Z",
"policy_id": "7efdf97d7805402186b61151e8abd745"
}],
"agent_version": "4.26.8904.0",
"pointer_size": "8",
"last_seen": "2019-05-09T14:20:53Z"
}]
Case wall
The action provides the following output messages:
| Output message | Message description |
|---|---|
|
Action succeeded. |
Error executing action "List Hosts".
Reason: ERROR_REASON |
Action failed. Check connection to the server, input parameters, or credentials. |
List Uploaded IOCs
List available custom IOCs in CrowdStrike Falcon.
Entities
This action runs on all entities.
Action inputs
To configure the action, use the following parameters:
| Parameters | |
|---|---|
IOC Type Filter |
Optional
A comma-separated list of IOC types to return. Default value is
|
Value Filter Logic |
Optional
Value of the filter logic. Default is
If |
Value Filter String |
Optional
String to search among IOCs. |
Max IOCs To Return |
Optional
Number of IOCs to return. Default value is 50. Max value is 500. |
Action outputs
| Action output type | |
|---|---|
| Case wall attachment | N/A |
| Case wall link | N/A |
| Case wall table | Available |
| Enrichment table | N/A |
| JSON result | Available |
| Script result | Available |
Script result
| Script result name | Value |
|---|---|
| is_success | True/False |
JSON result
{
"id": "fbe8c2739f3c6df95e62e0ae54569974437b2d9306eaf6740134ccf1a05e23d3",
"type": "sha256",
"value": "8a86c4eecf12446ff273afc03e1b3a09a911d0b7981db1af58cb45c439161295",
"action": "no_action",
"severity": "",
"metadata": {
"signed": false,
"av_hits": -1
},
"platforms": [
"windows"
],
"tags": [
"Hashes 22.Nov.20 15:29 (Windows)"
],
"expired": false,
"deleted": false,
"applied_globally": true,
"from_parent": false,
"created_on": "2021-04-22T03:54:09.235120463Z",
"created_by": "internal@example.com",
"modified_on": "2021-04-22T03:54:09.235120463Z",
"modified_by": "internal@example.com"
}
Case wall
The action provides the following output messages:
| Output message | Message description |
|---|---|
Successfully found custom IOCs for the provided criteria in
CrowdStrike Falcon. |
Action succeeded. |
Error executing action "List Uploaded IOCs". Reason:
ERROR_REASON |
Action failed. Check connection to the server, input parameters, or credentials. |
Error executing action "List Uploaded IOCs". Reason: "IOC Type
Filter" contains an invalid value. Please check the spelling. Possible
values: ipv4, ipv6, md5, sha1, sha256, domain. |
Action failed. Check the spelling and the |
Case wall table
Columns:
- Action
- Severity
- Signed
- AV Hits
- Platforms
- Tags
- Created At
- Created By
Ping
Test connectivity to the CrowdStrike Falcon with parameters provided at the integration configuration page in the Google Security Operations Marketplace tab.
Entities
This action runs on all entities.
Action inputs
N/A
Action outputs
| Action output type | |
|---|---|
| Case wall attachment | N/A |
| Case wall link | N/A |
| Case wall table | N/A |
| Enrichment table | N/A |
| JSON result | N/A |
| Script result | Available |
Script result
| Script result name | Value |
|---|---|
| is_success | True/False |
Submit File
Submit files to a sandbox in CrowdStrike.
Supported file and archive formats
According to the CrowdStrike portal, the sandbox supports the following file formats:
| Supported file formats | |
|---|---|
.exe, .scr, .pif,
.dll, .com, .cpl |
Portable executables |
.doc, .docx, .ppt,
.pps, .pptx, .ppsx,
.xls, .xlsx, .rtf,
.pub |
Office documents |
.pdf |
|
.apk |
APK |
.jar |
Executable JAR |
.sct |
Windows script component |
.lnk |
Windows shortcut |
.chm |
Windows help |
.hta |
HTML application |
.wsf |
Windows script file |
.js |
JavaScript |
.vbs, .vbe |
Visual Basic |
.swf |
Shockwave Flash |
.pl |
Perl |
.ps1, .psd1, .psm1 |
Powershell |
.svg |
Scalable vector graphics |
.py |
Python |
.elf |
Linux ELF executables |
.eml |
Email files: MIME RFC 822 |
.msg |
Email files: Outlook |
According to the CrowdStrike portal, the sandbox supports the following archive formats:
.zip.7z
Entities
This action doesn't run on entities.
Action inputs
To configure the action, use the following parameters:
| Parameters | |
|---|---|
File Paths |
Required
Specified paths to files that should be submitted. For a list of the supported file formats, refer to the Supported file and archive formats section of this document. |
Sandbox Environment |
Optional
Sandbox environment to analyze. Default value is
|
Network Environment |
Optional
Network environment to analyze. Default value is
|
Archive Password |
Optional
Password to use when working with archive files. |
Document Password |
Optional
Password to use when working with Adobe or Office files. Max password length is 32 characters. |
Check Duplicate |
Optional
If enabled, the action checks if the file was already submitted previously and returns the available report. Enabled by default. |
Comment |
Optional
Comment to submit. |
Confidential Submission |
Optional
If enabled, the file is only shown to users within your customer account. Disabled by default. |
Action outputs
| Action output type | |
|---|---|
| Case wall attachment | N/A |
| Case wall link | N/A |
| Case wall table | Available |
| Enrichment table | N/A |
| JSON result | N/A |
| Script result | Available |
Script result
| Script result name | Value |
|---|---|
| is_success | True/False |
Case wall
The action provides the following output messages:
| Output message | Message description |
|---|---|
|
Action succeeded. |
|
The action returned an error. Check the supported file formats for this action. |
Waiting for results for the following
files: PATHS |
Asynchronous message. |
Error executing action "Submit File".
