Document toolboxDocument toolbox

CrowdStrike

Owned by Jonas Gonzalez
Last updated: Nov 29, 2024
4 min read
[ 1 Connect CrowdStrike with Devo SOAR ] [ 2 Actions for CrowdStrike ] [ 2.1 Get Detection Details ] [ 2.1.1 Input Field ] [ 2.1.2 Output ] [ 2.2 Get Device Details ] [ 2.2.1 Input Field ] [ 2.2.2 Output ] [ 2.3 Get Process Details ] [ 2.3.1 Input Field ] [ 2.3.2 Output ] [ 2.4 Search Devices ] [ 2.4.1 Input Field ] [ 2.4.2 Output ] [ 2.5 Get IOC Details ] [ 2.5.1 Input Field ] [ 2.5.2 Output ] [ 3 Release Notes ]

CrowdStrike Falcon Host uniquely combines an array of powerful methods to provide prevention against the rapidly changing tactics, techniques and procedures (TTPs) used by adversaries to breach organizations - including commodity malware, zero-day malware and even advanced malware-free attacks.

Connect CrowdStrike with Devo SOAR

  1. Navigate to Automations > Integrations.

  2. Search for CrowdStrike.

  3. Click Details, then the + icon. Enter the required information in the following fields.

  4. Label: Enter a connection name.

  5. Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com where, hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.

  6. Verify SSL: Select option to verify connecting server's SSL certificate (Default is Verify SSL Certificate).

  7. Remote Agent: Run this integration using the Devo SOAR Remote Agent.

  8. API ID: API ID of your CrowdStrike instance.

  9. API Key: API Key of your CrowdStrike instance.

  10. After you've entered all the details, click Connect.

Actions for CrowdStrike

Get Detection Details

Get detection details action allows you to view details for specific detections given one or more detection IDs.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name

Description

Required

Input Name

Description

Required

Detection ID Column Name

Column name from the parent table to lookup value for detection ID.

Required

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

  • result: Detection details

Get Device Details

Get device details action allows you to view details for specific devices given one or more device IDs.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name

Description

Required

Input Name

Description

Required

Device ID Column Name

Column name from the parent table to lookup value for the device ID.

Required

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

  • result: Device details

Get Process Details

Retrieve the details of a process that is running or that previously ran, given one or more process IDs.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name

Description

Required

Input Name

Description

Required

Process ID Column Name

Column name from the parent table to lookup value for process ID.

Required

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

  • result: Process details

Search Devices

Search for devices based on a filter.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name

Description

Required

Input Name

Description

Required

Devices Filter Template Column Name

Jinja2 template for the device filter. Following are a few examples. Find more on falcon API documentation.

 

1. To find devices with host name

 

 

hostname: '{{host_column}}'

 

 

  1. To find devices based on prefix or suffix use wildcard ' _ ' (supported by few fields)
    hostname: '{{host_prefix_column}}_'

  2. To find devices with local IP
    local_ip: '{{ip_column}}'

  3. To find devices which matches both hostname and platform '+' operator is used Example:
    hostname: '{{host_column}}' + platform_name:'{{platform_column}}'

  4. To find devices which matches either hostname or platform name ' , ' operator is used. Example:
    hostname: '{{host_column}}' , platform_name:'{{platform_column}}' | Required | | Max Number of Results | Number of results to fetch. (Default is 100 results). | Optional |

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

  • result: Device details

Get IOC Details

Get IOC (Indicators of Compromise) details based on value and type.

Input Field

Input Name

Description

Required

Input Name

Description

Required

IOC Type

Select the value of IOC Type.

Required

IOC Value Column Name

Column name from parent table that contains IOC value.

Required

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

  • result: IOC details

Release Notes

  • v2.0.0 - Updated architecture to support IO via filesystem