Integrate CrowdStrike Falcon with Google SecOps
This document explains how to integrate CrowdStrike Falcon with Google Security Operations (Google SecOps).
Integration version: 56.0
This integration uses one or more open source components. You can download a copy of the full source code of this integration from the Cloud Storage bucket.
Use cases
In the Google SecOps platform, the CrowdStrike Falcon integration solves the following use cases:
Automated malware containment: use the capabilities of the Google SecOps platform to automatically quarantine the affected endpoint, retrieve the file hash for further analysis, and prevent the spread of malware. The automated malware containment activates when a phishing email triggers a CrowdStrike Falcon alert for a suspicious file download.
Accelerated incident response: use Google SecOps to gather contextual data like process trees and network connections, isolate the compromised host, and create a ticket for investigation.
Threat hunting and investigation: use the capabilities of the Google SecOps platform to query CrowdStrike Falcon for specific user actions, file modifications, and network connections over a defined period. Threat hunting and investigation lets your security analysts investigate a potential insider threat and analyze historical endpoint activity while streamlining the investigation process.
Phishing response and remediation: use CrowdStrike Falcon and the Google SecOps platform to scan email attachments, open them in a sandbox environment, and automatically block the sender email address if malicious activity is detected.
Vulnerability management: use the capabilities of the Google SecOps platform to automatically create tickets for each vulnerable system, prioritize them based on severity and asset value, and trigger automated patching workflows. Vulnerability management helps you identify a critical vulnerability that affects multiple endpoints.
Before you begin
Before you configure the integration in Google SecOps, complete the following steps:
- Configure the CrowdStrike Falcon API client.
- Configure action permissions.
- Configure connector permissions.
Configure the CrowdStrike Falcon API client
To define a CrowdStrike API client and to view, create, or modify API clients or keys, you need the Falcon Administrator role.
Secrets are shown only when you create a new API client or reset an existing one.
To configure the CrowdStrike Falcon API client, complete the following steps:
- In the Falcon UI, navigate to Support and resources > Resources and tools > API clients and keys. On this page, you can find existing clients, add new API clients, or view the audit log.
- Click Create API Client.
- Provide a name for your new API client.
- Select the appropriate API scopes.
- Click Create. The Client ID and Client Secret values appear.
This is the only time when you see the client secret value. Make sure to store it securely. If you lose your client secret, reset your API client and update all applications that rely on the client secret with new credentials.
For more details regarding access to the CrowdStrike API, see the Getting Access to the CrowdStrike API guide at the CrowdStrike blog.
Configure action permissions
Refer to the minimal permissions for actions, as listed in the following table:
Action | Required permissions |
---|---|
Add Comment to Detection | Detections.Read Detection.Write |
Add Identity Protection Detection Comment | Alerts.Read Alerts.Write |
Add Incident Comment | Incidents.Write |
Close Detection | Detections.Read Detection.Write |
Contain Endpoint | Hosts.Read Hosts.Write |
Delete IOC | IOC Management.Read IOC Management.Write |
Download File | Hosts.Read Real time response.Read Real time response.Write |
Execute Command | Hosts.Read Real time response.Read Real time response.Write Real time response (admin).Write (the admin scope is needed only for full-privilege commands) |
Get Event Offset | Event streams.Read |
Get Hosts by IOC | Not available: Deprecated |
Get Host Information | Hosts.Read |
Get Process Name By IOC | Not available: Deprecated |
Lift Contained Endpoint | Hosts.Read Hosts.Write |
List Hosts | Hosts.Read |
List Host Vulnerabilities | Hosts.Read Spotlight vulnerabilities.Read |
List Uploaded IOCs | IOC Management.Read |
On-Demand Scan | On-demand scans (ODS).Read On-demand scans (ODS).Write |
Ping | Hosts.Read |
Submit File | Reports (Falcon Intelligence).Read Sandbox (Falcon Intelligence).Read Sandbox (Falcon Intelligence).Write |
Submit URL | Reports (Falcon Intelligence).Read Sandbox (Falcon Intelligence).Read Sandbox (Falcon Intelligence).Write |
Update Detection | Detections.Read Detection.Write User management.Read |
Update Identity Protection Detection | Alerts.Read Alerts.Write |
Update Incident | Incidents.Write |
Update IOC Information | IOC Management.Read IOC Management.Write |
Upload IOCs | IOC Management.Read IOC Management.Write |
Configure connector permissions
Refer to the minimal permissions for connectors, as listed in the following table:
Connector | Required permissions |
---|---|
CrowdStrike Detections Connector | Detection.Read |
CrowdStrike Falcon Streaming Events Connector | Event streams.Read |
CrowdStrike Identity Protection Detections Connector | Alerts.Read |
CrowdStrike Incidents Connector | Incidents.Read |
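The two permission tables above are the input a practitioner needs when creating the API client: grant only the union of scopes the planned actions and connectors require, and nothing more. The following Python is an added example, not part of the Google SecOps integration or any CrowdStrike SDK; it transcribes a subset of the tables into data and computes the least-privilege scope set for a playbook, flags deprecated actions, and lists scopes an existing client holds that no selected item needs. Action and connector names are the ones used in the tables; extend the dictionaries if you use actions not listed here.

```python
# Added example (not the integration's own code): least-privilege scope planning
# from the action and connector permission tables in this document.
from typing import Dict, FrozenSet, Iterable, List, Tuple

# Requirements transcribed from the action permissions table (subset).
ACTION_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "Add Incident Comment": frozenset({"Incidents.Write"}),
    "Close Detection": frozenset({"Detections.Read", "Detection.Write"}),
    "Contain Endpoint": frozenset({"Hosts.Read", "Hosts.Write"}),
    "Delete IOC": frozenset({"IOC Management.Read", "IOC Management.Write"}),
    "Download File": frozenset({"Hosts.Read", "Real time response.Read", "Real time response.Write"}),
    "Execute Command": frozenset({"Hosts.Read", "Real time response.Read", "Real time response.Write"}),
    "Get Event Offset": frozenset({"Event streams.Read"}),
    "Get Host Information": frozenset({"Hosts.Read"}),
    "Lift Contained Endpoint": frozenset({"Hosts.Read", "Hosts.Write"}),
    "List Hosts": frozenset({"Hosts.Read"}),
    "List Host Vulnerabilities": frozenset({"Hosts.Read", "Spotlight vulnerabilities.Read"}),
    "Ping": frozenset({"Hosts.Read"}),
    "Update Incident": frozenset({"Incidents.Write"}),
    "Upload IOCs": frozenset({"IOC Management.Read", "IOC Management.Write"}),
}
# Requirements transcribed from the connector permissions table.
CONNECTOR_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "CrowdStrike Detections Connector": frozenset({"Detection.Read"}),
    "CrowdStrike Falcon Streaming Events Connector": frozenset({"Event streams.Read"}),
    "CrowdStrike Identity Protection Detections Connector": frozenset({"Alerts.Read"}),
    "CrowdStrike Incidents Connector": frozenset({"Incidents.Read"}),
}
# Needed only when Execute Command runs full-privilege commands (see the table note).
ADMIN_RTR_SCOPE = "Real time response (admin).Write"
DEPRECATED_ACTIONS = {"Get Hosts by IOC", "Get Process Name By IOC"}


def minimal_scopes(actions: Iterable[str], connectors: Iterable[str] = (),
                   admin_commands: bool = False) -> Tuple[List[str], List[str]]:
    """Union the scopes the chosen actions and connectors require.

    Returns (sorted scope list, warnings). Deprecated or unknown names are
    reported rather than silently ignored so a playbook author notices them.
    """
    needed = set()
    warnings: List[str] = []
    for name in actions:
        if name in DEPRECATED_ACTIONS:
            warnings.append(f"{name} is deprecated; no permissions are available for it")
            continue
        if name not in ACTION_PERMISSIONS:
            warnings.append(f"unknown action: {name}")
            continue
        needed |= ACTION_PERMISSIONS[name]
        if name == "Execute Command" and admin_commands:
            needed.add(ADMIN_RTR_SCOPE)
            warnings.append("admin RTR scope included; dedicate this client to the playbook that needs it")
    for name in connectors:
        if name not in CONNECTOR_PERMISSIONS:
            warnings.append(f"unknown connector: {name}")
            continue
        needed |= CONNECTOR_PERMISSIONS[name]
    return sorted(needed), warnings


def excess_scopes(granted: Iterable[str], actions: Iterable[str],
                  connectors: Iterable[str] = (), admin_commands: bool = False) -> List[str]:
    """Scopes an existing client holds that none of the selected items require."""
    needed, _ = minimal_scopes(actions, connectors, admin_commands)
    return sorted(set(granted) - set(needed))
```

Run `excess_scopes` against the scopes currently assigned to a client when reviewing it: a non-empty result is a scope to remove, and any warning mentioning the admin RTR scope is a signal to split that capability into a separate, tightly scoped client.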
Endpoints
The CrowdStrike Falcon integration interacts with the following CrowdStrike Falcon API endpoints:
General API endpoints:
/oauth2/token
Hosts and devices:
/devices/entities/devices/v1
/devices/entities/devices-actions/v2
Detections and events:
/detections/entities/detections/v2
/detections/entities/summaries/GET/v1
/protection/entities/detections/v1
Indicators of compromise (IOCs):
/intel/entities/indicators/v1
/intel/queries/devices/v1
Vulnerabilities:
/devices/combined/devices/vulnerabilities/v1
Response and containment:
/respond/entities/command-queues/v1
/respond/entities/extracted-files/v1
Incidents:
/incidents/entities/incidents/GET/v1
/incidents/entities/incidents/comments/GET/v1
File and URL analysis:
/malware-uploads/entities/submissions/v2
/url/entities/scans/v1
Integration parameters
For the integration to function properly, a premium version of CrowdStrike Falcon with full capabilities is required. Certain actions don't work with a basic version of CrowdStrike Falcon.
The CrowdStrike Falcon integration requires the following parameters:
Parameter | Description |
---|---|
API Root | The API root of the CrowdStrike instance. The default value is |
Client API ID | Required. The client ID for the CrowdStrike API. |
Client API Secret | Required. The client secret for the CrowdStrike API. |
Verify SSL | If selected, the integration verifies that the SSL certificate for connecting to the CrowdStrike Falcon server is valid. Not selected by default. |
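The integration authenticates with the Client API ID and Client API Secret against the `/oauth2/token` endpoint listed above, and the Verify SSL parameter decides whether the server certificate is checked. The Python below is an added example, not code from the integration or from CrowdStrike, of what a hardened client for that exchange looks like: certificate verification is always on, the secret is read from the environment rather than embedded, and the bearer token is reused until shortly before `expires_in` elapses instead of being requested on every call. The default API root, the environment variable names and the injectable `transport`/`clock` hooks are this example's own assumptions.

```python
# Added example, not part of the Google SecOps integration or the CrowdStrike SDK:
# OAuth2 client-credentials exchange against /oauth2/token with TLS verification
# always enabled and token reuse until expiry.
import json
import os
import ssl
import time
import urllib.parse
import urllib.request
from typing import Callable, Dict, Optional

DEFAULT_API_ROOT = "https://api.crowdstrike.com"  # assumed default; use your instance's API root

# A transport takes (url, form-encoded body) and returns the decoded JSON response.
Transport = Callable[[str, bytes], Dict]


def https_transport(url: str, body: bytes) -> Dict:
    """Real transport: POST over HTTPS; the default SSL context verifies chain and hostname."""
    ctx = ssl.create_default_context()
    req = urllib.request.Request(url, data=body, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))


class TokenCache:
    """Holds one bearer token and refreshes it shortly before it expires."""

    def __init__(self, api_root: str, client_id: str, client_secret: str,
                 transport: Transport = https_transport, skew_seconds: int = 60,
                 clock: Callable[[], float] = time.time) -> None:
        self._token_url = api_root.rstrip("/") + "/oauth2/token"
        self._client_id = client_id
        self._client_secret = client_secret
        self._transport = transport
        self._skew = skew_seconds      # refresh this many seconds before expiry
        self._clock = clock            # injectable for offline testing
        self._token: Optional[str] = None
        self._expires_at = 0.0
        self.fetch_count = 0           # how many times a token was actually requested

    def bearer(self) -> str:
        """Return a valid token, contacting the token endpoint only when needed."""
        if self._token is None or self._clock() >= self._expires_at - self._skew:
            body = urllib.parse.urlencode({
                "client_id": self._client_id,
                "client_secret": self._client_secret,
            }).encode("utf-8")
            payload = self._transport(self._token_url, body)
            if "access_token" not in payload:
                raise RuntimeError("token response carries no access_token")
            self._token = payload["access_token"]
            # expires_in is the lifetime in seconds; fall back to a short one if absent.
            self._expires_at = self._clock() + float(payload.get("expires_in", 300))
            self.fetch_count += 1
        return self._token


def from_environment(transport: Transport = https_transport) -> TokenCache:
    """Build a cache from environment variables (names assumed) so no secret sits in code."""
    return TokenCache(
        os.environ.get("CS_API_ROOT", DEFAULT_API_ROOT),
        os.environ["CS_CLIENT_ID"],
        os.environ["CS_CLIENT_SECRET"],
        transport,
    )
```

Note that nothing in this client exposes an option to disable certificate checking; if the integration's Verify SSL parameter is left unselected, a network position between Google SecOps and the API could present an arbitrary certificate, so select it wherever the CrowdStrike endpoint presents a valid chain.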
For detailed instructions on how to configure an integration in Google SecOps, see Configure integrations.
You can make changes at a later stage if needed. After you configure an integration instance, you can use it in playbooks. For more information about configuring and supporting multiple instances, see Supporting multiple instances.
Actions
Before proceeding with the integration configuration, configure the minimal permissions required for every integration item. For more detail, refer to the Configure action permissions section of this document.
Add Alert Comment
Use the Add Alert Comment action to add a comment to an alert in Crowdstrike Falcon.
This action doesn't run on entities.
Action inputs
The Add Alert Comment action requires the following parameters:
Parameter | Description |
---|---|
Alert | Required. The ID of the alert to update. |
Comment | Required. The comment to add to the alert. |
Action outputs
The Add Alert Comment action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Not available |
Output messages | Available |
Script result | Available |
Output messages
The Add Alert Comment action provides the following output messages:
Output message | Message description |
---|---|
Successfully added comment to the alert with ID ALERT_ID in CrowdStrike | Action succeeded. |
 | Action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table describes the values for the script result output when using the Add Alert Comment action:
Script result name | Value |
---|---|
is_success | True or False |
Add Comment to Detection
Use the Add Comment to Detection action to add a comment to the detection in CrowdStrike Falcon.
This action runs on all entities.
Action inputs
The Add Comment to Detection action requires the following parameters:
Parameter | Description |
---|---|
Detection ID | Required. The ID of the detection to add a comment to. |
Comment | Required. The comment to add to the detection. |
Action outputs
The Add Comment to Detection action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Not available |
Script result | Available |
Script result
The following table describes the values for the script result output when using the Add Comment to Detection action:
Script result name | Value |
---|---|
is_success | True or False |
Add Identity Protection Detection Comment
Use the Add Identity Protection Detection Comment action to add a comment to the identity protection detection in CrowdStrike.
This action requires an Identity Protection license.
This action doesn't run on entities.
Action inputs
The Add Identity Protection Detection Comment action requires the following parameters:
Parameter | Description |
---|---|
Detection ID | Required. The ID of the detection to update. |
Comment | Required. The comment to add to the detection. |
Action outputs
The Add Identity Protection Detection Comment action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Not available |
Output messages | Available |
Script result | Available |
Output messages
The Add Identity Protection Detection Comment action provides the following output messages:
Output message | Message description |
---|---|
Successfully added comment to the identity protection detection with ID DETECTION_ID in CrowdStrike | Action succeeded. |
Error executing action "Add Identity Protection Detection Comment". Reason: ERROR_REASON | Action failed. Check the connection to the server, input parameters, or credentials. |
Error executing action "Add Identity Protection Detection Comment". Reason: identity protection detection with ID DETECTION_ID wasn't found in CrowdStrike. Please check the spelling. | Action failed. Check the spelling. |
Script result
The following table describes the values for the script result output when using the Add Identity Protection Detection Comment action:
Script result name | Value |
---|---|
is_success | True or False |
Add Incident Comment
Use the Add Incident Comment action to add a comment to an incident in CrowdStrike.
This action doesn't run on entities.
Action inputs
The Add Incident Comment action requires the following parameters:
Parameter | Description |
---|---|
Incident ID | Required. The ID of the incident to update. |
Comment | Required. The comment to add to the incident. |
Action outputs
The Add Incident Comment action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Not available |
Output messages | Available |
Script result | Available |
Output messages
The Add Incident Comment action provides the following output messages:
Output message | Message description |
---|---|
Successfully added comment to the incident INCIDENT_ID in CrowdStrike | Action succeeded. |
Error executing action "Add Incident Comment". Reason: ERROR_REASON | Action failed. Check the connection to the server, input parameters, or credentials. |
Error executing action "Add Incident Comment". Reason: incident with ID INCIDENT_ID wasn't found in CrowdStrike. Please check the spelling. | Action failed. Check the spelling. |
Script result
The following table describes the values for the script result output when using the Add Incident Comment action:
Script result name | Value |
---|---|
is_success | True or False |
Close Detection
Use the Close Detection action to close a CrowdStrike Falcon detection.
The Update Detection action is the best practice for this use case.
This action runs on all entities.
Action inputs
The Close Detection action requires the following parameters:
Parameter | Description |
---|---|
Detection ID | Required. The ID of the detection to close. |
Hide Detection | Optional. If selected, the action hides the detection in the UI. Selected by default. |
Action outputs
The Close Detection action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Not available |
Script result | Available |
Script result
The following table describes the values for the script result output when using the Close Detection action:
Script result name | Value |
---|---|
is_success | True or False |
Contain Endpoint
Use the Contain Endpoint action to network-contain an endpoint in CrowdStrike Falcon.
This action runs on the following entities:
- IP address
- Hostname
Action inputs
The Contain Endpoint action requires the following parameters:
Parameter | Description |
---|---|
Fail If Timeout | Required. If selected and not all of the endpoints are contained, the action fails. Selected by default. |
Action outputs
The Contain Endpoint action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Entity enrichment table | Available |
JSON result | Available |
Output messages | Available |
Script result | Available |
Entity enrichment
The Contain Endpoint action supports the following entity enrichment logic:
Enrichment field | Logic |
---|---|
status | Returns if it exists in the JSON result |
modified_timestamp | Returns if it exists in the JSON result |
major_version | Returns if it exists in the JSON result |
policies | Returns if it exists in the JSON result |
config_id_platform | Returns if it exists in the JSON result |
bios_manufacturer | Returns if it exists in the JSON result |
system_manufacturer | Returns if it exists in the JSON result |
device_policies | Returns if it exists in the JSON result |
meta | Returns if it exists in the JSON result |
pointer_size | Returns if it exists in the JSON result |
last_seen | Returns if it exists in the JSON result |
agent_local_time | Returns if it exists in the JSON result |
first_seen | Returns if it exists in the JSON result |
service_pack_major | Returns if it exists in the JSON result |
slow_changing_modified_timestamp | Returns if it exists in the JSON result |
service_pack_minor | Returns if it exists in the JSON result |
system_product_name | Returns if it exists in the JSON result |
product_type_desc | Returns if it exists in the JSON result |
build_number | Returns if it exists in the JSON result |
cid | Returns if it exists in the JSON result |
local_ip | Returns if it exists in the JSON result |
external_ip | Returns if it exists in the JSON result |
hostname | Returns if it exists in the JSON result |
config_id_build | Returns if it exists in the JSON result |
minor_version | Returns if it exists in the JSON result |
platform_id | Returns if it exists in the JSON result |
os_version | Returns if it exists in the JSON result |
config_id_base | Returns if it exists in the JSON result |
provision_status | Returns if it exists in the JSON result |
mac_address | Returns if it exists in the JSON result |
bios_version | Returns if it exists in the JSON result |
platform_name | Returns if it exists in the JSON result |
agent_load_flags | Returns if it exists in the JSON result |
device_id | Returns if it exists in the JSON result |
product_type | Returns if it exists in the JSON result |
agent_version | Returns if it exists in the JSON result |
JSON result
The following example describes the JSON result output received when using the Contain Endpoint action:
{
"EntityResult":
{
"status": "contained",
"modified_timestamp": "2019-06-24T07:47:37Z",
"major_version": "6",
"policies":
[{
"applied": "True",
"applied_date": "2019-04-29T07:40:06.876850888Z",
"settings_hash": "ce17279e",
"policy_type": "prevention",
"assigned_date": "2019-04-29T07:39:55.218651583Z",
"policy_id": ""
}],
"config_id_platform": "3",
"bios_manufacturer": "Example Inc.",
"system_manufacturer": "Example Corporation",
"device_policies":
{
"global_config":
{
"applied": "True",
"applied_date": "2019-06-03T23:24:04.893780991Z",
"settings_hash": "a75911b0",
"policy_type": "globalconfig",
"assigned_date": "2019-06-03T23:23:17.184432743Z",
"policy_id": ""
},
"sensor_update":
{
"applied": "True",
"applied_date": "2019-05-30T23:13:55.23597658Z",
"settings_hash": "65994753|3|2|automatic;101",
"uninstall_protection": "ENABLED",
"policy_type": "sensor-update",
"assigned_date": "2019-05-30T23:04:31.485311459Z",
"policy_id": ""
},
"prevention":
{
"applied": "True",
"applied_date": "2019-04-29T07:40:06.876850888Z",
"settings_hash": "ce17279e",
"policy_type": "prevention",
"assigned_date": "2019-04-29T07:39:55.218651583Z",
"policy_id": ""
},
"device_control":
{
"applied": "True",
"applied_date": "2019-06-03T23:14:29.800434222Z",
"policy_type": "device-control",
"assigned_date": "2019-06-03T23:05:17.425127539Z",
"policy_id": ""
},
"remote_response":
{
"applied": "True",
"applied_date": "2019-04-29T07:40:04.469808388Z",
"settings_hash": "f472bd8e",
"policy_type": "remote-response",
"assigned_date": "2019-04-29T07:39:55.218642441Z",
"policy_id": ""
}
},
"meta":
{
"version": "12765"
},
"pointer_size": "8",
"last_seen": "2019-06-24T07:45:34Z",
"agent_local_time": "2019-06-18T12:17:06.259Z",
"first_seen": "2019-04-29T07:39:45Z",
"service_pack_major": "0",
"slow_changing_modified_timestamp": "2019-06-23T11:20:42Z",
"service_pack_minor": "0",
"system_product_name": "Virtual Machine",
"product_type_desc": "Server",
"build_number": "9600",
"cid": "27fe4e476ca3490b8476b2b6650e5a74",
"local_ip": "192.0.2.1",
"external_ip": "203.0.113.1",
"hostname": "",
"config_id_build": "example-id",
"minor_version": "3",
"platform_id": "x",
"os_version": "Windows Server 2012 R2",
"config_id_base": "example-config",
"provision_status": "Provisioned",
"mac_address": "01:23:45:ab:cd:ef",
"bios_version": "090007 ",
"platform_name": "Windows",
"agent_load_flags": "1",
"device_id": "",
"product_type": "3",
"agent_version": "5.10.9106.0"
},
"Entity": "198.51.100.255"
}
Output messages
The Contain Endpoint action provides the following output messages:
Output message | Message description |
---|---|
 | Action succeeded. |
Error executing action "Contain Endpoint". Reason: ERROR_REASON | Action failed. Check the connection to the server, input parameters, or credentials. |
Error executing action "Contain Endpoint". Reason: the following endpoints initiated containment, but were not able to finish it during action execution: ENTITY_ID | Action failed. Check the endpoint status and the |
Script result
The following table describes the values for the script result output when using the Contain Endpoint action:
Script result name | Value |
---|---|
is_success | True or False |
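The Fail If Timeout parameter and the "initiated containment, but were not able to finish it" message above describe the one ambiguous outcome of this action: a containment request that was accepted but had not completed when the action returned. The Python below is an added example, not the integration's own code, showing how a playbook step can classify per-entity results and derive `is_success` from them. The `"contained"` and `"normal"` status values appear in this document's samples; `"containment_pending"` is an assumed value for a request that is still in progress, and the success message wording is this example's own.

```python
# Added example, not the integration's own logic: derive the outcome of a
# Contain Endpoint run from per-entity results, honouring Fail If Timeout.
from typing import Dict, Iterable, List, Tuple

STATUS_CONTAINED = "contained"
STATUS_PENDING = "containment_pending"  # assumed value for an in-progress request

# Constructed sample shaped like the JSON result above (one element per entity).
SAMPLE_RESULTS: List[Dict] = [
    {"Entity": "198.51.100.255", "EntityResult": {"status": "contained", "hostname": "host-a"}},
    {"Entity": "198.51.100.12", "EntityResult": {"status": "containment_pending"}},
]


def classify(entity_results: Iterable[Dict]) -> Tuple[List[str], List[str], List[str]]:
    """Split entities into contained, still pending, and not contained (any other status)."""
    contained, pending, failed = [], [], []
    for item in entity_results:
        entity = item.get("Entity", "<unknown>")
        status = (item.get("EntityResult") or {}).get("status")
        if status == STATUS_CONTAINED:
            contained.append(entity)
        elif status == STATUS_PENDING:
            pending.append(entity)
        else:
            failed.append(entity)
    return contained, pending, failed


def action_outcome(entity_results: Iterable[Dict],
                   fail_if_timeout: bool = True) -> Tuple[bool, str]:
    """Return (is_success, message).

    The error wording follows the documented output messages; with Fail If
    Timeout cleared, pending endpoints do not fail the action but are named so
    a later step can re-check them.
    """
    contained, pending, failed = classify(entity_results)
    if failed:
        return False, ('Error executing action "Contain Endpoint". Reason: containment was '
                       "not applied to: " + ", ".join(failed))
    if pending and fail_if_timeout:
        return False, ('Error executing action "Contain Endpoint". Reason: the following '
                       "endpoints initiated containment, but were not able to finish it "
                       "during action execution: " + ", ".join(pending))
    message = "Contained endpoints: " + ", ".join(contained)
    if pending:
        message += "; still pending (verify later): " + ", ".join(pending)
    return True, message
```

A pending endpoint with Fail If Timeout cleared still reports success, so a playbook relying on that setting should follow up with Get Host Information and check `status` before treating the host as isolated.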
Delete IOC
Use the Delete IOC action to delete custom IOCs in CrowdStrike Falcon.
This action treats hostname entities as domain IOCs and extracts the domain part out of URLs. This action supports only MD5 and SHA-256 hashes.
The Delete IOC action runs on the following entities:
- IP Address
- Hostname
- URL
- Hash
Action inputs
None.
Action outputs
The Delete IOC action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Not available |
Output messages | Available |
Script result | Available |
Script result
The following table describes the values for the script result output when using the Delete IOC action:
Script result name | Value |
---|---|
is_success | True or False |
Output messages
On a Case Wall, the Delete IOC action provides the following output messages:
Output message | Message description |
---|---|
 | Action succeeded. |
Error executing action "Delete IOC". Reason: ERROR_REASON | Action failed. Check the connection to the server, input parameters, or credentials. |
Download File
Use the Download File action to download files from hosts in CrowdStrike Falcon.
This action requires both a Filename entity and an IP address or Hostname entity to be in the scope of the Google SecOps alert.
The downloaded file is delivered in a password-protected zip package. To access the file, provide the following password: infected
The Download File action runs on the following entities:
- Filename
- IP address
- Host
Action inputs
The Download File action requires the following parameters:
Parameter | Description |
---|---|
Download Folder Path | Required. A path to the folder that stores the threat file. |
Overwrite | Required. If selected, the action overwrites the file with the same name. Not selected by default. |
Action outputs
The Download File action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Entity table | Available |
Enrichment table | Not available |
JSON result | Available |
Output messages | Available |
Script result | Available |
Entity table
The Download File action provides the following entity table:
Field | Description |
---|---|
filepath | Absolute path to the file. |
JSON result
The following example describes the JSON result output received when using the Download File action:
{
"absolute_paths": ["/opt/file_1", "opt_file_2"]
}
Output messages
The Download File action provides the following output messages:
Output message | Message description |
---|---|
 | Action succeeded. |
Error executing action "Download File". Reason: ERROR_REASON | Action failed. Check the connection to the server, input parameters, or credentials. |
Error executing action "Download File". Reason: file with path PATH already exists. Please delete the file or set "Overwrite" to true. | Action failed. Check the |
Waiting for results for the following entities: ENTITY_ID | Asynchronous message. |
Script result
The following table describes the values for the script result output when using the Download File action:
Script result name | Value |
---|---|
is_success | True or False |
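The file this action delivers is a quarantined sample inside a password-protected zip (password `infected`), and the Overwrite parameter decides what happens when a file with the same name already exists in the download folder. The Python below is an added example, not part of the integration, of how an analyst tool that opens such packages should behave: every member name is validated against path traversal before anything is written, an existing file is refused unless overwrite is requested (mirroring the "file with path PATH already exists" error above), and the password is supplied to the standard library's `zipfile`. The sample archive is constructed in the code and unencrypted, because the standard library cannot write encrypted archives; `zipfile` ignores `pwd` for unencrypted members, so the extraction path exercised is the same.

```python
# Added example, not part of the integration: safe extraction of the
# password-protected package that Download File produces.
import io
import os
import tempfile
import zipfile
from pathlib import Path
from typing import Dict, List

ARCHIVE_PASSWORD = b"infected"  # password documented for the downloaded package


class ExtractError(Exception):
    """Raised when a member is unsafe or would overwrite an existing file."""


def list_members(zip_bytes: bytes) -> List[str]:
    """Names of the file members in the archive (directory entries skipped)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [i.filename for i in zf.infolist() if not i.is_dir()]


def _safe_target(dest: Path, member: str) -> Path:
    """Reject absolute names and '..' components that would land outside dest (zip slip)."""
    root = dest.resolve()
    target = (root / member).resolve()
    if root != target and root not in target.parents:
        raise ExtractError(f"member {member!r} would be written outside {root}")
    return target


def extract_quarantined(zip_bytes: bytes, dest: str, overwrite: bool = False,
                        password: bytes = ARCHIVE_PASSWORD) -> List[str]:
    """Extract every member into dest; all names are validated before any write."""
    dest_path = Path(dest)
    dest_path.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        members = [i for i in zf.infolist() if not i.is_dir()]
        targets = [_safe_target(dest_path, i.filename) for i in members]
        if not overwrite:
            clashes = [str(t) for t in targets if t.exists()]
            if clashes:
                raise ExtractError(f"file with path {clashes[0]} already exists; set overwrite to true")
        written = []
        for info, target in zip(members, targets):
            target.parent.mkdir(parents=True, exist_ok=True)
            with zf.open(info, pwd=password) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(str(target))
    return written


def build_sample_archive(include_escape: bool) -> bytes:
    """Constructed, unencrypted sample archive for the demonstration below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("sample.bin", b"constructed sample content")
        if include_escape:
            # A member name that resolves outside the destination folder.
            zf.writestr("../escape.txt", b"constructed content")
    return buf.getvalue()


def run_demo() -> Dict[str, object]:
    """Exercise the three outcomes: rejected name, clash without overwrite, overwrite."""
    outcome: Dict[str, object] = {}
    with tempfile.TemporaryDirectory() as tmp:
        try:
            extract_quarantined(build_sample_archive(True), tmp)
            outcome["escape_rejected"] = False
        except ExtractError:
            outcome["escape_rejected"] = True
        outcome["nothing_written_after_reject"] = not os.listdir(tmp)
        first = extract_quarantined(build_sample_archive(False), tmp)
        outcome["written"] = [os.path.basename(p) for p in first]
        try:
            extract_quarantined(build_sample_archive(False), tmp)
            outcome["clash_rejected"] = False
        except ExtractError:
            outcome["clash_rejected"] = True
        again = extract_quarantined(build_sample_archive(False), tmp, overwrite=True)
        outcome["overwrite_ok"] = len(again) == 1
    return outcome
```

Validating all member names before the first write matters: if the check ran per member, a crafted archive could have already placed earlier members on disk by the time a bad name was noticed.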
Execute Command
Use the Execute Command action to execute commands on the hosts in CrowdStrike Falcon.
This action runs on the following entities:
- IP address
- Hostname
Action inputs
The Execute Command action requires the following parameters:
Parameter | Description |
---|---|
Command | Required. A command to execute on hosts. |
Admin Command | Optional. If |
Action outputs
The Execute Command action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Not available |
Output messages | Available |
Script result | Available |
Output messages
On a Case Wall, the Execute Command action provides the following output messages:
Output message | Message description |
---|---|
Successfully executed command "COMMAND" on the following endpoints in CrowdStrike Falcon: ENTITY_ID | Action succeeded. |
Error executing action "Execute Command". Reason: ERROR_REASON | Action failed. Check the connection to the server, input parameters, or credentials. |
Waiting for results for the following entities: ENTITY_ID | Asynchronous message. |
Script result
The following table describes the values for the script result output when using the Execute Command action:
Script result name | Value |
---|---|
is_success | True or False |
Get Event Offset
Use the Get Event Offset action to retrieve the event offset used by the Streaming Events Connector.
This action starts processing events from 30 days ago.
This action doesn't run on entities.
Action inputs
The Get Event Offset action requires the following parameters:
Parameter | Description |
---|---|
Max Events To Process | Required. The number of events that the action needs to process, starting from 30 days ago. The default value is |
Action outputs
The Get Event Offset action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Available |
Output messages | Available |
Script result | Available |
JSON result
The following example describes the JSON result output received when using the Get Event Offset action:
{
"offset": 100000,
"timestamp": "EVENT_TIMESTAMP"
}
Output messages
The Get Event Offset action provides the following output messages:
Output message | Message description |
---|---|
Successfully retrieved event offset in CrowdStrike Falcon. | Action succeeded. |
Error executing action "Get Event Offset". Reason: ERROR_REASON | Action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table describes the values for the script result output when using the Get Event Offset action:
Script result name | Value |
---|---|
is_success | True or False |
Get Host Information
Use the Get Host Information action to retrieve information about a host from CrowdStrike Falcon.
This action runs on the following entities:
- Hostname
- IP address
Action inputs
The Get Host Information action requires the following parameters:
Parameter | Description |
---|---|
Create Insight | Optional. If selected, the action creates insights containing information about entities. Selected by default. |
Action outputs
The Get Host Information action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Entity enrichment table | Available |
JSON result | Available |
Output messages | Available |
Script result | Available |
Entity enrichment
The Get Host Information action supports the following entity enrichment logic:
Enrichment field | Logic |
---|---|
modified_timestamp | Returns if it exists in the JSON result |
major_version | Returns if it exists in the JSON result |
site_name | Returns if it exists in the JSON result |
platform_id | Returns if it exists in the JSON result |
config_id_platform | Returns if it exists in the JSON result |
system_manufacturer | Returns if it exists in the JSON result |
meta | Returns if it exists in the JSON result |
first_seen | Returns if it exists in the JSON result |
service_pack_minor | Returns if it exists in the JSON result |
product_type_desc | Returns if it exists in the JSON result |
build_number | Returns if it exists in the JSON result |
hostname | Returns if it exists in the JSON result |
config_id_build | Returns if it exists in the JSON result |
minor_version | Returns if it exists in the JSON result |
os_version | Returns if it exists in the JSON result |
provision_status | Returns if it exists in the JSON result |
mac_address | Returns if it exists in the JSON result |
bios_version | Returns if it exists in the JSON result |
agent_load_flags | Returns if it exists in the JSON result |
status | Returns if it exists in the JSON result |
bios_manufacturer | Returns if it exists in the JSON result |
machine_domain | Returns if it exists in the JSON result |
agent_local_time | Returns if it exists in the JSON result |
slow_changing_modified_timestamp | Returns if it exists in the JSON result |
service_pack_major | Returns if it exists in the JSON result |
device_id | Returns if it exists in the JSON result |
system_product_name | Returns if it exists in the JSON result |
product_type | Returns if it exists in the JSON result |
local_ip | Returns if it exists in the JSON result |
external_ip | Returns if it exists in the JSON result |
cid | Returns if it exists in the JSON result |
platform_name | Returns if it exists in the JSON result |
config_id_base | Returns if it exists in the JSON result |
last_seen | Returns if it exists in the JSON result |
pointer_size | Returns if it exists in the JSON result |
agent_version | Returns if it exists in the JSON result |
JSON result
The following example describes the JSON result output received when using the Get Host Information action:
[
{
"EntityResult": [
{
"modified_timestamp": "2019-01-17T13:44:57Z",
"major_version": "10",
"site_name": "Default-First-Site-Name",
"platform_id": "0",
"config_id_platform": "3",
"system_manufacturer": "ExampleInc.",
"meta": {
"version": "1111"
},
"first_seen": "2018-04-22T13:06:53Z",
"service_pack_minor": "0",
"product_type_desc": "Workstation",
"build_number": "111",
"hostname": "name",
"config_id_build": "8104",
"minor_version": "0",
"os_version": "Windows10",
"provision_status": "Provisioned",
"mac_address": "64-00-6a-2a-43-3f",
"bios_version": "1.2.1",
"agent_load_flags": "1",
"status": "normal",
"bios_manufacturer": "ExampleInc.",
"machine_domain": "Domain name",
"agent_local_time": "2019-01-14T19:41:09.738Z",
"slow_changing_modified_timestamp": "2019-01-14T17:44:40Z",
"service_pack_major": "0",
"device_id": "example-id",
"system_product_name": "OptiPlex7040",
"product_type": "1",
"local_ip": "192.0.2.1",
"external_ip": "203.0.113.1",
"cid": "example-cid",
"platform_name": "Windows",
"config_id_base": "65994753",
"last_seen": "2019-01-17T13:44:46Z",
"pointer_size": "8",
"agent_version": "4.18.8104.0",
"recent_logins": [
{
"user_name": "test",
"login_time": "2022-08-10T07:36:38Z"
},
{
"user_name": "test",
"login_time": "2022-08-10T07:36:35Z"
}
],
"online_status": "offline"
}
],
"Entity": "198.51.100.255"
}
]
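The enrichment tables for Get Host Information (above) and for Contain Endpoint earlier in this document both state the same rule for every field: the value is returned if it exists in the JSON result. The Python below is an added example, not the integration's own enrichment code, that applies that rule to a result shaped like the one above: only the documented fields are copied, missing fields are skipped rather than set to empty values, nested objects such as `meta` and `device_policies` are kept as compact JSON strings, and several host records for one entity are merged. The `CS_` field prefix, the treatment of empty strings as absent, and the abridged field list are this example's assumptions; the same routine serves the Contain Endpoint result with that action's field list.

```python
# Added example, not the integration's own code: build entity enrichment from a
# host JSON result following the documented "returns if it exists" rule.
import json
from typing import Any, Dict, Iterable, List

ENRICHMENT_PREFIX = "CS_"  # assumed prefix; the document does not state one

# Field list as documented for Get Host Information (abridged for the example).
HOST_INFO_FIELDS = [
    "modified_timestamp", "major_version", "site_name", "platform_id", "hostname",
    "os_version", "mac_address", "status", "machine_domain", "device_id",
    "local_ip", "external_ip", "cid", "platform_name", "last_seen", "agent_version",
    "meta", "policies", "device_policies",
]

# Constructed sample modelled on the JSON result above (trimmed).
SAMPLE_RESULT: List[Dict[str, Any]] = [
    {
        "Entity": "198.51.100.255",
        "EntityResult": [
            {
                "hostname": "name",
                "os_version": "Windows10",
                "status": "normal",
                "local_ip": "192.0.2.1",
                "external_ip": "203.0.113.1",
                "last_seen": "2019-01-17T13:44:46Z",
                "meta": {"version": "1111"},
                "agent_version": "4.18.8104.0",
                "recent_logins": [{"user_name": "test", "login_time": "2022-08-10T07:36:38Z"}],
            }
        ],
    }
]


def _as_text(value: Any) -> str:
    """Enrichment values are strings; nested objects become compact, key-sorted JSON."""
    if isinstance(value, (dict, list)):
        return json.dumps(value, separators=(",", ":"), sort_keys=True)
    return str(value)


def build_enrichment(entity_result: Dict[str, Any], fields: Iterable[str],
                     prefix: str = ENRICHMENT_PREFIX) -> Dict[str, str]:
    """Copy only the documented fields that are present and non-empty."""
    enrichment: Dict[str, str] = {}
    for field in fields:
        value = entity_result.get(field)
        if value not in (None, ""):          # empty strings treated as absent (assumption)
            enrichment[prefix + field] = _as_text(value)
    return enrichment


def enrich_all(json_result: List[Dict[str, Any]],
               fields: Iterable[str] = HOST_INFO_FIELDS) -> Dict[str, Dict[str, str]]:
    """Map each entity identifier to its enrichment; EntityResult may be a dict or a list."""
    fields = list(fields)
    out: Dict[str, Dict[str, str]] = {}
    for item in json_result:
        records = item.get("EntityResult") or {}
        if isinstance(records, dict):
            records = [records]
        merged: Dict[str, Any] = {}
        for record in records:               # several matching hosts: later records win
            merged.update(record)
        out[item["Entity"]] = build_enrichment(merged, fields)
    return out
```

Keeping to the documented field list is deliberate: fields outside it (such as `recent_logins` in the sample) stay in the JSON result for analysts but do not become enrichment attributes, which keeps entity records predictable across integration versions.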
Output messages
The Get Host Information action provides the following output messages:
Output message | Message description |
---|---|
 | Action succeeded. |
Error executing action "Get Host Information". Reason: ERROR_REASON | Action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table describes the values for the script result output when using the Get Host Information action:
Script result name | Value |
---|---|
is_success | True or False |
Get Hosts by IOC - Deprecated
Lists hosts related to the IOCs in CrowdStrike Falcon. Supported entities: Hostname, URL, IP Address, and Hash.
Note: Hostname entities are treated as domain IOCs. The action extracts the domain part out of URLs. Only the MD5 and SHA-256 hashes are supported.
Entities
This action runs on the following entities:
- IP Address
- Hostname
- URL
- Hash
Action inputs
N/A
Action outputs
Script Result
Script Result Name | Value Options | Example |
---|---|---|
is_success | True/False | is_success:False |
JSON result
{
"hash":
[{
"modified_timestamp": "2019-01-17T13:44:57Z",
"major_version": "10",
"site_name": "Example-Name",
"platform_id": "ExampleID",
"config_id_platform": "3",
"system_manufacturer": "ExampleInc.",
"meta": {"version": "49622"},
"first_seen": "2018-04-22T13:06:53Z",
"service_pack_minor": "0",
"product_type_desc": "Workstation",
"build_number": "14393",
"hostname": "name",
"config_id_build": "ExampleID",
"minor_version": "0",
"os_version": "Windows10",
"provision_status": "Provisioned",
"mac_address": "01:23:45:ab:cd:ef",
"bios_version": "1.2.1",
"agent_load_flags": "1",
"status": "normal",
"bios_manufacturer": "ExampleInc.",
"machine_domain": "Example Domain",
"device_policies":
{
"sensor_update":
{
"applied": true,
"applied_date": "2018-12-11T23:09:18.071417837Z",
"settings_hash": "65994753|3|2|automatic",
"policy_type": "sensor-update",
"assigned_date": "2018-12-11T23:08:38.16990705Z",
"policy_id": "Example ID"
}
},
"agent_local_time": "2019-01-14T19:41:09.738Z",
"slow_changing_modified_timestamp": "2019-01-14T17:44:40Z",
"service_pack_major": "0",
"device_id": "2653595a063e4566519ef4fc813fcc56",
"system_product_name": "OptiPlex7040",
"product_type": "1",
"local_ip": "192.0.2.1",
"external_ip": "203.0.113.1",
"cid": "27fe4e476ca3490b8476b2b6650e5a74",
"platform_name": "Windows",
"config_id_base": "ExampleID",
"policies":
[{
"applied": true,
"applied_date": "2019-01-02T22:45:21.315392338Z",
"settings_hash": "18db1203",
"policy_type": "prevention",
"assigned_date": "2019-01-02T22:45:11.214774996Z",
"policy_id": "Example ID"
}],
"last_seen": "2019-01-17T13:44:46Z",
"pointer_size": "8",
"agent_version": "4.18.8104.0"
}]
}
Entity enrichment
Enrichment field | Logic |
---|---|
modified_timestamp | Returns if it exists in JSON result |
major_version | Returns if it exists in JSON result |
site_name | Returns if it exists in JSON result |
platform_id | Returns if it exists in JSON result |
config_id_platform | Returns if it exists in JSON result |
system_manufacturer | Returns if it exists in JSON result |
meta | Returns if it exists in JSON result |
first_seen | Returns if it exists in JSON result |
service_pack_minor | Returns if it exists in JSON result |
product_type_desc | Returns if it exists in JSON result |
build_number | Returns if it exists in JSON result |
hostname | Returns if it exists in JSON result |
config_id_build | Returns if it exists in JSON result |
minor_version | Returns if it exists in JSON result |
os_version | Returns if it exists in JSON result |
provision_status | Returns if it exists in JSON result |
mac_address | Returns if it exists in JSON result |
bios_version | Returns if it exists in JSON result |
agent_load_flags | Returns if it exists in JSON result |
status | Returns if it exists in JSON result |
bios_manufacturer | Returns if it exists in JSON result |
machine_domain | Returns if it exists in JSON result |
Device_policies | Returns if it exists in JSON result |
agent_local_time | Returns if it exists in JSON result |
slow_changing_modified_timestamp | Returns if it exists in JSON result |
service_pack_major | Returns if it exists in JSON result |
system_product_name | Returns if it exists in JSON result |
product_type | Returns if it exists in JSON result |
local_ip | Returns if it exists in JSON result |
external_ip | Returns if it exists in JSON result |
cid | Returns if it exists in JSON result |
platform_name | Returns if it exists in JSON result |
config_id_base | Returns if it exists in JSON result |
policies | Returns if it exists in JSON result |
last_seen | Returns if it exists in JSON result |
pointer_size | Returns if it exists in JSON result |
agent_version | Returns if it exists in JSON result |
Entity insight
N/A
Case wall
Result Type | Value / Description | Type |
---|---|---|
Output message* | The action shouldn't fail nor stop a playbook execution: If successful and at least one host related to the provided IOCs is found (is_success=true): "Successfully retrieved hosts related to the provided IOCs in CrowdStrike Falcon." If no related hosts are found (is_success=false): "No hosts were related to the provided IOCs in CrowdStrike Falcon." The action should fail and stop a playbook execution: If a critical error is reported: "Error executing action "{action name}". Reason: {traceback}." | General |
Get Process Name by IOC - Deprecated
Retrieve processes related to the IOCs and provided devices in CrowdStrike Falcon. Supported entities: Hostname, URL, IP Address and Hash.
Note: Hostname entities are treated as domain IOCs. The action extracts the domain part out of URLs. Only the MD5, SHA-1 and SHA-256 hashes are supported. The IP Address entities are treated as IOCs.
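The entity-handling rules in the notes for Get Hosts by IOC and Get Process Name by IOC, as an added Python example that is not the integration's own code: it maps Google SecOps entities to CrowdStrike IOC types, reduces a URL to its domain part and rejects hash families the chosen action does not support. The entity type labels (HOSTNAME, URL, ADDRESS, FILEHASH), the function names and the use of ipv4/ipv6 as the IOC type names for IP entities are assumptions; the IOC type names themselves are the ones the List Uploaded IOCs action lists.

```python
"""Map Google SecOps entities to CrowdStrike IOC types.

Added example, not the integration's own code. It follows the rules stated
for the deprecated Get Hosts by IOC and Get Process Name by IOC actions:
Hostname entities become domain IOCs, a URL is reduced to its domain part,
IP Address entities become IP IOCs, and only the listed hash families are
accepted. Assumptions: the entity type labels, the function names, and the
IOC type names (taken from the ones the List Uploaded IOCs action lists).
"""
import ipaddress
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Hex digest length of each hash family the page mentions.
_HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}
_HEX_RE = re.compile(r"^[0-9a-fA-F]+$")

# Hash families each deprecated action accepts, as stated on the page.
SUPPORTED_HASHES = {
    "Get Hosts by IOC": {"md5", "sha256"},
    "Get Process Name by IOC": {"md5", "sha1", "sha256"},
}

Ioc = Tuple[str, str]  # (ioc_type, ioc_value)


def domain_from_url(url: str) -> Optional[str]:
    """Return the host part of a URL, tolerating a missing scheme."""
    if "://" not in url:
        url = "http://" + url  # urlsplit needs a scheme to find the netloc
    return urlsplit(url).hostname  # already lowercased; None if absent


def to_ioc(entity_type: str, identifier: str, action: str) -> Optional[Ioc]:
    """Map one entity to an IOC for the given action, or None if it cannot be used.

    None is the "skip this entity" signal a playbook step should honour rather
    than sending an unsupported value to the API.
    """
    value = identifier.strip()
    if entity_type == "HOSTNAME":
        return ("domain", value.lower())
    if entity_type == "URL":
        host = domain_from_url(value)
        return ("domain", host) if host else None
    if entity_type == "ADDRESS":
        try:
            ip = ipaddress.ip_address(value)
        except ValueError:
            return None
        return ("ipv4" if ip.version == 4 else "ipv6", str(ip))
    if entity_type == "FILEHASH":
        if not _HEX_RE.match(value):
            return None
        hash_type = _HASH_TYPES.get(len(value))
        if hash_type is None or hash_type not in SUPPORTED_HASHES[action]:
            return None
        return (hash_type, value.lower())
    return None


def collect_iocs(entities: List[Tuple[str, str]], action: str) -> List[Ioc]:
    """Convert (entity_type, identifier) pairs, dropping entities the action cannot use."""
    iocs = []
    for entity_type, identifier in entities:
        ioc = to_ioc(entity_type, identifier, action)
        if ioc is not None:
            iocs.append(ioc)
    return iocs
```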
Parameters
Parameter Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
Devices Names | 11 | N/A | Yes | Specify a comma-separated list of devices for which you want to retrieve processes related to entities. |
Run On
This action runs on the following entities:
- Hostname
- URL
- Hash
Action Results
Script Result
Script Result Name | Value Options | Example |
---|---|---|
is_success | True/False | is_success:False |
JSON Result
{
"EntityResult":
[{
"Process Name": "example.exe",
"Indicator": "986a4715113359b527b15efe1ee09306", "Host Name": "example-name"
},{
"Process Name": "example.exe",
"Indicator": "986a4715113359b527b15efe1ee09306",
"Host Name": "example-name"
},{
"Process Name": "example.exe",
"Indicator": "986a4715113359b527b15efe1ee09306",
"Host Name": "example-name"
}],
"Entity": "example_entity"
}
Entity Enrichment
Enrichment Field Name | Logic - When to apply |
---|---|
Process Name | Returns if it exists in JSON result |
Indicator | Returns if it exists in JSON result |
Host Name | Returns if it exists in JSON result |
Entity Insights
N/A
Case Wall
Result Type | Value / Description | Type |
---|---|---|
Output message* | The action shouldn't fail nor stop a playbook execution: If processes related to entities are found for at least one endpoint (is_success=true): "Successfully retrieved processes related to the IOCs on the following endpoints in CrowdStrike Falcon: {device name}." If no processes are found for at least one endpoint or the device is not found (is_success=true): "No related processes were found on the following endpoints in CrowdStrike Falcon: {device name}." If no processes are found for all endpoints or none of the devices are found (is_success=false): "No related processes were found on the provided endpoints in CrowdStrike Falcon." The action should fail and stop a playbook execution: If a critical error is reported: "Error executing "{action name}". Reason: {traceback}." |
Get Vertex Details
Use the Get Vertex Details action to list all the properties associated with a particular indicator.
Google SecOps entities are treated as IOCs.
This action runs on the following entities:
- Hostname
- URL
- Hash
Action inputs
None.
Action outputs
The Get Vertex Details action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Entity enrichment table | Available |
JSON result | Available |
Script result | Available |
Entity enrichment
The Get Vertex Details action supports the following enrichment:
Enrichment field | Logic |
---|---|
vertex_type | Returns if it exists in the JSON result |
timestamp | Returns if it exists in the JSON result |
object_id | Returns if it exists in the JSON result |
properties | Returns if it exists in the JSON result |
edges | Returns if it exists in the JSON result |
scope | Returns if it exists in the JSON result |
customer_id | Returns if it exists in the JSON result |
id | Returns if it exists in the JSON result |
device_id | Returns if it exists in the JSON result |
JSON result
The following example describes the JSON result output received when using the Get Vertex Details action:
[{
"EntityResult":
[{
"vertex_type": "module",
"timestamp": "2019-01-17T10: 52: 40Z",
"object_id":"example_id",
"properties":
{
"SHA256HashData": "7afb56dd48565c3c9804f683c80ef47e5333f847f2d3211ec11ed13ad36061e1",
"MD5HashData": "54cb91395cdaad9d47882533c21fc0e9",
"SHA1HashData": "3b1333f826e5fe36395042fe0f1b895f4a373f1b"
},
"edges":
{
"primary_module":
[{
"direction": "in",
"timestamp": "2019-01-13T10: 58: 51Z",
"object_id": "example-id",
"id": "pid: cb4493e4af2742b068efd16cb48b7260: 3738513791849",
"edge_type": "primary_module",
"path": "example-path",
"scope": "device",
"properties": {},
"device_id": "example-id"
}]
},
"scope": "device",
"customer_id": "example-id",
"id": "mod: cb4493e4af2742b068efd16cb48b7260: 7afb56dd48565c3c9804f683c80ef47e5333f847f2d3211ec11ed13ad36061e1",
"device_id": "example-id"
}],
"Entity": "198.51.100.255"
}]
Script result
The following table describes the values for the script result output when using the Get Vertex Details action:
Script result name | Value |
---|---|
is_success | True or False |
Lift Contained Endpoint
Use the Lift Contained Endpoint action to lift an endpoint containment in CrowdStrike Falcon.
This action runs on the following entities:
- IP Address
- Hostname
Action inputs
The Lift Contained Endpoint action requires the following parameters:
Parameter | Description |
---|---|
Fail If Timeout | Required. If selected and the containment is not lifted on all endpoints, the action fails. Selected by default. |
Action outputs
The Lift Contained Endpoint action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Entity enrichment table | Available |
JSON result | Available |
Output messages | Available |
Script result | Available |
Entity enrichment
The Lift Contained Endpoint action supports the following entity enrichment:
Enrichment field | Logic |
---|---|
status | Returns if it exists in the JSON result |
modified_timestamp | Returns if it exists in the JSON result |
major_version | Returns if it exists in the JSON result |
config_id_platform | Returns if it exists in the JSON result |
system_manufacturer | Returns if it exists in the JSON result |
device_policies | Returns if it exists in the JSON result |
meta | Returns if it exists in the JSON result |
pointer_size | Returns if it exists in the JSON result |
last_seen | Returns if it exists in the JSON result |
agent_local_time | Returns if it exists in the JSON result |
first_seen | Returns if it exists in the JSON result |
service_pack_major | Returns if it exists in the JSON result |
slow_changing_modified_timestamp | Returns if it exists in the JSON result |
service_pack_minor | Returns if it exists in the JSON result |
system_product_name | Returns if it exists in the JSON result |
product_type_desc | Returns if it exists in the JSON result |
build_number | Returns if it exists in the JSON result |
cid | Returns if it exists in the JSON result |
local_ip | Returns if it exists in the JSON result |
external_ip | Returns if it exists in the JSON result |
hostname | Returns if it exists in the JSON result |
config_id_build | Returns if it exists in the JSON result |
minor_version | Returns if it exists in the JSON result |
platform_id | Returns if it exists in the JSON result |
os_version | Returns if it exists in the JSON result |
config_id_base | Returns if it exists in the JSON result |
provision_status | Returns if it exists in the JSON result |
mac_address | Returns if it exists in the JSON result |
bios_version | Returns if it exists in the JSON result |
platform_name | Returns if it exists in the JSON result |
agent_load_flags | Returns if it exists in the JSON result |
device_id | Returns if it exists in the JSON result |
product_type | Returns if it exists in the JSON result |
agent_version | Returns if it exists in the JSON result |
JSON result
The following example describes the JSON result output received when using the Lift Contained Endpoint action:
{
"EntityResult":
{
"status": "contained",
"modified_timestamp": "2019-06-24T07:47:37Z",
"major_version": "6", "policies":
[{
"applied": "True",
"applied_date": "2019-04-29T07:40:06.876850888Z",
"settings_hash": "ce17279e",
"policy_type": "prevention",
"assigned_date": "2019-04-29T07:39:55.218651583Z",
"policy_id": ""
}],
"config_id_platform": "example-id",
"bios_manufacturer": "Example Inc.",
"system_manufacturer": "Example Corporation",
"Device_policies":
{
"global_config":
{
"applied": "True",
"applied_date": "2019-06-03T23:24:04.893780991Z",
"settings_hash": "a75911b0",
"policy_type": "globalconfig",
"assigned_date": "2019-06-03T23:23:17.184432743Z",
"policy_id": ""
},
"Sensor_update":
{
"applied": "True",
"applied_date": "2019-05-30T23:13:55.23597658Z",
"settings_hash": "65994753|3|2|automatic;101",
"uninstall_protection": "ENABLED",
"policy_type": "sensor-update",
"assigned_date": "2019-05-30T23:04:31.485311459Z",
"policy_id": "9d1e405846de4ebdb63f674866d390dc"
},
"Prevention":
{
"applied": "True",
"applied_date": "2019-04-29T07:40:06.876850888Z",
"settings_hash": "ce17279e",
"policy_type": "prevention",
"assigned_date": "2019-04-29T07:39:55.218651583Z",
"policy_id": ""
},
"device_control":
{
"applied": "True",
"applied_date": "2019-06-03T23:14:29.800434222Z",
"policy_type": "device-control",
"assigned_date": "2019-06-03T23:05:17.425127539Z",
"policy_id": ""
},
"Remote_response":
{
"applied": "True",
"applied_date": "2019-04-29T07:40:04.469808388Z",
"settings_hash": "f472bd8e",
"policy_type": "remote-response",
"assigned_date": "2019-04-29T07:39:55.218642441Z",
"policy_id": ""
}
},
"meta":
{"version": "12765"},
"pointer_size": "8",
"last_seen": "2019-06-24T07:45:34Z",
"agent_local_time": "2019-06-18T12:17:06.259Z",
"first_seen": "2019-04-29T07:39:45Z",
"service_pack_major": "0",
"slow_changing_modified_timestamp": "2019-06-23T11:20:42Z",
"service_pack_minor": "0",
"system_product_name":"Virtual Machine",
"product_type_desc": "Server",
"build_number": "9600",
"cid": "",
"local_ip": "192.0.2.1",
"external_ip": "203.0.113.1",
"hostname": "example-hostname",
"config_id_build": "9106",
"minor_version": "3",
"platform_id": "0",
"os_version": "Windows Server 2012 R2",
"config_id_base": "example-id",
"provision_status": "Provisioned",
"mac_address": "01-23-45-ab-cd-ef",
"bios_version": "090007 ",
"platform_name": "Windows",
"agent_load_flags": "1",
"device_id": "",
"product_type": "3",
"agent_version": "5.10.9106.0"
},
"Entity": "198.51.100.255"
}
Output messages
The Lift Contained Endpoint action provides the following output messages:
Output message | Message description |
---|---|
 | Action succeeded. |
Waiting for containment lift to finish for the following endpoints: ENTITY_ID | Asynchronous message. |
Error executing action "Lift Contained Endpoint". Reason: the following endpoints initiated containment lift, but were not able to finish it during action execution: ENTITY_ID | Action failed. Check the endpoint status and the |
Error executing action "Lift Contained Endpoint". Reason: ERROR_REASON | Action failed. Check connection to the server, input parameters, or credentials. |
Script result
The following table describes the values for the script result output when using the Lift Contained Endpoint action:
Script result name | Value |
---|---|
is_success | True or False |
List Host Vulnerabilities
Use the List Host Vulnerabilities action to list vulnerabilities found on the host in CrowdStrike Falcon.
This action requires a Falcon Spotlight license and permissions.
This action runs on the following entities:
- IP address
- Hostname
Action inputs
The List Host Vulnerabilities action requires the following parameters:
Parameter | Description |
---|---|
Severity Filter | Optional. A comma-separated list of vulnerability severities. If you provide no value, the action ingests all related vulnerabilities. The possible values are as follows: |
Create Insight | Optional. If selected, the action creates an insight for every entity containing statistical information about related vulnerabilities. Selected by default. |
Max Vulnerabilities To Return | Optional. The number of vulnerabilities to return for a single host. If you provide no value, the action processes all of the related vulnerabilities. The default value is |
Action outputs
The List Host Vulnerabilities action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Available |
Enrichment table | Not available |
JSON result | Available |
Output messages | Available |
Script result | Available |
Case wall table
On a Case Wall, the List Host Vulnerabilities action provides the following table:
Type: Entity
Columns:
- Name
- Score
- Severity
- Status
- App
- Has Remediation
JSON result
The following example describes the JSON result output received when using the List Host Vulnerabilities action:
{
"statistics": {
"total": 123,
"severity": {
"critical": 1,
"high": 1,
"medium": 1,
"low": 1,
"unknown": 1
},
"status": {
"open": 1,
"reopened": 1
},
"has_remediation": 1
},
"details": [
{
"id": "74089e36ac3a4271ab14abc076ed18eb_fff6de34c1b7352babdf7c7d240749e7",
"cid": "27fe4e476ca3490b8476b2b6650e5a74",
"aid": "74089e36ac3a4271ab14abc076ed18eb",
"created_timestamp": "2021-05-12T22:45:47Z",
"updated_timestamp": "2021-05-12T22:45:47Z",
"status": "open",
"cve": {
"id": "CVE-2021-28476",
"base_score": 9.9,
"severity": "CRITICAL",
"exploit_status": 0
},
"app": {
"product_name_version": "Example 01"
},
"apps": [
{
"product_name_version": "Example 01",
"sub_status": "open",
"remediation": {
"ids": [
"acc34cd461023ff8a966420fa8839365"
]
}
}
],
"host_info": {
"hostname": "example-hostname",
"local_ip": "192.0.2.1",
"machine_domain": "",
"os_version": "Windows 10",
"ou": "",
"site_name": "",
"system_manufacturer": "Example Inc.",
"groups": [],
"tags": [],
"platform": "Windows"
},
"remediation": [
{
"id": "acc34cd461023ff8a966420fa8839365",
"reference": "KB5003169",
"title": "Update Microsoft Windows 10 1909",
"action": "Install patch for Microsoft Windows 10 1909 x64 (Workstation): Security Update ABCDEF",
"link": "https://example.com/ABCDEF"
}
]
}
]
}
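How the List Host Vulnerabilities inputs relate to its outputs, as an added Python example that is not the integration's code: it validates the Severity Filter against the values the action's own error message names, applies Max Vulnerabilities To Return, rebuilds the "statistics" block from the "details" list, and produces the Case Wall table columns. The sample details, the function names and the CVE and remediation ids in the sample are constructed placeholders.

```python
"""Post-process a List Host Vulnerabilities JSON result.

Added example, not code from the integration. Assumes the JSON shape shown
above: a "details" list whose items carry cve.id, cve.base_score,
cve.severity, status, app.product_name_version and a "remediation" list.
The accepted Severity Filter values come from the action's error message
(Critical, High, Medium, Low, Unknown). Function names are assumptions.
"""
from collections import Counter

VALID_SEVERITIES = ("critical", "high", "medium", "low", "unknown")

# Constructed sample: three findings on one host. CVE ids and remediation
# ids are placeholders, not real identifiers.
SAMPLE_DETAILS = [
    {"status": "open",
     "cve": {"id": "CVE-0000-0001", "base_score": 9.9, "severity": "CRITICAL", "exploit_status": 0},
     "app": {"product_name_version": "Example 01"},
     "remediation": [{"id": "REMEDIATION_ID_1", "reference": "KB0000001"}]},
    {"status": "reopened",
     "cve": {"id": "CVE-0000-0002", "base_score": 5.3, "severity": "MEDIUM", "exploit_status": 0},
     "app": {"product_name_version": "Example 02"},
     "remediation": []},
    {"status": "open",
     "cve": {"id": "CVE-0000-0003", "base_score": 7.5, "severity": "HIGH", "exploit_status": 0},
     "app": {"product_name_version": "Example 03"},
     "remediation": [{"id": "REMEDIATION_ID_2", "reference": "KB0000002"}]},
]


def parse_severity_filter(raw):
    """Turn the comma-separated Severity Filter into a set of lowercase names.

    An empty value means "no filter" (the action ingests everything). Any
    unknown name raises ValueError, mirroring the action's "Invalid value
    provided in the Severity Filter parameter" failure.
    """
    if not raw or not raw.strip():
        return None
    wanted = {part.strip().lower() for part in raw.split(",") if part.strip()}
    bad = sorted(wanted - set(VALID_SEVERITIES))
    if bad:
        raise ValueError(
            "Invalid value provided in the Severity Filter parameter: %s. "
            "Possible values: Critical, High, Medium, Low, Unknown." % ", ".join(bad))
    return wanted


def select_vulnerabilities(details, severity_filter=None, max_to_return=None):
    """Apply Severity Filter and Max Vulnerabilities To Return to a details list.

    Sorted by base score, highest first, so the cap keeps the most severe findings.
    """
    wanted = parse_severity_filter(severity_filter)
    selected = [d for d in details
                if wanted is None or d["cve"]["severity"].lower() in wanted]
    selected.sort(key=lambda d: d["cve"]["base_score"], reverse=True)
    if max_to_return is not None:
        selected = selected[:max_to_return]
    return selected


def build_statistics(details):
    """Rebuild the "statistics" block of the result from a details list."""
    severity = Counter(d["cve"]["severity"].lower() for d in details)
    status = Counter(d["status"] for d in details)
    return {
        "total": len(details),
        "severity": {name: severity.get(name, 0) for name in VALID_SEVERITIES},
        "status": dict(status),
        "has_remediation": sum(1 for d in details if d.get("remediation")),
    }


def case_wall_rows(details):
    """Produce the columns the action shows in its Case Wall table."""
    return [{
        "Name": d["cve"]["id"],
        "Score": d["cve"]["base_score"],
        "Severity": d["cve"]["severity"],
        "Status": d["status"],
        "App": d["app"]["product_name_version"],
        "Has Remediation": bool(d.get("remediation")),
    } for d in details]
```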
Output messages
The List Host Vulnerabilities action provides the following output messages:
Output message | Message description |
---|---|
 | Action succeeded. |
Error executing action "List Host Vulnerabilities". Reason: ERROR_REASON | Action failed. Check connection to the server, input parameters, or credentials. |
Error executing action "List Host Vulnerabilities". Reason: Invalid value provided in the Severity Filter parameter. Possible values: Critical, High, Medium, Low, Unknown. | Action failed. Check the |
Script result
The following table describes the values for the script result output when using the List Host Vulnerabilities action:
Script result name | Value |
---|---|
is_success | True or False |
List Hosts
Use the List Hosts action to list available hosts in CrowdStrike Falcon.
This action runs on all entities.
Action inputs
The List Hosts action requires the following parameters:
Parameter | Description |
---|---|
Filter Logic | Optional. A logic to use when searching for hosts. The default value is |
Filter Value | Optional. A value to use for host filtering. |
Max Hosts To Return | Optional. The number of hosts to return. The default value is The maximum value is |
Action outputs
The List Hosts action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Available |
Output messages | Available |
Script result | Available |
JSON result
The following example describes the JSON result output received when using the List Hosts action:
[{
"modified_timestamp": "2019-05-15T15:03:12Z",
"platform_id": "0",
"config_id_platform": "3",
"system_manufacturer": "Example Corporation",
"meta": {"version": "4067"},
"first_seen": "2019-04-29T07:39:45Z",
"service_pack_minor": "0",
"product_type_desc": "Server",
"build_number": "9600",
"hostname": "example-hostname",
"config_id_build": "8904",
"minor_version": "3",
"os_version": "Windows Server 2012 R2",
"provision_status": "Provisioned",
"mac_address": "01:23:45:ab:cd:ef",
"bios_version": "090007 ",
"agent_load_flags": "0",
"status": "normal",
"bios_manufacturer": "Example Inc.",
"device_policies":
{
"Sensor_update":
{
"applied": true,
"applied_date": "2019-05-02T22:05:09.577000651Z",
"settings_hash": "65994753|3|2|automatic",
"policy_type": "sensor-update",
"assigned_date": "2019-05-02T22:03:36.804382667Z",
"policy_id": "9d1e405846de4ebdb63f674866d390dc"
},
"remote_response":
{
"applied": true,
"applied_date": "2019-04-29T07:40:04.469808388Z",
"settings_hash": "f472bd8e",
"policy_type": "remote-response",
"assigned_date": "2019-04-29T07:39:55.218642441Z",
"policy_id": "21e4fb4dedd74c6fb0bcd6a348aa046c"
},
"device_control":
{
"applied": true,
"applied_date": "2019-04-29T07:40:06.896362608Z",
"assigned_date": "2019-04-29T07:39:55.218637999Z",
"policy_type": "device-control",
"policy_id": "c360df7193364b23aa4fc47f0238c899"
},
"prevention":
{
"applied": true,
"applied_date": "2019-04-29T07:40:06.876850888Z",
"settings_hash": "ce17279e",
"policy_type": "prevention",
"assigned_date": "2019-04-29T07:39:55.218651583Z",
"policy_id": "7efdf97d7805402186b61151e8abd745"
},
"global_config":
{
"applied": true,
"applied_date": "2019-04-29T07:45:18.94807838Z",
"settings_hash": "3d78f9ab",
"policy_type": "globalconfig",
"assigned_date": "2019-04-29T07:45:08.165941325Z",
"policy_id": "985b1a25afcb489ea442d2d1430b1679"
}
},
"cid": "27fe4e476ca3490b8476b2b6650e5a74",
"agent_local_time": "2019-05-02T22:05:00.015Z",
"slow_changing_modified_timestamp": "2019-05-02T22:05:09Z",
"service_pack_major": "0",
"device_id": "0ab8bc6d968b473b72a5d11a41a24c21",
"system_product_name": "Virtual Machine",
"product_type": "3",
"local_ip": "192.0.2.1",
"external_ip": "203.0.113.1",
"major_version": "6",
"platform_name": "Windows",
"config_id_base": "65994753",
"policies":
[{
"applied": true,
"applied_date": "2019-04-29T07:40:06.876850888Z",
"settings_hash": "ce17279e",
"policy_type": "prevention",
"assigned_date": "2019-04-29T07:39:55.218651583Z",
"policy_id": "7efdf97d7805402186b61151e8abd745"
}],
"agent_version": "4.26.8904.0",
"pointer_size": "8",
"last_seen": "2019-05-15T15:01:23Z"
},
{
"modified_timestamp": "2019-05-13T07:24:36Z",
"site_name": "Example-Site-Name",
"config_id_platform": "3",
"system_manufacturer": "Example Inc.",
"meta": {"version": "14706"},
"first_seen": "2018-04-17T11:02:20Z",
"platform_name": "Windows",
"service_pack_minor": "0",
"product_type_desc": "Workstation",
"build_number": "17134",
"hostname": "example-hostname",
"config_id_build": "8904",
"minor_version": "0",
"os_version": "Windows 10",
"provision_status": "Provisioned",
"mac_address": "01:23:45:ab:cd:ef",
"bios_version": "1.6.5",
"agent_load_flags": "0",
"status": "normal",
"bios_manufacturer": "Example Inc.",
"machine_domain": "example.com",
"device_policies":
{
"sensor_update":
{
"applied": true,
"applied_date": "2019-05-05T12:52:23.121596885Z",
"settings_hash": "65994753|3|2|automatic",
"policy_type": "sensor-update",
"assigned_date": "2019-05-05T12:51:37.544605747Z",
"policy_id": "9d1e405846de4ebdb63f674866d390dc"
},
"Remote_response":
{
"applied": true,
"applied_date": "2019-02-10T07:57:59.064362539Z",
"settings_hash": "f472bd8e",
"policy_type": "remote-response",
"assigned_date": "2019-02-10T07:57:50.610924385Z",
"policy_id": "21e4fb4dedd74c6fb0bcd6a348aa046c"
},
"device_control":
{
"applied": true,
"applied_date": "2019-03-25T15:01:28.51681072Z",
"assigned_date": "2019-03-25T15:00:22.442519168Z",
"policy_type": "device-control",
"policy_id": "c360df7193364b23aa4fc47f0238c899"
},
"Prevention":
{
"applied": true,
"applied_date": "2019-04-04T06:54:06.909774295Z",
"settings_hash": "ce17279e",
"policy_type": "prevention",
"assigned_date": "2019-04-04T06:53:57.135897343Z",
"policy_id": "7efdf97d7805402186b61151e8abd745"
},
"global_config":
{
"applied": true,
"applied_date": "2019-02-10T07:57:53.70275875Z",
"settings_hash": "3d78f9ab",
"policy_type": "globalconfig",
"assigned_date": "2019-02-10T07:57:50.610917888Z",
"policy_id": "985b1a25afcb489ea442d2d1430b1679"
}
},
"cid": "27fe4e476ca3490b8476b2b6650e5a74",
"agent_local_time": "2019-05-05T15:52:08.172Z",
"slow_changing_modified_timestamp": "2019-05-12T12:37:35Z",
"service_pack_major": "0",
"device_id": "cb4493e4af2742b068efd16cb48b7260",
"system_product_name": "example-name",
"product_type": "1",
"local_ip": "192.0.2.1",
"external_ip": "203.0.113.1",
"major_version": "10",
"platform_id": "0",
"config_id_base": "65994753",
"policies":
[{
"applied": true,
"applied_date": "2019-04-04T06:54:06.909774295Z",
"settings_hash": "ce17279e",
"policy_type": "prevention",
"assigned_date": "2019-04-04T06:53:57.135897343Z",
"policy_id": "7efdf97d7805402186b61151e8abd745"
}],
"agent_version": "4.26.8904.0",
"pointer_size": "8",
"last_seen": "2019-05-13T07:21:30Z"
},
{
"modified_timestamp": "2019-05-09T14:22:50Z",
"site_name": "Example-Site-Name",
"config_id_platform": "3",
"system_manufacturer": "Dell Inc.",
"meta": {"version": "77747"},
"first_seen": "2018-07-01T12:19:23Z",
"platform_name": "Windows",
"service_pack_minor": "0",
"product_type_desc": "Workstation",
"build_number": "17134",
"hostname":"example-hostname",
"config_id_build": "8904",
"minor_version": "0",
"os_version": "Windows 10",
"provision_status": "Provisioned",
"mac_address": "01:23:45:ab:cd:ef",
"bios_version": "1.2.1",
"agent_load_flags": "0",
"status": "normal",
"bios_manufacturer": "Example Inc.",
"machine_domain": "example.com",
"device_policies":
{
"sensor_update":
{
"applied": true,
"applied_date": "2019-05-02T22:10:50.336101107Z",
"settings_hash": "65994753|3|2|automatic",
"policy_type": "sensor-update",
"assigned_date": "2019-05-02T22:10:50.336100731Z",
"policy_id": "9d1e405846de4ebdb63f674866d390dc"
},
"remote_response":
{
"applied": true,
"applied_date": "2019-02-08T02:46:31.919442939Z",
"settings_hash": "f472bd8e",
"policy_type": "remote-response",
"assigned_date": "2019-02-08T02:46:22.219718098Z",
"policy_id": "21e4fb4dedd74c6fb0bcd6a348aa046c"
},
"device_control":
{
"applied": true,
"applied_date": "2019-03-24T16:43:31.777981725Z",
"assigned_date": "2019-03-24T16:42:21.395540493Z",
"policy_type": "device-control",
"policy_id": "c360df7193364b23aa4fc47f0238c899"
},
"prevention":
{
"applied": true,
"applied_date": "2019-04-03T23:58:50.870694195Z",
"settings_hash": "ce17279e",
"policy_type": "prevention",
"assigned_date": "2019-04-03T23:57:22.534513932Z",
"policy_id": "7efdf97d7805402186b61151e8abd745"
},
"global_config":
{
"applied": true,
"applied_date": "2019-02-08T01:14:14.810607774Z",
"settings_hash": "3d78f9ab",
"policy_type": "globalconfig",
"assigned_date": "2019-02-08T01:14:05.585922067Z",
"policy_id": "985b1a25afcb489ea442d2d1430b1679"
}
},
"cid": "27fe4e476ca3490b8476b2b6650e5a74",
"agent_local_time": "2019-05-03T01:10:29.340Z",
"slow_changing_modified_timestamp": "2019-05-02T22:10:46Z",
"service_pack_major": "0",
"device_id": "1c2f1a7f88f8457f532f1c615f07617b",
"system_product_name": "Example Name",
"product_type": "1",
"local_ip": "192.0.2.1",
"external_ip": "203.0.113.1",
"major_version": "10",
"platform_id": "0",
"config_id_base": "65994753",
"policies":
[{
"applied": true,
"applied_date": "2019-04-03T23:58:50.870694195Z",
"settings_hash": "ce17279e",
"policy_type": "prevention",
"assigned_date": "2019-04-03T23:57:22.534513932Z",
"policy_id": "7efdf97d7805402186b61151e8abd745"
}],
"agent_version": "4.26.8904.0",
"pointer_size": "8",
"last_seen": "2019-05-09T14:20:53Z"
}]
Output messages
The List Hosts action provides the following output messages:
Output message | Message description |
---|---|
 | Action succeeded. |
Error executing action "List Hosts". Reason: ERROR_REASON | Action failed. Check connection to the server, input parameters, or credentials. |
Script result
The following table describes the values for the script result output when using the List Hosts action:
Script result name | Value |
---|---|
is_success | True or False |
List Uploaded IOCs
Use the List Uploaded IOCs action to list available custom IOCs in CrowdStrike Falcon.
This action runs on all entities.
Action inputs
The List Uploaded IOCs action requires the following parameters:
Parameter | Description |
---|---|
IOC Type Filter | Optional. A comma-separated list of IOC types to return. The default value is |
Value Filter Logic | Optional. A value of the filter logic. The default value is If |
Value Filter String | Optional. A string to search among IOCs. |
Max IOCs To Return | Optional. The number of IOCs to return. The default value is The maximum value is 500. |
Action outputs
The List Uploaded IOCs action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Available |
Enrichment table | Not available |
JSON result | Available |
Output messages | Available |
Script result | Available |
Case wall table
On a Case Wall, the List Uploaded IOCs action provides the following table:
Columns:
- Action
- Severity
- Signed
- AV Hits
- Platforms
- Tags
- Created At
- Created By
JSON result
The following example describes the JSON result output received when using the List Uploaded IOCs action:
{
"id": "fbe8c2739f3c6df95e62e0ae54569974437b2d9306eaf6740134ccf1a05e23d3",
"type": "sha256",
"value": "8a86c4eecf12446ff273afc03e1b3a09a911d0b7981db1af58cb45c439161295",
"action": "no_action",
"severity": "",
"metadata": {
"signed": false,
"av_hits": -1
},
"platforms": [
"windows"
],
"tags": [
"Hashes 22.Nov.20 15:29 (Windows)"
],
"expired": false,
"deleted": false,
"applied_globally": true,
"from_parent": false,
"created_on": "2021-04-22T03:54:09.235120463Z",
"created_by": "internal@example.com",
"modified_on": "2021-04-22T03:54:09.235120463Z",
"modified_by": "internal@example.com"
}
Output messages
The List Uploaded IOCs action provides the following output messages:
Output message | Message description |
---|---|
Successfully found custom IOCs for the provided criteria in CrowdStrike Falcon. | Action succeeded. |
Error executing action "List Uploaded IOCs". Reason: ERROR_REASON | Action failed. Check connection to the server, input parameters, or credentials. |
Error executing action "List Uploaded IOCs". Reason: "IOC Type Filter" contains an invalid value. Please check the spelling. Possible values: ipv4, ipv6, md5, sha1, sha256, domain. | Action failed. Check the spelling and the |
Script result
The following table describes the values for the script result output when using the List Uploaded IOCs action:
Script result name | Value |
---|---|
is_success | True or False |
On-Demand Scan
Use the On-Demand Scan action to scan the endpoint on demand in CrowdStrike Falcon.
This action runs only on Windows hosts, and on the following entities:
- IP address
- Hostname
The On-Demand Scan action runs asynchronously. Adjust the script timeout value in the Google SecOps IDE, if necessary.
Action inputs
The On-Demand Scan action requires the following parameters:
Parameter | Description |
---|---|
File Paths To Scan | Required. A comma-separated list of paths to scan. The default value is |
File Paths To Exclude From Scan | Optional. A comma-separated list of paths to exclude from scanning. |
Host Group Name | Optional. A comma-separated list of host group names to initiate the scanning for. The action creates a separate scanning process for each host group. |
Scan Description | Optional. A description to use for the scanning process. If you set no value, the action sets the description to the following: |
CPU Priority | Optional. The amount of CPU to use for the underlying host during scanning. Possible values are as follows: The default value is |
Sensor Anti-malware Detection Level | Optional. The value of the sensor anti-malware detection level. The detection level must be equal to or higher than the prevention level. Possible values are as follows: The default value is |
Sensor Anti-malware Prevention Level | Optional. The value of the sensor anti-malware prevention level. The detection level must be equal to or higher than the prevention level. Possible values are as follows: The default value is |
Cloud Anti-malware Detection Level | Optional. The value of the cloud anti-malware detection level. The detection level must be equal to or higher than the prevention level. Possible values are as follows: The default value is |
Cloud Anti-malware Prevention Level | Optional. The value of the cloud anti-malware prevention level. The detection level must be equal to or higher than the prevention level. Possible values are as follows: The default value is |
Quarantine Hosts | Optional. If selected, the action quarantines the underlying hosts as part of scanning. Not selected by default. |
Create Endpoint Notification | Optional. If selected, the scanning process creates an endpoint notification. Selected by default. |
Max Scan Duration | Optional. The number of hours for a scan to run. If you provide no value, the scan runs continuously. |
Action outputs
The On-Demand Scan action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Available |
Output messages | Available |
Script result | Available |
JSON result
The following example describes the JSON result output received when using the On-Demand Scan action:
{
"id": "ID",
"cid": "27fe4e476ca3490b8476b2b6650e5a74",
"profile_id": "c94149b9a52d4c76b027e63a88dcc710",
"description": "test APIS ",
"file_paths": [
"C:\\Windows"
],
"initiated_from": "falcon_adhoc",
"quarantine": true,
"cpu_priority": 1,
"preemption_priority": 1,
"metadata": [
{
"host_id": "HOST_ID",
"host_scan_id": "909262bd2fff664282a46464d8625a62",
"scan_host_metadata_id": "815dae51d8e543108ac01f6f139f42b1",
"filecount": {
"scanned": 16992,
"malicious": 0,
"quarantined": 0,
"skipped": 124998,
"traversed": 198822
},
"status": "completed",
"started_on": "2024-02-05T13:55:45.25066635Z",
"completed_on": "2024-02-05T14:11:18.092427363Z",
"last_updated": "2024-02-05T14:11:18.092431457Z"
}
],
"filecount": {
"scanned": 16992,
"malicious": 0,
"quarantined": 0,
"skipped": 124998,
"traversed": 198822
},
"targeted_host_count": 1,
"completed_host_count": 1,
"status": "completed",
"hosts": [
"86db81f390394cb080417a1ffb7d46fd"
],
"endpoint_notification": true,
"pause_duration": 2,
"max_duration": 1,
"max_file_size": 60,
"sensor_ml_level_detection": 2,
"sensor_ml_level_prevention": 2,
"cloud_ml_level_detection": 2,
"cloud_ml_level_prevention": 2,
"policy_setting": [
26439818674573
],
"scan_started_on": "2024-02-05T13:55:45.25Z",
"scan_completed_on": "2024-02-05T14:11:18.092Z",
"created_on": "2024-02-05T13:55:43.436807525Z",
"created_by": "88f5d9e8284f4b85b92dab2389cb349d",
"last_updated": "2024-02-05T14:14:18.776620391Z"
}
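Because the action is asynchronous and the scan can run for hours, a playbook usually has to check the level parameters before launching a scan and then decide from the JSON result whether a host needs follow-up. The following helpers show both steps. This is an added example, not code from the integration; the sample result is constructed to mirror the fields shown above (with a second host added), and the ordering of the anti-malware levels as integers is an assumption taken from the numeric values in the JSON result.

```python
"""Helpers for the On-Demand Scan action: check the anti-malware level
parameters before the action runs and summarize the JSON result afterwards.
This is an added example, not code from the integration."""
import json

# Constructed sample modelled on the JSON result shown above. IDs and counts
# are placeholders for two scanned hosts, not real tenant data.
SAMPLE_SCAN_RESULT = json.loads("""
{
  "id": "SCAN_ID",
  "status": "completed",
  "quarantine": true,
  "targeted_host_count": 2,
  "completed_host_count": 2,
  "sensor_ml_level_detection": 2,
  "sensor_ml_level_prevention": 2,
  "cloud_ml_level_detection": 2,
  "cloud_ml_level_prevention": 2,
  "metadata": [
    {"host_id": "HOST_A", "status": "completed",
     "filecount": {"scanned": 16992, "malicious": 0, "quarantined": 0,
                   "skipped": 124998, "traversed": 198822}},
    {"host_id": "HOST_B", "status": "completed",
     "filecount": {"scanned": 9000, "malicious": 2, "quarantined": 2,
                   "skipped": 100, "traversed": 9100}}
  ],
  "filecount": {"scanned": 25992, "malicious": 2, "quarantined": 2,
                "skipped": 125098, "traversed": 207922}
}
""")


def validate_ml_levels(sensor_detection, sensor_prevention,
                       cloud_detection, cloud_prevention):
    """Return the list of violated constraints (empty when the levels are valid).

    The action requires each detection level to be equal to or higher than the
    matching prevention level. Levels are compared as integers, as they appear
    in the JSON result; that ordering is an assumption of this example.
    """
    problems = []
    if sensor_detection < sensor_prevention:
        problems.append("sensor: detection level must be >= prevention level")
    if cloud_detection < cloud_prevention:
        problems.append("cloud: detection level must be >= prevention level")
    return problems


def summarize_scan(result):
    """Reduce a scan result to what an analyst needs to decide on follow-up."""
    hosts = []
    for host in result.get("metadata", []):
        counts = host.get("filecount", {})
        hosts.append({
            "host_id": host.get("host_id"),
            "status": host.get("status"),
            "scanned": counts.get("scanned", 0),
            "malicious": counts.get("malicious", 0),
            "quarantined": counts.get("quarantined", 0),
        })
    targeted = result.get("targeted_host_count", 0)
    completed = result.get("completed_host_count", 0)
    all_done = targeted > 0 and completed >= targeted
    malicious_total = sum(h["malicious"] for h in hosts)
    unquarantined = sum(h["malicious"] - h["quarantined"] for h in hosts)
    return {
        "scan_id": result.get("id"),
        "status": result.get("status"),
        "all_hosts_completed": all_done,
        "malicious_total": malicious_total,
        "malicious_not_quarantined": unquarantined,
        "hosts_with_findings": [h["host_id"] for h in hosts if h["malicious"]],
        # Still running (the action is asynchronous) or something was found:
        # keep the case open and escalate rather than auto-closing it.
        "needs_follow_up": (not all_done) or malicious_total > 0,
    }


if __name__ == "__main__":
    levels = validate_ml_levels(
        SAMPLE_SCAN_RESULT["sensor_ml_level_detection"],
        SAMPLE_SCAN_RESULT["sensor_ml_level_prevention"],
        SAMPLE_SCAN_RESULT["cloud_ml_level_detection"],
        SAMPLE_SCAN_RESULT["cloud_ml_level_prevention"],
    )
    print("level problems:", levels or "none")
    print(json.dumps(summarize_scan(SAMPLE_SCAN_RESULT), indent=2))
```

The per-host breakdown matters more than the top-level `filecount`: a scan that reports `completed` overall can still contain a host whose findings were not quarantined, and a playbook that only reads the aggregate status will close the case too early.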
Output messages
The On-Demand Scan action provides the following output messages:
Output message | Message description |
---|---|
|
Action succeeded. |
|
Action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table describes the values for the script result output when using the On-Demand Scan action:
Script result name | Value |
---|---|
is_success |
True or False |
Ping
Use the Ping action to test connectivity to CrowdStrike Falcon.
This action runs on all entities.
Action inputs
None.
Action outputs
The Ping action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Not available |
Script result | Available |
Script result
The following table describes the values for the script result output when using the Ping action:
Script result name | Value |
---|---|
is_success |
True or False |
Run Script
Use the Run Script action to execute a PowerShell script on endpoints in CrowdStrike Falcon.
This action is asynchronous. Adjust the script timeout value in the Google SecOps IDE, if necessary.
This action runs on the IP address and Hostname entities.
Action inputs
The Run Script action requires the following parameters:
Parameter | Description |
---|---|
Customer ID |
Optional The ID of the customer to execute the action for. |
Script Name |
Optional The name of the script file to execute. Configure either the |
Raw Script |
Optional A raw PowerShell script payload to execute on endpoints. Configure either the |
Action outputs
The Run Script action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Not available |
Output messages | Available |
Script result | Available |
Output messages
On a Case Wall, the Run Script action provides the following output messages:
Output message | Message description |
---|---|
|
Action succeeded. |
|
Action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table describes the values for the script result output when using the Run Script action:
Script result name | Value |
---|---|
is_success |
True or False |
Submit File
Use the Submit File action to submit files to a sandbox in CrowdStrike.
This action requires a Falcon Sandbox license.
This action doesn't run on entities.
Supported file and archive formats
According to the CrowdStrike portal, the sandbox supports the following file formats:
Supported file formats | File type |
---|---|
.exe, .scr, .pif, .dll, .com, .cpl | Portable executables |
.doc, .docx, .ppt, .pps, .pptx, .ppsx, .xls, .xlsx, .rtf, .pub | Office documents |
.pdf | PDF |
.apk | APK |
.jar | Executable JAR |
.sct | Windows script component |
.lnk | Windows shortcut |
.chm | Windows help |
.hta | HTML application |
.wsf | Windows script file |
.js | JavaScript |
.vbs, .vbe | Visual Basic |
.swf | Shockwave Flash |
.pl | Perl |
.ps1, .psd1, .psm1 | PowerShell |
.svg | Scalable vector graphics |
.py | Python |
.elf | Linux ELF executables |
.eml | Email files: MIME RFC 822 |
.msg | Email files: Outlook |
According to the CrowdStrike portal, the sandbox supports the following archive formats:
.zip
.7z
Action inputs
The Submit File action requires the following parameters:
Parameter | Description |
---|---|
File Paths |
Required
Paths to the files to submit. For a list of the supported file formats, refer to the Supported file and archive formats section of this document. |
Sandbox Environment |
Optional
A sandbox environment to analyze. The default value is
|
Network Environment |
Optional
A network environment to analyze. The default value is
|
Archive Password |
Optional
A password to use when working with archive files. |
Document Password |
Optional
A password to use when working with Adobe or Office files. The maximum password length is 32 characters. |
Check Duplicate |
Optional
If selected, the action checks if the file was already submitted previously and returns the available report. During
validation, the action doesn't consider the Selected by default. |
Comment |
Optional
A comment to submit. |
Confidential Submission |
Optional
If selected, the file is only shown to users within your customer account. Not selected by default. |
Action outputs
The Submit File action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Available |
Enrichment table | Not available |
JSON result | Not available |
Output messages | Available |
Script result | Available |
Case wall table
On a Case Wall, the Submit File action provides the following table:
Columns:
- Results
- Name
- Threat Score
- Verdict
- Tags
Output messages
The Submit File action provides the following output messages:
Output message | Message description |
---|---|
|
Action succeeded. |
|
The action returned an error. Check the supported file formats for this action. |
Waiting for results for the following
files: PATHS |
Asynchronous message. |
Error executing action "Submit File".
Reason: ERROR_REASON |
Action failed. Check connection to the server, input parameters, or credentials. |
Error executing action "Submit File".
Reason: action ran into a timeout during execution. Pending files:
FILES_IN_PROGRESS. Please increase
the timeout in IDE.
|
Action failed. Increase the timeout in IDE. |
Script result
The following table describes the values for the script result output when using the Submit File action:
Script result name | Value |
---|---|
is_success |
True or False |
Submit URL
Use the Submit URL action to submit URLs to a sandbox in CrowdStrike.
This action requires a Falcon Sandbox license. To check what file formats the sandbox supports, refer to the Supported file and archive formats section of this document.
This action doesn't run on entities.
Action inputs
The Submit URL action requires the following parameters:
Parameter | Description |
---|---|
URLs |
Required
URLs to submit. |
Sandbox Environment |
Optional
A sandbox environment to analyze. The default value is
|
Network Environment |
Optional
A network environment to analyze. The default value is
|
Check Duplicate |
Optional
If selected, the action checks if the URL was already submitted previously and returns the available report. During
validation, the action doesn't consider the Selected by default. |
Action outputs
The Submit URL action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Not available |
Output messages | Available |
Script result | Available |
Output messages
The Submit URL action provides the following output messages:
Output message | Message description |
---|---|
|
Action succeeded. |
Waiting for results for the following
URLs: PATHS |
Asynchronous message. |
Error executing action "Submit URL".
Reason: ERROR_REASON |
Action failed. Check connection to the server, input parameters, or credentials. |
Error executing action "Submit URL".
Reason: action ran into a timeout during execution. Pending files:
FILES_IN_PROGRESS. Please increase
the timeout in IDE. |
Action failed. Increase the timeout in IDE. |
Script result
The following table describes the values for the script result output when using the Submit URL action:
Script result name | Value |
---|---|
is_success |
True or False |
Update Alert
Use the Update Alert action to update alerts in CrowdStrike Falcon.
This action doesn't run on entities.
Action inputs
The Update Alert action requires the following parameters:
Parameter | Description |
---|---|
Alert ID |
Required The ID of the alert to update. |
Status |
Optional The status of the alert. Possible values are as follows:
|
Verdict |
Optional The verdict for the alert. Possible values are as follows:
|
Assign To |
Optional The name of the analyst to assign the alert to. If you provide The API accepts any value even if the provided user doesn't exist in the system. |
Action outputs
The Update Alert action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Available |
Output messages | Available |
Script result | Available |
JSON result
The following example describes the JSON result output received when using the Update Alert action:
{
"added_privileges": [
"DomainAdminsRole"
],
"aggregate_id": "aggind:ID",
"assigned_to_uid": "example@example.com",
"cid": "27fe4e476ca3490b8476b2b6650e5a74",
"composite_id": "27fe4e476ca3490b8476b2b6650e5a74:ind:ID",
"confidence": 20,
"context_timestamp": "2022-11-15T12:58:15.629Z",
"crawl_edge_ids": {
"Sensor": [
"N6KIZ`%V`&d#&#sRaHNV[f3[CA4lr/C_N;.JnbglJpdg8TCCTqnr!9D\\['ALM&eNbPq?kt$#@]+01Ac[&th0-0]E'J8:]mFV?'g5HZ/$B.%BC29_`4U_?%a)_&#k>,G>:=E>%[7^<aLSVj=`UCMcRUH[a9/*^hO_7Ft(js#P<M<(eG3(B=I8rr",
"XNXnKK.mi:ckQ^2c7AGRMK^'rd:p[_JkD_5ZM$W:d'J8oN:42nj.Ho1-^E5D16b0VALJ`2cDEEJTVdY\\n.-WQ^_B[7$1pH[Glgm@go]-LB%M1,c#2F)nli-Ge#V<=[!c_jh8e3D8E-S0FheDm*BHh-P/s6q!!*'!",
"N6L*L\">LGfi/.a$IkpaFlWjT.YU#P@Gu8Qe6'0SK=M]ChI,FQXqo=*M(QR+@6c8@m1pIc)Dqs+WLXjbpom5@$T+oqC5RJk!9atPF/<mG'H`V9P0YII;!>C8YL)XS&ATORi>!U.7<Ds\"<dT/Mkp\\V%!U[RS_YC/Wrn[Z`S(^4NU,lV#X3/#pP7K*>g!<<'"
]
},
"crawl_vertex_ids": {
"Sensor": [
"aggind:ID",
"idpind:ID",
"ind:ID",
"uid:ID"
]
},
"crawled_timestamp": "2022-11-15T13:58:17.251061883Z",
"created_timestamp": "2022-11-15T12:59:17.239585706Z",
"description": "A user received new privileges",
"display_name": "Privilege escalation (user)",
"end_time": "2022-11-15T12:58:15.629Z",
"falcon_host_link": "https://falcon.crowdstrike.com/identity-protection/detections/ID",
"id": "ind:ID",
"name": "IdpEntityPrivilegeEscalationUser",
"objective": "Gain Access",
"pattern_id": 51113,
"previous_privileges": "0",
"privileges": "8321",
"product": "idp",
"scenario": "privilege_escalation",
"severity": 2,
"show_in_ui": true,
"source_account_domain": "EXAMPLE.EXAMPLE",
"source_account_name": "ExampleMailbox",
"source_account_object_sid": "S-1-5-21-3479765008-4256118348-3151044947-3595",
"start_time": "2022-11-15T12:58:15.629Z",
"status": "new",
"tactic": "Privilege Escalation",
"tactic_id": "TA0004",
"tags": [
"red_team"
],
"technique": "Valid Accounts",
"technique_id": "T1078",
"timestamp": "2022-11-15T12:58:17.239Z",
"type": "idp-user-endpoint-app-info",
"updated_timestamp": "2022-11-23T15:22:20.271100181Z"
}
Output messages
The Update Alert action provides the following output messages:
Output message | Message description |
---|---|
Successfully updated alert with ID
ALERT_ID in CrowdStrike |
Action succeeded. |
|
Action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table describes the values for the script result output when using the Update Alert action:
Script result name | Value |
---|---|
is_success |
True or False |
Update Detection
Use the Update Detection action to update detections in CrowdStrike Falcon.
This action runs on all entities.
Action inputs
The Update Detection action requires the following parameters:
Parameter | Description |
---|---|
Detection ID |
Required
The ID of the detection to update. |
Status |
Required
A detection status. The default value is
|
Assign Detection to |
Optional
An email address of the CrowdStrike Falcon user who is the assignee of the detection. |
Action outputs
The Update Detection action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Not available |
Output messages | Available |
Script result | Available |
Output messages
The Update Detection action provides the following output messages:
Output message | Message description |
---|---|
Successfully updated detection
DETECTION_ID in CrowdStrike Falcon.
|
Action succeeded. |
Error executing action "Update
Detection". Reason: ERROR_REASON
|
Action failed. Check connection to the server, input parameters, or credentials. |
Error executing action "Update
Detection". Reason: Either "Status" or "Assign Detection To" should have a
proper value. |
Action failed. Check the values of the |
Script result
The following table describes the values for the script result output when using the Update Detection action:
Script result name | Value |
---|---|
is_success |
True or False |
Update Identity Protection Detection
Use the Update Identity Protection Detection action to update an identity protection detection in CrowdStrike Falcon.
This action requires an Identity Protection license.
This action doesn't run on entities.
Action inputs
The Update Identity Protection Detection action requires the following parameters:
Parameter | Description |
---|---|
Detection ID |
Required
The ID of the detection to update. |
Status |
Optional
A status of the detection. The default value is
The possible values are as follows:
|
Assign to |
Optional
The name of the assigned analyst. If an invalid value is provided, the action doesn't change the current assignee. |
Action outputs
The Update Identity Protection Detection action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Available |
Output messages | Available |
Script result | Available |
JSON result
The following example describes the JSON result output received when using the Update Identity Protection Detection action:
{
"added_privileges": [
"DomainAdminsRole"
],
"aggregate_id": "aggind:ID",
"assigned_to_uid": "example@example.com",
"cid": "27fe4e476ca3490b8476b2b6650e5a74",
"composite_id": "27fe4e476ca3490b8476b2b6650e5a74:ind:ID",
"confidence": 20,
"context_timestamp": "2022-11-15T12:58:15.629Z",
"crawl_edge_ids": {
"Sensor": [
"N6KIZ`%V`&d#&#sRaHNV[f3[CA4lr/C_N;.JnbglJpdg8TCCTqnr!9D\\['ALM&eNbPq?kt$#@]+01Ac[&th0-0]E'J8:]mFV?'g5HZ/$B.%BC29_`4U_?%a)_&#k>,G>:=E>%[7^<aLSVj=`UCMcRUH[a9/*^hO_7Ft(js#P<M<(eG3(B=I8rr",
"XNXnKK.mi:ckQ^2c7AGRMK^'rd:p[_JkD_5ZM$W:d'J8oN:42nj.Ho1-^E5D16b0VALJ`2cDEEJTVdY\\n.-WQ^_B[7$1pH[Glgm@go]-LB%M1,c#2F)nli-Ge#V<=[!c_jh8e3D8E-S0FheDm*BHh-P/s6q!!*'!",
"N6L*L\">LGfi/.a$IkpaFlWjT.YU#P@Gu8Qe6'0SK=M]ChI,FQXqo=*M(QR+@6c8@m1pIc)Dqs+WLXjbpom5@$T+oqC5RJk!9atPF/<mG'H`V9P0YII;!>C8YL)XS&ATORi>!U.7<Ds\"<dT/Mkp\\V%!U[RS_YC/Wrn[Z`S(^4NU,lV#X3/#pP7K*>g!<<'"
]
},
"crawl_vertex_ids": {
"Sensor": [
"aggind:ID",
"idpind:ID",
"ind:ID",
"uid:ID"
]
},
"crawled_timestamp": "2022-11-15T13:58:17.251061883Z",
"created_timestamp": "2022-11-15T12:59:17.239585706Z",
"description": "A user received new privileges",
"display_name": "Privilege escalation (user)",
"end_time": "2022-11-15T12:58:15.629Z",
"falcon_host_link": "https://example.com/",
"id": "ind:ID",
"name": "IdpEntityPrivilegeEscalationUser",
"objective": "Gain Access",
"pattern_id": 51113,
"previous_privileges": "0",
"privileges": "8321",
"product": "idp",
"scenario": "privilege_escalation",
"severity": 2,
"show_in_ui": true,
"source_account_domain": "EXAMPLE.COM",
"source_account_name": "ExampleName",
"source_account_object_sid": "S-1-5-21-3479765008-4256118348-3151044947-3595",
"start_time": "2022-11-15T12:58:15.629Z",
"status": "new",
"tactic": "Privilege Escalation",
"tactic_id": "TA0004",
"tags": [
"red_team"
],
"technique": "Valid Accounts",
"technique_id": "T1078",
"timestamp": "2022-11-15T12:58:17.239Z",
"type": "idp-user-endpoint-app-info",
"updated_timestamp": "2022-11-23T15:22:20.271100181Z"
}
Output messages
On a Case Wall, the Update Identity Protection Detection action provides the following output messages:
Output message | Message description |
---|---|
Successfully updated identity protection detection with ID
DETECTION_ID in CrowdStrike.
|
Action succeeded. |
Error executing action "Update Identity Protection Detection".
Reason: ERROR_REASON |
Action failed. Check connection to the server, input parameters, or credentials. |
Error executing action "Update Identity Protection Detection".
Reason: identity protection detection with ID
DETECTION_ID wasn't found in
CrowdStrike. Please check the spelling. |
Action failed. Check the spelling. |
Error executing action "Update
Identity Protection Detection". Reason: at least one of the "Status" or
"Assign To" parameters should have a value. |
Action failed. Check the values of the |
Script result
The following table describes the values for the script result output when using the Update Identity Protection Detection action:
Script result name | Value |
---|---|
is_success |
True or False |
Update Incident
Use the Update Incident action to update incidents in CrowdStrike.
This action doesn't run on entities.
Action inputs
The Update Incident action requires the following parameters:
Parameter | Description |
---|---|
Incident ID |
Required
The ID of the incident to update. |
Status |
Optional
The status of the incident. The possible values are as follows:
|
Assign to |
Optional
The name or email address of the assigned analyst. To specify a name, provide the first and
last name of the analyst in the following format:
|
Action outputs
The Update Incident action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Available |
Output messages | Available |
Script result | Available |
JSON result
The following example describes the JSON result output received when using the Update Incident action:
{
"data_type": "Incident",
"incident_id": "inc:fee8a6ef0cb3412e9a781dcae0287c85:9dfa480ae6214309bff0c8dc2ad8af7c",
"incident_type": 1,
"cid": "27fe4e476ca3490b8476b2b6650e5a74",
"host_ids": [
"fee8a6ef0cb3412e9a781dcae0287c85"
],
"hosts": [
{
"device_id": "fee8a6ef0cb3412e9a781dcae0287c85",
"cid": "27fe4e476ca3490b8476b2b6650e5a74",
"agent_load_flags": "1",
"agent_local_time": "2023-01-09T11:28:59.170Z",
"agent_version": "6.48.16207.0",
"bios_manufacturer": "Example Inc.",
"bios_version": "1.20.0",
"config_id_base": "65994753",
"config_id_build": "16207",
"config_id_platform": "3",
"external_ip": "198.51.100.1",
"hostname": "DESKTOP-EXAMPLE",
"first_seen": "2022-09-26T09:56:42Z",
"last_seen": "2023-01-09T12:11:35Z",
"local_ip": "192.0.2.1",
"mac_address": "00-15-5d-65-39-86",
"major_version": "10",
"minor_version": "0",
"os_version": "Windows 10",
"platform_id": "0",
"platform_name": "Windows",
"product_type": "1",
"product_type_desc": "Workstation",
"status": "contained",
"system_manufacturer": "Example Inc.",
"system_product_name": "G5 5500",
"modified_timestamp": "2023-01-09T12:11:48Z"
}
],
"created": "2023-01-09T12:12:51Z",
"start": "2023-01-09T11:23:27Z",
"end": "2023-01-09T12:52:01Z",
"state": "closed",
"status": 20,
"tactics": [
"Defense Evasion",
"Privilege Escalation",
"Credential Access"
],
"techniques": [
"Disable or Modify Tools",
"Access Token Manipulation",
"Input Capture",
"Bypass User Account Control"
],
"objectives": [
"Keep Access",
"Gain Access"
],
"users": [
"DESKTOP-EXAMPLE$",
"EXAMPLE"
],
"fine_score": 21
}
Output messages
The Update Incident action provides the following output messages:
Output message | Message description |
---|---|
Successfully updated incident with ID
INCIDENT_ID in
CrowdStrike |
Action succeeded. |
Error executing action "Update
Incident". Reason: ERROR_REASON
|
Action failed. Check connection to the server, input parameters, or credentials. |
Error executing action "Update Incident". Reason: incident with
ID INCIDENT_ID wasn't found in
CrowdStrike. Please check the spelling. |
Action failed. Check the spelling. |
Error executing action "Update
Incident". Reason: user USER_ID
wasn't found in CrowdStrike. Please check the spelling. |
Action failed. Check the spelling. |
Error executing action "Update
Incident". Reason: at least one of the "Status" or "Assign To" parameters
should have a value. |
Action failed. Check input parameters. |
Script result
The following table describes the values for the script result output when using the Update Incident action:
Script result name | Value |
---|---|
is_success |
True or False |
Update IOC Information
Use the Update IOC Information action to update information about custom IOCs in CrowdStrike Falcon.
This action treats Hostname entities as domain IOCs and extracts the domain part out of URLs. This action supports only MD5 and SHA-256 hashes.
The Update IOC Information action runs on the following entities:
- Hostname
- URL
- IP address
- Hash
Action inputs
The Update IOC Information action requires the following parameters:
Parameter | Description |
---|---|
Description |
Optional
A new description for custom IOCs. |
Source |
Optional
A source for custom IOCs. |
Expiration days |
Optional
The number of days left until expiration. This parameter only affects the URL, IP address, and Hostname entities. |
Detect policy |
Optional
If selected, the action sends a notification for the identified IOCs. If not selected, the action sends no notification. Selected by default. |
Action outputs
The Update IOC Information action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Available |
Output messages | Available |
Script result | Available |
JSON result
The following example describes the JSON result output received when using the Update IOC Information action:
{
"id": "563df6a812f2e7020a17f77ccd809176ca3209cf7c9447ee36c86b4215860856",
"type": "md5",
"value": "7e4b0f81078f27fde4aeb87b78b6214c",
"source": "testSource",
"action": "detect",
"severity": "high",
"description": "test description update",
"platforms": [
"example"
],
"tags": [
"Hashes 17.Apr.18 12:20 (Example)"
],
"expiration": "2022-05-01T12:00:00Z",
"expired": false,
"deleted": false,
"applied_globally": true,
"from_parent": false,
"created_on": "2021-04-22T03:54:09.235120463Z",
"created_by": "internal@example.com",
"modified_on": "2021-09-16T10:09:07.755804336Z",
"modified_by": "c16fd3a055eb46eda81e064fa6dd43de"
}
Output messages
On a Case Wall, the Update IOC Information action provides the following output messages:
Output message | Message description |
---|---|
|
Action succeeded. |
Error executing action "Update IOC
Information". Reason: ERROR_REASON
|
Action failed. Check connection to the server, input parameters, or credentials. |
Script result
The following table describes the values for the script result output when using the Update IOC Information action:
Script result name | Value |
---|---|
is_success |
True or False |
Upload IOCs
Use the Upload IOCs action to add custom IOCs in CrowdStrike Falcon.
This action treats Hostname entities as domain IOCs and extracts the domain part out of URLs. This action supports only MD5 and SHA-256 hashes.
The Upload IOCs action runs on the following entities:
- IP address
- Hostname
- URL
- Hash
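The entity rules shared by the Update IOC Information and Upload IOCs actions (Hostname becomes a domain IOC, a URL is reduced to its host, only MD5 and SHA-256 hashes are accepted) are easy to get wrong when a playbook assembles an IOC batch itself, for example by pushing a SHA-1 or an unchanged URL. The following example applies those rules ahead of the action and validates the Platform parameter against the values named in the Upload IOCs error message. It is an added example, not the integration's own code: the entity type labels (`HOSTNAME`, `URL`, `ADDRESS`, `FILEHASH`), the treatment of a URL whose host is an IP literal, and the request field names (borrowed from the Update IOC Information JSON result) are assumptions, and the sample entities are constructed.

```python
"""Turn Google SecOps entities into the (type, value) pairs that the Upload
IOCs and Update IOC Information actions accept: Hostname entities become
domain IOCs, URLs are reduced to their host, IP addresses are typed as ipv4
or ipv6, and only MD5 and SHA-256 hashes are accepted. This is an added
example, not the integration's own code; the entity type labels and the
request field names are assumptions."""
import ipaddress
import re
from urllib.parse import urlsplit

_HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}
_HEX = re.compile(r"^[0-9a-fA-F]+$")
# Hash types the two actions accept; sha1 is deliberately absent.
_UPLOADABLE_HASHES = {"md5", "sha256"}
# Platform names taken from the "Invalid value provided for the parameter
# Platform" message in the Upload IOCs output messages.
SUPPORTED_PLATFORMS = ("Windows", "Linux", "Mac")


def _ip_type(text):
    """Return ('ipv4'|'ipv6', canonical address) or None if not an IP literal."""
    try:
        ip = ipaddress.ip_address(text)
    except ValueError:
        return None
    return ("ipv4" if ip.version == 4 else "ipv6", str(ip))


def entity_to_ioc(entity_type, value):
    """Map one entity to an IOC (type, value), or None if it can't be uploaded.

    entity_type is 'HOSTNAME', 'URL', 'ADDRESS' or 'FILEHASH' (labels chosen
    for this example, not the platform's identifiers).
    """
    value = value.strip()
    if entity_type == "FILEHASH":
        hash_type = _HASH_TYPES.get(len(value))
        if hash_type in _UPLOADABLE_HASHES and _HEX.match(value):
            return (hash_type, value.lower())
        return None  # SHA-1 or malformed: the actions don't support it
    if entity_type == "ADDRESS":
        return _ip_type(value)
    if entity_type == "URL":
        # urlsplit only fills hostname when a scheme is present.
        parts = urlsplit(value if "://" in value else "http://" + value)
        host = parts.hostname  # lower-cased, port and IPv6 brackets removed
        if not host:
            return None
        # Example's choice: a URL whose host is an IP literal becomes an IP
        # IOC rather than a bogus domain IOC.
        return _ip_type(host) or ("domain", host.rstrip("."))
    if entity_type == "HOSTNAME":
        return ("domain", value.lower().rstrip("."))
    return None


def build_upload_batch(entities, platforms, severity, action="detect"):
    """Validate the Platform parameter, then normalize and de-duplicate.

    Returns (iocs, skipped): iocs are dicts using the field names seen in the
    Update IOC Information JSON result (type, value, platforms, severity,
    action); skipped lists the entities that can't be uploaded.
    """
    platform_list = [p.strip() for p in platforms.split(",") if p.strip()]
    bad = [p for p in platform_list if p not in SUPPORTED_PLATFORMS]
    if bad:
        raise ValueError(
            f"Invalid value provided for the parameter 'Platform': {bad}. "
            f"Possible values: {', '.join(SUPPORTED_PLATFORMS)}.")
    iocs, skipped, seen = [], [], set()
    for entity_type, value in entities:
        ioc = entity_to_ioc(entity_type, value)
        if ioc is None:
            skipped.append((entity_type, value))
            continue
        if ioc in seen:  # same host reached via a URL and a Hostname entity
            continue
        seen.add(ioc)
        iocs.append({"type": ioc[0], "value": ioc[1], "platforms": platform_list,
                     "severity": severity, "action": action})
    return iocs, skipped


# Constructed sample entities (documentation addresses and well-known
# empty-input digests, not real indicators).
SAMPLE_ENTITIES = [
    ("URL", "https://Evil.Example.com:8443/payload.exe"),
    ("HOSTNAME", "evil.example.com."),
    ("ADDRESS", "198.51.100.23"),
    ("URL", "http://[2001:db8::1]/c2"),
    ("FILEHASH", "d41d8cd98f00b204e9800998ecf8427e"),                          # MD5
    ("FILEHASH", "da39a3ee5e6b4b0d3255bfef95601890afd80709"),                  # SHA-1, skipped
    ("FILEHASH", "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855"),  # SHA-256
]

if __name__ == "__main__":
    iocs, skipped = build_upload_batch(SAMPLE_ENTITIES, "Windows, Linux", "high")
    for ioc in iocs:
        print(ioc["type"], ioc["value"])
    print("skipped:", skipped)
```

Surfacing `skipped` in the playbook, rather than silently dropping unsupported entities, is what tells an analyst that a SHA-1 from a threat report never reached CrowdStrike.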
Action inputs
The Upload IOCs action requires the following parameters:
Parameter | Description |
---|---|
Platform |
Required
A comma-separated list of platforms related to the IOC. The default value is
|
Severity |
Required
A severity of the IOC. The default value is
|
Comment |
Optional
A comment containing more context related to the IOC. |
Host Group Name |
Required
The name of the host group. |
Action |
Optional
An action for uploaded IOCs. The default value is The possible values are as follows:
The |
Action outputs
The Upload IOCs action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Not available |
Output messages | Available |
Script result | Available |
Output messages
The Upload IOCs action provides the following output messages:
Output message | Message description |
---|---|
|
Action succeeded. |
Error executing action "Upload IOCs".
Reason: ERROR_REASON |
Action failed. Check connection to the server, input parameters, or credentials. |
Error executing action "Upload IOCs". Reason: Host group
"HOST_GROUP_NAME" was not found.
Please check the spelling. |
Action failed. Check the |
Error executing action "Upload IOCs".
Invalid value provided for the parameter "Platform". Possible values:
Windows, Linux, Mac. |
Action failed. Check the |
Script result
The following table describes the values for the script result output when using the Upload IOCs action:
Script result name | Value |
---|---|
is_success |
True or False |
Connectors
Make sure you've configured the minimal permissions for every CrowdStrike connector. For more details, refer to the Connector permissions section of this document.
For instructions on how to configure a connector in Google SecOps, see Ingest your data (connectors).
CrowdStrike events
Events are pieces of information gathered by the Falcon sensors on your hosts. There are four types of events in CrowdStrike:
CrowdStrike event type | Description |
---|---|
Auth activity audit events | Events generated every time the authorization is requested, allowed, or completed on endpoints. |
Detection summary events | Events generated when threats are detected on endpoints. |
Remote response session end events | Events generated from remote sessions on endpoints. |
User activity audit events | Events generated to monitor activities carried out by active users on endpoints. |
Connectors ingest events into Google SecOps to create alerts and enrich cases with event data. You can select what events to ingest into Google SecOps: all event types or selected ones.
CrowdStrike Detections Connector
Use the CrowdStrike Detections Connector to pull detections from CrowdStrike.
The dynamic list works with filters supported by the CrowdStrike API.
How to work with the dynamic list
When working with the dynamic list, adhere to the following recommendations:
- Use the CrowdStrike FQL language to modify the filter sent by the connector.
- Provide a separate entry in the dynamic list for each filter.
For example, to ingest all detections assigned to a specific analyst, add the following dynamic list entry:
assigned_to_name:'ANALYST_USER_NAME'
The dynamic list supports the following parameters:
Supported parameter | Description |
---|---|
q |
A full text search across all metadata fields. |
date_updated |
A date of the most recent detection update. |
assigned_to_name |
The human-readable username of the detection assignee. |
max_confidence |
When a detection has more than one associated behavior with varying confidence levels, this field captures the highest confidence value of all behaviors. The parameter value can be any integer from 1 to 100. |
detection_id |
The detection ID that can be used in conjunction with other APIs, such as the Detection Details API or Resolve Detection API. |
max_severity |
When a detection has more than one associated behavior with varying severity levels, this field captures the highest severity value of all behaviors. The parameter value can be any integer from 1 to 100. |
max_severity_displayname |
The name used in UI to determine the detection severity. The possible values are as follows:
|
seconds_to_triaged |
The time required for a detection to change its status from
new to in_progress . |
seconds_to_resolved |
The time required for a detection to change its status from
new to any of the resolved states (true_positive ,
false_positive , ignored , and
closed ). |
status |
A current status of the detection. The possible values are as follows:
|
adversary_ids |
The IDs of adversaries tracked by CrowdStrike Falcon Intelligence that are attributed to the behaviors or indicators in a detection. These IDs are part of the detection metadata returned by the Detection Details API. |
cid |
The customer ID (CID) of your organization. |
Connector parameters
The CrowdStrike Detections Connector requires the following parameters:
Parameter | Description |
---|---|
Product Field Name |
Required
The source field name that contains the The default value is |
Event Field Name |
Required
The source field name that contains the The default value is |
Environment Field Name |
Optional
The name of the field where the environment name is stored. If the environment field isn't found, the default environment is used. Default value is |
Environment Regex Pattern |
Optional
A regular expression pattern to run on the value found in the
Use the default value If the regular expression pattern is null or empty, or the environment value is null, the final environment result is the default environment. |
Script Timeout (Seconds) |
Required The timeout limit in seconds for the Python process running the current script. The default value is |
API Root |
Required
The API root of the CrowdStrike instance. The default value is |
Client ID |
Required
The client ID of the CrowdStrike account. |
Client Secret |
Required
The client Secret of the CrowdStrike account. |
Lowest Severity Score To Fetch |
Optional
The lowest severity score of the detections to fetch. If no value is provided, the connector doesn't apply this filter. The maximum value is The default value is
|
Lowest Confidence Score To Fetch |
Optional
The lowest confidence score of the detections to fetch. If no value is provided, the connector doesn't apply this filter. The maximum value is The default value is
|
Max Hours Backwards |
Optional
The amount of hours to fetch detections from. The default value is |
Max Detections To Fetch |
Optional
The number of detections to process in a single connector iteration. The default value is |
Disable Overflow |
Optional If selected, the connector ignores the overflow mechanism. Not selected by default. |
Verify SSL |
Required
If selected, the integration verifies that the SSL certificate for the connection to the CrowdStrike server is valid. Not selected by default. |
Proxy Server Address |
Optional
An address of the proxy server to use. |
Proxy Username |
Optional
A proxy username to authenticate with. |
Proxy Password |
Optional
A proxy password to authenticate with. |
Alert Name Template |
Optional
If provided, the connector uses this value for the Google SecOps alert name. You can provide placeholders
in the following format: [ If you provide no value or an invalid template, the connector uses the default alert name. The connector uses the first Google SecOps event for placeholders. This parameter allows only keys with a string value. |
Padding Period |
Optional
The number of hours that the connector uses for padding. The maximum value is |
Connector rules
The connector supports proxies.
Connector events
An example of the connector event is as follows:
```json
{
  "cid": "27fe4e476ca3490b8476b2b6650e5a74",
  "created_timestamp": "2021-01-12T16:19:08.651448357Z",
  "detection_id": "ldt:74089e36ac3a4271ab14abc076ed18eb:4317290676",
  "device": {
    "device_id": "74089e36ac3a4271ab14abc076ed18eb",
    "cid": "27fe4e476ca3490b8476b2b6650e5a74",
    "agent_load_flags": "0",
    "agent_local_time": "2021-01-12T16:07:16.205Z",
    "agent_version": "6.13.12708.0",
    "bios_manufacturer": "Example LTD",
    "bios_version": "6.00",
    "config_id_base": "65994753",
    "config_id_build": "12708",
    "config_id_platform": "3",
    "external_ip": "203.0.113.1",
    "hostname": "EXAMPLE-01",
    "first_seen": "2021-01-12T16:01:43Z",
    "last_seen": "2021-01-12T16:17:21Z",
    "local_ip": "192.0.2.1",
    "mac_address": "00-50-56-a2-5d-a3",
    "major_version": "10",
    "minor_version": "0",
    "os_version": "Windows 10",
    "platform_id": "0",
    "platform_name": "Windows",
    "product_type": "1",
    "product_type_desc": "Workstation",
    "status": "normal",
    "system_manufacturer": "Example, Inc.",
    "system_product_name": "Example ",
    "modified_timestamp": "2021-01-12T16:17:29Z"
  },
  "behaviors": [
    {
      "device_id": "74089e36ac3a4271ab14abc076ed18eb",
      "timestamp": "2021-01-12T16:17:19Z",
      "template_instance_id": "10",
      "behavior_id": "10146",
      "filename": "reg.exe",
      "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\reg.exe",
      "alleged_filetype": "exe",
      "cmdline": "REG ADD HKCU\\Environment /f /v UserInitMprLogonScript /t REG_MULTI_SZ /d \"C:\\TMP\\mim.exe sekurlsa::LogonPasswords > C:\\TMP\\o.txt\"",
      "scenario": "credential_theft",
      "objective": "Gain Access",
      "tactic": "Credential Access",
      "tactic_id": "TA0006",
      "technique": "Credential Dumping",
      "technique_id": "T1003",
      "display_name": "Example-Name",
      "severity": 70,
      "confidence": 80,
      "ioc_type": "hash_sha256",
      "ioc_value": "b211c25bf0b10a82b47e9d8da12155aad95cff14cebda7c4acb35a94b433ddfb",
      "ioc_source": "library_load",
      "ioc_description": "\\Device\\HarddiskVolume2\\Windows\\System32\\reg.exe",
      "user_name": "Admin",
      "user_id": "example-id",
      "control_graph_id": "ctg:74089e36ac3a4271ab14abc076ed18eb:4317290676",
      "triggering_process_graph_id": "pid:74089e36ac3a4271ab14abc076ed18eb:4746437404",
      "sha256": "b211c25bf0b10a82b47e9d8da12155aad95cff14cebda7c4acb35a94b433ddfb",
      "md5": "05cf3ce225b05b669e3118092f4c8eab",
      "parent_details": {
        "parent_sha256": "d0ceb18272966ab62b8edff100e9b4a6a3cb5dc0f2a32b2b18721fea2d9c09a5",
        "parent_md5": "9d59442313565c2e0860b88bf32b2277",
        "parent_cmdline": "C:\\Windows\\system32\\cmd.exe /c \"\"C:\\Users\\Admin\\Desktop\\APTSimulator-master\\APTSimulator-master\\APTSimulator.bat\" \"",
        "parent_process_graph_id": "pid:74089e36ac3a4271ab14abc076ed18eb:4520199381"
      },
      "pattern_disposition": 2048,
      "pattern_disposition_details": {
        "indicator": false,
        "detect": false,
        "inddet_mask": false,
        "sensor_only": false,
        "rooting": false,
        "kill_process": false,
        "kill_subprocess": false,
        "quarantine_machine": false,
        "quarantine_file": false,
        "policy_disabled": false,
        "kill_parent": false,
        "operation_blocked": false,
        "process_blocked": true,
        "registry_operation_blocked": false,
        "critical_process_disabled": false,
        "bootup_safeguard_enabled": false,
        "fs_operation_blocked": false,
        "handle_operation_downgraded": false
      }
    }
  ],
  "email_sent": false,
  "first_behavior": "2021-01-12T16:17:19Z",
  "last_behavior": "2021-01-12T16:17:19Z",
  "max_confidence": 80,
  "max_severity": 70,
  "max_severity_displayname": "High",
  "show_in_ui": true,
  "status": "new",
  "hostinfo": {
    "domain": ""
  },
  "seconds_to_triaged": 0,
  "seconds_to_resolved": 0
}
```
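To make the Detections Connector parameters concrete, here is an added Python example, written for this page and not code from the Google SecOps integration, that applies the Lowest Severity Score To Fetch, Lowest Confidence Score To Fetch, Max Hours Backwards and Max Detections To Fetch semantics described above to detection events shaped like the sample, and lists which pattern_disposition_details flags the sensor already set. The sample detections are constructed (the first is abbreviated from the event above, the other two are invented); the oldest-first ordering and the use of created_timestamp for the look-back window are assumptions, and the parameter handling is an emulation of the documented behaviour rather than the connector's implementation.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample detections. The first is abbreviated from the page's
# example event; the other two are invented to exercise the filters.
SAMPLE_DETECTIONS = [
    {
        "detection_id": "ldt:74089e36ac3a4271ab14abc076ed18eb:4317290676",
        "created_timestamp": "2021-01-12T16:19:08.651448357Z",
        "status": "new",
        "max_severity": 70,
        "max_confidence": 80,
        "behaviors": [{
            "severity": 70, "confidence": 80,
            "tactic_id": "TA0006", "technique_id": "T1003",
            "pattern_disposition_details": {"process_blocked": True, "quarantine_file": False},
        }],
    },
    {   # constructed: low severity, two behaviors, nothing blocked by the sensor
        "detection_id": "ldt:74089e36ac3a4271ab14abc076ed18eb:4317290677",
        "created_timestamp": "2021-01-12T16:30:00Z",
        "status": "new",
        "max_severity": 30,
        "max_confidence": 50,
        "behaviors": [
            {"severity": 10, "confidence": 50, "pattern_disposition_details": {"process_blocked": False}},
            {"severity": 30, "confidence": 40, "pattern_disposition_details": {}},
        ],
    },
    {   # constructed: high severity, but created hours before the others
        "detection_id": "ldt:74089e36ac3a4271ab14abc076ed18eb:4317290600",
        "created_timestamp": "2021-01-12T10:00:00Z",
        "status": "new",
        "max_severity": 90,
        "max_confidence": 90,
        "behaviors": [{"severity": 90, "confidence": 90,
                       "pattern_disposition_details": {"quarantine_file": True}}],
    },
]

# Fixed "now" so the look-back window is reproducible (constructed).
NOW = datetime(2021, 1, 12, 17, 0, tzinfo=timezone.utc)


def parse_falcon_timestamp(value: str) -> datetime:
    """Parse a Falcon UTC timestamp such as '2021-01-12T16:19:08.651448357Z'.
    Falcon emits up to nine fractional digits, which datetime.fromisoformat
    does not accept on every Python version, so the fraction is truncated to
    microseconds by hand."""
    if not value.endswith("Z"):
        raise ValueError(f"expected a UTC 'Z' timestamp, got {value!r}")
    body = value[:-1]
    micro = 0
    if "." in body:
        body, fraction = body.split(".", 1)
        micro = int(fraction[:6].ljust(6, "0"))
    base = datetime.strptime(body, "%Y-%m-%dT%H:%M:%S")
    return base.replace(microsecond=micro, tzinfo=timezone.utc)


def max_severity_from_behaviors(detection: dict) -> int:
    """max_severity is the highest severity across the detection's behaviors."""
    return max((b.get("severity", 0) for b in detection.get("behaviors", [])), default=0)


def passes_score_filters(detection: dict, lowest_severity=None, lowest_confidence=None) -> bool:
    """An empty threshold (None) means the connector applies no filter for it.
    Both scores are integers from 1 to 100 on the detection."""
    if lowest_severity is not None and detection.get("max_severity", 0) < lowest_severity:
        return False
    if lowest_confidence is not None and detection.get("max_confidence", 0) < lowest_confidence:
        return False
    return True


def select_detections(detections, now, lowest_severity=None, lowest_confidence=None,
                      max_hours_backwards=1, max_detections=10) -> list:
    """Emulate one connector iteration: keep detections created within the
    look-back window that pass the score thresholds, oldest first (assumed
    ordering), capped at max_detections."""
    earliest = now - timedelta(hours=max_hours_backwards)
    candidates = [
        d for d in detections
        if parse_falcon_timestamp(d["created_timestamp"]) >= earliest
        and passes_score_filters(d, lowest_severity, lowest_confidence)
    ]
    candidates.sort(key=lambda d: parse_falcon_timestamp(d["created_timestamp"]))
    return candidates[:max_detections]


def sensor_actions(detection: dict) -> list:
    """Sorted names of pattern_disposition_details flags that are true on any
    behavior, e.g. ['process_blocked']: what the sensor already did."""
    actions = set()
    for behavior in detection.get("behaviors", []):
        for flag, value in behavior.get("pattern_disposition_details", {}).items():
            if value is True:
                actions.add(flag)
    return sorted(actions)


if __name__ == "__main__":
    for d in select_detections(SAMPLE_DETECTIONS, NOW, lowest_severity=50, max_hours_backwards=1):
        print(d["detection_id"], d["max_severity"], sensor_actions(d))
```

During triage, sensor_actions() shows at a glance whether the sensor already blocked the process or quarantined the file, which changes how urgently manual containment is needed.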
CrowdStrike Falcon Streaming Events Connector
The CrowdStrike Falcon Streaming Events Connector addresses the following use cases:
Detection events data ingestion: CrowdStrike Falcon detects an attempt to execute the malicious SophosCleanM.exe file on an endpoint. CrowdStrike stops the operation and creates an alert containing file hashes in the event data. An analyst interested in file reputation runs the discovered hashes in VirusTotal and finds out that a hash is malicious. As a next step, the McAfee EDR action quarantines the malicious file.
User activity audit events data ingestion: A CrowdStrike user, Dani, updates the detection status from new to false-positive. This user action creates an event named detection_update. The analyst performs a follow-up to understand why Dani marked it as a false positive and checks the ingested event containing the information about Dani's identity. As a next step, the analyst runs the Active Directory Enrich Entities action to obtain more details about the incident and simplify tracking Dani down.
Auth activity audit events data ingestion: An event indicates that Dani has created a new user account and granted user roles to it. To investigate the event and understand why the user was created, the analyst uses Dani's user ID to run the Active Directory Enrich Entities action and find out Dani's user role to confirm whether they are authorized to add new users.
Remote response end events data ingestion: A remote event indicates that Dani had a remote connection to a specific host and executed commands as the root user to access a web server directory. To get more information about both Dani and the host involved, the analyst runs the Active Directory action to enrich both the user and the host. Based on the information returned, the analyst might decide to suspend Dani until the purpose of the remote connection is clarified.
Connector inputs
The CrowdStrike Falcon Streaming Event Connector requires the following parameters:
| Parameter | Type | Description |
|---|---|---|
| Product Field Name | Required | The source field name that contains the The default value is |
| Event Field Name | Required | The source field name that contains the The default value is |
| Environment Field Name | Optional | The name of the field where the environment name is stored. If the environment field isn't found, the default environment is used. Default value is |
| Environment Regex Pattern | Optional | A regular expression pattern to run on the value found in the Use the default value If the regular expression pattern is null or empty, or the environment value is null, the final environment result is the default environment. |
| API Root | Required | The API root of the CrowdStrike instance. The default value is |
| Client ID | Required | The client ID of the CrowdStrike account. |
| Client Secret | Required | The client secret of the CrowdStrike account. |
| Event types | Optional | A comma-separated list of event types. Examples of the event types are as follows: |
| Max Days Backwards | Optional | The number of days before today to retrieve detections from. The default value is |
| Max Events Per Cycle | Optional | The number of events to process in a single connector iteration. The default value is |
| Min Severity | Optional | The minimum severity of detection events to ingest. The value ranges from 0 to 5. If other event types besides detections are ingested, their severity is set to |
| Disable Overflow | Optional | If selected, the connector ignores the overflow mechanism. Not selected by default. |
| Verify SSL | Required | If selected, the integration verifies that the SSL certificate for the connection to the CrowdStrike server is valid. Not selected by default. |
| Script Timeout (Seconds) | Required | The timeout limit for the Python process running the current script. The default value is 60 seconds. |
| Proxy Server Address | Optional | The address of the proxy server to use. |
| Proxy Username | Optional | The proxy username to authenticate with. |
| Proxy Password | Optional | The proxy password to authenticate with. |
| Rule Generator Template | Optional | If provided, the connector uses this value for the Google SecOps rule generator. You can provide placeholders in the following format: [ If you provide no value or an invalid template, the connector uses the default rule generator. The connector uses the first Google SecOps event for placeholders. This parameter allows only keys with a string value. |
Connector rules
This connector supports proxies.
This connector doesn't support the dynamic list.
CrowdStrike Identity Protection Detections Connector
Use the CrowdStrike Identity Protection Detections Connector to pull identity protection detections from CrowdStrike. The dynamic list works with the display_name parameter.
This connector requires an Identity Protection license.
Connector inputs
The CrowdStrike Identity Protection Detections Connector requires the following parameters:
| Parameter | Type | Description |
|---|---|---|
| Product Field Name | Required | The source field name that contains the The default value is |
| Event Field Name | Required | The source field name that contains the The default value is |
| Environment Field Name | Optional | The name of the field where the environment name is stored. If the environment field isn't found, the default environment is used. Default value is |
| Environment Regex Pattern | Optional | A regular expression pattern to run on the value found in the Use the default value If the regular expression pattern is null or empty, or the environment value is null, the final environment result is the default environment. |
| Script Timeout (Seconds) | Required | The timeout limit in seconds for the Python process running the current script. The default value is |
| API Root | Required | The API root of the CrowdStrike instance. The default value is |
| Client ID | Required | The client ID of the CrowdStrike account. |
| Client Secret | Required | The client secret of the CrowdStrike account. |
| Lowest Severity Score To Fetch | Optional | The lowest severity score of the detections to fetch. If no value is provided, the connector doesn't apply this filter. The maximum value is The default value is The connector also supports the following values for this parameter: |
| Lowest Confidence Score To Fetch | Optional | The lowest confidence score of the detections to fetch. If no value is provided, the connector doesn't apply this filter. The maximum value is The default value is |
| Max Hours Backwards | Optional | The number of hours before now to retrieve detections from. The default value is |
| Max Detections To Fetch | Optional | The number of detections to process in a single connector iteration. The default value is |
| Disable Overflow | Optional | If selected, the connector ignores the overflow mechanism. Not selected by default. |
| Verify SSL | Required | If selected, the integration verifies that the SSL certificate for the connection to the CrowdStrike server is valid. Not selected by default. |
| Proxy Server Address | Optional | The address of the proxy server to use. |
| Proxy Username | Optional | The proxy username to authenticate with. |
| Proxy Password | Optional | The proxy password to authenticate with. |
Connector rules
This connector supports proxies.
Connector event
An example of the connector event is as follows:
```json
{
  "added_privileges": [
    "DomainAdminsRole"
  ],
  "aggregate_id": "aggind:27fe4e476ca3490b8476b2b6650e5a74:C34185DF-C3BA-4F69-93EB-1B61A213AF86",
  "cid": "27fe4e476ca3490b8476b2b6650e5a74",
  "composite_id": "27fe4e476ca3490b8476b2b6650e5a74:ind:27fe4e476ca3490b8476b2b6650e5a74:C34185DF-C3BA-4F69-93EB-1B61A213AF86",
  "confidence": 20,
  "context_timestamp": "2022-11-15T12:58:13.155Z",
  "crawl_edge_ids": {
    "Sensor": [
      "N6Fq4_]TKjckDDWI$fKO`l>_^KFO4!,Z/&o<H7_)4[Ip*h@KUG8%Xn3Fm3@]<gF_c,c1eeW\\O-J9l;HhVHA\"DH#\\pO1M#>X^dZWWg%V:`[+@g9@3h\"Q\"7r8&lj-o[K@24f;Xl.rlhgWC8%j5\\O7p/G7iQ*ST&12];a_!REjkIUL.R,/U^?]I!!*'!",
      "XNXPaK.m]6i\"HhDPGX=XlMl2?8Mr#H;,A,=7aF9N)>5*/Hc!D_>MmDTO\\t1>Oi6ENO`QkWK=@M9q?[I+pm^)mj5=T_EJ\"4cK99U+!/ERSdo(X^?.Z>^]kq!ECXH$T.sfrJpT:TE+(k]<'Hh]..+*N%h_5<Z,63,n!!*'!",
      "N6L$J`'>\":d#'I2pLF4-ZP?S-Qu#75O,>ZD+B,m[\"eGe@(]>?Nqsh8T3*q=L%=`KI_C[Wmj3?D!=:`(K)7/2g&8cCuB`r9e\"jTp/QqK7.GocpPSq4\\-#t1Q*%5C0%S1$f>KT&a81dJ!Up@EZY*;ssFlh8$cID*qr1!)S<!m@A@s%JrG9Go-f^B\"<7s8N"
    ]
  },
  "crawl_vertex_ids": {
    "Sensor": [
      "uid:27fe4e476ca3490b8476b2b6650e5a74:S-1-5-21-3479765008-4256118348-3151044947-3195",
      "ind:27fe4e476ca3490b8476b2b6650e5a74:C34185DF-C3BA-4F69-93EB-1B61A213AF86",
      "aggind:27fe4e476ca3490b8476b2b6650e5a74:C34185DF-C3BA-4F69-93EB-1B61A213AF86",
      "idpind:27fe4e476ca3490b8476b2b6650e5a74:715224EE-7AD6-33A1-ADA9-62C4608DA546"
    ]
  },
  "crawled_timestamp": "2022-11-15T14:33:50.641703679Z",
  "created_timestamp": "2022-11-15T12:59:15.444106807Z",
  "description": "A user received new privileges",
  "display_name": "Privilege escalation (user)",
  "end_time": "2022-11-15T12:58:13.155Z",
  "falcon_host_link": "https://example.com/identity-protection/detections/",
  "id": "ind:27fe4e476ca3490b8476b2b6650e5a74:C34185DF-C3BA-4F69-93EB-1B61A213AF86",
  "name": "IdpEntityPrivilegeEscalationUser",
  "objective": "Gain Access",
  "pattern_id": 51113,
  "previous_privileges": "0",
  "privileges": "8321",
  "product": "idp",
  "scenario": "privilege_escalation",
  "severity": 2,
  "show_in_ui": true,
  "source_account_domain": "EXAMPLE.COM",
  "source_account_name": "ExampleName",
  "source_account_object_sid": "S-1-5-21-3479765008-4256118348-3151044947-3195",
  "start_time": "2022-11-15T12:58:13.155Z",
  "status": "new",
  "tactic": "Privilege Escalation",
  "tactic_id": "TA0004",
  "technique": "Valid Accounts",
  "technique_id": "T1078",
  "timestamp": "2022-11-15T12:58:15.397Z",
  "type": "idp-user-endpoint-app-info",
  "updated_timestamp": "2022-11-15T14:33:50.635238527Z"
}
```
CrowdStrike Incidents Connector
Use the CrowdStrike Incidents Connector to pull incidents and related behaviors from CrowdStrike. The dynamic list works with the incident_type parameter.
Connector parameters
The CrowdStrike Incidents Connector requires the following parameters:
| Parameter | Type | Description |
|---|---|---|
| Product Field Name | Required | The source field name that contains the The default value is |
| Event Field Name | Required | The source field name that contains the The default value is |
| Environment Field Name | Optional | The name of the field where the environment name is stored. If the environment field isn't found, the default environment is used. Default value is |
| Environment Regex Pattern | Optional | A regular expression pattern to run on the value found in the Use the default value If the regular expression pattern is null or empty, or the environment value is null, the final environment result is the default environment. |
| Script Timeout (Seconds) | Required | The timeout limit in seconds for the Python process running the current script. The default value is |
| API Root | Required | The API root of the CrowdStrike instance. The default value is |
| Client ID | Required | The client ID of the CrowdStrike account. |
| Client Secret | Required | The client secret of the CrowdStrike account. |
| Lowest Severity Score To Fetch | Optional | The lowest severity score of the incidents to fetch. If no value is provided, the connector ingests incidents with all severities. The maximum value is |
| Max Hours Backwards | Optional | The number of hours before now to retrieve incidents from. The default value is |
| Max Incidents To Fetch | Optional | The number of incidents to process in a single connector iteration. The maximum value is The default value is |
| Use dynamic list as a blocklist | Required | If selected, the dynamic list is used as a blocklist. Not selected by default. |
| Disable Overflow | Optional | If selected, the connector ignores the overflow mechanism. Not selected by default. |
| Verify SSL | Required | If selected, the integration verifies that the SSL certificate for the connection to the CrowdStrike server is valid. Not selected by default. |
| Proxy Server Address | Optional | The address of the proxy server to use. |
| Proxy Username | Optional | The proxy username to authenticate with. |
| Proxy Password | Optional | The proxy password to authenticate with. |
Connector rules
This connector supports proxies.
Connector events
The CrowdStrike Incidents Connector has two types of events: one based on an incident and the other on a behavior.
An example of an incident-based event is as follows:
```json
{
  "data_type": "Incident",
  "incident_id": "inc:fee8a6ef0cb3412e9a781dcae0287c85:9dfa480ae6214309bff0c8dc2ad8af7c",
  "incident_type": 1,
  "cid": "27fe4e476ca3490b8476b2b6650e5a74",
  "host_ids": [
    "fee8a6ef0cb3412e9a781dcae0287c85"
  ],
  "hosts": [
    {
      "device_id": "fee8a6ef0cb3412e9a781dcae0287c85",
      "cid": "27fe4e476ca3490b8476b2b6650e5a74",
      "agent_load_flags": "1",
      "agent_local_time": "2023-01-09T11:28:59.170Z",
      "agent_version": "6.48.16207.0",
      "bios_manufacturer": "Example Inc.",
      "bios_version": "1.20.0",
      "config_id_base": "65994753",
      "config_id_build": "16207",
      "config_id_platform": "3",
      "external_ip": "203.0.113.1",
      "hostname": "DESKTOP-EXAMPLE",
      "first_seen": "2022-09-26T09:56:42Z",
      "last_seen": "2023-01-09T12:11:35Z",
      "local_ip": "192.0.2.1",
      "mac_address": "00-15-5d-65-39-86",
      "major_version": "01",
      "minor_version": "0",
      "os_version": "Windows 10",
      "platform_id": "0",
      "platform_name": "Windows",
      "product_type": "1",
      "product_type_desc": "Workstation",
      "status": "contained",
      "system_manufacturer": "Example Inc.",
      "system_product_name": "G5 5500",
      "modified_timestamp": "2023-01-09T12:11:48Z"
    }
  ],
  "created": "2023-01-09T12:12:51Z",
  "start": "2023-01-09T11:23:27Z",
  "end": "2023-01-09T12:52:01Z",
  "state": "closed",
  "status": 20,
  "tactics": [
    "Defense Evasion",
    "Privilege Escalation",
    "Credential Access"
  ],
  "techniques": [
    "Disable or Modify Tools",
    "Access Token Manipulation",
    "Input Capture",
    "Bypass User Account Control"
  ],
  "objectives": [
    "Keep Access",
    "Gain Access"
  ],
  "users": [
    "DESKTOP-EXAMPLE$",
    "EXAMPLE"
  ],
  "fine_score": 21
}
```
An example of a behavior-based event is as follows:
```json
{
  "behavior_id": "ind:fee8a6ef0cb3412e9a781dcae0287c85:1298143147841-372-840208",
  "cid": "27fe4e476ca3490b8476b2b6650e5a74",
  "aid": "fee8a6ef0cb3412e9a781dcae0287c85",
  "incident_id": "inc:fee8a6ef0cb3412e9a781dcae0287c85:9dfa480ae6214309bff0c8dc2ad8af7c",
  "incident_ids": [
    "inc:fee8a6ef0cb3412e9a781dcae0287c85:9dfa480ae6214309bff0c8dc2ad8af7c"
  ],
  "pattern_id": 372,
  "template_instance_id": 0,
  "timestamp": "2023-01-09T11:24:25Z",
  "cmdline": "\"C:\\WINDOWS\\system32\\SystemSettingsAdminFlows.exe\" SetNetworkAdapter {4ebe49ef-86f5-4c15-91b9-8da03d796416} enable",
  "filepath": "\\Device\\HarddiskVolume3\\Windows\\System32\\SystemSettingsAdminFlows.exe",
  "domain": "DESKTOP-EXAMPLE",
  "pattern_disposition": -1,
  "sha256": "78f926520799565373b1a8a42dc4f2fa328ae8b4de9df5eb885c0f7c971040d6",
  "user_name": "EXAMPLE",
  "tactic": "Privilege Escalation",
  "tactic_id": "TA0004",
  "technique": "Bypass User Account Control",
  "technique_id": "T1548.002",
  "display_name": "ProcessIntegrityElevationTarget",
  "objective": "Gain Access",
  "compound_tto": "GainAccess__PrivilegeEscalation__BypassUserAccountControl__1__0__0__0"
}
```
CrowdStrike – Alerts Connector
Use the CrowdStrike – Alerts Connector to pull alerts from CrowdStrike. The dynamic list works with the display_name parameter.
To fetch identity protection detections, use the Identity Protection Detections Connector.
Connector inputs
The CrowdStrike – Alerts Connector requires the following parameters:
| Parameter | Type | Description |
|---|---|---|
| Product Field Name | Required | The source field name that contains the The default value is |
| Event Field Name | Required | The source field name that contains the The default value is |
| Environment Field Name | Optional | The name of the field where the environment name is stored. If the environment field isn't found, the default environment is used. Default value is |
| Environment Regex Pattern | Optional | A regular expression pattern to run on the value found in the Use the default value If the regular expression pattern is null or empty, or the environment value is null, the final environment result is the default environment. |
| Script Timeout (Seconds) | Required | The timeout limit in seconds for the Python process running the current script. The default value is |
| API Root | Required | The API root of the CrowdStrike instance. The default value is |
| Client ID | Required | The client ID of the CrowdStrike account. |
| Client Secret | Required | The client secret of the CrowdStrike account. |
| Lowest Severity Score To Fetch | Optional | The lowest severity score of the incidents to fetch. If no value is provided, the connector ingests incidents with all severities. The maximum value is In the CrowdStrike UI, the same value is presented as divided by 10. |
| Max Hours Backwards | Optional | The number of hours before now to retrieve incidents from. The default value is |
| Max Alerts To Fetch | Optional | The number of alerts to process in a single connector iteration. The maximum value is The default value is |
| Use dynamic list as a blocklist | Required | If selected, the connector uses the dynamic list as a blocklist. Not selected by default. |
| Disable Overflow | Optional | If selected, the connector ignores the overflow mechanism. Not selected by default. |
| Verify SSL | Required | If selected, the integration verifies that the SSL certificate for the connection to the CrowdStrike server is valid. Not selected by default. |
| Proxy Server Address | Optional | The address of the proxy server to use. |
| Proxy Username | Optional | The proxy username to authenticate with. |
| Proxy Password | Optional | The proxy password to authenticate with. |
Connector rules
This connector supports proxies.
Connector events
An example of an alert event is as follows:
```json
{
  "added_privileges": [
    "DomainAdminsRole"
  ],
  "aggregate_id": "aggind:27fe4e476ca3490b8476b2b6650e5a74",
  "cid": "27fe4e476ca3490b8476b2b6650e5a74",
  "composite_id": "27fe4e476ca3490b8476b2b6650e5a74:ind:27fe4e476ca3490b8476b2b6650e5a74",
  "confidence": 20,
  "context_timestamp": "2022-11-15T12:58:13.155Z",
  "crawl_edge_ids": {
    "Sensor": [
      "N6Fq4_]TKjckDDWI$fKO`l>_^KFO4!,Z/&o<H7_)4[Ip*h@KUG8%Xn3Fm3@]<gF_c,c1eeW\\O-J9l;HhVHA\"DH#\\pO1M#>X^dZWWg%V:`[+@g9@3h\"Q\"7r8&lj-o[K@24f;Xl.rlhgWC8%j5\\O7p/G7iQ*ST&12];a_!REjkIUL.R,/U^?]I!!*'!",
      "XNXPaK.m]6i\"HhDPGX=XlMl2?8Mr#H;,A,=7aF9N)>5*/Hc!D_>MmDTO\\t1>Oi6ENO`QkWK=@M9q?[I+pm^)mj5=T_EJ\"4cK99U+!/ERSdo(X^?.Z>^]kq!ECXH$T.sfrJpT:TE+(k]<'Hh]..+*N%h_5<Z,63,n!!*'!",
      "N6L$J`'>\":d#'I2pLF4-ZP?S-Qu#75O,>ZD+B,m[\"eGe@(]>?Nqsh8T3*q=L%=`KI_C[Wmj3?D!=:`(K)7/2g&8cCuB`r9e\"jTp/QqK7.GocpPSq4\\-#t1Q*%5C0%S1$f>KT&a81dJ!Up@EZY*;ssFlh8$cID*qr1!)S<!m@A@s%JrG9Go-f^B\"<7s8N"
    ]
  },
  "crawl_vertex_ids": {
    "Sensor": [
      "uid:27fe4e476ca3490b8476b2b6650e5a74:S-1-5-21-3479765008-4256118348-3151044947-3195",
      "ind:27fe4e476ca3490b8476b2b6650e5a74",
      "aggind:27fe4e476ca3490b8476b2b6650e5a74",
      "idpind:27fe4e476ca3490b8476b2b6650e5a74:715224EE-7AD6-33A1-ADA9-62C4608DA546"
    ]
  },
  "crawled_timestamp": "2022-11-15T14:33:50.641703679Z",
  "created_timestamp": "2022-11-15T12:59:15.444106807Z",
  "description": "A user received new privileges",
  "display_name": "Privilege escalation (user)",
  "end_time": "2022-11-15T12:58:13.155Z",
  "falcon_host_link": "https://falcon.crowdstrike.com/identity-protection/detections/27fe4e476ca3490b8476b2b6650e5a74:ind:27fe4e476ca3490b8476b2b6650e5a74?cid=27fe4e476ca3490b8476b2b6650e5a74",
  "id": "ind:27fe4e476ca3490b8476b2b6650e5a74",
  "name": "IdpEntityPrivilegeEscalationUser",
  "objective": "Gain Access",
  "pattern_id": 51113,
  "previous_privileges": "0",
  "privileges": "8321",
  "product": "idp",
  "scenario": "privilege_escalation",
  "severity": 2,
  "show_in_ui": true,
  "source_account_domain": "EXAMPLE.EXAMPLE",
  "source_account_name": "ExampleMailbox",
  "source_account_object_sid": "S-1-5-21-3479765008-4256118348-3151044947-3195",
  "start_time": "2022-11-15T12:58:13.155Z",
  "status": "new",
  "tactic": "Privilege Escalation",
  "tactic_id": "TA0004",
  "technique": "Valid Accounts",
  "technique_id": "T1078",
  "timestamp": "2022-11-15T12:58:15.397Z",
  "type": "idp-user-endpoint-app-info",
  "updated_timestamp": "2022-11-15T14:33:50.635238527Z"
}
```
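The Incidents Connector (dynamic list on incident_type, with the Use dynamic list as a blocklist option) and the Alerts Connector (dynamic list on display_name, with the severity score shown in the CrowdStrike UI divided by 10) both filter the records they fetch through a dynamic list. The following added Python example, which is not code from the integration, emulates that filtering in allowlist and blocklist mode on records shaped like the incident and alert events on this page. The sample records are constructed and abbreviated (the first of each list comes from the events above, the rest are invented); the assumptions are that an empty dynamic list keeps every record and that the Incidents Connector compares Lowest Severity Score To Fetch against the incident's fine_score.

```python
# Constructed sample records, abbreviated from the incident and alert events
# shown on this page; the entries marked "constructed" are invented.
SAMPLE_INCIDENTS = [
    {"incident_id": "inc:fee8a6ef0cb3412e9a781dcae0287c85:9dfa480ae6214309bff0c8dc2ad8af7c",
     "incident_type": 1, "state": "closed", "fine_score": 21},
    {"incident_id": "inc:constructed-example-0002",
     "incident_type": 2, "state": "open", "fine_score": 65},
    {"incident_id": "inc:constructed-example-0003",
     "incident_type": 1, "state": "open", "fine_score": 80},
]
SAMPLE_ALERTS = [
    {"id": "ind:27fe4e476ca3490b8476b2b6650e5a74",
     "display_name": "Privilege escalation (user)", "tactic_id": "TA0004"},
    {"id": "ind:constructed-example-0002",
     "display_name": "Constructed example alert", "tactic_id": "TA0001"},
]


def matches_dynamic_list(record: dict, key: str, dynamic_list, use_as_blocklist: bool = False) -> bool:
    """Allowlist mode (default): keep a record only if record[key] is listed.
    Blocklist mode ('Use dynamic list as a blocklist'): drop listed values.
    Assumption: an empty dynamic list applies no filter in either mode.
    Values are compared as strings so that incident_type 1 matches '1'."""
    if not dynamic_list:
        return True
    listed = str(record.get(key)) in {str(item) for item in dynamic_list}
    return not listed if use_as_blocklist else listed


def select_records(records, key, dynamic_list, use_as_blocklist=False,
                   severity_key=None, lowest_severity=None, max_records=None) -> list:
    """Emulate one connector iteration: dynamic-list filter, an optional
    severity floor (None means no filter), then the Max ... To Fetch cap."""
    kept = [r for r in records if matches_dynamic_list(r, key, dynamic_list, use_as_blocklist)]
    if severity_key is not None and lowest_severity is not None:
        kept = [r for r in kept if r.get(severity_key, 0) >= lowest_severity]
    return kept if max_records is None else kept[:max_records]


def ui_severity(api_score: int) -> float:
    """Per the Alerts Connector table, the CrowdStrike UI presents the severity
    score divided by 10, so an API score of 21 is shown as 2.1."""
    return api_score / 10


def incident_ids(records) -> list:
    """Convenience accessor used when printing or asserting on a selection."""
    return [r["incident_id"] for r in records]


if __name__ == "__main__":
    # Allowlist: only incident_type 1, with a severity floor applied to fine_score (assumption).
    print(incident_ids(select_records(SAMPLE_INCIDENTS, "incident_type", ["1"],
                                      severity_key="fine_score", lowest_severity=50)))
    # Blocklist: everything except the listed display_name.
    print([a["id"] for a in select_records(SAMPLE_ALERTS, "display_name",
                                           ["Privilege escalation (user)"], use_as_blocklist=True)])
```

When the blocklist option is selected, listing a noisy incident_type or display_name suppresses it without touching anything else; in the default allowlist mode the same list restricts ingestion to exactly those values, so an empty list in allowlist mode being treated as "no filter" is the case to confirm against your connector version before relying on it.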