CrowdStrike Falcon Host (OAuth Based)

CrowdStrike Falcon Host uniquely combines an array of powerful methods to provide prevention against the rapidly changing tactics, techniques and procedures (TTPs) used by adversaries to breach organizations - including commodity malware, zero-day malware and even advanced malware-free attacks.

Integration with LogicHub

Connecting with CrowdStrike

To connect to CrowdStrike, the following details are required:

  • URL: URL to your CrowdStrike Falcon Host (OAuth Based) instance. Example: https://api.crowdstrike.com
  • Client ID: Client ID of your CrowdStrike Falcon Host.
  • Client Secret: Client Secret of your CrowdStrike Falcon Host.

Actions with CrowdStrike

Search Detections

Search for detection IDs that match a given query.

Inputs to this Action

  • Connection: Choose a connection that you have created.
  • Query (Optional): Search all detection metadata for the provided string. Example: 'malicious'
  • Sort (Optional): Sort detections using these options. (Default is 'Max Severity: Descending')
  • Filter (Optional): Filter detections using a query in Falcon Query Language (FQL). An asterisk wildcard * includes all results. Example: 'behaviors.behavior_id: {{behavior_id_column}}'
  • Offset (Optional): The first detection to return, where 0 is the latest detection. Use with 'Limit' to manage pagination of results.
  • Limit (Optional): The maximum number of detections to return in this response (default: 9999; max: 9999). Use with 'Offset' to manage pagination of results.

Output of Action
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • result: Detection details

Get Detection Details

The Get Detection Details action lets you view details for specific detections, given one or more detection IDs.

Inputs to this Action

  • Connection: Choose a connection that you have created.
  • Detection ID Column Name: Column name from the parent table to look up the detection ID.

Output of Action
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • other fields of detections

Modify Detection

Change the state and assignee of one or more detections.

Note: In addition to the FalconX scope, the User Management [Read] scope is also required for this action to work. It is needed to map the assignee uid (email) to the corresponding UUID that the remote API expects.

Inputs to this Action

  • Connection: Choose a connection that you have created.
  • Detection ID: Column name from the parent table to look up the ID of the detection to modify.
  • Assignee (Optional): Column name from the parent table to look up the uid of the assignee (typically an email address) to assign the detection to. An empty value leaves the assignee of that detection unchanged.
  • Status (Optional): Status to set on all the detections; one of New/InProgress/TruePositive/FalsePositive/Ignored/Closed/Reopened.

Note: One of Assignee or Status must be provided.

  • Comment (Optional): Jinja-templated comment to add to the detection. Comments are displayed with the detection in Falcon and are typically used to provide context or notes for other Falcon users. A detection can have multiple comments over time. Example: Changed assignee of Detection: {{detection_id_column}} to {{assignee_uuid_column}} by LogicHub.

Output of Action
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • result: Successfully updated
{
  "result": "Successfully updated",
  "error": null,
  "has_error": false
}

Search Devices

Search for devices based on a filter.

Inputs to this Action

  • Connection: Choose a connection that you have created.
  • Devices Filter Template Column Name: Jinja2 template for the device filter. A few examples follow; see the Falcon API documentation for more.
  1. To find devices by host name:
    hostname: '{{host_column}}'

  2. To find devices by host name prefix or suffix, use the wildcard '*' (supported by a few fields):
    hostname: '{{host_prefix_column}}*'

  3. To find devices by local IP:
    local_ip: '{{ip_column}}'

  4. To find devices that match both a hostname and a platform name, use the '+' operator. Example:
    hostname: '{{host_column}}' + platform_name:'{{platform_column}}'

  5. To find devices that match either a hostname or a platform name, use the ',' operator. Example:
    hostname: '{{host_column}}' , platform_name:'{{platform_column}}'

  • Max Number of Results (Optional): Number of results to fetch (default is 100 results).
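The filter examples above substitute parent-table column values into an FQL string. The following added example (not part of the LogicHub integration or CrowdStrike's code) renders such a template and validates each value before substitution, so a cell containing a quote or an operator cannot close the quoted string and append clauses of its own. The placeholder syntax stands in for LogicHub's Jinja rendering, and the allow-list of permitted characters is an assumption, not an FQL rule.

```python
import re

# Values substituted into the filter are restricted to hostname / platform /
# IP-style tokens (letters, digits, '.', '_', ':', '-', and the '*' wildcard).
# Anything else, in particular quotes, operators and whitespace, is rejected so
# that a value read from a table cell cannot terminate the quoted FQL string
# and append its own clauses. This allow-list is an assumption, not FQL's own rule.
_SAFE_VALUE = re.compile(r"^[A-Za-z0-9._:*-]+$")
_PLACEHOLDER = re.compile(r"\{\{\s*(\w+)\s*\}\}")


def render_device_filter(template: str, row: dict) -> str:
    """Substitute {{column}} placeholders in an FQL filter template with the
    values of one parent-table row, validating each value first."""
    def substitute(match):
        column = match.group(1)
        if column not in row:
            raise KeyError(f"template references unknown column {column!r}")
        value = str(row[column])
        if not _SAFE_VALUE.match(value):
            raise ValueError(f"unsafe value in column {column!r}: {value!r}")
        return value
    return _PLACEHOLDER.sub(substitute, template)


def combine_filters(clauses: list, match_all: bool) -> str:
    """Join rendered clauses with FQL's '+' (all must match) or ',' (any may match)."""
    return (" + " if match_all else " , ").join(clauses)


if __name__ == "__main__":
    # Constructed sample row, mirroring the column names used in the examples above.
    row = {"host_column": "web-01", "platform_column": "Windows",
           "ip_column": "10.0.0.5", "host_prefix_column": "web-"}
    print(render_device_filter("hostname: '{{host_prefix_column}}*'", row))
    print(render_device_filter(
        "hostname: '{{host_column}}' + platform_name:'{{platform_column}}'", row))
```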

Output of Action
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • result: Device details

Get Device Details

The Get Device Details action lets you view details for specific devices, given one or more device IDs.

Inputs to this Action

  • Connection: Choose a connection that you have created.
  • Device ID Column Name: Column name from the parent table to look up the device ID.

Output of Action
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • other fields of device

Search Processes

Search for processes associated with a custom IOC type.

Inputs to this Action

  • Connection: Choose a connection that you have created.
  • IOC Type: Select the IOC type: sha256/md5/domain/ipv4/ipv6.
  • Indicator Values: Select column containing the string representation of the indicator.
  • Device ID: Specify a host's ID to return only processes from that host.
  • Max Number of Results (Optional): Number of results to fetch (default is 100 results).

Output of Action
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • result: Process details

Get Process Details

Retrieve the details of a process that is running or that previously ran, given one or more process IDs.

Inputs to this Action

  • Connection: Choose a connection that you have created.
  • Process ID Column Name: Column name from the parent table to look up the process ID.

Output of Action
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • other fields of process

Search IOCs

Search custom IOCs in your account.

Inputs to this Action

  • Connection: Choose a connection that you have created.
  • IOC Type (Optional): Select the IOC type: sha256/md5/domain/ipv4/ipv6.
  • Indicator Values (Optional): Select column containing the string representation of the indicator.
  • Indicator Policy (Optional): Select the indicator policy: detect/none.
  • Source (Optional): The source where this indicator originated. This can be used for tracking where this indicator was defined. Limit 200 characters.
  • Created By (Optional): The user or API client who created the custom IOC.
  • Deleted By (Optional): The user or API client who deleted the custom IOC.
  • Include Deleted (Optional): Select the option to include deleted IOCs.
  • After Timestamp (Optional): Find custom IOCs created after this time (RFC-3339 timestamp).
  • Before Timestamp (Optional): Find custom IOCs created before this time (RFC-3339 timestamp).

Output of Action
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • result: IOC details

Get IOC Details

Get IOC (Indicator of Compromise) details based on value and type.

Inputs to this Action

  • Connection: Choose a connection that you have created.
  • IOC Type: Select the IOC type.
  • IOC Value Column Name: Column name from the parent table that contains the IOC value.

Output of Action
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • other fields of IOC

Create Custom IOCs

Create new IOCs to block custom domains, hashes, or IPs.

Inputs to this Action

  • Connection: Choose a connection that you have created.
  • IOC Type: Select the IOC type: sha256/md5/domain/ipv4/ipv6.
  • Indicator Values: Select column containing the string representation of the indicator.
  • Indicator Policy: Select the indicator policy: detect/none.
  • Source (Optional): The source where this indicator originated. This can be used for tracking where this indicator was defined. Limit 200 characters.
  • Expiration Days (Optional): Number of days this custom IOC is active. Only applies for the types 'domain', 'IPv4', and 'IPv6' (default is 30 days).
  • IOC Description (Optional): Descriptive label for this custom IOC.

Output of Action
JSON containing the following items:

  • has_error: True/False
  • error: message/null

RTR Command: Single Host

Send Real-Time Response commands to a single host.

Inputs to this Action

  • Connection: Choose a connection that you have created.
  • Command Scope: Select Scope of RTR Command. RTR Read-Only Analyst/RTR Active Responder/RTR Administrator.
  • Device ID: The Host Agent ID of the device on which an RTR command is to be sent.
  • Command String: Full command string for the command. For example, cd C:\some_directory.

Output of Action
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • stdout: output response of running the RTR command on the host
  • stderr: error response of running the RTR command on the host

Take Action on Devices

Take various actions on the hosts in your environment. Contain or lift containment on hosts. Delete or restore hosts.

Inputs to this Action

  • Connection: Choose a connection that you have created.
  • Action Name: Select one of the following actions:
    • Contain: This action contains the host, which stops any network communications to locations other than the CrowdStrike cloud and IPs specified in your containment policy.
    • Lift Containment: This action lifts containment on the host, which returns its network communications to normal.
    • Hide Host: This action deletes a host. After the host is deleted, no new detections for that host are reported via the UI or APIs.
    • Unhide Host: This action restores a host. Detection reporting resumes after the host is restored.
  • Device ID: The Host Agent ID of the device.

Output of Action
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • result: Successfully executed action on host

Search Incidents

Search for incidents by providing an FQL filter, sorting, and paging details.

Inputs to this Action

  • Connection: Choose a connection that you have created.
  • Filter (Optional): Filter criteria in the form of an FQL query. For more information about FQL queries, see documentation (https://falcon.crowdstrike.com/support/documentation/45/falcon-query-language-fql) in Falcon.
  • Sort (Optional): Enter the Jinja-templated property to sort on, followed by a dot (.), followed by the sort direction, either "asc" or "desc". Example: {{property}}.{{direction}} or start.desc
  • Limit (Optional): Maximum number of incidents to return. (Default is 500).
    Note: CrowdStrike returns at most 500 results in a single API call, so a value greater than 500 involves multiple API calls and may take some time. Increase the Action Timeout if the action times out.
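The 500-per-call limit described above means a larger Limit has to be satisfied by walking offset/limit pages. The following added example (not the integration's own code) does that against a constructed stand-in for the API client, stops early when a short page signals the end of the result set, and emits one has_error/error/result row per incident ID in the shape this action's output uses; the client method name query_incidents is an assumption.

```python
PAGE_SIZE = 500  # CrowdStrike returns at most 500 incident IDs per API call


def search_incidents(client, fql_filter: str, sort: str, limit: int) -> list:
    """Collect up to `limit` incident IDs by walking offset/limit pages of at
    most PAGE_SIZE, emitting one envelope row per ID as the action does."""
    rows = []
    offset = 0
    while len(rows) < limit:
        page_limit = min(PAGE_SIZE, limit - len(rows))
        try:
            ids = client.query_incidents(filter=fql_filter, sort=sort,
                                         offset=offset, limit=page_limit)
        except Exception as exc:  # surface an API failure as a single error row
            rows.append({"has_error": True, "error": str(exc), "result": None})
            return rows
        rows.extend({"has_error": False, "error": None, "result": i} for i in ids)
        if len(ids) < page_limit:  # short page: no more incidents to fetch
            break
        offset += len(ids)
    return rows


class FakeIncidentClient:
    """Constructed stand-in for the API client; serves canned incident IDs in
    the inc:<cid>:<id> form shown in the action output and counts the calls."""
    def __init__(self, total: int):
        self.ids = [f"inc:{'0' * 32}:{n:032x}" for n in range(total)]
        self.calls = 0

    def query_incidents(self, filter, sort, offset, limit):
        self.calls += 1
        return self.ids[offset:offset + limit]


if __name__ == "__main__":
    client = FakeIncidentClient(total=1234)
    result = search_incidents(client, "state:'open'", "start.desc", limit=1200)
    print(len(result), "rows in", client.calls, "API calls")
```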

Output of Action
Multiple JSON rows containing the following items:

  • has_error: True/False
  • error: message/null
  • result: incident-id of a matched incident
{
  "error": null,
  "has_error": false,
  "result": "inc:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
}

Get Incident Details

Get details on incidents by providing incident IDs.

Inputs to this Action

  • Connection: Choose a connection that you have created.
  • Incident ID: Column name from the parent table to look up the incident ID.

Output of Action
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • other keys containing incident details
{
  "incident_id": "inc:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
  "incident_type": 1,
  "cid": "c2f696880d9b4371b9760f7536078690",
  "host_ids": [
    "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
  ],
  "hosts": [
    {
      "device_id": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
      "cid": "c2f696880d9b4371b9760f7536078690",
      "agent_load_flags": "0",
      "agent_local_time": "2020-09-23T13:51:08.032Z",
      "agent_version": "5.37.11804.0",
      "bios_manufacturer": "Apple Inc.",
      "bios_version": "199.0.0.0.0",
      "config_id_base": "65994753",
      "config_id_build": "11804",
      "config_id_platform": "4",
      "external_ip": "xx.xx.xx.xx",
      "hostname": "my-backup.local",
      "first_seen": "2020-07-20T04:09:07Z",
      "last_seen": "2020-09-23T14:11:08Z",
      "local_ip": "127.0.0.1",
      "mac_address": "xx-xx-xx-xx-xx-xx",
      "major_version": "19",
      "minor_version": "6",
      "os_version": "Catalina (10.15)",
      "platform_id": "1",
      "platform_name": "Mac",
      "product_type_desc": "Workstation",
      "status": "normal",
      "system_manufacturer": "Apple Inc.",
      "system_product_name": "MacBookPro11,4",
      "modified_timestamp": "2020-09-23T14:12:17Z"
    }
  ],
  "created": "2020-09-23T14:32:32Z",
  "start": "2020-09-23T14:32:32Z",
  "end": "2020-09-23T14:54:21Z",
  "state": "closed",
  "assigned_to": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
  "assigned_to_name": "Saurabh Prakash",
  "status": 40,
  "tactics": [
    "Persistence"
  ],
  "techniques": [
    "Modify Existing Service"
  ],
  "objectives": [
    "Keep Access"
  ],
  "modified_timestamp": "2020-09-23T14:45:15.179411419Z",
  "fine_score": 10,
  "error": null,
  "has_error": false
}

Falcon X Sandbox File Upload

Upload a file for sandbox analysis. After uploading, use Falcon X Sandbox Analysis to start analyzing the file.
Max file size: 100 MB.
Accepted file formats:

  • Portable executables: .exe, .scr, .pif, .dll, .com, .cpl.
  • Office documents: .doc, .docx, .ppt, .pps, .pptx, .ppsx, .xls, .xlsx, .rtf, .pub
  • PDF
  • APK
  • Executable JAR
  • Windows script component: .sct
  • Windows shortcut: .lnk
  • Windows help: .chm
  • HTML application: .hta
  • Windows script file: .wsf
  • JavaScript: .js
  • Visual Basic: .vbs, .vbe
  • Shockwave Flash: .swf
  • Perl: .pl
  • PowerShell: .ps1, .psd1, .psm1
  • Scalable vector graphics: .svg
  • Python: .py
  • Linux ELF executables
  • Email files: MIME RFC 822 .eml, Outlook .msg.

Inputs to this Action

  • Connection: Choose a connection that you have created.
  • File ID: Column name from the parent table that contains the LogicHub File ID of the file to be uploaded.
  • File Name (Optional): Column name from parent table that contains the File name of the file to be uploaded (defaults to LogicHub File ID, if the column is not selected or if the column value is empty).
  • Comment (Optional): Jinja-templated descriptive comment to identify the file for other users.

Output of Action
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • sha256: SHA256 hash of the uploaded file as reported by CrowdStrike
  • file_name: file name of file uploaded
{
  "error": null,
  "has_error": false,
  "sha256": "42a615198bcdfc72839936409c88af7ded125feabfec4753b307dc985aaba48f",
  "file_name": "virus.exe"
}

Falcon X Sandbox Analysis

Submit either a URL or a sample SHA256 for sandbox analysis. For SHA256 analysis, the file must first be uploaded to Falcon X using the Falcon X Sandbox File Upload action. This action waits for the analysis to complete for each row of input. Set the Thread Count so that rows are processed in parallel and the action runs faster (recommended: the maximum number of rows expected in the input table). According to CrowdStrike, the time required to analyze each resource varies but is usually less than 15 minutes, so set the Action Timeout accordingly.

Inputs to this Action

  • Connection: Choose a connection that you have created.
  • Type: Select the type of analysis to run: SHA256 or URL.
  • URL/SHA256: Column name from the parent table that contains the URL or SHA256 of the file to analyze. The matching Type above must be selected for the action to work correctly.
  • Environment ID: The sandbox environment in which to analyze the URL or SHA256:
    • Linux (Ubuntu 16.04, 64 bit)
    • Android Static Analysis
    • Windows 10 64 bit
    • Windows 7 64 bit
    • Windows 7 32 bit
  • Report Type (Optional): Select the type of report to retrieve: Detailed or Summarized (default is Summarized).
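Because this action blocks until each submission's analysis finishes, the wait needs a deadline that matches the Action Timeout. The following added example (not the integration's own code) shows that polling loop against a constructed sandbox client and an injectable clock, returning the has_error/error envelope both when the report is ready and when the deadline passes; the client methods submission_state and report, and the state names, are assumptions.

```python
import time


def wait_for_report(client, submission_id: str, timeout: float,
                    poll_interval: float = 30.0,
                    clock=time.monotonic, sleep=time.sleep) -> dict:
    """Poll a sandbox submission until it leaves the 'running' state or the
    deadline passes, and return the action-style envelope either way."""
    deadline = clock() + timeout
    while True:
        state = client.submission_state(submission_id)
        if state == "completed":
            report = client.report(submission_id)
            return {"has_error": False, "error": None, **report}
        if state != "running":  # the sandbox itself gave up on the sample
            return {"has_error": True, "result": None,
                    "error": f"submission ended in state {state!r}"}
        if clock() >= deadline:
            return {"has_error": True, "result": None,
                    "error": f"analysis not finished after {timeout:.0f}s; "
                             "increase the Action Timeout"}
        sleep(poll_interval)


class FakeSandboxClient:
    """Constructed stand-in: reports 'running' for a fixed number of polls,
    then 'completed' with a canned verdict like the one in the sample output."""
    def __init__(self, polls_until_done: int, verdict: str = "no specific threat"):
        self.remaining = polls_until_done
        self.verdict = verdict

    def submission_state(self, submission_id: str) -> str:
        if self.remaining > 0:
            self.remaining -= 1
            return "running"
        return "completed"

    def report(self, submission_id: str) -> dict:
        return {"id": submission_id, "verdict": self.verdict}


class FakeClock:
    """Constructed clock so the example runs instantly: sleep() advances time."""
    def __init__(self):
        self.now = 0.0

    def time(self) -> float:
        return self.now

    def sleep(self, seconds: float) -> None:
        self.now += seconds
```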

Output of Action
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • other keys representing the information in the report
{
  "id": "c2f696880d9b4371b9760f7536078690_d00d7b1b2c184d24a63d2c59d638a052",
  "cid": "c2f696880d9b4371b9760f7536078690",
  "created_timestamp": "2020-12-02T04:08:00Z",
  "origin": "apigateway",
  "sandbox": [
    {
      "sha256": "dac3aaa58e1796468ee1b96d8c1c59c8192bff99b1622a1cf09e71ea2a8f8e72",
      "environment_id": 100,
      "environment_description": "Windows 7 32 bit",
      "submit_name": "dac3aaa58e1796468ee1b96d8c1c59c8192bff99b1622a1cf09e71ea2a8f8e72",
      "submission_type": "file",
      "verdict": "no specific threat",
      "file_type": "PDF document, version 1.6",
      "sample_flags": [
        "Extracted Files"
      ]
    }
  ],
  "verdict": "no specific threat",
  "ioc_report_strict_csv_artifact_id": "65172ac1acf79d79958462f9123ee8f365f0e474c92185a2616adc2db2c19360",
  "ioc_report_broad_csv_artifact_id": "65172ac1acf79d79958462f9123ee8f365f0e474c92185a2616adc2db2c19360",
  "ioc_report_strict_json_artifact_id": "734de9198c5a6eae53e2a1a062e83ff9981d2c2a0cde4276a5235db5100cf795",
  "ioc_report_broad_json_artifact_id": "734de9198c5a6eae53e2a1a062e83ff9981d2c2a0cde4276a5235db5100cf795",
  "ioc_report_strict_stix_artifact_id": "205d28c146e45927ad04f99e6154a62682ec1f8fc5a62d8ff5005a8854c81717",
  "ioc_report_broad_stix_artifact_id": "205d28c146e45927ad04f99e6154a62682ec1f8fc5a62d8ff5005a8854c81717",
  "ioc_report_strict_maec_artifact_id": "0ad1af8daad615421fca9aa2bdbc3271a0225c3cee691f5d9fed2bacfa8e6190",
  "ioc_report_broad_maec_artifact_id": "0ad1af8daad615421fca9aa2bdbc3271a0225c3cee691f5d9fed2bacfa8e6190",
  "error": null,
  "has_error": false
}
