Document toolboxDocument toolbox

CrowdStrike API resources collector

Owned by Juan Tomás Alonso Nieto (Deactivated)
May 08, 2023
10 min read

Overview

The CrowdStrike Falcon platform is a powerful solution that includes EDR (Endpoint Detection and Response), next-generation anti-virus, and device control for endpoints. It also provides a whole host of other operational capabilities across IT operations and security including Threat Intelligence. The CrowdStrike API is managed from the CrowdStrike Falcon UI by the Falcon Administrator. From there, multiple API clients can be defined along with their required scope

Crowdstrike is one of the top data sources for Devo customers and prospects alike, so would encourage new customers to use this one, and existing ones to transition to this one soon.

Data source description

Data Source

Subtype

Table

Service

End Point

Description

Available from release

Hosts

-

edr.crowdstrike.falconstreaming.agents

hosts

  1. Listing: {base_url}/incidents/queries/devices/v1

  2. Details: {base_url}/incidents/entities/devices/GET/v1

Check the {base_url} in the config parameters details for further information.

Hosts are endpoints that run the Falcon sensor. You can get information and details about these agents.

Refer to the Crowdstrike documentation.

v1.0.0

Incidents

-

edr.crowdstrike.falconstreaming.incidents

incidents

  1. Listing: {base_url}/incidents/queries/incidents/v1

  2. Details: {base_url}/incidents/entities/incidents/GET/v1

Check the {base_url} in the config parameters details for further information.

Incidents are events that occur in an organization which can represent a cybersecurity threat or an attack.

v1.0.0

Vulnerabilities

-

edr.crowdstrike.falconstreaming.vulnerabilities

vulnerabilities

  1. Listing: {base_url}/incidents/queries/vulnerabilities/v1

  2. Details: {base_url}/incidents/entities/vulnerabilities/GET/v1

Vulnerabilities are known security risks in an operating system, application, hardware, firmware, or other part of a computing stack.

v1.0.0

Behaviors

-

edr.crowdstrike.falconstreaming.behaviors

behaviors

  1. Listing: {base_url}/incidents/queries/behaviors/v1

  2. Details: {base_url}/incidents/entities/behaviors/GET/v1

Behaviors are patterns of data transmissions in a network that are out of the norm, used to detect anomalies before cyber attacks occur.

v1.0.0

Event Stream (eStream)

AuthActivity AuditEvent

edr.crowdstrike.falconstreaming.auth_activity

estream

The endpoints are dynamically generated by following this (simplified) approach:

  1. Once an authentication token has been obtained, a request to {base_url}/sensors/entities/datafeed/v2 is performed to obtain the “Data Feeds”.

    1. Check the {base_url} in the config parameters details for further information.

  2. Each Data Feed will contain a URL and a session token. A request to each of these URLs (along with their corresponding token) will return a streaming response in which every non-empty line represents a different event.

    1. Every Data Feed will also contain a “refresh stream” URL, which is accessed every less than 30 minutes.

    2. All the Data Feeds are processed in parallel. The amount of available Data Feeds depend on the CrowdStrike account’s configuration.

The Streaming API provides several types of events.

v1.3.0

IncidentSummaryEvent

edr.crowdstrike.falconstreaming.incident_summary

v1.3.0

RemoteResponseSessionStartEvent RemoteResponseSessionEndEvent

edr.crowdstrike.falconstreaming.remote_response_session

v1.3.0

CustomerIOCEvent

edr.crowdstrike.falconstreaming.customer_ioc

v1.3.0

Event_ExternalAPIEvent

edr.crowdstrike.falconstreaming.external_api

v1.3.0

DetectionSummaryEvent

edr.crowdstrike.falconstreaming.detection_summary

v1.3.0

UserActivityAuditEvent

Depending on the event’s event.ServiceName property (in lowercase):

  • groupsedr.crowdstrike.falconstreaming.user_activity_groups

  • devicesedr.crowdstrike.falconstreaming.user_activity_devices

  • detectionsedr.crowdstrike.falconstreaming.user_activity_detections

  • quarantined_filesedr.crowdstrike.falconstreaming.user_activity_quarantined_files

  • ip_whitelistedr.crowdstrike.falconstreaming.user_activity_quarantined_files

  • prevention_policyedr.crowdstrike.falconstreaming.user_activity_prevention_policy

  • sensor_update_policyedr.crowdstrike.falconstreaming.user_activity_sensor_update_policy

  • device_control_policyedr.crowdstrike.falconstreaming.user_activity_device_control_policy

v1.3.0

Vendor setup

In order to configure the Devo | CrowdStrike API Resources collector, you need to create an API client that will be used to authenticate API requests.

