CrowdStrike

CrowdStrike Falcon Host uniquely combines an array of powerful methods to provide prevention against the rapidly changing tactics, techniques and procedures (TTPs) used by adversaries to breach organizations - including commodity malware, zero-day malware and even advanced malware-free attacks.

Integration with LogicHub

Connecting with CrowdStrike

To connect to CrowdStrike, the following details are required:

  • Label: Connection name.
  • Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com, where hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.
  • API ID: API ID of your CrowdStrike instance.
  • API Key: API Key of your CrowdStrike instance.

Actions with CrowdStrike

Get Detection Details

The Get Detection Details action lets you view details for specific detections, given one or more detection IDs.

Inputs to this Action

  • Connection: Choose a connection that you have created.
  • Detection ID Column Name: Column name from the parent table to look up the value for the detection ID.

Output of Action
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • result: Detection details

Get Device Details

The Get Device Details action lets you view details for specific devices, given one or more device IDs.

Inputs to this Action

  • Connection: Choose a connection that you have created.
  • Device ID Column Name: Column name from the parent table to look up the value for the device ID.

Output of Action
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • result: Device details

Get Process Details

Retrieve the details of a process that is running or that previously ran, given one or more process IDs.

Inputs to this Action

  • Connection: Choose a connection that you have created.
  • Process ID Column Name: Column name from the parent table to look up the value for the process ID.

Output of Action
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • result: Process details

Search Devices

Search for devices based on a filter.

Inputs to this Action

  • Connection: Choose a connection that you have created.
  • Devices Filter Template Column Name: Jinja2 template for the device filter. A few examples follow; see the Falcon API documentation for more.
  1. To find devices by host name:
    hostname: '{{host_column}}'

  2. To find devices by prefix or suffix, use the wildcard ' ' (supported by only a few fields):
    hostname: '{{host_prefix_column}}
    '

  3. To find devices by local IP:
    local_ip: '{{ip_column}}'

  4. To find devices that match both hostname and platform name, use the '+' operator. Example:
    hostname: '{{host_column}}' + platform_name:'{{platform_column}}'

  5. To find devices that match either hostname or platform name, use the ',' operator. Example:
    hostname: '{{host_column}}' , platform_name:'{{platform_column}}'

  • Max Number of Results (Optional): Number of results to fetch (default: 100).
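The following is an added example, not LogicHub's or CrowdStrike's own code: it renders the filter templates listed above against a parent-table row and returns the same has_error/error/result shape the actions use. It assumes a minimal `{{column}}` substitution as a stand-in for the Jinja2 engine, and it refuses a row value containing a single quote, since such a value would break out of the quoted filter term; the sample row is constructed.

```python
import re
from typing import Dict, Optional

# Minimal stand-in for Jinja2 variable substitution: handles only {{ name }}.
# Assumption: LogicHub renders these templates with Jinja2; this is not its renderer.
_VAR = re.compile(r"\{\{\s*(\w+)\s*\}\}")

# Filter templates as documented on this page for the Search Devices action.
TEMPLATES = {
    "by_hostname": "hostname: '{{host_column}}'",
    "by_local_ip": "local_ip: '{{ip_column}}'",
    "hostname_and_platform": "hostname: '{{host_column}}' + platform_name:'{{platform_column}}'",
    "hostname_or_platform": "hostname: '{{host_column}}' , platform_name:'{{platform_column}}'",
}


def render_filter(template: str, row: Dict[str, str]) -> str:
    """Render one filter template against a single parent-table row.

    Raises KeyError when the template names a column the row lacks, and
    ValueError when a value contains a single quote, because that would end
    the quoted term early and change the filter's meaning. Rejecting is safer
    than guessing an escape rule the page does not document.
    """
    def substitute(match: "re.Match[str]") -> str:
        column = match.group(1)
        if column not in row:
            raise KeyError(f"template references missing column {column!r}")
        value = str(row[column])
        if "'" in value:
            raise ValueError(f"column {column!r} contains a single quote; refusing to build filter")
        return value

    return _VAR.sub(substitute, template)


def build_filter(template: str, row: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Wrap render_filter in the has_error / error / result shape the actions return."""
    try:
        return {"has_error": False, "error": None, "result": render_filter(template, row)}
    except (KeyError, ValueError) as exc:
        return {"has_error": True, "error": str(exc), "result": None}


# Constructed sample row (not real data) standing in for one parent-table row.
SAMPLE_ROW = {"host_column": "WS-FIN-042", "ip_column": "10.20.30.40", "platform_column": "Windows"}

if __name__ == "__main__":
    for name, template in TEMPLATES.items():
        print(name, "->", build_filter(template, SAMPLE_ROW))
```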

Output of Action
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • result: Device details

Get IOC Details

Get IOC (Indicators of Compromise) details based on value and type.

Inputs to this Action

  • Connection: Choose a connection that you have created.
  • IOC Type: Select the IOC type.
  • IOC Value Column Name: Column name from parent table that contains IOC value.

Output of Action
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • result: IOC details