Reason: ERROR_REASON |
Action failed. Check connection to the server, input parameters, or credentials. |
Error executing action "Submit File".
Reason: action ran into a timeout during execution. Pending files:
FILES_IN_PROGRESS. Please increase
the timeout in IDE.
|
Action failed. Increase the timeout in IDE. |
Case wall table
Columns:
- Results
- Name
- Threat Score
- Verdict
- Tags
Submit URL
Submit URLs to a sandbox in CrowdStrike.
Entities
This action doesn't run on entities.
Action inputs
To configure the action, use the following parameters:
| Parameters | |
|---|---|
URLs |
Required
URLs to submit. |
Sandbox Environment |
Optional
Sandbox environment to analyze. Default value is
|
Network Environment |
Optional
Network environment to analyze. Default value is
|
Check Duplicate |
Optional
If enabled, the action checks if the URL was already submitted previously and returns the available report. Enabled by default. |
Action outputs
| Action output type | |
|---|---|
| Case wall attachment | N/A |
| Case wall link | N/A |
| Case wall table | N/A |
| Enrichment table | N/A |
| JSON result | N/A |
| Script result | Available |
Script result
| Script result name | Value |
|---|---|
| is_success | True/False |
Case wall
The action provides the following output messages:
| Output message | Message description |
|---|---|
|
Action succeeded. |
Waiting for results for the following
URLs: PATHS |
Asynchronous message. |
Error executing action "Submit URL".
Reason: ERROR_REASON |
Action failed. Check connection to the server, input parameters, or credentials. |
Error executing action "Submit URL".
Reason: action ran into a timeout during execution. Pending files:
FILES_IN_PROGRESS. Please increase
the timeout in IDE. |
Action failed. Increase the timeout in IDE. |
Update Detection
Update detection in CrowdStrike Falcon.
Entities
This action runs on all entities.
Action inputs
To configure the action, use the following parameters:
| Parameters | |
|---|---|
Detection ID |
Required
ID of the detection to update. |
Status |
Required
Specified detection status. Default value is
|
Assign Detection to |
Optional
Email address of the CrowdStrike Falcon user who is the assignee of the detection. |
Action outputs
| Action output type | |
|---|---|
| Case wall attachment | N/A |
| Case wall link | N/A |
| Case wall table | N/A |
| Enrichment table | N/A |
| JSON result | N/A |
| Script result | Available |
Script result
| Script result name | Value |
|---|---|
| is_success | True/False |
Case wall
The action provides the following output messages:
| Output message | Message description |
|---|---|
Successfully updated detection
DETECTION_ID in CrowdStrike Falcon.
|
Action succeeded. |
Error executing action "Update
Detection". Reason: ERROR_REASON
|
Action failed. Check connection to the server, input parameters, or credentials. |
Error executing action "Update
Detection". Reason: Either "Status" or "Assign Detection To" should have a
proper value. |
Action failed. Check the values of the |
Update Identity Protection Detection
Update an identity protection detection in CrowdStrike.
Entities
This action doesn't run on entities.
Action inputs
To configure the action, use the following parameters:
| Parameters | |
|---|---|
Detection ID |
Required
ID of the detection to update. |
Status |
Optional
Specified status of the detection. Default value is Possible values are:
|
Assign to |
Optional
Name of the assigned analyst. If If invalid value is provided, the action does not change the current assignee. |
Action outputs
| Action output type | |
|---|---|
| Case wall attachment | N/A |
| Case wall link | N/A |
| Case wall table | N/A |
| Enrichment table | N/A |
| JSON result | Available |
| Script result | Available |
Script result
| Script result name | Value |
|---|---|
| is_success | True/False |
JSON result
{
"added_privileges": [
"DomainAdminsRole"
],
"aggregate_id": "aggind:27fe4e476ca3490b8476b2b6650e5a74:70378936-3A00-400B-8136-4ED8DB047549",
"assigned_to_uid": "example@example.com",
"cid": "27fe4e476ca3490b8476b2b6650e5a74",
"composite_id": "27fe4e476ca3490b8476b2b6650e5a74:ind:27fe4e476ca3490b8476b2b6650e5a74:70378936-3A00-400B-8136-4ED8DB047549",
"confidence": 20,
"context_timestamp": "2022-11-15T12:58:15.629Z",
"crawl_edge_ids": {
"Sensor": [
"N6KIZ`%V`&d#&#sRaHNV[f3[CA4lr/C_N;.JnbglJpdg8TCCTqnr!9D\\['ALM&eNbPq?kt$#@]+01Ac[&th0-0]E'J8:]mFV?'g5HZ/$B.%BC29_`4U_?%a)_&#k>,G>:=E>%[7^<aLSVj=`UCMcRUH[a9/*^hO_7Ft(js#P<M<(eG3(B=I8rr",
"XNXnKK.mi:ckQ^2c7AGRMK^'rd:p[_JkD_5ZM$W:d'J8oN:42nj.Ho1-^E5D16b0VALJ`2cDEEJTVdY\\n.-WQ^_B[7$1pH[Glgm@go]-LB%M1,c#2F)nli-Ge#V<=[!c_jh8e3D8E-S0FheDm*BHh-P/s6q!!*'!",
"N6L*L\">LGfi/.a$IkpaFlWjT.YU#P@Gu8Qe6'0SK=M]ChI,FQXqo=*M(QR+@6c8@m1pIc)Dqs+WLXjbpom5@$T+oqC5RJk!9atPF/<mG'H`V9P0YII;!>C8YL)XS&ATORi>!U.7<Ds\"<dT/Mkp\\V%!U[RS_YC/Wrn[Z`S(^4NU,lV#X3/#pP7K*>g!<<'"
]
},
"crawl_vertex_ids": {
"Sensor": [
"aggind:27fe4e476ca3490b8476b2b6650e5a74:70378936-3A00-400B-8136-4ED8DB047549",
"idpind:27fe4e476ca3490b8476b2b6650e5a74:EEFC50A4-2641-3809-9F45-7C308193CD67",
"ind:27fe4e476ca3490b8476b2b6650e5a74:70378936-3A00-400B-8136-4ED8DB047549",