  1. After getting your Crowdstrike Falcon Cloud credentials, log into the CrowdStrike Falcon Cloud dashboard.

  2. Click the three dots in the left menu bar.

  3. Click API Clients and Keys. This will open a page to create an API client.

  4. Click Add API Client at the top right corner. Enter a CLIENT NAME and DESCRIPTION.

  5. Then, enable the API scopes for your new API client. Click the required Read permissions for each scope and click ADD to create the client.

  6. Finally, copy the Client ID and Client Secret shown on the next screen. You will need these values to configure the collector.

Devo collector features

Feature

Details

Feature

Details

Allow parallel downloading (multipod)

Not allowed



Running environments

Cloud collector, on-premise

Run the collector

Once the data source is configured, you can either send us the required information if you want us to host and manage the collector for you (Cloud collector), or deploy and host the collector in your own machine using a Docker image (On-premise collector).

API limitations

Crowdstrike does not apply limitations as long as its use is reasonable.

Change log for 1.x.x

Release

Released on

Release type

Details

Recommendations

Release

Released on

Release type

Details

Recommendations

v1.0.0

Dec 16, 2021

FEATURE

New Features:

  • Initial release that includes the following data sources from CrowdStrike API:

    • Hosts

    • Incidents

    • Vulnerabilities

    • Behaviors

Upgrade

v1.1.0

Apr 8, 2022

IMPROVEMENTS VULNS

Improvements:

  • The underlay IFC SDK has been updated from v1.1.2 to v1.1.3.

  • The resilience has been improved with a new feature that restart the collector when the Devo connections is lost and it cannot be recovered.

Vulnerabilities mitigation:

  • All critical and high vulnerabilities have been mitigated.

Upgrade

v1.2.0

Jul 7, 2022

IMPROVEMENTS
VULNS

Improvements:

  • Upgraded underlay IFC SDK v1.1.3 to v1.3.0.

  • The resilience has been improved with a new feature that restart the collector when the Devo connections is lost and it cannot be recovered.

  • When an exception is raised by the Collector Setup, the collector retries after 5 seconds. For consecutive exceptions, the waiting time is multiplied by 5 until hits 1800 seconds, which is the maximum waiting time allowed. No maximum retries are applied.

  • When an exception is raised by the Collector Pull method, the collector retries after 5 seconds. For consecutive exceptions, the waiting time is multiplied by 5 until hits 1800 seconds, which is the maximum waiting time allowed. No maximum retries are applied.

  • When an exception is raised by the Collector pre-pull method, the collector retries after 30 seconds. No maximum retries are applied.

Upgrade

v1.3.0

Sep 9, 2022

IMPROVEMENTS FEATURE

Improvements:

  • Upgraded underlay IFC SDK v1.3.0 to v1.4.0.

  • Updated the underlying DevoSDK package to v3.6.4 and dependencies, this upgrade increases the resilience of the collector when the connection with Devo or the Syslog server is lost. The collector is able to reconnect in some scenarios without running the self-kill feature.

  • Support for stopping the collector when a GRACEFULL_SHUTDOWN system signal is received.

  • Re-enabled the logging to devo.collector.out for Input threads.

  • Improved self-kill functionality behavior.

  • Added more details in log traces.

  • Added log traces for knowing system memory usage.

New Features:

  • CrowdStrike Event Stream (eStream) data source is now available. This service leverages the CrowdStrike Falcon Event Streams API to obtain the customer’s DataFeed URLs and continuosly fetch events that will be ingested under the edr.crowdstrike.falconstreaming.* family of tables. For more information, check the CrowdStrike’s official documentation.

Upgrade

v1.3.1

Sep 15, 2022

IMPROVEMENTS

Improvements:

  • The RegEx validation has been updated to enforce the HTTP[S] protocol for all services when this parameter is filled in by the user.

  • The Event Stream (eStream) service has been updated to use the same overriding parameter for the base_url than the other previous services. This allows to the user define this only one time for all available services through override_base_url user config file.

Recommended Version

v1.4.0

Sep 15, 2022

IMPROVEMENTS
BUG FIXING

Improvements:

  • Added @devo_pulling_id field.

  • Update the `details` endpoint to use the v2 API (due to v1 deprecation)

Bug Fixing:

  • Fixed a bug that prevented overriding the base URL.

Recommended Version