...
CrowdStrike Falcon Host uniquely combines an array of powerful methods to provide prevention against the rapidly changing tactics, techniques and procedures (TTPs) used by adversaries to breach organizations - including commodity malware, zero-day malware and even advanced malware-free attacks.
Connect CrowdStrike with Devo SOAR
Navigate to Automations > Integrations.
Search for CrowdStrike.
Click Details, then the + icon. Enter the required information in the following fields.
Label: Enter a connection name.
Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com where, hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.
Verify SSL: Select option to verify connecting server's SSL certificate (Default is Verify SSL Certificate).
Remote Agent: Run this integration using the Devo SOAR Remote Agent.
API ID: API ID of your CrowdStrike instance.
API Key: API Key of your CrowdStrike instance.
After you've entered all the details, click Connect.
Actions for CrowdStrike
Get Detection Details
Get detection details action allows you to view details for specific detections given one or more detection IDs.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Detection ID Column Name | Column name from the parent table to lookup value for detection ID. | Required |
Output
A JSON object containing multiple rows of result:
has_error: True/False
error: message/null
result: Detection details
...
Get Device Details
Get device details action allows you to view details for specific devices given one or more device IDs.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Device ID Column Name | Column name from the parent table to lookup value for the device ID. | Required |
Output
A JSON object containing multiple rows of result:
has_error: True/False
error: message/null
result: Device details
...
Get Process Details
Retrieve the details of a process that is running or that previously ran, given one or more process IDs.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Process ID Column Name | Column name from the parent table to lookup value for process ID. | Required |
Output
A JSON object containing multiple rows of result:
has_error: True/False
error: message/null
result: Process details
...
Search Devices
Search for devices based on a filter.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
...
To find devices based on prefix or suffix use wildcard ' _ ' (supported by few fields)
hostname: '{{host_prefix_column}}_'To find devices with local IP
local_ip: '{{ip_column}}'To find devices which matches both hostname and platform '+' operator is used Example:
hostname: '{{host_column}}' + platform_name:'{{platform_column}}'To find devices which matches either hostname or platform name ' , ' operator is used. Example:
hostname: '{{host_column}}' , platform_name:'{{platform_column}}' | Required | | Max Number of Results | Number of results to fetch. (Default is 100 results). | Optional |
Output
A JSON object containing multiple rows of result:
has_error: True/False
error: message/null
result: Device details
...
Get IOC Details
Get IOC (Indicators of Compromise) details based on value and type.
Input Field
Input Name | Description | Required |
---|---|---|
IOC Type | Select the value of IOC Type. | Required |
IOC Value Column Name | Column name from parent table that contains IOC value. | Required |
Output
A JSON object containing multiple rows of result:
has_error: True/False
error: message/null
result: IOC details
...
Release Notes
v2.0.0
- Updated architecture to support IO via filesystem
...