"uid:27fe4e476ca3490b8476b2b6650e5a74:S-1-5-21-3479765008-4256118348-3151044947-3595"
]
},
"crawled_timestamp": "2022-11-15T13:58:17.251061883Z",
"created_timestamp": "2022-11-15T12:59:17.239585706Z",
"description": "A user received new privileges",
"display_name": "Privilege escalation (user)",
"end_time": "2022-11-15T12:58:15.629Z",
"falcon_host_link": "https://example.com/",
"id": "ind:27fe4e476ca3490b8476b2b6650e5a74:70378936-3A00-400B-8136-4ED8DB047549",
"name": "IdpEntityPrivilegeEscalationUser",
"objective": "Gain Access",
"pattern_id": 51113,
"previous_privileges": "0",
"privileges": "8321",
"product": "idp",
"scenario": "privilege_escalation",
"severity": 2,
"show_in_ui": true,
"source_account_domain": "EXAMPLE.COM",
"source_account_name": "ExampleName",
"source_account_object_sid": "S-1-5-21-3479765008-4256118348-3151044947-3595",
"start_time": "2022-11-15T12:58:15.629Z",
"status": "new",
"tactic": "Privilege Escalation",
"tactic_id": "TA0004",
"tags": [
"red_team"
],
"technique": "Valid Accounts",
"technique_id": "T1078",
"timestamp": "2022-11-15T12:58:17.239Z",
"type": "idp-user-endpoint-app-info",
"updated_timestamp": "2022-11-23T15:22:20.271100181Z"
}
Case wall
The action provides the following output messages:
| Output message | Message description |
|---|---|
Successfully updated identity protection detection with ID
DETECTION_ID in CrowdStrike.
|
Action succeeded. |
Error executing action "Update Identity Protection Detection".
Reason: ERROR_REASON |
Action failed. Check connection to the server, input parameters, or credentials. |
Error executing action "Update Identity Protection Detection".
Reason: identity protection detection with ID
DETECTION_ID wasn't found in
CrowdStrike. Please check the spelling. |
Action failed. Check the spelling. |
Error executing action "Update
Identity Protection Detection". Reason: at least one of the "Status" or
"Assign To" parameters should have a value. |
Action failed. Check the values of the |
Update Incident
Update an incident in CrowdStrike.
Entities
This action doesn't run on entities.
Action inputs
To configure the action, use the following parameters:
| Parameters | |
|---|---|
Incident ID |
Required
Specifies the ID of the incident to update. |
Status |
Optional
Specifies the status for the incident. Possible values are:
|
Assign to |
Optional
Specifies the name or email of the assigned analyst. If |
Action outputs
| Action output type | |
|---|---|
| Case wall attachment | N/A |
| Case wall link | N/A |
| Case wall table | N/A |
| Enrichment table | N/A |
| JSON result | Available |
| Script result | Available |
Script result
| Script result name | Value |
|---|---|
| is_success | True/False |
JSON result
{
"data_type": "Incident"
"incident_id": "inc:fee8a6ef0cb3412e9a781dcae0287c85:9dfa480ae6214309bff0c8dc2ad8af7c",
"incident_type": 1,
"cid": "27fe4e476ca3490b8476b2b6650e5a74",
"host_ids": [
"fee8a6ef0cb3412e9a781dcae0287c85"
],
"hosts": [
{
"device_id": "fee8a6ef0cb3412e9a781dcae0287c85",
"cid": "27fe4e476ca3490b8476b2b6650e5a74",
"agent_load_flags": "1",
"agent_local_time": "2023-01-09T11:28:59.170Z",
"agent_version": "6.48.16207.0",
"bios_manufacturer": "Example Inc.",
"bios_version": "1.20.0",
"config_id_base": "65994753",
"config_id_build": "16207",
"config_id_platform": "3",
"external_ip": "198.51.100.1",
"hostname": "DESKTOP-EXAMPLE",
"first_seen": "2022-09-26T09:56:42Z",
"last_seen": "2023-01-09T12:11:35Z",
"local_ip": "192.0.2.1",
"mac_address": "00-15-5d-65-39-86",
"major_version": "10",
"minor_version": "0",
"os_version": "Windows 10",
"platform_id": "0",
"platform_name": "Windows",
"product_type": "1",
"product_type_desc": "Workstation",
"status": "contained",
"system_manufacturer": "Example Inc.",
"system_product_name": "G5 5500",
"modified_timestamp": "2023-01-09T12:11:48Z"
}
],
"created": "2023-01-09T12:12:51Z",
"start": "2023-01-09T11:23:27Z",
"end": "2023-01-09T12:52:01Z",
"state": "closed",
"status": 20,
"tactics": [
"Defense Evasion",
"Privilege Escalation",
"Credential Access"
],
"techniques": [
"Disable or Modify Tools",
"Access Token Manipulation",
"Input Capture",
"Bypass User Account Control"
],
"objectives": [
"Keep Access",
"Gain Access"
],
"users": [
"DESKTOP-EXAMPLE$",
"EXAMPLE"
],
"fine_score": 21
}
Case wall
The action provides the following output messages:
| Output message | Message description |
|---|---|
Successfully Successfully updated incident with ID
INCIDENT_ID in
CrowdStrike |
Action succeeded. |
Error executing action "Update
Incident". Reason: ERROR_REASON
|
Action failed. Check connection to the server, input parameters, or credentials. |
Error executing action "Update Incident". Reason: incident with
ID INCIDENT_ID wasn't found in
CrowdStrike. Please check the spelling. |
Action failed. Check the spelling. |
Error executing action "Update
Incident". Reason: user USER_ID
wasn't found in CrowdStrike. Please check the spelling. |
Action failed. Check the spelling. |
Error executing action "Update
Incident". Reason: at least one of the "Status" or "Assign To" parameters
should have a value. |
Action failed. Check input parameters. |
Update IOC Information
Update information about custom IOCs in CrowdStrike Falcon.
Entities
This action runs on the following entities:
- Hostname
- URL
- IP address
- Hash
Action inputs
To configure the action, use the following parameters:
| Parameters | |
|---|---|
Description |
Optional
New description for custom IOCs. |
Source |
Optional
Source for custom IOCs. |
Expiration days |
Optional
Number of days left until expiration. |
Detect policy |
Optional
If enabled, the notification is sent for the identified IOCs. If disabled, no action is taken. Enabled by default. |
Action outputs
| Action output type | |
|---|---|
| Case wall attachment | N/A |
| Case wall link | N/A |
| Case wall table | N/A |
| Enrichment table | N/A |
| JSON result | Available |
| Script result | Available |
Script result
| Script result name | Value |
|---|---|
| is_success | True/False |
JSON result
{
"id": "563df6a812f2e7020a17f77ccd809176ca3209cf7c9447ee36c86b4215860856",
"type": "md5",
"value": "7e4b0f81078f27fde4aeb87b78b6214c",
"source": "testSource",
"action": "detect",
"severity": "high",
"description": "test description update",
"platforms": [
"example"
],
"tags": [
"Hashes 17.Apr.18 12:20 (Example)"
],
"expiration": "2022-05-01T12:00:00Z",
"expired": false,
"deleted": false,
"applied_globally": true,
"from_parent": false,
"created_on": "2021-04-22T03:54:09.235120463Z",
"created_by": "internal@example.com",
"modified_on": "2021-09-16T10:09:07.755804336Z",
"modified_by": "c16fd3a055eb46eda81e064fa6dd43de"
}
Case wall
The action provides the following output messages:
| Output message | Message description |
|---|---|
|
Action succeeded. |
Error executing action "Update IOC
Information". Reason: ERROR_REASON
|
Action failed. Check connection to the server, input parameters, or credentials. |
Upload IOCs
Add custom IOCs in CrowdStrike Falcon.
Entities
This action runs on the following entities:
- IP address
- Hostname
- URL
- Hash
Action inputs
To configure the action, use the following parameters:
| Parameters | |
|---|---|
Platform |
Required
Comma-separated list of platforms related to the IOC. Default value is
|
Severity |
Required
Specified severity of the IOC. Default value is
|
Comment |
Optional
Comment containing more context related to the IOC. |
Host Group Name |
Required
Name of the host group. |
Action |
Optional
Specified action for uploaded IOCs. Default value is Possible values are:
The |
Action outputs
| Action output type | |
|---|---|
| Case wall attachment | N/A |
| Case wall link | N/A |
| Case wall table | N/A |
| Enrichment table | N/A |
| JSON result | N/A |
| Script result | Available |
Script result
| Script result name | Value |
|---|---|
| is_success | True/False |
Case wall
The action provides the following output messages:
| Output message | Message description |
|---|---|
|
Action succeeded. |
Error executing action "Upload IOCs".
Reason: ERROR_REASON |
Action failed. Check connection to the server, input parameters, or credentials. |
Error executing action "Upload IOCs". Reason: Host group
"HOST_GROUP_NAME" was not found.
Please check the spelling. |
Action failed. Check the |
Error executing action "Upload IOCs".
Invalid value provided for the parameter "Platform". Possible values:
Windows, Linux, Mac. |
Action failed. Check the |
Connectors
Make sure you've configured the minimal permissions for every CrowdStrike connector. For more details, refer to the Connector permissions section of this document.
For detailed instructions on how to configure a connector in Google Security Operations SOAR, see Configuring the connector.
CrowdStrike events
Events are pieces of information gathered by the Falcon sensors on your hosts. There are four types of events in CrowdStrike:
| CrowdStrike event types | |
|---|---|
| Auth activity audit events | Events generated every time the authorization is requested, allowed, or completed on endpoints. |
| Detection summary events | Events generated when threats are detected on endpoints. |
| Remote response session end events | Events generated from remote sessions on endpoints. |
| User activity audit events | Events generated to monitor activities carried out by active users on endpoints. |
Connectors ingest events into Google Security Operations SOAR to create alerts and enrich cases with event data. You can select what events to ingest into Google Security Operations SOAR: all event types or selected ones.
CrowdStrike Detections Connector
Pull detections from CrowdStrike.
Dynamic list works with filters supported by the CrowdStrike API.
How to work with the dynamic list
When working with the dynamic list, adhere to the following recommendations:
- Use the CrowdStrike FQL language to modify the filter sent by the connector.
- Provide a separate entry in the dynamic list for each filter.
To ingest all detections assigned to a specific analyst, make sure that the analyst provides the following dynamic list entry:
assigned_to_name:'ANALYST_USER_NAME'
Dynamic list supports the following parameters:
| Supported parameters | |
|---|---|
q |
Full text search across all metadata fields. |
date_updated |
Date of the most recent detection update. |
assigned_to_name |
The human-readable username of the detection assignee. |
max_confidence |
When a detection has more than one associated behavior with varying confidence levels, this field captures the highest confidence value of all behaviors. The parameter value can be any integer from 1 to 100. |
detection_id |
Detection ID that can be used in conjunction with other APIs, such as the Detection Details API or Resolve Detection API. |
max_severity |
When a detection has more than one associated behavior with varying severity levels, this field captures the highest severity value of all behaviors. The parameter value can be any integer from 1 to 100. |
max_severity_displayname |
Name used in UI to determine the detection severity. Possible values are:
|
seconds_to_triaged |
Time required for a detection to change its status from new
to in_progress. |
seconds_to_resolved |
Time required for a detection to change its status from new
to any of the resolved states (true_positive,
false_positive, ignored, and
closed). |
status |
Current status of the detection. Possible values are:
|
adversary_ids |
The adversary tracked by CrowdStrike Falcon Intelligence possesses an ID associated with the attributed behaviors or indicators in a detection. These IDs are located in a detection metadata accessible through the Detection Details API. |
cid |
Customer ID (CID) of your organization. |
Connector parameters
To configure the connector, use the following parameters:
| Parameters | |
|---|---|
Product Field Name |
Required
Enter the source field name to retrieve the Default value is |
Event Field Name |
Required
Enter the source field name to retrieve the Default value is |
Environment Field Name |
Optional
Name of the field where the environment name is stored. If the environment field isn't found, the default environment is used. Default value is |
Environment Regex Pattern |
Optional
A regular expression pattern to run on the value found in the
The default value The parameter lets you manipulate the environment field using the regular expression logic. If the regular expression pattern is null or empty, or the environment value is null, the final environment result is the default environment. |
Script Timeout (Seconds) |
Required Timeout limit for the python process running the current script. Default value is 180 seconds. |
API Root |
Required
API root of the CrowdStrike instance. Default value is |
Client ID |
Required
Client ID of the CrowdStrike account. |
Client Secret |
Required
Client Secret of the CrowdStrike account. |
Lowest Severity Score To Fetch |
Optional
Lowest severity score of the detections to fetch. If no value is provided, the connector doesn't apply this filter. Max value is 100. Default value is 50. |
Lowest Confidence Score To Fetch |
Optional
Lowest confidence score of the detections to fetch. If no value is provided, the connector doesn't apply this filter. Max value is 100. Default value is 0. |
Max Hours Backwards |
Optional
Amount of hours from where to fetch detections. Default value is 1 hour. |
Max Detections To Fetch |
Optional
Number of detections to process per one connector iteration. Default value is 10. |
Verify SSL |
Required
If checked, verifies that the SSL certificate for the connection to the CrowdStrike server is valid. Unchecked by default. |
Proxy Server Address |
Optional
Address of the proxy server to use. |
Proxy Username |
Optional
Proxy username to authenticate with. |
Proxy Password |
Optional
Proxy password to authenticate with. |
Alert Name Template |
Optional
If provided, the connector uses this value for the Google Security Operations SOAR alert name. You can provide placeholders in
the following format: [ If no value or an invalid template is provided, the connector uses the default alert name. This parameter allows only keys with a string value. |
Padding Period |
Optional
Number of hours the connector uses for padding. Max value is 6 hours. |
Connector rules
The connector supports proxy.
Connector events
Example of the connector event is as follows:
{
"cid": "27fe4e476ca3490b8476b2b6650e5a74",
"created_timestamp": "2021-01-12T16:19:08.651448357Z",
"detection_id": "ldt:74089e36ac3a4271ab14abc076ed18eb:4317290676",
"device": {
"device_id": "74089e36ac3a4271ab14abc076ed18eb",
"cid": "27fe4e476ca3490b8476b2b6650e5a74",
"agent_load_flags": "0",
"agent_local_time": "2021-01-12T16:07:16.205Z",
"agent_version": "6.13.12708.0",
"bios_manufacturer": "Example LTD",
"bios_version": "6.00",
"config_id_base": "65994753",
"config_id_build": "12708",
"config_id_platform": "3",
"external_ip": "203.0.113.1",
"hostname": "EXAMPLE-01",
"first_seen": "2021-01-12T16:01:43Z",
"last_seen": "2021-01-12T16:17:21Z",
"local_ip": "192.0.2.1",
"mac_address": "00-50-56-a2-5d-a3",
"major_version": "10",
"minor_version": "0",
"os_version": "Windows 10",
"platform_id": "0",
"platform_name": "Windows",
"product_type": "1",
"product_type_desc": "Workstation",
"status": "normal",
"system_manufacturer": "Example, Inc.",
"system_product_name": "Example ",
"modified_timestamp": "2021-01-12T16:17:29Z",
"behaviors":
{
"device_id": "74089e36ac3a4271ab14abc076ed18eb",
"timestamp": "2021-01-12T16:17:19Z",
"template_instance_id": "10",
"behavior_id": "10146",
"filename": "reg.exe",
"filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\reg.exe",
"alleged_filetype": "exe",
"cmdline": "REG ADD HKCU\\Environment /f /v UserInitMprLogonScript /t REG_MULTI_SZ /d \"C:\\TMP\\mim.exe sekurlsa::LogonPasswords > C:\\TMP\\o.txt\"",
"scenario": "credential_theft",
"objective": "Gain Access",
"tactic": "Credential Access",
"tactic_id": "TA0006",
"technique": "Credential Dumping",
"technique_id": "T1003",
"display_name": "Example-Name",
"severity": 70,
"confidence": 80,
"ioc_type": "hash_sha256",
"ioc_value": "b211c25bf0b10a82b47e9d8da12155aad95cff14cebda7c4acb35a94b433ddfb",
"ioc_source": "library_load",
"ioc_description": "\\Device\\HarddiskVolume2\\Windows\\System32\\reg.exe",
"user_name": "Admin",
"user_id": "example-id",
"control_graph_id": "ctg:74089e36ac3a4271ab14abc076ed18eb:4317290676",
"triggering_process_graph_id": "pid:74089e36ac3a4271ab14abc076ed18eb:4746437404",
"sha256": "b211c25bf0b10a82b47e9d8da12155aad95cff14cebda7c4acb35a94b433ddfb",
"md5": "05cf3ce225b05b669e3118092f4c8eab",
"parent_details": {
"parent_sha256": "d0ceb18272966ab62b8edff100e9b4a6a3cb5dc0f2a32b2b18721fea2d9c09a5",
"parent_md5": "9d59442313565c2e0860b88bf32b2277",
"parent_cmdline": "C:\\Windows\\system32\\cmd.exe /c \"\"C:\\Users\\Admin\\Desktop\\APTSimulator-master\\APTSimulator-master\\APTSimulator.bat\" \"",
"parent_process_graph_id": "pid:74089e36ac3a4271ab14abc076ed18eb:4520199381"
},
"pattern_disposition": 2048,
"pattern_disposition_details": {
"indicator": false,
"detect": false,
"inddet_mask": false,
"sensor_only": false,
"rooting": false,
"kill_process": false,
"kill_subprocess": false,
"quarantine_machine": false,
"quarantine_file": false,
"policy_disabled": false,
"kill_parent": false,
"operation_blocked": false,
"process_blocked": true,
"registry_operation_blocked": false,
"critical_process_disabled": false,
"bootup_safeguard_enabled": false,
"fs_operation_blocked": false,
"handle_operation_downgraded": false
}
}
},
"email_sent": false,
"first_behavior": "2021-01-12T16:17:19Z",
"last_behavior": "2021-01-12T16:17:19Z",
"max_confidence": 80,
"max_severity": 70,
"max_severity_displayname": "High",
"show_in_ui": true,
"status": "new",
"hostinfo": {
"domain": ""
},
"seconds_to_triaged": 0,
"seconds_to_resolved": 0,
}
CrowdStrike Falcon Streaming Events Connector
Refer to the following examples to check what use cases the connector addresses:
- Detection events data ingestion.
CrowdStrike Falcon detects an attempt to execute the maliciousSophosCleanM.exefile on an endpoint. CrowdStrike stops the operation and creates an alert containing file hashes in the event data.
An analyst interested in file reputation runs discovered hashes in VirusTotal and finds out that a hash is malicious. As a following step, the Mcafee EDR action quarantines the malicious file. - User activity audit events data ingestion.
A CrowdStrike user, Dani, updates the detection status fromnewtofalse-positive. This user action creates an event named detection_update.
The analyst performs a follow up to understand why Dani has marked the action false positive and checks the ingested event containing the information about Dani's identity.
As a following step, the analyst runs the Active Directory Enrich Entities action to obtain more details about the incident and simplify tracking Dani down. - Auth activity audit events data ingestion.
An event indicates that Dani has created a new user account and granted user roles to it.
To investigates the event and understand why the user was created, the analyst uses Dani's user ID to run the Active Directory Enrich Entities action and find out Dani's user role to confirm if they are authorized to add new users. - Remote response end events data ingestion.
A remote event indicates that Dani had a remote connection to a specific host and executed commands as a root user to access a web server directory.
To get more information about both Dani and the host involved, the analyst runs the Active Directory action to enrich both the user and the host. Based on information returned, the analyst might decide to suspend Dani until the purpose of the remote connection is clarified.
Connector Parameters
To configure the connector, use the following parameters:
| Parameters | |
|---|---|
Product Field Name |
Required
Enter the source field name to retrieve the Default value is |
Event Field Name |
Required
Enter the source field name to retrieve the Default value is |
Environment Field Name |
Optional
Name of the field where the environment name is stored. If the environment field isn't found, the default environment is used. Default value is |
Environment Regex Pattern |
Optional
A regular expression pattern to run on the value found in the
The default value The parameter lets you manipulate the environment field using the regular expression logic. If the regular expression pattern is null or empty, or the environment value is null, the final environment result is the default environment. |
API Root |
Required
API root of the CrowdStrike instance. Default value is |
Client ID |
Required
Client ID of the CrowdStrike account. |
Client Secret |
Required
Client Secret of the CrowdStrike account. |
Event types |
Optional
A comma-separated list of event types. Examples of the event types are:
|
Max Days Backwards |
Optional
Number of days before today to retrieve detections from. Default value is 3 days. |
Max Events Per Cycle |
Optional
Number of events to process per one connector iteration. Default value is 10. |
Min Severity |
Optional Events to ingest based on the event severity (detection events). The value ranges from 0 to 5. If other event types besides detections are ingested, their severity is
set to |
Verify SSL |
Required
If checked, verifies that the SSL certificate for the connection to the CrowdStrike server is valid. Unchecked by default. |
Script Timeout (Seconds) |
Required Timeout limit for the python process running the current script. Default value is 60 seconds. |
Proxy Server Address |
Optional
Address of the proxy server to use. |
Proxy Username |
Optional
Proxy username to authenticate with. |
Proxy Password |
Optional
Proxy password to authenticate with. |
Rule Generator Template |
Optional
If provided, the connector uses this value for the Google Security Operations SOAR rule generator. You can provide placeholders
in the following format: [ If no value or an invalid template is provided, the connector uses the default rule generator. This parameter allows only keys with a string value. |
Connector rules
Connector supports proxy.
Connector doesn't support dynamic list.
CrowdStrike Identity Protection Detections Connector
Pull Identity Protection detections from CrowdStrike. The dynamic list works with
the display_name parameter.
Connector parameters
To configure the connector, use the following parameters:
| Parameters | |
|---|---|
Product Field Name |
Required
Enter the source field name to retrieve the Default value is |
Event Field Name |
Required
Enter the source field name to retrieve the Default value is |
Environment Field Name |
Optional
Name of the field where the environment name is stored. If the environment field isn't found, the default environment is used. Default value is |
Environment Regex Pattern |
Optional
A regular expression pattern to run on the value found in the
The default value The parameter lets you manipulate the environment field using the regular expression logic. If the regular expression pattern is null or empty, or the environment value is null, the final environment result is the default environment. |
Script Timeout (Seconds) |
Required Timeout limit for the python process running the current script. Default value is 180 seconds. |
API Root |
Required
API root of the CrowdStrike instance. Default value is |
Client ID |
Required
Client ID of the CrowdStrike account. |
Client Secret |
Required
Client Secret of the CrowdStrike account. |
Lowest Severity Score To Fetch |
Optional
Lowest severity score of the detections to fetch. If no value is provided, the connector doesn't apply this filter. Max value is 100. Default value is 50. The connector also supports the following values for this parameter:
|
Lowest Confidence Score To Fetch |
Optional
Lowest confidence score of the detections to fetch. If no value is provided, the connector doesn't apply this filter. Max value is 100. Default value is 0. |
Max Hours Backwards |
Optional
Number of hours prior to now to retrieve detections from. Default value is 1 hour. |
Max Detections To Fetch |
Optional
Number of detections to process per one connector iteration. Default value is 10. |
Verify SSL |
Required
If checked, verifies that the SSL certificate for the connection to the CrowdStrike server is valid. Unchecked by default. |
Proxy Server Address |
Optional
Address of the proxy server to use. |
Proxy Username |
Optional
Proxy username to authenticate with. |
Proxy Password |
Optional
Proxy password to authenticate with. |
Connector rules
Connector supports proxy.
Connector event
Example of the connector event is as follows:
{
"added_privileges": [
"DomainAdminsRole"
],
"aggregate_id": "aggind:27fe4e476ca3490b8476b2b6650e5a74:C34185DF-C3BA-4F69-93EB-1B61A213AF86",
"cid": "27fe4e476ca3490b8476b2b6650e5a74",
"composite_id": "27fe4e476ca3490b8476b2b6650e5a74:ind:27fe4e476ca3490b8476b2b6650e5a74:C34185DF-C3BA-4F69-93EB-1B61A213AF86",
"confidence": 20,
"context_timestamp": "2022-11-15T12:58:13.155Z",
"crawl_edge_ids": {
"Sensor": [
"N6Fq4_]TKjckDDWI$fKO`l>_^KFO4!,Z/&o<H7_)4[Ip*h@KUG8%Xn3Fm3@]<gF_c,c1eeW\\O-J9l;HhVHA\"DH#\\pO1M#>X^dZWWg%V:`[+@g9@3h\"Q\"7r8&lj-o[K@24f;Xl.rlhgWC8%j5\\O7p/G7iQ*ST&12];a_!REjkIUL.R,/U^?]I!!*'!",
"XNXPaK.m]6i\"HhDPGX=XlMl2?8Mr#H;,A,=7aF9N)>5*/Hc!D_>MmDTO\\t1>Oi6ENO`QkWK=@M9q?[I+pm^)mj5=T_EJ\"4cK99U+!/ERSdo(X^?.Z>^]kq!ECXH$T.sfrJpT:TE+(k]<'Hh]..+*N%h_5<Z,63,n!!*'!",
"N6L$J`'>\":d#'I2pLF4-ZP?S-Qu#75O,>ZD+B,m[\"eGe@(]>?Nqsh8T3*q=L%=`KI_C[Wmj3?D!=:`(K)7/2g&8cCuB`r9e\"jTp/QqK7.GocpPSq4\\-#t1Q*%5C0%S1$f>KT&a81dJ!Up@EZY*;ssFlh8$cID*qr1!)S<!m@A@s%JrG9Go-f^B\"<7s8N"
]
},
"crawl_vertex_ids": {
"Sensor": [
"uid:27fe4e476ca3490b8476b2b6650e5a74:S-1-5-21-3479765008-4256118348-3151044947-3195",
"ind:27fe4e476ca3490b8476b2b6650e5a74:C34185DF-C3BA-4F69-93EB-1B61A213AF86",
"aggind:27fe4e476ca3490b8476b2b6650e5a74:C34185DF-C3BA-4F69-93EB-1B61A213AF86",
"idpind:27fe4e476ca3490b8476b2b6650e5a74:715224EE-7AD6-33A1-ADA9-62C4608DA546"
]
},
"crawled_timestamp": "2022-11-15T14:33:50.641703679Z",
"created_timestamp": "2022-11-15T12:59:15.444106807Z",
"description": "A user received new privileges",
"display_name": "Privilege escalation (user)",
"end_time": "2022-11-15T12:58:13.155Z",
"falcon_host_link": "https://example.com/identity-protection/detections/",
"id": "ind:27fe4e476ca3490b8476b2b6650e5a74:C34185DF-C3BA-4F69-93EB-1B61A213AF86",
"name": "IdpEntityPrivilegeEscalationUser",
"objective": "Gain Access",
"pattern_id": 51113,
"previous_privileges": "0",
"privileges": "8321",
"product": "idp",
"scenario": "privilege_escalation",
"severity": 2,
"show_in_ui": true,
"source_account_domain": "EXAMPLE.COM",
"source_account_name": "ExampleName",
"source_account_object_sid": "S-1-5-21-3479765008-4256118348-3151044947-3195",
"start_time": "2022-11-15T12:58:13.155Z",
"status": "new",
"tactic": "Privilege Escalation",
"tactic_id": "TA0004",
"technique": "Valid Accounts",
"technique_id": "T1078",
"timestamp": "2022-11-15T12:58:15.397Z",
"type": "idp-user-endpoint-app-info",
"updated_timestamp": "2022-11-15T14:33:50.635238527Z"
}
CrowdStrike Incidents Connector
Pull incident and related behaviors from CrowdStrike.
The dynamic list works with the incident_type parameter.
Connector parameters
To configure the connector, use the following parameters:
| Parameters | |
|---|---|
Product Field Name |
Required
Enter the source field name to retrieve the Default value is |
Event Field Name |
Required
Enter the source field name to retrieve the Default value is |
Environment Field Name |
Optional
Name of the field where the environment name is stored. If the environment field isn't found, the default environment is used. Default value is |
Environment Regex Pattern |
Optional
A regular expression pattern to run on the value found in the
The default value The parameter lets you manipulate the environment field using the regular expression logic. If the regular expression pattern is null or empty, or the environment value is null, the final environment result is the default environment. |
Script Timeout (Seconds) |
Required Timeout limit for the python process running the current script. Default value is 180 seconds. |
API Root |
Required
API root of the CrowdStrike instance. Default value is |
Client ID |
Required
Client ID of the CrowdStrike account. |
Client Secret |
Required
Client Secret of the CrowdStrike account. |
Lowest Severity Score To Fetch |
Optional
Lowest severity score of the incidents to fetch. If no value is provided, the connector ingests incidents with all severities. Max value is 100. |
Max Hours Backwards |
Optional
Number of hours before now to retrieve incidents from. Default value is 1 hour. |
Max Incidents To Fetch |
Optional
Number of incidents to process per one connector iteration. Max value is 100. Default value is 10. |
Use dynamic list as a blocklist |
Required
If checked, the dynamic list is used as a blocklist. Unchecked by default. |
Verify SSL |
Required
If checked, verifies that the SSL certificate for the connection to the CrowdStrike server is valid. Unchecked by default. |
Proxy Server Address |
Optional
Address of the proxy server to use. |
Proxy Username |
Optional
Proxy username to authenticate with. |
Proxy Password |
Optional
Proxy password to authenticate with. |
Connector rules
Connector supports proxy.
Connector events
The Incidents Connector has two types of events: one is based on incident and the other on behavior.
The example of an event based on incident is as follows:
{
"data_type": "Incident"
"incident_id": "inc:fee8a6ef0cb3412e9a781dcae0287c85:9dfa480ae6214309bff0c8dc2ad8af7c",
"incident_type": 1,
"cid": "27fe4e476ca3490b8476b2b6650e5a74",
"host_ids": [
"fee8a6ef0cb3412e9a781dcae0287c85"
],
"hosts": [
{
"device_id": "fee8a6ef0cb3412e9a781dcae0287c85",
"cid": "27fe4e476ca3490b8476b2b6650e5a74",
"agent_load_flags": "1",
"agent_local_time": "2023-01-09T11:28:59.170Z",
"agent_version": "6.48.16207.0",
"bios_manufacturer": "Example Inc.",
"bios_version": "1.20.0",
"config_id_base": "65994753",
"config_id_build": "16207",
"config_id_platform": "3",
"external_ip": "203.0.113.1",
"hostname": "DESKTOP-EXAMPLE",
"first_seen": "2022-09-26T09:56:42Z",
"last_seen": "2023-01-09T12:11:35Z",
"local_ip": "192.0.2.1",
"mac_address": "00-15-5d-65-39-86",
"major_version": "01",
"minor_version": "0",
"os_version": "Windows 10",
"platform_id": "0",
"platform_name": "Windows",
"product_type": "1",
"product_type_desc": "Workstation",
"status": "contained",
"system_manufacturer": "Example Inc.",
"system_product_name": "G5 5500",
"modified_timestamp": "2023-01-09T12:11:48Z"
}
],
"created": "2023-01-09T12:12:51Z",
"start": "2023-01-09T11:23:27Z",
"end": "2023-01-09T12:52:01Z",
"state": "closed",
"status": 20,
"tactics": [
"Defense Evasion",
"Privilege Escalation",
"Credential Access"
],
"techniques": [
"Disable or Modify Tools",
"Access Token Manipulation",
"Input Capture",
"Bypass User Account Control"
],
"objectives": [
"Keep Access",
"Gain Access"
],
"users": [
"DESKTOP-EXAMPLE$",
"EXAMPLE"
],
"fine_score": 21
}
The example of an event based on behavior is as follows:
{
"behavior_id": "ind:fee8a6ef0cb3412e9a781dcae0287c85:1298143147841-372-840208",
"cid": "27fe4e476ca3490b8476b2b6650e5a74",
"aid": "fee8a6ef0cb3412e9a781dcae0287c85",
"incident_id": "inc:fee8a6ef0cb3412e9a781dcae0287c85:9dfa480ae6214309bff0c8dc2ad8af7c",
"incident_ids": [
"inc:fee8a6ef0cb3412e9a781dcae0287c85:9dfa480ae6214309bff0c8dc2ad8af7c"
],
"pattern_id": 372,
"template_instance_id": 0,
"timestamp": "2023-01-09T11:24:25Z",
"cmdline": "\"C:\\WINDOWS\\system32\\SystemSettingsAdminFlows.exe\" SetNetworkAdapter {4ebe49ef-86f5-4c15-91b9-8da03d796416} enable",
"filepath": "\\Device\\HarddiskVolume3\\Windows\\System32\\SystemSettingsAdminFlows.exe",
"domain": "DESKTOP-EXAMPLE",
"pattern_disposition": -1,
"sha256": "78f926520799565373b1a8a42dc4f2fa328ae8b4de9df5eb885c0f7c971040d6",
"user_name": "EXAMPLE",
"tactic": "Privilege Escalation",
"tactic_id": "TA0004",
"technique": "Bypass User Account Control",
"technique_id": "T1548.002",
"display_name": "ProcessIntegrityElevationTarget",
"objective": "Gain Access",
"compound_tto": "GainAccess__PrivilegeEscalation__BypassUserAccountControl__1__0__0__0"
}